Security Basics mailing list archives
RE: Need your help!!!
From: "Virgil Cui" <vcui () bluecatnetworks com>
Date: Tue, 23 Sep 2003 16:03:59 -0400
It's a good idea to set which computers are allowed to relay through your SMTP virtual server. You can find it at Default SMTP Virtual Server properties -> Access -> Relay.

Good luck,
Virgil

-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com]
Sent: Tuesday, September 23, 2003 2:17 PM
To: Tenorio, Leandro
Cc: security-basics () securityfocus com
Subject: RE: Need your help!!!

Thanks for all your help. What I found out is that the people who connect to our server to send spam out originate from 211.158.0.0/16. I blocked them on the PIX; is there any other way I can approach this?

Thanks,
Chang

--- "Tenorio, Leandro" <ltenorio () intelaction com> wrote:

You can try two different approaches, either or both, depending on your configuration:

- Enable SMTP authentication on your SMTP virtual server; the users and spammers will not be able to send emails unless they authenticate using a valid AD account.
- Block the IPs on the PIX. The approach to this depends on your PIX version; if they use different IPs, you will need to block the entire net.

Also see the attached mail posted on Incidents....

-----Original Message-----
From: chang zhu [mailto:cyz2000 () yahoo com]
Sent: Saturday, September 20, 2003 12:20 PM
To: security-basics () securityfocus com
Subject: Need your help!!!

Hi, all

Some people connect to my Exchange 2000 server every day and send all their spam out. When I go to Current Sessions under SMTP Protocols and Default SMTP Virtual Server from Exchange System Manager, I can see these people's connections and IP addresses (no domain name shows up, only a fake name and the IP). I do not know how to block them.

This is Exchange 2000 Server with SP3, behind a PIX firewall. We only open ports 25, 443 and 80 for this Exchange 2000 server on the PIX. The MX record points to this server.

If I use NMAP to scan this box internally, here are the ports open:

25/tcp open smtp
80/tcp open http
110/tcp open pop-3
119/tcp open nntp
135/tcp open loc-srv
139/tcp open netbios-ssn
143/tcp open imap2
443/tcp open https
445/tcp open microsoft-ds
563/tcp open snews
593/tcp open http-rpc-epmap
691/tcp open resvc
993/tcp open imaps
995/tcp open pop3s
3372/tcp open msdtc
3389/tcp open ms-term-serv
6000/tcp open X11
6001/tcp open X11:1
6003/tcp open X11:3
6005/tcp open X11:5
7001/tcp open afs3-callback
8081/tcp open blackice-icecap

x11?

When I do netstat -na, the following is shown in part of the result:

TCP 127.0.0.1:25 127.0.0.1:54441 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54898 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54904 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54914 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54916 TIME_WAIT
TCP 127.0.0.1:25 127.0.0.1:54988 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54433 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54434 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54442 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54443 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54444 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54445 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54446 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54454 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54890 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54893 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54903 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54911 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54913 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54915 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54917 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54918 TIME_WAIT
TCP 127.0.0.2:25 127.0.0.2:54919 TIME_WAIT
TCP 127.0.0.100:25 127.0.0.100:54905 TIME_WAIT
TCP 127.0.0.100:25 127.0.0.100:54912 TIME_WAIT
TCP 127.0.1.50:25 127.0.1.50:54456 TIME_WAIT

This server is not an open relay server, so how can spammers connect to this server to send all their spam out from different domain addresses? Due to limited experience, I am not able to tackle it. Many anti-spam companies have put our server on their lists. I asked them to send me a report that indicated all spams truly went out through my server, from the mail header info. I need to resolve this ASAP and any suggestions or solutions will be greatly appreciated.

Thanks for all your attention and help,
Chang
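The two fixes proposed above (a relay allow-list on the SMTP virtual server, SMTP authentication, and a firewall block of the offending /16) all hinge on being able to tell relayed transactions from legitimate ones and on knowing which ranges they come from. The following Python is an added example, not code from anyone in this thread: it reads SMTP transaction records in a constructed, simplified format, flags the ones the server would have relayed for an unauthenticated, non-allow-listed client, and counts them per network prefix so that a block decision rests on data rather than on eyeballing Current Sessions. LOCAL_DOMAINS, RELAY_ALLOWED, the record format and all sample addresses are assumptions; 211.158.0.0/16 is the range Chang reported.

```python
"""Triage of SMTP relay abuse from transaction records.

Added example, not code from the thread. The record format is a
constructed, simplified one: one line per SMTP transaction giving the
client IP, whether the session authenticated, and the envelope
addresses. Exchange's own protocol log fields differ; map them into
this shape before feeding them in.
"""
import ipaddress
from collections import Counter

# Domains this server accepts mail for (assumed values).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}

# Hosts allowed to relay without authentication: the equivalent of the
# Relay allow-list under Default SMTP Virtual Server -> Access (assumed).
RELAY_ALLOWED = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records: timestamp client_ip authenticated mail_from rcpt_to
# 211.158.0.0/16 is the range named in the thread; the rest are documentation ranges.
SAMPLE_LOG = """\
2003-09-23T14:01:02 211.158.33.7 no bob@random.invalid alice@victim.example
2003-09-23T14:01:03 211.158.33.7 no bob@random.invalid carol@victim.example
2003-09-23T14:01:09 211.158.81.20 no x@random.invalid dave@other.example
2003-09-23T14:02:11 192.0.2.15 no web@example.com partner@other.example
2003-09-23T14:03:40 198.51.100.9 yes joe@example.com friend@other.example
2003-09-23T14:04:01 203.0.113.77 no news@elsewhere.example joe@example.com
2003-09-23T14:05:22 211.158.34.2 no y@random.invalid erin@other.example
"""


def parse_record(line):
    """Split one constructed record into its fields."""
    ts, ip, auth, mail_from, rcpt_to = line.split()
    return {"ts": ts, "ip": ipaddress.ip_address(ip),
            "authenticated": auth == "yes",
            "mail_from": mail_from, "rcpt_to": rcpt_to}


def is_relay(rec):
    """True when the server would forward this mail to a foreign domain
    for a client that neither authenticated nor sits on the relay list."""
    rcpt_domain = rec["rcpt_to"].rsplit("@", 1)[-1].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return False                      # inbound mail for us, not a relay
    if rec["authenticated"]:
        return False                      # SMTP auth with a valid account
    return not any(rec["ip"] in net for net in RELAY_ALLOWED)


def relay_counts_by_prefix(log_text, prefixlen=16):
    """Relay transactions grouped into /prefixlen networks, busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if is_relay(rec):
            net = ipaddress.ip_network(f"{rec['ip']}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()


def block_candidates(log_text, threshold=3, prefixlen=16):
    """Prefixes with at least `threshold` relay transactions, sorted, as
    input to a firewall deny list. A /16 is a blunt instrument: run the
    same count at /24 before deciding how wide the block must be."""
    return sorted(net for net, n in relay_counts_by_prefix(log_text, prefixlen)
                  if n >= threshold)


if __name__ == "__main__":
    for net, n in relay_counts_by_prefix(SAMPLE_LOG):
        print(f"{net:20} {n} relay transaction(s)")
    print("block candidates:", block_candidates(SAMPLE_LOG))
```

On the constructed sample, only the 211.158.0.0/16 clients relay; the allow-listed web host, the authenticated user and the inbound message for a local mailbox are all left alone, which is exactly the state the relay list plus SMTP authentication should produce on the server itself.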
ATTACHMENT part 2 message/rfc822
Subject: RE: NDRs from spamming
Date: Fri, 19 Sep 2003 13:42:36 -0300
From: "Tenorio, Leandro" <ltenorio () intelaction com>
To: <incidents () securityfocus com>

Thanks Romulo for your summary, a very good practice. I want to add a note: if you can block the subnets at routing level instead of firewall level, it will keep your firewall log files cleaner; or at least check the firewall logs for other suspicious activity. It's common to hide an attack with a lot of "noise".

-----Original Message-----
From: Romulo M. Cholewa [mailto:rmc () rmc eti br]
Sent: Friday, September 19, 2003 7:37 AM
To: incidents () securityfocus com
Subject: RES: NDRs from spamming

Hi All (again),

I would like to thank you for all the replies I received. I would like to write down a summary of what I've found so far about this issue:

Identification

As you all mentioned, this kind of "behaviour" is a well-known procedure called "joe-jobbing", and it appears to be a common spammer attack (if they don't like you, maybe you get such a gift), and a way to relay spam (sort of). I really don't know what triggered the attack, as it seems to be a targeted one. Maybe I have a close "friend" that is a big spammer, go figure.

http://www.cmsconnect.com/Praetor/RNDR/prRNDR.htm

Side Effects

There are some strange and unfortunate results:

1. spam blocking

Since you will start sending out lots of NDRs to domains out there, you may get blocked by misconfigured anti-spam tools. They might be triggered by the amount of email you are sending them, or just because your email server tends to attach the original message (so message-content-scanning anti-spam tools might be triggered as well). Also, instead of analyzing the headers to find out the originating SMTP server, some anti-spam tools might be configured to block by looking up the MX of the @domain.com in the From: field (bad).

This is generally worse when someone "smart enough" submits your IP to a well-known blackhole list (even "smarter" if they block you based on NDRs). You will probably sort things out, but it will take some time.

2. bandwidth

By default, your mail server will issue an NDR for each NDR it receives, since the From: mailbox names are random. This will probably double the amount of traffic. If you are short on bandwidth or server power, it might be an issue, since these attacks usually generate 10000 NDR mails a day per domain - double that if you have NDRs enabled - multiplied by n domains if you are an ISP or host mail servers.

What can be done

There are some things you might do to ease the pain. It probably won't solve the problem, but might get the side effects under a manageable threshold.

1. temporarily disable NDRs

This would cut in half the amount of traffic and server load generated by the NDRs you receive.

2. track down and block offending SMTP servers

I received lots of messages about this, and it appears to be an effective counter-measure. Blocking IP subnets like 218.70.0.0/255.255.0.0, 211.158.32.0/255.255.248.0, 211.158.80.0/255.255.248.0, 211.170.0.0 / 219.0.0.0 / 61.30.0.0 (thanks Justin / Leandro) really reduced the amount of NDRs received. DON'T forget to block secondary, tertiary, etc., SMTP servers, or the NDRs might simply be delivered to them anyway.

Thanks again.

Regards,
Romulo M. Cholewa
Home : http://www.rmc.eti.br
PGP Keys Available @ website.

Hi there,

I've noticed some increasing activity in our postmaster account since 2 weeks ago. We are receiving lots of NDRs from hundreds of non-existent "pseudo" email addresses. I found out that spammers are using our domain to fill in the From address (creating random mailbox/user names and appending @domain.com to the address). In theory, this should not be a real concern, since the worst-case scenario would be receiving lots of NDRs. But in fact, some strange things are happening.

First, the amount of NDRs is compromising our bandwidth (yes, the NDRs are in the thousands a day already). Second, some stupid (or badly configured) anti-spam systems are blocking my mail server based on the email address (easily forged). Before the question is raised: no, our server is not accepting mail as an open relay, so the messages are not being originated here.

So, I would like to ask if this is a known issue. If it is, are there any counter-measures that could be taken? If it is not, I think it would be nice to issue an advisory, or at least a best practice about configuring anti-spam tools, to NOT blackhole other mail servers based solely on From address fields, which can be easily forged.

Any info on this matter would be greatly appreciated.
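Romulo's summary above describes the two halves of a joe-job: bounces arriving for mail that never left the victim's server, and the need to identify which SMTP servers are sending them so their subnets can be blocked. The Python below is an added example, not code from Romulo, Leandro or the list: it parses a bounce as postmaster@ would receive it, classifies it as backscatter when the returned original carries our domain in From: but no Received: line shows it passing through our own outbound host, and tallies the bouncing MTAs by /16 as input to the kind of subnet block described in the summary. OUR_DOMAIN, OUR_OUTBOUND_HOSTS, the bounce template and every address and host name are constructed; 218.70.0.0/16 is one of the ranges named in the summary.

```python
"""Classifying bounce messages (NDRs) as joe-job backscatter.

Added example, not code from the thread. A bounce is backscatter when
the returned original has our domain in From: but never passed through
our outbound host, i.e. the sender address was forged elsewhere.
"""
import email
import ipaddress
import re
from collections import Counter
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                  # assumed
OUR_OUTBOUND_HOSTS = ("mail.example.com", "198.51.100.25")  # assumed

# Constructed multipart/report bounce carrying the original message as a
# message/rfc822 part. The first Received: is the one our own server adds.
NDR_TEMPLATE = """\
Received: from {bouncer} ({bouncer} [{bouncer_ip}]) by mail.example.com with ESMTP; Fri, 19 Sep 2003 10:00:00 -0300
From: Mail Delivery System <MAILER-DAEMON@{bouncer}>
To: postmaster@example.com
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The user does not exist.

--B1
Content-Type: message/rfc822

{original_received}
From: {original_from}
To: someone@other.example
Subject: hello
Message-ID: <1@random.invalid>

body
--B1--
"""


def build_ndr(bouncer, bouncer_ip, original_from, original_received):
    """Fill the constructed template for one bounce."""
    return NDR_TEMPLATE.format(bouncer=bouncer, bouncer_ip=bouncer_ip,
                               original_from=original_from,
                               original_received=original_received)


# Two forged-sender bounces from one /16 and one genuine bounce for a
# message our server really sent (all values constructed).
SAMPLE_NDRS = [
    build_ndr("mx.other.example", "218.70.12.3", "qwx8812@example.com",
              "Received: from unknown (HELO victim) [218.70.9.41] by mx.other.example with SMTP; Fri, 19 Sep 2003 09:59:00 -0300"),
    build_ndr("mx2.other.example", "218.70.40.8", "ab771@example.com",
              "Received: from unknown (HELO victim) [218.70.9.42] by mx2.other.example with SMTP; Fri, 19 Sep 2003 09:58:00 -0300"),
    build_ndr("mx.partner.example", "203.0.113.5", "joe@example.com",
              "Received: from mail.example.com (mail.example.com [198.51.100.25]) by mx.partner.example with ESMTP; Fri, 19 Sep 2003 09:50:00 -0300"),
]


def returned_original(raw_ndr):
    """The message/rfc822 part of a bounce, or None if it carries none."""
    msg = email.message_from_string(raw_ndr, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def is_backscatter(raw_ndr):
    """True when the bounced original claims our domain but shows no
    trace of our outbound host in its Received: chain."""
    original = returned_original(raw_ndr)
    if original is None:
        return False
    sender = parseaddr(str(original.get("From", "")))[1].lower()
    if not sender.endswith("@" + OUR_DOMAIN):
        return False                      # not about our domain at all
    for received in original.get_all("Received", []):
        if any(host in str(received) for host in OUR_OUTBOUND_HOSTS):
            return False                  # it genuinely left our server
    return True


def bounce_source_ip(raw_ndr):
    """IP of the MTA that delivered the bounce to us, read from the
    topmost Received: line (the one our own server wrote)."""
    msg = email.message_from_string(raw_ndr, policy=policy.default)
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg.get("Received", "")))
    return ipaddress.ip_address(m.group(1)) if m else None


def backscatter_sources(raw_ndrs, prefixlen=16):
    """Backscatter bounces per source prefix, busiest first; the
    candidates for a routing-level or firewall block."""
    counts = Counter()
    for raw in raw_ndrs:
        if is_backscatter(raw):
            ip = bounce_source_ip(raw)
            if ip is not None:
                net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
                counts[str(net)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for net, n in backscatter_sources(SAMPLE_NDRS):
        print(f"{net:20} {n} backscatter bounce(s)")
```

The check deliberately looks at the returned original's own Received: chain rather than at the From: address, which is the distinction Romulo asks anti-spam tools to make; the genuine bounce in the sample is kept out of the block tally because its original really did traverse mail.example.com.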