Misuse of my domain.

Rick Cooper rcooper at DIMENSION-FLM.COM
Sun Nov 9 20:01:02 GMT 2003 

> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Erik Jakobsen
> Sent: Sunday, November 09, 2003 2:18 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Misuse of my domain.
>
>
> > I use exim so I am not really qualified to explain how postfix blocks at
> > RCPT time, but I know there is a webmin module for postfix and
> I am willing
> > to bet that would simplify administration. There is a tutorial
> for postfix
> > admin via webmin at http://www.swelltech.com/support/webminguide/
>
> I do have webmin running on the server, and can see postfix there.
>
> > Or you can look at postfix config examples at
> > http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt
> > http://www.bagley.org/~doug/spam/postfix.shtml
> >
> > In my opinion sender verification and requiring local users to
> authenticate
> > before sending mail is basic setup 101. Especially the local user
> > authentication.
>
> Well I am not sure what you write here.

It's possible to configure you MTA to make validations tests against the
sender of a message. Simple validation is checking if a sender that is
suppose to be local actually exists as a valid local user. For instance when
postfix receives an email from john at mydomain it will check john against the
valid local mail users and see if john is actually a valid local mail user.
If not postfix will reject the incoming mail. Or, if postfix supports
callout verification (I think it does) when it receives a mail from
me at some.com it makes an outbound connection to the mx for some.com and
basically does a bounce mail with no data. If the mail server returns, say
550 invalid user, postfix will reject the mail from me at some.com. This is
basic receipt security

User authentication means your MTA requires a username and password before
it will allow mail to be sent through it. This is basic send security.

In your case the mail from bogus john at yourdomain would fail both, it
actually wouldn't make it through the authentication phase.

In my case I test during SMTP, HELO, RCPT, DATA. The calling host must pass
tests such as do they have a valid DNS A record or MX record, Does the helo
name resolve to a valid PTR and or A record, are they HELOing as me or one
of my domain's hosts or my IP, various RCPT tests including rbl (various
real-time spam checks), if they are supposedly local have they
authenticated, once they have sent the actual message and before that
message is accepted it is checked for viruses (and disallowed file
extentions), if a virus is found (Exim/Exiscan-acl) the entire session is
rejected and that host is blocked from mail access at the firewall level for
1 week... much more in detail. All of this means MailScanner has little to
do except check for the less obvious spam, and more involved filename/type
checks and it does that very, very well.

>
> > To do a good test of the relay control in your current
> configuration log in
> > to the mail server console and : telnet relay-test.mail-abuse.org
> > they will then run through a bunch of relay hacks against your MTA and
> > report to you, via the telnet session, the results of each
> test. If you fail
> > even one you need to resolve the problem ASAP as it would mean you are
> > definatly an open relay (and thus a real problem)
>
> Here's the test:
>
> [root at gateway /]# telnet relay-test.mail-abuse.org
> Trying 168.61.4.13...
> Connected to relay-test.mail-abuse.org.
> Escape character is '^]'.
> /proj/maps/bin/in.relaytest: socket failed [Bad file descriptor]
> Connecting to 80.199.7.181 ...
> Connection closed by foreign host.
>
> The last IP is my fixed one.
>

It appears your mail server is not accepting connections on port 25. I
tested that my telneting to the same host and got the same thing, no
connection. I assume this means you do not actually accept mail on the host
listed as your primary or secondary (tried that too) mail server... or there
is currently a problem. The above test doesn't work for non standard SMTP
ports.

> I am a member of the Postfix list :-)
>
> --
> Med venlig hilsen - Best regards.
> Erik Jakobsen - eja at urbakken.dk.
> Licensed radioamateur with the callsign OZ4KK.
> SuSE Linux 8.2 Proff.
> Registered as user #319488 with the Linux Counter, http://counter.li.org.
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list