Spam Attack (Kerio Connect forum)

yukiomishima

Howdy

I am having the following showing up numerous times per minute:

[16/Jun/2009 15:10:58] SMTP Spam attack detected from 192.168.1.1, client closed connection before SMTP greeting

It is not someone on our private LAN, and they appear to be accessing using a funky port number (currently :2979).

Any thoughts on what I need to do to stop/block it?

Also:

I am running Kerio on a standard OS X box. Our ISP provides DNS; however, when I run a check via dnstrouble.com I am getting the following errors:

"Unable to lookup the IP Address of your Mail Server. Please ensure you entered a valid Hostname, or check your DNS Configuration."

and

"Your Hostname is NOT present in your servers HELO Welcome Banner"

Any thoughts on this would also be hugely useful.

Thanks in advance.

yukioMishima
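As an added illustration (not part of the original thread), here is a small Python triage script for the log line format quoted above. It parses the Kerio "SMTP Spam attack detected" entries, groups them by source address, and reports how many events each source produced, whether the source is an RFC 1918 (LAN) address, and whether the events arrive at a near-constant interval. A steady interval is what a misconfigured device retrying on a timer looks like, as opposed to bursty traffic from many hosts. The sample log lines are constructed for the example; 203.0.113.7 is a documentation address, not a real host.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the Kerio Connect security-log line quoted in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"SMTP Spam attack detected from (?P<ip>[0-9A-Fa-f.:]+), (?P<reason>.*)$"
)

# RFC 1918 ranges: a source in one of these is on the local network, not the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one LAN host retrying on a 15 s timer, one stray external
# source (203.0.113.7, a documentation address) and one unrelated line to skip.
SAMPLE_LOG = [
    "[16/Jun/2009 15:10:58] SMTP Spam attack detected from 192.168.1.1, client closed connection before SMTP greeting",
    "[16/Jun/2009 15:11:13] SMTP Spam attack detected from 192.168.1.1, client closed connection before SMTP greeting",
    "[16/Jun/2009 15:11:20] SMTP Spam attack detected from 203.0.113.7, client closed connection before SMTP greeting",
    "[16/Jun/2009 15:11:28] SMTP Spam attack detected from 192.168.1.1, client closed connection before SMTP greeting",
    "[16/Jun/2009 15:11:43] SMTP Spam attack detected from 192.168.1.1, client closed connection before SMTP greeting",
    "[16/Jun/2009 15:11:44] Some unrelated (constructed) log line that the parser must skip",
]


def is_rfc1918(ip):
    """True if ip is an IPv4 address inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_line(line):
    """Return (timestamp, source_ip, reason) for a spam-attack line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def summarize(lines):
    """Group events by source IP: count, time span, gaps between consecutive
    events, median gap, LAN/not-LAN, and the distinct reasons Kerio logged."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, reason = parsed
            by_ip[ip].append((ts, reason))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        stamps = [ts for ts, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "count": len(events),
            "first": stamps[0],
            "last": stamps[-1],
            "gaps_s": gaps,
            "median_gap_s": median(gaps) if gaps else None,
            "lan": is_rfc1918(ip),
            "reasons": sorted({r for _, r in events}),
        }
    return report


def periodic_sources(report, min_events=3, tolerance_s=2.0):
    """IPs whose inter-event gaps all lie within tolerance_s of their median.
    A near-constant interval points at a device retrying on a timer (the
    router in this thread turned out to retry every 15 s), not at random traffic."""
    hits = []
    for ip, info in report.items():
        if info["count"] < min_events:
            continue
        med = info["median_gap_s"]
        if all(abs(g - med) <= tolerance_s for g in info["gaps_s"]):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip, info in sorted(rep.items()):
        print(f"{ip:16} events={info['count']:3} median_gap={info['median_gap_s']} "
              f"lan={info['lan']} reasons={info['reasons']}")
    print("timer-driven sources:", periodic_sources(rep))
```

Run it against a real log with `summarize(open("security.log").readlines())`; a single LAN source with a fixed interval is the case to chase down on the device itself rather than on the firewall.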

stewie

First, Kerio doesn't listen on port 2979 so it should not respond to anything on that port.

Second, are you positive it's not coming from your LAN? You may want to do a netstat or tcpdump to verify both of these.

An easy thing to do is just turn off or disconnect the device at 192.168.1.1 (assuming it's a computer & not a router). What changes?

If the messages stop, you know it's that computer.

Also, the "closed before connection" message is interesting. What is the email client used on that computer?

As for DNS, open the Terminal & enter:

dig @yourISPsDNSServer yourDomainName MX

What is returned?

hbianchi

It is almost impossible that this connection is not from inside your own network. If this were true, you probably have a serious problem with your firewall configuration.

I agree with Stewie's comment that this should originate in your internal network, and the best diagnosis you can do is to find the 192.168.1.1 device and take it down for a while. If you confirm it was the origin, you must begin looking for the software (if a PC or server) or the command (if a router) causing this.

TorW

The port number (2979) is likely the remote IP's source port. Had it not accessed KMS on port 25, you wouldn't have seen it in the logs.

The hostname issue when you check the DNS setup could very well be your firewall. Cisco firewalls, for instance, are "famous" for interfering with the SMTP banner. It's impossible (I think) to configure KMS to NOT display the hostname in the SMTP banner. The other issue ("Unable to lookup the IP Address of your Mail Server") simply means you have no reverse name resolution for the server in DNS. The owner of the IP must fix that.

9 times out of 10, 192.168.1.1 is a router, and something is using the router to access KMS on port 25. A compromised PC perhaps? Well-behaved clients, which means all the legitimate ones (Apple Mail, Outlook, Outlook Express etc.), do not give up even if you configure KMS to delay the SMTP banner for 30 seconds.

yukiomishima

Thanks everyone for your replies.

On the "spam attack": it would appear that someone had recently modified the allowable range in the SMTP settings to exclude our router (on IP address 192.168.1.1), and it was trying to send system logs but could not deliver due to the change. It was trying to send every 15 seconds, hence the huge flood of log entries.

I have modified the SMTP settings, and all seems to be OK.

On the DNS issue:

I ran the command in Terminal and it came back with the following info (I have changed our actual domain name to *****.com):

; <<>> DiG 9.3.5-P2 <<>> @(ISP dns server IP) *****.com mx
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57181
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; QUESTION SECTION:
;*****.com. IN MX

;; ANSWER SECTION:
*****.com. 86400 IN MX 5 *****.com.

;; AUTHORITY SECTION:
*****.com. 86400 IN NS (ISPdns server address here is correct)
*****.com. 86400 IN NS (ISPdns server address here is correct)
*****.com. 86400 IN NS (ISPdns server address here is correct)

;; ADDITIONAL SECTION:
mail.*****.com. 86400 IN A (our public IP here is correct)
ns1.ISPaddress.com. 900 IN A (ISPdns server address here is correct)
ns2.ISPaddress.com. 900 IN A (ISPdns server address here is correct)
ns3.ISPaddress.com. 900 IN A (ISPdns server address here is correct)

;; Query time: 197 msec

Does this look correct?

Any help would be greatly appreciated.

and

On the reverse name: is that something that our ISP needs to sort out? If so, what do I need to tell them to do specifically?

Thanks

yukioMishima

stewie

Nice job figuring the first part out!

As for the DNS, in the part
Quote:

;; ANSWER SECTION:
*****.com. 86400 IN MX 5 *****.com.

you need to see if that host can be resolved & reached.

Let's assume *****.com is really mail.yukiomishima.com. Do a google search for "ping test" & find a web site that will try to ping mail.yukiomishima.com.

What happens? If it's able to resolve & ping mail.yukiomishima.com then you should be fine. But if not, then it's a DNS issue or a network/routing issue.

Let us know. Good luck.

yukiomishima

stewie

Thanks for the info.

I pinged the server from multiple locations and they all connected OK.

so

Seems to be OK, but what is the deal then with the error messages I am getting when I run the tests on the server (as above)? And any thoughts why we are having issues getting mail through to some addresses? (I have checked our server address in all of the blacklists and we do not appear to be in any of them.)

I have the server set to deliver directly rather than relaying through our ISP.

Thanks again.

yukioMishima

stewie

Try the tests at that web site again & try it at some others as well. Bottom line,
1. if the authoritative DNS server returns the MX record to a host (like mail.yukiomishima.com)
2. and that host can be resolved (mail.yukiomishima.com = 208.69.36.231 or whatever)
3. reached (PING mail.yukiomishima.com (208.69.36.231): 56 data bytes 64 bytes from 208.69.36.231: icmp_seq=0 ttl=57 time=26.581 ms)
4. and it responds (220 mail.yukiomishima.com ESMTP ready)
...then it's a problem with the site doing the testing because you're set up properly.

As for some mail not getting through, the blacklist is a good start. If you end up on a blacklist, hopefully the email reply or your SMTP log will tell you.

So it's hard to say as there's a variety of reasons for this. But what I'd do is open a telnet session to one of the mail servers you're having an issue with. Then go step-by-step through the SMTP process. (You can google "test smtp with telnet" if you need an example.) It's pretty easy to see where the problem is when you do this.

Good luck!
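The step-by-step SMTP check stewie describes, done with a script instead of typing into telnet, as an added example that is not part of the thread. It reads the 220 greeting, checks whether the expected hostname appears in it (the "Hostname is NOT present in your servers HELO Welcome Banner" complaint from the original post), sends EHLO, and QUITs. `smtp_banner_check` does this against a real host and port; `demo` runs the same client against a constructed fake peer over a socketpair so the example works offline. The banners and the hostname mail.example.com are constructed for the example; the second banner imitates a middlebox that has replaced the hostname with asterisks.

```python
import socket
import threading


def read_reply(f):
    """Read one SMTP reply (single or multi-line, '250-' continuation) from a
    file object over the socket. Returns (code, lines); code is None when the
    peer closed the connection or sent something unparsable."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:                              # EOF: peer closed on us
            break
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # last line of this reply
            break
    code = int(lines[0][:3]) if lines and lines[0][:3].isdigit() else None
    return code, lines


def smtp_dialog(sock, expected_hostname, my_hostname="tester.example.com"):
    """Walk the start of a session on a connected socket: greeting -> EHLO -> QUIT,
    recording what a remote checker (or a receiving MTA) would see."""
    f = sock.makefile("rb")
    code, greeting = read_reply(f)
    banner = greeting[0] if greeting else ""
    result = {
        "greeting": banner,
        "greeting_ok": code == 220,
        "hostname_in_greeting": expected_hostname.lower() in banner.lower(),
        "ehlo_ok": False,
    }
    if code == 220:
        sock.sendall(f"EHLO {my_hostname}\r\n".encode("ascii"))
        ehlo_code, _ = read_reply(f)
        result["ehlo_ok"] = ehlo_code == 250
        sock.sendall(b"QUIT\r\n")
        read_reply(f)
    return result


def smtp_banner_check(host, port=25, expected_hostname=None, timeout=10.0):
    """Network version: connect to host:port, the same thing `telnet host 25` does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return smtp_dialog(s, expected_hostname or host)


def fake_smtp_peer(sock, banner):
    """Constructed stand-in for the remote MTA so the example runs offline:
    sends `banner`, answers EHLO/HELO with 250 and QUIT with 221."""
    with sock:
        sock.sendall(banner.encode("ascii") + b"\r\n")
        f = sock.makefile("rb")
        for raw in f:
            cmd = raw.decode("ascii", errors="replace").strip().upper()
            if cmd.startswith(("EHLO", "HELO")):
                sock.sendall(b"250-mail.example.com\r\n250 SIZE 10240000\r\n")
            elif cmd.startswith("QUIT"):
                sock.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                sock.sendall(b"500 5.5.1 Command unrecognized\r\n")


def demo(banner, expected_hostname="mail.example.com"):
    """Run the client against the fake peer over a socketpair (no network needed)."""
    client_end, server_end = socket.socketpair()
    t = threading.Thread(target=fake_smtp_peer, args=(server_end, banner), daemon=True)
    t.start()
    with client_end:
        result = smtp_dialog(client_end, expected_hostname)
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    print(demo("220 mail.example.com ESMTP ready"))        # hostname present
    print(demo("220 ******************** ESMTP"))          # hostname stripped by a middlebox
```

Against a live server, `smtp_banner_check("mail.example.com", 25, "mail.example.com")` from outside your network shows the greeting the Internet actually sees; if `hostname_in_greeting` is False there but the banner looks right from the LAN, something between the server and the Internet is rewriting it.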

TorW

yukiomishima wrote on Wed, 17 June 2009 17:56:

on the reverse name... is that something that our ISP needs to sort out.. if so.. what do i need to tell them to do specifically

The usual way we think of name resolution is: "what IP address does that hostname have?". This is known as forward resolution. Reverse resolution on the other hand, is asking "what hostname (if any) does this IP address correspond to?".

Check forward resolution: # dig example.com
Check reverse resolution: # host 208.77.188.166

The two answers should correspond, and lots and lots of mail servers do this check when a mail is received. If they don't match, the receiving MTA often does not bother with the mail at all.

Tell your ISP that you need reverse name resolution on IP address such-and-such, and supply them with the hostname you want. Not a domain, but a hostname.

Note: it's perfectly fine to use example.com and IP 208.77.188.166 instead of inventing or obfuscating domain names and IP addresses. IANA created this domain for use in these circumstances.
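The forward/reverse consistency test TorW describes, written out in Python as an added example (not part of the thread). `fcrdns_check` does what a receiving MTA does with a connecting server: look up the PTR for the IP, resolve that name forward again, require the original IP to be among the answers, and finally require the PTR name to match the hostname the server announces. The lookup functions are injectable, so the script runs here against a constructed zone table (192.0.2.0/24 is a documentation range; the hostnames under example.com are made up) and can be pointed at the live resolver by leaving the defaults in place.

```python
import ipaddress
import socket


def forward_lookup(hostname):
    """IPv4 addresses for hostname via the system resolver (what `dig hostname` shows)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def reverse_lookup(ip):
    """PTR name for ip via the system resolver (what `host ip` shows), or None."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def fcrdns_check(ip, announced_hostname, forward=forward_lookup, reverse=reverse_lookup):
    """Forward-confirmed reverse DNS, as a receiving MTA applies it:
      1. ip -> PTR name         (must exist)
      2. PTR name -> A records  (must contain ip)
      3. PTR name == hostname the server announces in its SMTP banner
    `forward`/`reverse` are injectable so the check can run against fixed tables."""
    ipaddress.ip_address(ip)                      # raises ValueError on junk input
    want = announced_hostname.lower().rstrip(".")
    ptr = reverse(ip)
    if ptr is None:
        return {"ok": False, "ptr": None,
                "reason": f"no PTR record for {ip}; the IP owner (ISP) must add one"}
    addrs = forward(ptr)
    if ip not in addrs:
        return {"ok": False, "ptr": ptr,
                "reason": f"PTR {ptr} resolves to {addrs or 'nothing'}, not back to {ip}"}
    if ptr != want:
        return {"ok": False, "ptr": ptr,
                "reason": f"PTR {ptr} differs from announced hostname {want}"}
    return {"ok": True, "ptr": ptr, "reason": "forward and reverse resolution agree"}


# Constructed zone data standing in for live DNS.
CONSTRUCTED_FORWARD = {
    "mail.example.com": ["192.0.2.25"],
    "www.example.com": ["192.0.2.80"],
    "old.example.com": ["192.0.2.99"],    # stale name: points somewhere else
}
CONSTRUCTED_REVERSE = {
    "192.0.2.25": "mail.example.com",
    "192.0.2.80": "www.example.com",
    "192.0.2.26": "old.example.com",      # PTR exists but does not confirm
}


def table_forward(hostname):
    return CONSTRUCTED_FORWARD.get(hostname.lower().rstrip("."), [])


def table_reverse(ip):
    return CONSTRUCTED_REVERSE.get(ip)


def demo_cases():
    """Run the check over the constructed table; returns {case_name: result}."""
    cases = {
        "consistent": "192.0.2.25",         # PTR and A agree, name matches banner
        "no_ptr": "192.0.2.27",             # the thread's situation: no reverse record
        "ptr_not_confirmed": "192.0.2.26",  # PTR name resolves elsewhere
        "wrong_host": "192.0.2.80",         # confirmed, but not the mail host's name
    }
    return {name: fcrdns_check(ip, "mail.example.com", table_forward, table_reverse)
            for name, ip in cases.items()}


if __name__ == "__main__":
    for name, res in demo_cases().items():
        print(f"{name:18} ok={res['ok']!s:5} {res['reason']}")
```

For the live check, `fcrdns_check("<your public IP>", "<your mail hostname>")` uses the system resolver; the `no_ptr` reason text is exactly the request to put to the ISP: a PTR for the address pointing at the one hostname the server announces.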