Server sending mass spam

jimbo_, Messages: 5, Karma: 0
Hi,

We have an MS 2008 R2 Server running Kerio Connect 8.2.0 as our email server. We've recently moved to an FTTP dedicated internet connection and subsequently fitted a new Watchguard firewall.

We have external users which require external email access, so we have port 25 incoming on the firewall pointing to the email server as required. We are having to monitor the firewall and the email logs constantly as we're having SMTP attacks where the email server is mass sending out spam coming from certain IP addresses. We're then blocking these IP addresses in the firewall when we spot the problem. It's getting as much as 100,000 emails per week if we're missing it.

Kerio is set up so that it requires SMTP authentication to send email. The "active connections" tab does not show the IP addresses that are causing the issue but simply lists our public IP address followed by a random port (IP:58403 for instance). Nor does it show the "User", so if it was related to a user's password being cracked then I can't see who it is.

It's allowing mail to go out as anything@ourdomain.com, which according to the settings it shouldn't be allowed to do.

Any ideas what we're missing here?

Cheers, Jimbo
rickblackdog, Messages: 55, Karma: -1
Do you have an open relay?
jimbo_, Messages: 5, Karma: 0
Nope. Relay is only allowed for our static IP addresses and users authenticated through SMTP for outgoing mail.

James
Pavel Dobry (Kerio), Messages: 5245, Karma: 251
jimbo_ wrote on Tue, 12 November 2013 12:59:
The "active connections" tab does not show the IP addresses that are causing the issue but simply lists our public IP address followed by a random port (IP:58403 for instance). Nor does it show the "User", so if it was related to a user's password being cracked then I can't see who it is.

You should not use Network Address Translation when mapping a port from the Internet to your server.

Quote:
It's allowing mail to go out as anything@ourdomain.com, which according to the settings it shouldn't be allowed to do.

Are you sure these messages go out from your server? Or are they incoming ones?
jimbo_, Messages: 5, Karma: 0
Quote:
You should not use Network Address Translation when mapping a port from the Internet to your server.

OK, what is your suggestion? Because we have 8 public IP addresses from our router, we need to use SNAT to point the correct port 25 traffic from the internet to our mail server.

Quote:
Are you sure these messages go out from your server? Or are they incoming ones?

Well yes, it's coming from anything@ourdomain.com going out to random addresses worldwide. We've been put on the Spamhaus list a couple of times so our email reputation is very low. If I look at the message headers they're coming from a random IP address then being sent through our server. Like this:

Received: from 107.6.137.138 (our IP)
by mail.ourdomain.com (Kerio Connect 8.2.0);
Pavel Dobry (Kerio), Messages: 5245, Karma: 251
So you do have an open relay, because your public IP addresses are probably in the group that has relay allowed. And since your firewall replaces the source IP address, anyone from the Internet can send spam through your server.
Do not use SNAT on the firewall. Only DNAT. If you need to map more addresses, use more internal IP addresses on the firewall and define different default routes on the server.
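To make the mechanism Pavel describes concrete, here is a small Python model added here (it is not Kerio's code and not from anyone in the thread): it shows why SNAT turns the trusted-IP relay rule into an open relay, and gives a header check an admin can run over collected messages to spot the masking. It uses the 107.6.137.138 address jimbo_ quoted; the client addresses and header samples are constructed.

```python
import ipaddress
import re

# From the thread: the server's own public IP, which the admin placed in
# Kerio's "relay allowed" IP group. Client IPs below are constructed (TEST-NET).
OUR_PUBLIC_IPS = {ipaddress.ip_address("107.6.137.138")}

def relay_allowed(source_ip, authenticated):
    """Relay decision as configured in the thread: SMTP AUTH or trusted IP."""
    return authenticated or ipaddress.ip_address(source_ip) in OUR_PUBLIC_IPS

def source_seen_by_server(client_ip, firewall_mode):
    """What the mail server sees as the connecting IP. SNAT rewrites the source
    to the firewall's public IP; DNAT rewrites only the destination, so the
    real client IP survives."""
    if firewall_mode == "snat":
        return "107.6.137.138"
    if firewall_mode == "dnat":
        return client_ip
    raise ValueError("unknown firewall mode: " + firewall_mode)

def open_relay_for(client_ip, firewall_mode):
    """True when an arbitrary unauthenticated Internet host would be relayed."""
    seen = source_seen_by_server(client_ip, firewall_mode)
    return relay_allowed(seen, authenticated=False)

RECEIVED_RE = re.compile(r"^Received: from (\d{1,3}(?:\.\d{1,3}){3})", re.MULTILINE)

def self_sourced_ratio(headers):
    """Fraction of 'Received: from' hops attributed to our own public IP.
    Near 1.0 across many messages is the thread's symptom: the firewall is
    masking every client's real address, so the trusted group matches everyone."""
    ips = RECEIVED_RE.findall(headers)
    if not ips:
        return 0.0
    masked = sum(1 for ip in ips if ipaddress.ip_address(ip) in OUR_PUBLIC_IPS)
    return masked / len(ips)

# Constructed header samples shaped like the one jimbo_ posted.
HEADERS_BEHIND_SNAT = (
    "Received: from 107.6.137.138 (our IP)\n\tby mail.ourdomain.com (Kerio Connect 8.2.0);\n"
    "Received: from 107.6.137.138 (our IP)\n\tby mail.ourdomain.com (Kerio Connect 8.2.0);\n"
)
HEADERS_BEHIND_DNAT = (
    "Received: from 203.0.113.7 (unknown)\n\tby mail.ourdomain.com (Kerio Connect 8.2.0);\n"
    "Received: from 198.51.100.20 (unknown)\n\tby mail.ourdomain.com (Kerio Connect 8.2.0);\n"
)
```

Run `self_sourced_ratio` over headers gathered from the server's outbound queue: behind SNAT it returns 1.0 for every message, behind DNAT only mail genuinely originating from the office address counts.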
jimbo_, Messages: 5, Karma: 0
Yes, the main IP address is in that group. I see what you mean. I can't point port 25 traffic to the mail server without using SNAT though on the Watchguard.
jimbo_, Messages: 5, Karma: 0
Ah, hold fire. I may have worked it out to forward it using SNAT but not to mask the IP address. Doing 2 tests from my Gmail on my phone: in the first, the header showed our IP in the Received: from; the second test has Gmail's IP address instead. Hopefully this solves the problem.

Thanks