Open Relay After Upgrade to 100.0.7153
Question asked by David O'Leary - 5/6/2020 at 2:18 PM
Answered
After upgrading from a late version of 16 to build 7153, it appears SmarterMail started being used as an Open Relay. I had previously shut this down in version 16 but then, after the upgrade, I noticed a massive increase in mail being sent and received. In looking into this, I had initially found there was a compromised email account, so I changed the password and disabled the account. But then there was still a ton of invalid traffic to .ru sites.

It then seemed like there was some kind of bounce loop occurring where both the sender and receiver were rejecting things back and forth. Clearing out the spool by deleting hundreds of emails seemed to help that but then it came back in a couple days.

Now, looking at my logs, I'm seeing lots of hits when I search for " Sending Remote mail" involving .ru domains. But I'm no longer finding the area in the admin interface where I can prevent this.

Sample of my logs:

[2020.05.06] 3 [83107] Delivery for ilyagol05mz@mail.ru to ilyagol05mz@mail.ru has completed (Bounced)
[2020.05.06] 14:56:11.093 [83107] Removed from RemoteDeliveryQueue (1 queued or processing)
[2020.05.06] 14:56:11.108 [83109] DSN email written to 2439183114 with status failed to leoniddu09k@mail.ru
[2020.05.06] 14:56:11.108 [83109] Delivery for leoniddu09k@mail.ru to leoniddu09k@mail.ru has completed (Bounced)
[2020.05.06] 14:56:11.108 [83109] Removed from RemoteDeliveryQueue (0 queued or processing)
[2020.05.06] 14:56:14.077 [83113] Delivery started for ilyagol05mz@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83111] Delivery started for avdzhyan-78@bk.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83112] Delivery started for nickfergass@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83114] Delivery started for leoniddu09k@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83106] Removing Spool message: Killed: True, Failed: False, Finished: True
[2020.05.06] 14:56:14.077 [83106] Delivery finished for avdzhyan-78@bk.ru at 2:56:14 PM    [id:2439183106]
[2020.05.06] 14:56:14.077 [83110] Added to SpamCheckQueue (0 queued; 1/30 processing)
[2020.05.06] 14:56:14.077 [83110] [SpamCheckQueue] Begin Processing.
[2020.05.06] 14:56:14.077 [83108] Removing Spool message: Killed: True, Failed: False, Finished: True
[2020.05.06] 14:56:14.077 [83108] Delivery finished for nickfergass@mail.ru at 2:56:14 PM    [id:2439183108]
[2020.05.06] 14:56:14.077 [83107] Removing Spool message: Killed: True, Failed: False, Finished: True
[2020.05.06] 14:56:14.077 [83107] Delivery finished for ilyagol05mz@mail.ru at 2:56:14 PM    [id:2439183107]
[2020.05.06] 14:56:14.093 [83109] Removing Spool message: Killed: True, Failed: False, Finished: True
[2020.05.06] 14:56:14.093 [83109] Delivery finished for leoniddu09k@mail.ru at 2:56:14 PM    [id:2439183109]
[2020.05.06] 14:56:15.093 [83110] Unable to run Clam virus checks: No connection could be made because the target machine actively refused it 127.0.0.1:3310 | error
Owner of Efficion Consulting
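As an added illustration (not part of the original thread and not SmarterMail's own code): a small Python tally of the delivery log entries in the format shown above, grouped by destination domain, so an admin can compare counts before and after applying an SMTP block and spot the same-address "Delivery for X to X ... (Bounced)" pattern from the excerpt. It assumes only the line layout seen in the post; the sample entries are copied from the excerpt above.

```python
import re
from collections import defaultdict

# Sample entries copied from the SmarterMail delivery log excerpt in the post above.
SAMPLE_LOG = """\
[2020.05.06] 14:56:11.108 [83109] DSN email written to 2439183114 with status failed to leoniddu09k@mail.ru
[2020.05.06] 14:56:11.108 [83109] Delivery for leoniddu09k@mail.ru to leoniddu09k@mail.ru has completed (Bounced)
[2020.05.06] 14:56:14.077 [83113] Delivery started for ilyagol05mz@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83111] Delivery started for avdzhyan-78@bk.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83112] Delivery started for nickfergass@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83114] Delivery started for leoniddu09k@mail.ru (via bypass) at 2:56:14 PM
[2020.05.06] 14:56:14.077 [83110] Added to SpamCheckQueue (0 queued; 1/30 processing)
"""

# Patterns assumed from the excerpt's line layout, not from SmarterMail documentation.
STARTED_RE = re.compile(r"Delivery started for (\S+)")
COMPLETED_RE = re.compile(r"Delivery for (\S+) to (\S+) has completed \((\w+)\)")


def domain_of(address):
    """Lower-cased domain part of an address ('user@Mail.ru' -> 'mail.ru')."""
    return address.rsplit("@", 1)[-1].lower()


def summarize(log_text):
    """Per destination domain: deliveries started, bounces, and bounces where the
    two addresses in the 'Delivery for A to B' line are identical (the loop pattern)."""
    stats = defaultdict(lambda: {"started": 0, "bounced": 0, "self_bounced": 0})
    for line in log_text.splitlines():
        m = STARTED_RE.search(line)
        if m:
            stats[domain_of(m.group(1))]["started"] += 1
            continue
        m = COMPLETED_RE.search(line)
        if m and m.group(3) == "Bounced":
            addr_a, addr_b = m.group(1), m.group(2)
            d = stats[domain_of(addr_b)]
            d["bounced"] += 1
            if addr_a.lower() == addr_b.lower():
                d["self_bounced"] += 1
    return dict(stats)


def flag_domains(log_text, threshold=2):
    """Domains with at least `threshold` deliveries started, busiest first."""
    stats = summarize(log_text)
    busy = [(dom, s["started"], s["bounced"], s["self_bounced"])
            for dom, s in stats.items() if s["started"] >= threshold]
    return sorted(busy, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for dom, started, bounced, self_bounced in flag_domains(SAMPLE_LOG):
        print(f"{dom}: started={started} bounced={bounced} self-addressed bounces={self_bounced}")
```

Point it at a full day's delivery log instead of SAMPLE_LOG to see whether a blocked domain's "started" count actually drops to zero after the block is in place.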

7 Replies

0
Employee Replied
Employee Post
You could create a SMTP block (System Admin > Settings > Security > SMTP Blocks) for *@mail.ru for incoming/outgoing messages to prevent this.
0
David O'Leary Replied
I did that 2 days ago for the offending domains. But, since it says blocked address / domain, I just used the domain (e.g. bk.ru). That still didn't prevent the 17,000 emails I saw today.
Owner of Efficion Consulting
0
David Fisher Replied
David,

Is there a reason you are not running the latest release, Build 7242 (Nov 1, 2019)? Build 7236 (Oct 24, 2019) lists in the release notes:

• IMPORTANT: This build resolves a security vulnerability. It is recommended to update to this version or higher.

Not sure what the security vulnerability is; if it is something related to SMTP, that might be the issue. You installed a couple of versions behind the latest. Just to rule that out.

Regards,
-dave
0
David O'Leary Replied
Well, because my subscription expired and what I'm seeing in terms of new features (except for that one) doesn't seem to justify the cost of renewing. But, I'm still seeing this issue and no one seems to have a helpful response. Very concerning.
Owner of Efficion Consulting
0
You must upgrade to the latest stable version. There's nothing concerning in it.
Gabriele Maoret - Head of SysAdmins at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
David O'Leary Replied
I've now upgraded to the latest version. I'm continuing to monitor to see if these rogue emails keep happening.
Owner of Efficion Consulting
0
David O'Leary Replied
Marked As Answer
The problem has not resurfaced after the upgrade to the current release version, 100.0.7242.24590.
Owner of Efficion Consulting
