Spammer using 550 Authentication on backup mail to send spam

Question asked by Cory Claflin - 8/18/2018 at 7:58 AM

Answered

Hello,

I am starting to get an increasing amount of Delivery Failure emails from our backup mail server to multiple address across multiple domains.

It is clearly spam emails being sent from a valid xxx@domain.com to the same xxx@domain.com through our backup mail server.

The person then received the Delivery Failure email, essentially getting a stripped down spam email.

I'm unsure how I stop this. I'm guessing I just am missing something simple.

I'm also unsure how so many valid emails are being sent spam this way, almost like the server is somehow publicly showing addresses. I doubt that is the deal, I am assuming they are getting the addresses the way they always would but choosing to attack this way since the spam block is getting most all spam quite well.

Any insight would be helpful. I'll paste an example below so you can see what I'm talking about 100%. I have renamed our domain names but want to confirm the email is a valid address on our domain. The example below is actually an alias so it isn't even a valid sending account.

Received: from adsl.viettel.vn (adsl.viettel.vn [115.76.190.40]) by mail2.backupserver.net with SMTP;
Sat, 18 Aug 2018 04:15:36 -0500
Message-ID: <26104B577E7D0C62540F133A39482610@84ND78XU>
From: <benchmark@validdomain.com>
To: <benchmark@validdomain.com>
Subject: Enjoy?
Date: 18 Aug 2018 21:55:40 +0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="cp-850"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5512
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

6 Replies

Reply to Thread

kevind Replied

8/18/2018 at 2:42 PM

Cory,

What version of SM are you running? Not sure if it's the exact problem you're experiencing, but a similar issue was fixed in 16. It is still broken in 15.

See: https://portal.smartertools.com/community/a89857/spam-from-the-own-user.aspx

Kevin

Cory Claflin Replied

8/20/2018 at 6:08 AM

I think you nailed it. Our main server has been upgraded to 16 but the backup mail server is still running 15.

I'll update it and see if it fixes the issues. Thanks!

Employee Replied

8/21/2018 at 2:30 PM

Employee Post Marked As Answer

Hi Cory,

As Kevin mentioned above, this is, unfortunately, a known issue in SmarterMail 15.x. However, it has been resolved in SmarterMail 16.3.6543:
Changed: SMTP and Delivery processes now utilize the From address in email headers if it is provided; provides better spoofing protection.

I'm afraid we aren't able to implement this change in SmarterMail 15.x as the foundation of the product doesn't support this change.

Cory Claflin Replied

8/24/2018 at 2:34 PM

Okay so I updated from 15X to the latest 16 I downloaded today.

Using Telnet I connected without authenticating to the backup server, sent an email from me to me.

I then received the Delivery Failure in my email telling me Authentication is required for relay.

Paul Blank Replied

8/24/2018 at 3:47 PM

One would think that in a currently supported version of SM, major security holes such as these would be patched, no matter the "foundation" issues at hand.

kevind Replied

8/24/2018 at 4:24 PM

Originally reported in early 2016 and had 14 votes.
https://portal.smartertools.com/community/a87739/vulnerability-local-domains-being-spoofed.aspx

Back to Community Threads

Please leave this box unchecked

6 Replies

Reply to Thread

Tags

Related Knowledge Base Articles