Back to Community Threads
1
SPAM SMTP delivery ?
Question asked by Uwe Degenhardt - 5/12/2015 at 6:20 AM
Unanswered
I everybody, we have the following entries in our smtp.log
I am confused. No authentication message is coming. No real message delivery.
Is this the try to send SPAM-messages ?
 
 
14:53:16 [109.239.173.31][65653794] rsp: 220 smartmail.domain.de
14:53:16 [109.239.173.31][65653794] connected at 12.05.2015 14:53:16
14:53:16 [109.239.173.31][65653794] cmd: HELO localhost
14:53:16 [109.239.173.31][65653794] rsp: 250 smartmail.domain.de Hello [109.239.173.31]
14:53:16 [109.239.173.31][65653794] cmd: MAIL FROM: <info@kundendomain.de>
14:53:16 [109.239.173.31][65653794] rsp: 250 OK <info@kundendomain.de> Sender ok
14:53:16 [109.239.173.31][65653794] cmd: RCPT TO: <dieter@endkundendomain.de>
14:53:16 [109.239.173.31][65653794] rsp: 550 <dieter@endkundendomain.de> No such user here
14:53:16 [109.239.173.31][65653794] cmd: RSET
14:53:16 [109.239.173.31][65653794] rsp: 250 OK

10 Replies

Reply to Thread
0
Bruce Barnes Replied
5/12/2015 at 6:39 AM
Do you host websites on the same server?
 
Have you SMTP AUTHENTICATION BYPASSED 127.0.0.1 in SmarterMail?
 
Have you WHITELISTED 127.0.0.1 in SmarterMail?
 
I ask because the line, "14:53:16 [109.239.173.31][65653794] cmd: HELO localhost" makes it look like someone has compromised your server and is using an SMTP service to send through SmarterMail.
 
 
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Uwe Degenhardt Replied
5/12/2015 at 8:24 AM
Hi Bruce, thank you. No, I don't host other websites. But I run
IIS for the SM-Webmailer and Admin-Access.
I doublechecked SMTP-Bypass. 127.0.0.1 is not there.
Also I haven't whitelisted it. Strange.
I will scan the whole server with a virus scanner.
 
Could it be, that these are compromised eMail-Accounts
running through the SM-Webmailer ?
0
Joe Wolf Replied
5/12/2015 at 9:08 AM
Nothing to worry about. Someone just tried to send a message to a user that doesn't exist on your server.
Thanks, -Joe
0
Uwe Degenhardt Replied
5/12/2015 at 9:37 AM
Hi Joe, it tested this. It looks as if you are right. Although it should't say HELO localhost. So it might be a trojan running on localhost, or they try to SMTP the machine directly with a fake host.
0
Steve Reid Replied
5/12/2015 at 9:38 AM
That is what the sending server is calling itself.
0
Joe Wolf Replied
5/12/2015 at 10:01 AM
What Steve said is correct. That's just what the sending client/server sent. If you want to reproduce this just telnet to your SmarterMail server on Port 25 and issue "HELO localhost" and you'll duplicate what your log shows. HELO itself is obsolete (should be EHLO) but you can make it say anything you want. Your server responded correctly by just saying Hello and the IP Address. A lot of web forms often identify themselves in this way. This will trip the rDNS spam filter.
Thanks, -Joe
0
Uwe Degenhardt Replied
5/12/2015 at 10:03 AM
Hi Steve, thank you. For me it is different, or I didn't get what you are saying. If the remote client is accessing the server directly and doesn't have a host configured the client is named localhost (default windows). Usually it should say: HELO gateway.mydomain.de since kundendomain.de is behind the gateway.mydomain.de. So it might be, that the SPAMMER/attacker uses SM directly with a host-unconfigured client. Usually SPAMMER do this I think.
0
Uwe Degenhardt Replied
5/12/2015 at 10:19 AM
Hi Joe and Steve, thanks for clarifying this. :-)
0
Steve Reid Replied
5/12/2015 at 10:21 AM
If you are saying you have an incoming gateway and all legitimate email are logged with the gateway EHLO, then it seems someone found a way to send directly to your server. Either way the email was stopped so nothing compromised.
0
Uwe Degenhardt Replied
5/12/2015 at 10:47 AM
Hi Steve, yes. I think he/she got the customer-domain from somewhere. Then he/she made some DNS-lookup and got the IP from the endpoint eMail-server, which is smartermail. I was a bit worried, since lately I got a lot hacked eMail-Accounts. But the logging was quite different. But better to be worried than to do nothing. ;-)
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Configure SmarterMail as a Free Gateway ServerSmarterMail > Server Configuration and Management
Cannot Send Email MessagesSmarterMail > Troubleshooting
Find a Compromised AccountSmarterMail > Troubleshooting
Messages to Yahoo! Emails are Temporarily DeferredSmarterMail > Troubleshooting
Legal Holds and LitigationSmarterMail > Installation and Configuration