Security Basics mailing list archives

RE: Need your help!!!


From: "Virgil Cui" <vcui () bluecatnetworks com>
Date: Tue, 23 Sep 2003 16:03:59 -0400

It's a good idea to set which computers to allow relay through your SMTP virtual server. You can find it at Default 
SMTP Virtual Server properties->Access->Relay.

Good luck,

Virgil

-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com]
Sent: Tuesday, September 23, 2003 2:17 PM
To: Tenorio, Leandro
Cc: security-basics () securityfocus com
Subject: RE: Need your help!!!


Thanks for all your help.

What I found out is that the people connecting to our server to send spam out originate from 211.158.0.0/16.

I block them on the PIX; is there any other way I can approach this?

Thanks,

Chang


--- "Tenorio, Leandro" <ltenorio () intelaction com> wrote:
You can try two different approaches, either or both, depending on your configuration:

- Enable SMTP authentication on your SMTP virtual server; users and spammers will not be able to send emails unless they authenticate using a valid AD account.

- Block the IPs on the PIX. The approach to this depends on your PIX version; if they use different IPs, you will need to block the entire net.

Also see the attached mail posted on Incidents....




-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com] 
Sent: Saturday, September 20, 2003 12:20 PM
To: security-basics () securityfocus com
Subject: Need your help!!!

Hi, all

Some people connect to my Exchange 2000 server every day and send all their spam out. When I go to Current Sessions under SMTP protocols and Default SMTP Virtual Server in Exchange System Manager, I can see these people's connections and IP addresses (no domain name shows up, only a fake name and IP). I do not know how to block them. This is Exchange 2000 Server with SP3 behind a PIX firewall. We only open ports 25, 443 and 80 for this Exch 2k server on the PIX. The MX record points to this server. If I use NMAP to scan this box internally, here are the ports open:

25/tcp     open        smtp                    
80/tcp     open        http                    
110/tcp    open        pop-3                   
119/tcp    open        nntp                    
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
143/tcp    open        imap2                   
443/tcp    open        https                   
445/tcp    open        microsoft-ds            
563/tcp    open        snews                   
593/tcp    open        http-rpc-epmap          
691/tcp    open        resvc                   
993/tcp    open        imaps                   
995/tcp    open        pop3s                   
3372/tcp   open        msdtc                   
3389/tcp   open        ms-term-serv            
6000/tcp   open        X11                     
6001/tcp   open        X11:1    
6003/tcp   open        X11:3                   
6005/tcp   open        X11:5                   
7001/tcp   open        afs3-callback           
8081/tcp   open        blackice-icecap 

x11?

When I do netstat -na, the following is shown as part of the result:

TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT

This server is not an open relay server, so how can spammers connect to this server to send all their spam out from different domain addresses?

Due to limited experience, I am not able to track it down. Many anti-spam companies put our server on their lists. I asked them to send me reports which indicated, from the mail header info, that all the spam truly went out through my server.

I need to resolve this ASAP and any suggestions or solutions will be greatly appreciated.


Thanks for all your attention and help,

Chang


__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site
design software
http://sitebuilder.yahoo.com



ATTACHMENT part 2 message/rfc822 
Subject: RE: NDRs from spamming
Date: Fri, 19 Sep 2003 13:42:36 -0300
From: "Tenorio, Leandro" <ltenorio () intelaction com>
To: <incidents () securityfocus com>

Thanks Romulo for your summary, a very good practice.
I want to add a note: if you can block the subnets at routing level instead of firewall level, it will keep your firewall log files cleaner, or at least check firewall logs for other suspicious activity. It's common to hide an attack with a lot of "noise".



-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br] 
Sent: Friday, September 19, 2003 7:37 AM
To: incidents () securityfocus com
Subject: RES: NDRs from spamming

Hi All (again),

I would like to thank you for all the replies I received. I would like to write down a summary of what I've found so far about this issue:

 Identification
As you all mentioned, this kind of "behaviour" is a well-known procedure called "joe-jobbing", and it appears to be a common spammer attack (if they don't like you maybe you get such a gift), and a way to relay spam (sort of). I really don't know what triggered the attack, as it seems to be a targeted one. Maybe I have a close "friend" that is a big spammer, go figure.

http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

 Side Effects
There are some strange and unfortunate results:

1. spam blocking
Since you will start sending out lots of NDRs to domains out there, you may get blocked by misconfigured anti-spam tools. They might be triggered by the amount of email you are sending them, or just because your email server typically attaches the original message (so message content scanning anti-spam tools might be triggered as well). Also, instead of analyzing the headers to find out the originating SMTP server, some anti-spam tools might be configured to block looking for the MX of the @domain.com in the From: field (bad). This is generally worse when someone "smart enough" submits your IP to a well-known blackhole list (even "smarter" if they block you based on NDRs). You will probably sort things out, but it will take some time.

2. bandwidth
By default, your mail server will issue an NDR for each NDR it receives, since the mailbox From: names are random. This will probably double the amount of traffic. If you are short on bandwidth or server power, it might be an issue, since these attacks usually generate 10000 NDR mails a day per domain - double that if you have NDRs enabled - multiply by n domains if you are an ISP or host mail servers.

 What can be done
There are some things you might do to ease the pain. It probably won't solve the problem, but might get the side effects under a manageable threshold.

1. temporarily disable NDRs
This would cut in half the amount of traffic and server load generated by the NDRs you receive.

2. track down and block offending SMTP servers
Received lots of messages about this, and it appears to be an effective counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0, 211.158.32.0/255.255.248.0, 211.158.80.0/255.255.248.0, 211.170.0.0 / 219.0.0.0 / 61.30.0.0 (Thanks Justin / Leandro) really reduced the amount of NDRs received. DON'T forget to block secondary, tertiary, etc., SMTP servers, or the NDRs might simply be delivered to them anyway.

Thanks again.

Regards,

Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.
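The summary above makes two operational points: decide where a message really came from by reading the Received chain rather than the forged From: domain, and block the offending source subnets. The following Python is an added example (not from Romulo, Leandro, or anyone else in this thread) that does both for a single inbound message: it walks the Received headers top-down, treats hops added by our own trusted MTAs as reliable, takes the connecting IP of the outermost trusted hop as the true origin, and checks that IP against the subnets named in the thread. The trusted host names, local domain, and the sample message are all constructed for the example.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical values for this example: our own MTAs and our domain.
TRUSTED_HOSTS = {"mail.example.com", "mx1.example.com"}
LOCAL_DOMAIN = "example.com"

# Subnets quoted in the thread (dotted masks converted to prefix lengths).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "218.70.0.0/16", "211.158.32.0/21", "211.158.80.0/21", "211.158.0.0/16")]

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed inbound message: the From: forges a random mailbox in our domain
# (the joe-job pattern), but the Received chain shows it entered our MTA from
# 211.158.32.17. The bottom Received line was added by the remote host and could
# say anything; it must not be trusted.
SAMPLE_MESSAGE = """\
Received: from mx1.example.com (mx1.example.com [10.0.0.5])
\tby mail.example.com with ESMTP id 1A2B3C; Fri, 19 Sep 2003 07:30:01 -0300
Received: from unknown (HELO friend.example.net) ([211.158.32.17])
\tby mx1.example.com with SMTP; Fri, 19 Sep 2003 07:29:58 -0300
Received: from [192.168.1.23] by friend.example.net with SMTP; Fri, 19 Sep 2003 07:29:50 -0300
From: jx92kd@example.com
To: victim@example.org
Subject: cheap stuff

body
"""


def originating_ip(msg, trusted_hosts=TRUSTED_HOSTS):
    """Return the IP that handed the message to our outermost trusted MTA.

    Received headers are prepended by each hop, so the top one is the newest.
    Walking top-down, every header whose 'by' host is one of ours is reliable;
    the first header not written by us may be forged, so we stop there and
    report the 'from' IP recorded by the last trusted hop.
    """
    origin = None
    for hdr in msg.get_all("Received", []):
        by = BY_RE.search(hdr)
        if not by or by.group(1).lower() not in trusted_hosts:
            break
        ip = IP_RE.search(hdr)
        if ip:
            origin = ip.group(1)
    return origin


def blocked_by(ip_str, nets=BLOCKED_NETS):
    """Return the blocklisted network (as a string) containing ip_str, or None."""
    if ip_str is None:
        return None
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def analyze(raw_message, local_domain=LOCAL_DOMAIN):
    """Summarise where a message came from and whether its From: claims our domain."""
    msg = message_from_string(raw_message)
    sender = msg.get("From", "")
    from_domain = sender.rsplit("@", 1)[-1].strip(" <>").lower() if "@" in sender else ""
    origin = originating_ip(msg)
    return {
        "origin_ip": origin,
        "blocked_by": blocked_by(origin),
        "from_claims_local": from_domain == local_domain,
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE))
```

A message whose From: claims the local domain but whose true origin is outside our own address space is exactly the forged-sender traffic that produces the NDR flood, which is why a filter should key on `origin_ip`, not on the From: domain or its MX.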




Hi there,

I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill up the From address (like creating random mailbox/user names and appending the @domain.com to the address).

In theory, this should not be a real concern, since the worst case scenario would be receiving lots of NDRs. But in fact, some strange things are happening.

First, the amount of NDRs is compromising our bandwidth (yes, the NDRs are in the thousands a day already).

Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address (easily forged). Before the question is raised, no, our server is not accepting mails as an open relay, so the messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken?

If it is not, I think it would be nice to issue an advisory, or at least a best practice about configuring anti-spam tools, to NOT blackhole other mail servers based solely on From address fields, which can be easily forged.

Any info on this matter would be greatly appreciated.
