emails sent out from a server with no domain on
Question asked by Arvin - 4/30/2020 at 5:37 AM
Hi guys,

I want to share a problem that I am trying go solve on a new smartermail server I setup.
There are absolute no domains configured on the server at the moment. It's not an open relay and I saw that there were mail being sent out.
There are only a few email per day sent, which I assume they are not abusing hard for not getting noticed.

Can anyone help me to identify this sendings in the log files in order to reveal more about what is going on.
I need to find the reason and fix it.

Thanks in advance!

4 Replies

Reply to Thread
Sébastien Riccio Replied

You should enable detailed login for delivery and SMTP in Troubleshootings options of SmarterMail.

Then you should be able to see if there are any incoming SMTP connections in the SMTP log and outgoing SMTP connections in the delivery log.

I'm not sure without looking at these logs, but they could be bounces sent out by SmarterMail for random spamming attempts directed to your server IP.

Kind regards.
Sébastien Riccio System & Network Admin https://swisscenter.com
Arvin Replied
There are a lot of things in the logs. I am not able to figure out what is what. Do you mind having a look ?
I would appreciate that a lot..
Sébastien Riccio Replied
There are multiple interresting things in this log.

Most of the attemps are attempts to log in as SMTP users on the domaine utopia-cloud.com
Was the IP of your server, already a mail server for this domain before you install smartermail ?

00:00:56.628 [][5609259] Authenticating as partenaires@utopia-cloud.com
00:00:56.628 [][5609259] rsp: 334 UGFzc3dvcmQ6
00:00:57.370 [][5609259] Authentication failed - login failed LOGIN_FAILURE_DOMAIN_NOT_FOUND

All attempts are failing though because the domain is not configured on your server.

But it also looks like your server is accepting to relay mail to other domains without authentification, so it's or it was an open relay.

00:06:47.209 [][37350199] rsp: 220 backupMX.utopia-cloud.com
00:06:47.209 [][37350199] connected at 4/30/2020 12:06:47 AM
00:06:47.209 [][37350199] Country code: TR
00:06:47.370 [][37350199] cmd: EHLO gluepush.icu
00:06:47.373 [][37350199] rsp: 250-mail2.utopia-cloud.com Hello []250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
00:06:47.555 [][37350199] cmd: MAIL FROM:<norm@gluepush.icu> BODY=8BITMIME RET=HDRS
00:06:47.558 [][37350199] senderEmail(1): norm@gluepush.icu parsed using: <norm@gluepush.icu>
00:06:47.563 [][37350199] rsp: 250 OK <norm@gluepush.icu> Sender ok
00:06:47.563 [][37350199] Sender accepted. Weight: 0.
00:07:02.458 [][37350199] cmd: RCPT TO:<efrancisco@globaltextile.com.tr>
00:07:02.665 [][37350199] rsp: 250 OK <efrancisco@globaltextile.com.tr> Recipient ok
00:07:13.241 [][37350199] cmd: DATA
00:07:13.241 [][37350199] rsp: 451 Greylisted, please try again in 240 seconds
00:07:13.241 [][37350199] disconnected at 4/30/2020 12:07:13 AM

However it seems you fixed it in the meantime:

Trying 3.x.62.x...
Connected to mail2.utopia-cloud.com.
Escape character is '^]'.
220 backupMX.utopia-cloud.com
EHLO test
250-mail2.utopia-cloud.com Hello []
250-SIZE 52428800
250 OK
MAIL FROM: <anyone@anywhere.com>
250 OK <anyone@anywhere.com> Sender ok
RCPT TO: <somebody@nowhere.com>
550 <somebody@nowhere.com> No such user here

EDIT: It seems it accepts mail to globaltextile.com.tr domain so I guess it is configured on your server ?

If you changed some configuration options in the meantime and the server is fresh, I would suggest to start with fresh clear logs to see if there are still issues coming after your change.

The delivery log is also important for understanding the mail flow.

What comes in for SMTP is in SMTP log, then what goes to local mailboxes or relayed to external servers with SMTP are in the delivery logs.

Sébastien Riccio System & Network Admin https://swisscenter.com
Arvin Replied
Thank you for the help Sébastien. What you described will definitely let me understand whats going on better.
I'll try the fresh logs and see what happens.
Thanks once again...

Reply to Thread