Security - securing an email server?

jZaw - Sep 03, 2003 - 08:02 PM
Post subject: securing an email server?
I'm wondering if Eusty can help me with an email server I've just set up.
I need to make sure I'm not running as an open relay.


rofl
eusty - Sep 03, 2003 - 10:36 PM
Post subject:
http://www.abuse.net/relay.html

Connecting to mail.eusty.net for anonymous test ...

<<< 220 eusty.net Mercury/32 v3.32 ESMTP server ready.
>>> HELO www.abuse.net
<<< 250 eusty.net Hello, www.abuse.net.

Relay test 1
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 2
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 3
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 4
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 5
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@[81.6.244.57]>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 6
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest%abuse.net@eusty.net>
<<< 550 Address '<relaytest%abuse.net@eusty.net>' not known here.

Relay test 7
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest%abuse.net@[81.6.244.57]>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 8
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<"relaytest@abuse.net">
<<< 553 Invalid RFC821 mailbox specification.

Relay test 9
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<"relaytest%abuse.net">
<<< 553 Invalid RFC821 mailbox specification.

Relay test 10
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net@eusty.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 11
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<"relaytest@abuse.net"@eusty.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 12
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net@[81.6.244.57]>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 13
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<@eusty.net:relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 14
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<@[81.6.244.57]:relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 15
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<abuse.net!relaytest>
<<< 553 Invalid RFC821 mailbox specification.

Relay test 16
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<abuse.net!relaytest@eusty.net>
<<< 550 Address '<abuse.net!relaytest@eusty.net>' not known here.

Relay test 17
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@eusty.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<abuse.net!relaytest@[81.6.244.57]>
<<< 553 We do not relay without RFC2554 authentication.

Relay test result
All tests performed, no relays accepted.
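The verdict line above ("no relays accepted") is what matters in such a transcript: each "Relay test" tries a different recipient form (percent-hack, source routing, bang paths, quoted local parts) and the server must answer RCPT TO with a 5xx. The following is an added example, not part of eusty's post or of the abuse.net tester: it parses a transcript in this format and flags any test where RCPT TO got a 2xx reply, which is exactly the case an admin re-running the check against their own server would want to catch. The transcript embedded below is constructed for the example, using documentation domains rather than the hosts in the thread.

```python
import re

# Constructed excerpt in the same ">>>" / "<<<" layout as the abuse.net relay tester.
# Test 2 is deliberately written as an accepted relay so the parser has something to flag.
SAMPLE_TRANSCRIPT = """\
Relay test 1
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@abuse.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest@abuse.net>
<<< 553 We do not relay without RFC2554 authentication.

Relay test 2
>>> RSET
<<< 250 Command processed OK.
>>> MAIL FROM:<spamtest@example.net>
<<< 250 Sender OK - send RCPTs.
>>> RCPT TO:<relaytest%abuse.net@example.net>
<<< 250 Recipient OK.
"""

TEST_HEADER = re.compile(r"Relay test (\d+)$")
RCPT_CMD = re.compile(r"RCPT TO:<(.*)>$", re.IGNORECASE)


def parse_relay_tests(transcript):
    """Return one dict per 'Relay test N' block: the RCPT TO address tried,
    the three-digit reply code the server gave to it, and whether that reply
    was a 2xx (i.e. the server agreed to relay)."""
    results = []
    current = None
    last_cmd = None
    for line in transcript.splitlines():
        header = TEST_HEADER.match(line.strip())
        if header:
            current = {"test": int(header.group(1)), "rcpt": None,
                       "code": None, "accepted": False}
            results.append(current)
            last_cmd = None
            continue
        if current is None:
            continue  # banner / HELO lines before the first test
        if line.startswith(">>> "):
            last_cmd = line[4:]
            m = RCPT_CMD.match(last_cmd)
            if m:
                current["rcpt"] = m.group(1)
        elif line.startswith("<<< ") and last_cmd and last_cmd.upper().startswith("RCPT TO:"):
            # Only the reply to RCPT TO decides relaying; MAIL FROM replies are irrelevant.
            code = int(line[4:7])
            current["code"] = code
            current["accepted"] = 200 <= code < 300
    return results


def relays_accepted(transcript):
    """Test numbers whose RCPT TO was accepted; an empty list is the clean result."""
    return [r["test"] for r in parse_relay_tests(transcript) if r["accepted"]]


def summarize(transcript):
    """One-line verdict in the spirit of the tester's own 'Relay test result'."""
    bad = relays_accepted(transcript)
    if not bad:
        return "All tests performed, no relays accepted."
    return "RELAY ACCEPTED in test(s): " + ", ".join(str(n) for n in bad)


if __name__ == "__main__":
    for r in parse_relay_tests(SAMPLE_TRANSCRIPT):
        print("test %2d  %-40s  %s  %s" % (r["test"], r["rcpt"], r["code"],
                                           "ACCEPTED" if r["accepted"] else "refused"))
    print(summarize(SAMPLE_TRANSCRIPT))
```

A 4xx reply (temporary failure, greylisting) is counted as "not accepted" here, which matches how the tester scores it; if you want to distinguish deferred from refused, split on `400 <= code < 500` in the same place.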
Anonymous - Sep 03, 2003 - 10:39 PM
Post subject:
héhé, sorry, I couldn't resist ... I had heard otherwise
jZaw - Sep 03, 2003 - 10:41 PM
Post subject:
That last one was me ... for some reason I forgot to log in
Anonymous - Sep 04, 2003 - 10:40 AM
Post subject:
I've been having problems with relay attempts from the Far East, loads of them!!!
I've had to set the firewall to drop some IP blocks on port 25 to stop my mail server going crazy!!
eusty - Sep 04, 2003 - 10:35 PM
Post subject:
Oops, I forgot to log on too
CTCNetwork - Oct 16, 2003 - 01:26 AM
Post subject:
Well, Well, Well, fancy meeting you two here . . ;o)
eusty - Oct 16, 2003 - 08:42 AM
Post subject:
It's a small world!!
jZaw - Apr 21, 2004 - 12:40 PM
Post subject:
Eusty wrote:
I've been having problems with relay attempts from the far east, loads of them!!!
I've had to set the firewall to drop some IP blocks on port 25 to stop my mail server going crazy !!


Yeah, I have half of China, half of Korea and most of Nigeria blocked in my firewall too.

Damn annoying spammer scammers, grrr.
Anonymous - Jul 16, 2004 - 02:22 PM
Post subject:
Greetings,

Apart from my firewall (Agnitum Outpost Pro), I also use Block List Manager.

One of the lists it downloads includes the blocks of IPs for Far Eastern countries known for spamming/relaying/hacking/etc.

I've found its lists particularly useful as a plug-in to my firewall - apart from all the other security-related applications/tweaks I have!

Kindest regards,

James
jZaw - Jul 16, 2004 - 04:45 PM
Post subject:
Hi James,

Yeah, I just build up my own lists of non-desirable IPs, mostly Chinese, Korean, Nigerian and a few Brazilian.

It's easy.

When a spam or, worse, one of those Nigerian scam emails gets through, I whois the IP it's come from,
and lo and behold, mostly it's from China or Nigeria, and then I block the whole subnet.
I'm quite ruthless about it.

If it's a Euro or US provider and it's a big block, I defo inform them.
Usually they respond with thanks ... more ISPs are taking a very hard line with spam and open relays.

If it's a tiny IP range, say just 32, 64 or 128 IPs ... I don't bother,
I just block it.
More than likely the spam is coming from someone who has control over such a small subnet,
so asking them to cull spammer accounts is basically confirming your own email to them ... then they add you to a REAL ADDRESS list.

Also in my mail server I block selective domains like BIGPOND.NET etc.
and variations thereof.

Also in the mail server, for a certain list of domains such as Hotmail, Yahoo etc.,
I do a DNS lookup, then an rDNS, and then match against the HELO/EHLO, and if it doesn't match I drop that mail at the server ... it never reaches the mail client.

Finally I use the Spamhaus RBL ... wonderful for catching the stragglers.

I know of no false positives this way so far,
and at most I get 1 spam a week for all of my 7 various domains' mail servers I run here.

The logs show me 100, sometimes more, attempts per day; thank goodness they don't get through.
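The post above describes a layered accept/reject decision at the SMTP server: drop connections from blocked subnets, refuse blocked sender domains and their subdomains, for selected sender domains require that the client's reverse DNS resolves back to the connecting IP and matches its HELO/EHLO name, and finally query a DNSBL such as Spamhaus. Below is an added example of that decision logic, written here and not taken from jZaw's server or any mail product. To keep it runnable offline, DNS answers come from constructed in-memory tables passed into the function (real code would call a resolver), the DNSBL zone name `dnsbl.example` and every IP, host and listing are constructed placeholders, and the block lists are illustrative.

```python
import ipaddress

# --- constructed lookup data standing in for real DNS and DNSBL answers ---
FORWARD = {"mail.example.net": "198.51.100.10",
           "mx.bigprovider.example": "203.0.113.5"}          # A records (constructed)
REVERSE = {"198.51.100.10": "mail.example.net",
           "203.0.113.5": "mx.bigprovider.example"}          # PTR records (constructed)

# DNSBLs are queried by reversing the IPv4 octets under the list zone,
# e.g. 9.113.0.203.<zone>; the zone here is a placeholder, not a real list.
RBL_ZONE = "dnsbl.example"
RBL_LISTED = {"9.113.0.203." + RBL_ZONE}                     # constructed listing

BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]        # illustrative subnet block
BLOCKED_DOMAINS = {"bigpond.net"}                            # the thread's example domain
HELO_CHECKED_DOMAINS = {"hotmail.com", "yahoo.com", "bigprovider.example"}


def rbl_query_name(ipv4, zone):
    """Build the DNSBL query name for an IPv4 address (reversed octets + zone)."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone


def sender_domain(mail_from):
    return mail_from.rsplit("@", 1)[-1].lower() if "@" in mail_from else ""


def assess_connection(client_ip, helo, mail_from,
                      forward=FORWARD, reverse=REVERSE, rbl=RBL_LISTED):
    """Apply the checks in the order the post describes and return
    ("accept" | "reject", reason). Earlier, cheaper checks short-circuit later ones."""
    ip = ipaddress.ip_address(client_ip)

    # 1. Firewall-style subnet block (the CIDR list built from whois lookups).
    for net in BLOCKED_NETS:
        if ip in net:
            return ("reject", "client in blocked subnet %s" % net)

    # 2. Blocked sender domains "and variations thereof" (subdomains).
    dom = sender_domain(mail_from)
    for blocked in BLOCKED_DOMAINS:
        if dom == blocked or dom.endswith("." + blocked):
            return ("reject", "sender domain blocked")

    # 3. For selected sender domains: PTR must exist, resolve back to the
    #    connecting IP (forward-confirmed rDNS), and equal the HELO/EHLO name.
    if dom in HELO_CHECKED_DOMAINS:
        ptr = reverse.get(client_ip)
        if ptr is None or forward.get(ptr) != client_ip or ptr.lower() != helo.lower():
            return ("reject", "HELO does not match forward/reverse DNS")

    # 4. DNSBL lookup catches the stragglers (IPv4 only in this example).
    if ip.version == 4 and rbl_query_name(client_ip, RBL_ZONE) in rbl:
        return ("reject", "client listed in DNSBL")

    return ("accept", "passed checks")


if __name__ == "__main__":
    for args in [("192.0.2.7", "host.example", "a@b.example"),
                 ("203.0.113.5", "mx.bigprovider.example", "u@bigprovider.example"),
                 ("198.51.100.10", "mail.hotmail.com", "u@hotmail.com"),
                 ("203.0.113.9", "anything", "u@other.example"),
                 ("10.0.0.1", "x", "u@mail.bigpond.net")]:
        print(args, "->", assess_connection(*args))
```

Note what the HELO check does and does not prove: it confirms the connecting host is honestly named, not that it is entitled to send for the sender's domain, so a well-configured third-party relay can pass it with a hotmail.com sender. The post itself reports no false positives from this combination, but the rDNS rule is the one most likely to refuse legitimate mail from badly configured senders, which is why it is applied only to a chosen list of domains rather than globally.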
EagleOwl - Jul 16, 2004 - 08:10 PM
Post subject:
Greetings,

(Yes - I'm the "Guest" to whom you replied!)

That's quite a procedure you've incorporated, jZaw!

Apart from blocking IP addresses, I use a couple of anti-spam packages for my email - MailWasher Pro (server-side) and Spam Inspector (client-side).

The reason for using two is that although MWP starts up Outlook, you have to manually click Send/Receive - this time difference could allow a new mail to be downloaded directly into your client without first being processed by MWP.

Besides, I'm paranoid! - and it's worked! - I've never had a virus/spyware or anything nasty since 1998 (when I bought my computer)!


Spam Inspector has a very useful tool - it tells you if it's safe to use the included "unsubscribe" option in the email - this way, you can safely do so for legitimate mail. Obviously, if it's not safe, I just let my anti-spam packages treat it as normal spam.

I find that MWP is great for deleting emails BEFORE you waste time downloading them - I use the ORDB and Spamhaus filters.

They are extremely effective used in combination - recommended by both the Computer Cops and the Outposts Firewall Users' Support Forum sites, amongst others.

MWP also has a FirstAlert! facility which adds the spammer's details to a database accessible to all MWP users who use this facility. Spam Inspector also allows you to report spam to SpamCop.

Kindest regards,

Eagle Owl
eusty - Jul 16, 2004 - 09:56 PM
Post subject:
A Linko for anyone
Anonymous - Jul 16, 2004 - 11:21 PM
Post subject:
Greetings,

Yes eusty, that's the online blocklist builder/converter/exporter - handy for people who don't want to download the BLM.

Does this mean that others here might not have been aware of this useful tool?

I've used it for a while now with success - the only problem which occurs is when you go to a site and you hear a sharp "CLICK!"; this means that your firewall has stopped you from accessing a site - most likely due to the Blockpost plug-in.

If this is a site you've been happily visiting without problems, it's probably because the Blockpost plug-in has that IP included - perhaps, by accident.

Just edit the plug-in - see your firewall's help files/support site's instructions to find out how to import/edit the Blockpost.

Once the IP is removed, you'll be able to visit the site as before.

What I most like - apart from the anti-spam/hack lists - is the anti-P2P lists.

For anyone downloading files through file-sharing programs, this is a God-send!

It's annoying to find that the MP3 file you're downloading contains - or IS! - a virus/trojan/malware/nasty. Some of these are done deliberately by ... nasty people. The Anti-P2P list is just the thing to help stop this happening.

Apart from BLM/Protowall, I have a number of other security-related applications for spyware/trojans/malware along with my AV software.

If there are any other suggestions wanted/needed, let me know.

Kindest regards,

James