IIS and SMTP - smtp log shows unauthorized activity







deciacco

2006-04-27, 7:24 pm

I set up Windows 2003 server as a mail server with pop and smtp
services. Smtp is set up with anonymous access and integrated win auth.
Relay is set to Only list below (with an empty list) and allow all
computers which succ. auth to relay regardless of the list. I've set
my logging to hourly so I can better monitor the activity. I haven't
been using the server so I can see what happens. It hasn't happened
often but I have gotten a few log files with activity. So this leads me
to believe that the server is relaying even if not supposed to. Here is
what one log file looks like:

203.67.89.208 0 HELO - +<<myip>> 250 0 33 18 0
203.67.89.208 0 MAIL - +FROM:+<eiwueirw@msa.hinet.net> 250 0 47 35 0
203.67.89.208 0 RCPT - +TO:+<uu1553@so-net.net.tw> 550 0 52 31 0
203.67.89.208 0 QUIT - <<myip>> 240 1421 52 31 343

Trying to figure out what I can do to fix this.

Any suggestions?

PL

2006-04-29, 1:15 pm


Check "Allow only list below" and UNCHECK "Allow all computers which
successfully authenticate to relay regardless of the list".

PL.


"deciacco" <eugenio@iatmgu.com> wrote in message
news:1146181030.431030.51880@v46g2000cwv.googlegroups.com...
>I set up Windows 2003 server as a mail server with pop and smtp
> services. Smtp is set up with anonymous access and integrated win auth.
> Relay is set to Only list below (with an empty list) and allow all
> computers which succ. auth to relay regardless of the list. I've set
> my logging to hourly so I can better monitor the activity. I haven't
> been using the server so I can see what happens. It hasn't happened
> often but I have gotten a few log files with activity. So this leads me
> to believe that the server is relaying even if not supposed to. Here is
> what one log file looks like:
>
> 203.67.89.208 0 HELO - +<<myip>> 250 0 33 18 0
> 203.67.89.208 0 MAIL - +FROM:+<eiwueirw@msa.hinet.net> 250 0 47 35 0
> 203.67.89.208 0 RCPT - +TO:+<uu1553@so-net.net.tw> 550 0 52 31 0
> 203.67.89.208 0 QUIT - <<myip>> 240 1421 52 31 343
>
> Trying to figure out what I can do to fix this.
>
> Any suggestions?
>



Johan Karl Larsen

2006-04-30, 7:17 am

There is nothing to fix :-)

From the log entries it is clear that 203.67.89.208 did not manage to relay
because the RCPT command gave a 550 error in return. Also, there is no DATA
command present between RCPT and QUIT, hence, no mail was sent. Looks like
you got a visit from a compromised machine or 13-year-old script kiddie
looking for open relays.

Correct netiquette would be to (...yawn...):
1. Complain to owner of network 203.67.89.208
2. Tell postmaster of so-net.net.tw to close down account uu1553

If you look up the IP at
http://openrbl.org/client/#203.67.89.208
you will see that he (or his IP range) has been listed in different
blackholes/lists, whatever.

If you want to block listed IPs from sending mail to your server, use a tool
like Open Relay Filter
http://martijnjongen.com/Default.aspx?tabid=27

--
Johan

"deciacco" <eugenio@iatmgu.com> wrote in message
news:1146181030.431030.51880@v46g2000cwv.googlegroups.com...
>I set up Windows 2003 server as a mail server with pop and smtp
> services. Smtp is set up with anonymous access and integrated win auth.
> Relay is set to Only list below (with an empty list) and allow all
> computers which succ. auth to relay regardless of the list. I've set
> my logging to hourly so I can better monitor the activity. I haven't
> been using the server so I can see what happens. It hasn't happened
> often but I have gotten a few log files with activity. So this leads me
> to believe that the server is relaying even if not supposed to. Here is
> what one log file looks like:
>
> 203.67.89.208 0 HELO - +<<myip>> 250 0 33 18 0
> 203.67.89.208 0 MAIL - +FROM:+<eiwueirw@msa.hinet.net> 250 0 47 35 0
> 203.67.89.208 0 RCPT - +TO:+<uu1553@so-net.net.tw> 550 0 52 31 0
> 203.67.89.208 0 QUIT - <<myip>> 240 1421 52 31 343
>
> Trying to figure out what I can do to fix this.
>
> Any suggestions?
>

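One way to apply Johan's reading of the log at scale: a small parser that decides, per client session, whether mail was actually relayed (an external RCPT accepted with 250 and a DATA command accepted) or merely probed and refused. This is an added example, not code from the thread; the column layout, the `LOCAL_DOMAINS` set and the treatment of DATA status codes are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log excerpt posted in the thread.
SAMPLE_LOG = """\
203.67.89.208 0 HELO - +<<myip>> 250 0 33 18 0
203.67.89.208 0 MAIL - +FROM:+<eiwueirw@msa.hinet.net> 250 0 47 35 0
203.67.89.208 0 RCPT - +TO:+<uu1553@so-net.net.tw> 550 0 52 31 0
203.67.89.208 0 QUIT - <<myip>> 240 1421 52 31 343
"""

LOCAL_DOMAINS = {"example.com"}  # assumed: domains this server accepts mail for

@dataclass
class Entry:
    ip: str
    command: str
    params: str
    status: int

def parse_line(line):
    """Assumed columns: client-ip, id, command, uri-stem, params, status, ...
    (trailing byte/time fields are ignored). Returns None for unparseable lines."""
    f = line.split()
    if len(f) < 6 or not f[5].isdigit():
        return None
    return Entry(f[0], f[2].upper(), f[4], int(f[5]))

def recipient_domain(params):
    m = re.search(r"<[^@>]+@([^>]+)>", params)
    return m.group(1).lower() if m else None

def classify_session(lines):
    """'relayed', 'relay_attempt_blocked', 'local_delivery' or 'no_mail'.
    Mail left the server only if an external RCPT got 250 AND DATA was accepted
    (assumed: DATA logged with a 2xx/3xx status means the message body was taken)."""
    ext_ok = ext_rejected = data_ok = False
    for e in filter(None, map(parse_line, lines)):
        if e.command == "RCPT":
            dom = recipient_domain(e.params)
            external = dom is not None and dom not in LOCAL_DOMAINS
            ext_ok |= external and e.status == 250
            ext_rejected |= external and e.status >= 500
        elif e.command == "DATA" and e.status < 400:
            data_ok = True
    if ext_ok and data_ok:
        return "relayed"
    if ext_rejected and not data_ok:
        return "relay_attempt_blocked"
    return "local_delivery" if data_ok else "no_mail"

def audit_log(text):
    """Group a log file by client IP and classify each client's session."""
    by_ip = {}
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            by_ip.setdefault(e.ip, []).append(line)
    return {ip: classify_session(ls) for ip, ls in by_ip.items()}
```

For the posted excerpt this reports `relay_attempt_blocked`, matching Johan's conclusion; a `relayed` verdict is the one that would actually warrant the relay-restriction change PL describes.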


Jeff Cochran

2006-05-01, 7:20 am

On 27 Apr 2006 16:37:10 -0700, "deciacco" <eugenio@iatmgu.com> wrote:

>I set up Windows 2003 server as a mail server with pop and smtp
>services. Smtp is set up with anonymous access and integrated win auth.
> Relay is set to Only list below (with an empty list) and allow all
>computers which succ. auth to relay regardless of the list. I've set
>my logging to hourly so I can better monitor the activity. I haven't
>been using the server so I can see what happens. It hasn't happened
>often but I have gotten a few log files with activity. So this leads me
>to believe that the server is relaying even if not supposed to. Here is
>what one log file looks like:
>
>203.67.89.208 0 HELO - +<<myip>> 250 0 33 18 0
>203.67.89.208 0 MAIL - +FROM:+<eiwueirw@msa.hinet.net> 250 0 47 35 0
>203.67.89.208 0 RCPT - +TO:+<uu1553@so-net.net.tw> 550 0 52 31 0
>203.67.89.208 0 QUIT - <<myip>> 240 1421 52 31 343
>
>Trying to figure out what I can do to fix this.
>
>Any suggestions?


Block all IP ranges assigned to the TW TLD. Assuming you have no
reason to expect legitimate mail from Taiwan.

Jeff







Copyright 2003 - 2008 webservertalk.com