
HELP! SMTP server under attack!

buck_jones
Hi. I'm using Kerio Mailserver 6.7.1 build 7762 on a Mac 10.5.8.

Users started complaining that they were blocked from AOL and Yahoo. I checked the Mail Log and there are thousands of emails being sent to AOL and Yahoo addresses. About 200 a minute.

I have no idea what to do.

I have the SMTP server set to allow relay only for users previously authenticated through POP3 from the same IP address. It also allows relay from an IP group of internal users (192.168.1.xxx).

TorW
It may not be relaying as such, but a compromised user account. If it is: to find out which Kerio user is sending the mails, look in mail.log for delivery attempts to Yahoo or AOL. Mails generated by a user account on the server will have "User: localuser<_at_>example.com" at the end of the logged line. Like this:

Service: SMTP, From: <torw@example.com>, To: <remoteaccount@aol.com>, Size: 1686, Sender-Host: some.ip.add.ress, User: torw<_at_>example.com
With a little luck, you'll have both the IP address of the culprit and the compromised account. Block the IP (if you can) and change the password of the account in question.

[Updated on: Thu, 04 November 2010 00:13]
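
One way to do the mail.log triage TorW describes, as an added example that is not Kerio's code or the poster's: it counts deliveries to the watched domains per authenticated account and per Sender-Host, and separately counts matching lines that carry no User field at all (mail that did not come from a local account). The log lines are constructed to follow the layout quoted above; the addresses and hosts are made up.

```python
import re
from collections import Counter

# Fields of one Kerio mail.log delivery line in the layout quoted above.
# The User field is only present when an authenticated account sent the mail,
# so it is optional here; search() tolerates any prefix before "To:".
LINE_RE = re.compile(
    r"To: <[^@>]+@(?P<rcpt_domain>[^>]+)>.*?"
    r"Sender-Host: (?P<host>[^,\s]+)"
    r"(?:.*?User: (?P<user>\S+))?"
)


def triage(log_text, watch_domains=("aol.com", "yahoo.com")):
    """Return (by_user, by_host, unauthenticated) for deliveries to watch_domains.

    by_user and by_host are Counters; unauthenticated is the number of matching
    lines with no User field, i.e. mail not attributed to a local account."""
    by_user, by_host = Counter(), Counter()
    unauthenticated = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("rcpt_domain").lower() not in watch_domains:
            continue
        by_host[m.group("host")] += 1
        if m.group("user"):
            by_user[m.group("user").replace("<_at_>", "@")] += 1
        else:
            unauthenticated += 1
    return by_user, by_host, unauthenticated


# Constructed sample, not real log data (documentation IP ranges).
SAMPLE_LOG = """\
Service: SMTP, From: <torw@example.com>, To: <remoteaccount@aol.com>, Size: 1686, Sender-Host: 203.0.113.45, User: torw<_at_>example.com
Service: SMTP, From: <torw@example.com>, To: <victim2@yahoo.com>, Size: 1702, Sender-Host: 203.0.113.45, User: torw<_at_>example.com
Service: SMTP, From: <boss@example.com>, To: <partner@example.net>, Size: 9120, Sender-Host: 192.168.1.20, User: boss<_at_>example.com
Service: SMTP, From: <torw@example.com>, To: <victim3@aol.com>, Size: 1690, Sender-Host: 203.0.113.45, User: torw<_at_>example.com
Service: SMTP, From: <random@example.org>, To: <victim4@aol.com>, Size: 1650, Sender-Host: 198.51.100.7
"""

if __name__ == "__main__":
    users, hosts, unauth = triage(SAMPLE_LOG)
    print("top accounts:", users.most_common(3))   # account(s) to reset
    print("top sender hosts:", hosts.most_common(3))  # IP(s) to block
    print("lines without a User field:", unauth)    # relay/forged traffic
```

Run it against the real file with `triage(open("mail.log").read())`; a large "lines without a User field" count points at relay rather than a compromised account.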

TorW
On OS X 10.5, you can block an IP with this command in Terminal:

sudo ipfw add deny ip from some.ip.add.ress to servers.ip.add.ress
buck_jones
Thanks!!

It was all coming from the same address. I found the offending address in the mail queue. I made a rule to block that address and all is well.

We are now blocked by Yahoo and AOL, and are in the Spamhaus SBL-XBL. Is there a non-painful way to clear our name?

freakinvibe
Start off by getting yourself removed from the Spamhaus list. AOL and Yahoo might also use this list, so you might have solved everything in one go.

Go to the Spamhaus Blocklist Removal Center

http://www.spamhaus.org/lookup.lasso

Enter your Mail Server's IP address and you will get instructions on how to remove it from their lists.

For the future: Instruct your users not to use simple passwords like 12345. And monitor your mail queue regularly.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
jlagnese

I've had the same issue, and I will be damned if I can find who sent the emails using the method in this thread. I can see the list of Hotmail recipients, but when I trace it back, I can't find the original sender.