SPAM SMTP delivery ?
Question asked by Uwe Degenhardt - 5/12/2015 at 6:20 AM
Unanswered
I everybody, we have the following entries in our smtp.log
I am confused. No authentication message is coming. No real message delivery.
Is this the try to send SPAM-messages ?
 
 
14:53:16 [109.239.173.31][65653794] rsp: 220 smartmail.domain.de
14:53:16 [109.239.173.31][65653794] connected at 12.05.2015 14:53:16
14:53:16 [109.239.173.31][65653794] cmd: HELO localhost
14:53:16 [109.239.173.31][65653794] rsp: 250 smartmail.domain.de Hello [109.239.173.31]
14:53:16 [109.239.173.31][65653794] cmd: MAIL FROM: <info@kundendomain.de>
14:53:16 [109.239.173.31][65653794] rsp: 250 OK <info@kundendomain.de> Sender ok
14:53:16 [109.239.173.31][65653794] cmd: RCPT TO: <dieter@endkundendomain.de>
14:53:16 [109.239.173.31][65653794] rsp: 550 <dieter@endkundendomain.de> No such user here
14:53:16 [109.239.173.31][65653794] cmd: RSET
14:53:16 [109.239.173.31][65653794] rsp: 250 OK

10 Replies

Reply to Thread
0
Bruce Barnes Replied
Do you host websites on the same server?
 
Have you SMTP AUTHENTICATION BYPASSED 127.0.0.1 in SmarterMail?
 
Have you WHITELISTED 127.0.0.1 in SmarterMail?
 
I ask because the line, "14:53:16 [109.239.173.31][65653794] cmd: HELO localhost" makes it look like someone has compromised your server and is using an SMTP service to send through SmarterMail.
 
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Uwe Degenhardt Replied
Hi Bruce, thank you. No, I don't host other websites. But I run
IIS for the SM-Webmailer and Admin-Access.
I doublechecked SMTP-Bypass. 127.0.0.1 is not there.
Also I haven't whitelisted it. Strange.
I will scan the whole server with a virus scanner.
 
Could it be, that these are compromised eMail-Accounts
running through the SM-Webmailer ?
0
Joe Wolf Replied
Nothing to worry about. Someone just tried to send a message to a user that doesn't exist on your server.
Thanks,
-Joe
0
Uwe Degenhardt Replied
Hi Joe, it tested this. It looks as if you are right. Although it should't say HELO localhost. So it might be a trojan running on localhost, or they try to SMTP the machine directly with a fake host.
0
Steve Reid Replied
That is what the sending server is calling itself.
0
Joe Wolf Replied
What Steve said is correct. That's just what the sending client/server sent. If you want to reproduce this just telnet to your SmarterMail server on Port 25 and issue "HELO localhost" and you'll duplicate what your log shows. HELO itself is obsolete (should be EHLO) but you can make it say anything you want. Your server responded correctly by just saying Hello and the IP Address. A lot of web forms often identify themselves in this way. This will trip the rDNS spam filter.
Thanks,
-Joe
0
Uwe Degenhardt Replied
Hi Steve, thank you. For me it is different, or I didn't get what you are saying. If the remote client is accessing the server directly and doesn't have a host configured the client is named localhost (default windows). Usually it should say: HELO gateway.mydomain.de since kundendomain.de is behind the gateway.mydomain.de. So it might be, that the SPAMMER/attacker uses SM directly with a host-unconfigured client. Usually SPAMMER do this I think.
0
Uwe Degenhardt Replied
Hi Joe and Steve, thanks for clarifying this. :-)
0
Steve Reid Replied
If you are saying you have an incoming gateway and all legitimate email are logged with the gateway EHLO, then it seems someone found a way to send directly to your server. Either way the email was stopped so nothing compromised.
0
Uwe Degenhardt Replied
Hi Steve, yes. I think he/she got the customer-domain from somewhere. Then he/she made some DNS-lookup and got the IP from the endpoint eMail-server, which is smartermail. I was a bit worried, since lately I got a lot hacked eMail-Accounts. But the logging was quite different. But better to be worried than to do nothing. ;-)

Reply to Thread