Kerio Connect forum: spam from blocked IP (Trying to figure out how spam is getting through my access rules.)
rcohen
Messages: 18
Karma: 0
I'm using a Barracuda spam firewall, in combination with Kerio's mail server 7.1.0. Kerio's SMTP is configured to only relay from trusted server IPs on the LAN (Barracuda and our servers with automated e-mails), or from users authenticated through SMTP for outgoing mail. We have Kerio's spam filtering disabled.

We keep getting spams that show up in the log, like this:
[23/Aug/2010 20:46:07] Recv: Queue-ID: 4c73245d-000006ae, Service: SMTP, From: <shankaq57@rofax.com>, To: <everyone<_at_><_our_domain_.com>, Size: 14970, Sender-Host: 190.120.192.221, SSL: yes

Normally, SMTP goes through our Barracuda, via port 25, but the Barracuda info is missing from the headers of these spams, indicating that they managed to connect directly to Kerio (either through another port we forward, for users, or through our LAN).

Also, under advanced options, I enabled "log hostname for incoming connections". This is showing for e-mails that get sent from our users, but not for these spams.

Why is Kerio accepting connections from this spammer? In theory, this should only work from trusted servers IPs or authenticated users. The logs don't seem to indicate either, as far as I can tell.

I am unable to blacklist the sender's domain or IP address, because they just shift to something else the next day.

Here's the header info for one of these e-mails.

Return-Path: <fondestc<_at_>rfidjournal.com>
X-Envelope-To: everyone<_at_>_our_domain_.com
Received: from HXGETCB ([117.195.161.110]) by mail._our_domain_.com (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for everyone<_at_>_our_domain_.com; Thu, 26 Aug 2010 23:00:55 -0500
Received: from mail148.messagelabs.com (mail148.messagelabs.com [85.158.137.131]) by ALT1.ASPMX.L.GOOGLE.com with ESMTPS id e15nf1720306gyp.15.2010.08.25.70.09.38 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 27 Aug 2010 09:30:32 +0530
X-VirusChecked: Checked
X-Msg-Ref: server-7.tower-148.messagelabs.com!6663642789!54513251!4
X-StarScan-Version: 6.2.4; banners=-,-,-
X-Originating-IP: 117.195.161.110
Message-ID: <06247954.4112325793832.JavaMail.mec@dm1c82>
Date: Fri, 27 Aug 2010 09:30:32 +0530
From: "Vito Murillo" <fondestc<_at_>rfidjournal.com>
To: <everyone<_at_>_our_domain_.com>
Subject: You're invited to view my photos!
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------780137F8538F2BEC";
charset="Windows-1252"
X-Antivirus: avast! (VPS 100826-1, 08/26/2010), Outbound message
X-Antivirus-Status: Clean


Thanks,
Rob
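The quoted log line and Received headers carry enough to answer the poster's question mechanically: the topmost Received hop (the one our own server added) names the IP that actually connected to Kerio, and the Kerio "Recv:" log line names it as Sender-Host. The script below, an added example and not code from the post or from Kerio, parses both and flags messages whose delivering address is not the trusted relay. The Barracuda address 192.168.1.10, the hostname barracuda.lan.example and the second log line are constructed values; the spam sample is the header block quoted above.

```python
import re
from ipaddress import ip_address, ip_network

# Patterns for the two record types seen in the post: a Kerio mail-log "Recv:"
# line and an RFC 5321 "Received:" trace header.
LOG_SENDER_RE = re.compile(r"Sender-Host:\s*(\d{1,3}(?:\.\d{1,3}){3})")
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

OUR_HOST = "mail._our_domain_.com"                 # placeholder as used in the thread
TRUSTED = [ip_network("192.168.1.10/32")]          # constructed: the Barracuda's LAN address

# Headers of the spam quoted in the post (trimmed to the trace headers).
SPAM_HEADERS = """\
Return-Path: <fondestc<_at_>rfidjournal.com>
X-Envelope-To: everyone<_at_>_our_domain_.com
Received: from HXGETCB ([117.195.161.110]) by mail._our_domain_.com (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for everyone<_at_>_our_domain_.com; Thu, 26 Aug 2010 23:00:55 -0500
Received: from mail148.messagelabs.com (mail148.messagelabs.com [85.158.137.131]) by ALT1.ASPMX.L.GOOGLE.com with ESMTPS id e15nf1720306gyp.15.2010.08.25.70.09.38 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 27 Aug 2010 09:30:32 +0530
X-Originating-IP: 117.195.161.110
Subject: You're invited to view my photos!
"""

# Constructed headers of a message that took the intended path through the Barracuda.
# The second Received header is folded, as real headers often are.
FILTERED_HEADERS = """\
Received: from barracuda.lan.example ([192.168.1.10]) by mail._our_domain_.com (using TLSv1/SSLv3 with cipher AES256-SHA (256 bits)) for someone<_at_>_our_domain_.com; Thu, 26 Aug 2010 22:10:00 -0500
Received: from mx.sender.example (mx.sender.example [203.0.113.7])
    by barracuda.lan.example with ESMTP; Thu, 26 Aug 2010 22:09:58 -0500
Subject: quarterly report
"""

# Kerio log lines: the first is the one quoted in the post, the second is constructed.
LOG_LINES = [
    "[23/Aug/2010 20:46:07] Recv: Queue-ID: 4c73245d-000006ae, Service: SMTP, From: <shankaq57@rofax.com>, To: <everyone<_at_><_our_domain_.com>, Size: 14970, Sender-Host: 190.120.192.221, SSL: yes",
    "[23/Aug/2010 20:47:12] Recv: Queue-ID: 4c73245e-000006af, Service: SMTP, From: <partner@example.net>, To: <someone<_at_><_our_domain_.com>, Size: 2211, Sender-Host: 192.168.1.10, SSL: no",
]


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their parent header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return the Received hops, topmost (most recent, i.e. our own server's) first."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("info") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    return hops


def is_trusted(ip, trusted):
    return ip is not None and any(ip_address(ip) in net for net in trusted)


def bypassed_filter(raw_headers, our_host, trusted):
    """True when the hop our server recorded did not arrive from a trusted relay."""
    ours = [h for h in parse_received(raw_headers) if h["by"].lower() == our_host.lower()]
    if not ours:
        return True  # our server left no trace, so the filter path cannot be confirmed
    return not is_trusted(ours[0]["ip"], trusted)


def untrusted_recv_lines(log_lines, trusted):
    """Kerio 'Recv:' log lines whose Sender-Host is outside the trusted relay set."""
    flagged = []
    for line in log_lines:
        if "Recv:" not in line:
            continue
        m = LOG_SENDER_RE.search(line)
        if not m or not is_trusted(m.group(1), trusted):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("spam bypassed filter:", bypassed_filter(SPAM_HEADERS, OUR_HOST, TRUSTED))
    print("filtered mail bypassed filter:", bypassed_filter(FILTERED_HEADERS, OUR_HOST, TRUSTED))
    for line in untrusted_recv_lines(LOG_LINES, TRUSTED):
        print("direct delivery:", line)
```

Both checks answer only one question: did the message enter Kerio through the Barracuda? A legitimate authenticated user on the forwarded port would be flagged in exactly the same way, because neither the quoted log line nor the Received header records whether the session authenticated, so the flagged set has to be reconciled with the server's authentication records before it is read as a list of spam.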
Mousee
Messages: 8
Karma: 0
I don't use Barracuda Network Spam Firewall, and in my opinion this is a question better directed at their company, but in regards to your logging issue - what exactly were you expecting to get out of enabling "Log hostnames for incoming connections"? All that does is use DNS (hostnames) in place of IP addresses when/where possible in *active* logs. For your purposes that's not very helpful as it doesn't tell Kerio to log something specific (i.e. SMTP connections). You need to do that under "Logs".

Have you tried using a public (or semi-private) blacklist like SORBS DNSBL? Assuming that's an option with Barracuda NSF that is. You might also try looking into greylisting. There's plenty of guides around the net on how to block such spammers.
rcohen
Messages: 18
Karma: 0
My question isn't about the Barracuda. It is working fine. The problem is that Kerio is accepting SMTP connections when it shouldn't.

In theory, we have Kerio configured only to accept SMTP connections from trusted, internal IPs, or from authenticated users. In the case of this spam, the log doesn't seem to indicate that the e-mail came from either a trusted IP, or an authenticated user.

Thanks
Pavel Dobry (Kerio)
Messages: 5245
Karma: 251
I'm not sure if you understand SMTP correctly. The SMTP server accepts connections from any client. It is (by RFC) obliged to accept emails for the local email domain from anyone.
The SMTP Relay security setting does not block incoming connections. It just defines which clients can send emails OUTSIDE your local email domains (i.e. relay to other servers).
If you want to block access from some IP addresses then you need to configure the SMTP Service or your firewall to allow access only from selected IP addresses.
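The distinction drawn in this reply is easy to get wrong, so here is a small decision model of it as an added illustration (not Kerio's code or configuration): the relay setting is consulted only for recipients outside the local domains, an IP restriction on the SMTP service is consulted before anything else, and the submission port demands authentication before the same relay rules apply. The local domain placeholder and the Barracuda address 192.168.1.10 are constructed; the spammer address is the one from the log line quoted earlier in the thread. The poster's "private" forwarded port reaches the same SMTP service, so it is modelled here as port 25 on the server side.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the thread's placeholders; not the poster's real config.
LOCAL_DOMAINS = {"_our_domain_.com"}
TRUSTED_RELAYS = [ip_network("192.168.1.10/32")]   # the Barracuda's LAN address (assumed)


@dataclass(frozen=True)
class Session:
    client_ip: str        # address that opened the TCP connection
    authenticated: bool   # did the client pass SMTP AUTH?
    rcpt_domain: str      # domain of the RCPT TO address
    port: int             # 25 (or a forwarded alias of it) or 587


def from_trusted_relay(ip):
    return any(ip_address(ip) in net for net in TRUSTED_RELAYS)


def relay_check(s):
    """The 'SMTP relay' restriction: only reached for recipients outside the local domains."""
    if s.rcpt_domain.lower() in LOCAL_DOMAINS:
        return "accept (local delivery)"          # inbound mail for us: any client may deliver
    if s.authenticated or from_trusted_relay(s.client_ip):
        return "accept (relay permitted)"
    return "reject (relay denied)"


def smtp_25(s, allowed_sources=None):
    """Port 25 behaviour; allowed_sources models an IP restriction on the service itself."""
    if allowed_sources is not None and not any(
        ip_address(s.client_ip) in net for net in allowed_sources
    ):
        return "reject (source address not allowed)"   # refused before any mail is offered
    return relay_check(s)


def submission_587(s):
    """Submission port: authentication is mandatory, then the same relay rules apply."""
    if not s.authenticated:
        return "reject (authentication required)"
    return relay_check(s)


def decide(s, restrict_port_25=False):
    """Outcome of a session under the original setup (relay rule only) or with
    port 25 restricted to the trusted relay, as the reply recommends."""
    if s.port == 25:
        return smtp_25(s, TRUSTED_RELAYS if restrict_port_25 else None)
    return submission_587(s)


# Scenarios from the thread: spammer hitting Kerio directly, Barracuda delivering,
# and a roaming user sending outbound mail through the submission port.
SPAMMER = Session("190.120.192.221", False, "_our_domain_.com", 25)
BARRACUDA = Session("192.168.1.10", False, "_our_domain_.com", 25)
ROAMING_USER = Session("198.51.100.20", True, "example.org", 587)
ANON_ON_587 = Session("198.51.100.20", False, "example.org", 587)


def run_scenarios():
    """Return {(name, restricted): outcome} for the four sessions under both setups."""
    results = {}
    for name, sess in [("spammer", SPAMMER), ("barracuda", BARRACUDA),
                       ("roaming_user", ROAMING_USER), ("anon_on_587", ANON_ON_587)]:
        for restricted in (False, True):
            results[(name, restricted)] = decide(sess, restrict_port_25=restricted)
    return results


if __name__ == "__main__":
    for (name, restricted), outcome in run_scenarios().items():
        print(f"{name:13s} port25-restricted={restricted!s:5s} -> {outcome}")
```

The first row of the output is the whole thread in one line: with only the relay rule in place, the spammer's session to a local recipient is accepted, because relay control never applied to it; once port 25 is limited to the Barracuda's address, the same session is refused at connection time, while authenticated users on 587 are unaffected.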
rcohen
Messages: 18
Karma: 0
I see.

For external spam filtering, it would be really useful to have an option to have SMTP only accept e-mails from authenticated users or trusted IPs, including e-mails to our local domain.

Here's our config:

On port 25, the firewall directs SMTP to our Barracuda, which filters and forwards e-mail to our Kerio.

On another port, the firewall directs SMTP directly to our Kerio. This is for authenticated users.

We have Kerio configured to only relay SMTP from the Barracuda's IP or from authenticated users.

So, it looks like a spammer has found our "private" SMTP port, and is using that to bypass our Barracuda, and spam us.

I suppose it would be possible to configure the firewall to route all e-mails through the Barracuda, for users outside the office. It would be nice to bypass the spam filtering for authenticated users, though, even if they are outside the office.
Pavel Dobry (Kerio)
Messages: 5245
Karma: 251
rcohen wrote on Sun, 29 August 2010 17:36

For external spam filtering, it would be really useful to have an option to have SMTP only accept e-mails from authenticated users or trusted IPs, including e-mails to our local domain.


If you open the manual for the product you'll find out that the option for IP address restriction is already there: http://manuals.kerio.com/connect/adminguide/en/sect-services params.html

And speaking of authenticated users - this is what the SMTP submission service (port 587) is for! The clients from the Internet using this port must be authenticated.

[Updated on: Sun, 29 August 2010 19:22]

rcohen
Messages: 18
Karma: 0
Port 587 sounds like what I needed. Thanks!