
Home » Kerio User Forums » Kerio Connect » Do I have a security breach? (Weird sender or possible relay)
Gaby

Messages: 34
Karma: -2
Checking the queue in Kerio Connect I noticed a weird thing: the sender showed <>.

Checking the debug file I noticed something that I suspect may be an attempt to relay through my mail server. Check out the following, particularly the first line:

[04/May/2016 20:12:54][4444] {smtpc} Sending email to SMTP server mx01.mail.de, delivering mail from <>
[04/May/2016 20:12:55][4444] {smtpc} Connecting to 213.128.151.210 (mx01.mail.de) using local interface 0.0.0.0...
[04/May/2016 20:12:55][4444] {smtpc} Connected to mx01.mail.de
[04/May/2016 20:12:55][4444] {smtpc} Received greeting: 220 mx01.mail.de ESMTP eXpurgate 4.0.10
[04/May/2016 20:12:55][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:56][4444] {smtpc} Switching connection to TLS
[04/May/2016 20:12:57][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:57][4444] {smtpc} Sent MAIL command
[04/May/2016 20:12:57][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:57][4444] {smtpc} Sent RCPT TO: <SkinnerRosalinda51596<_at_>trash-email.de>
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:58][4444] {smtpc} Sent DATA command
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 354 End data with <CR><LF>.<CR><LF>
[04/May/2016 20:12:58][4444] {smtpc} Sending message body...
[04/May/2016 20:12:58][4444] {smtpc} Data sent, got reply: 450 4.7.1 <SkinnerRosalinda51596<_at_>trash-email.de>: Relay access denied
[04/May/2016 20:12:58][4444] {smtpc} Data not accepted: 450 4.7.1 <SkinnerRosalinda51596<_at_>trash-email.de>: Relay access denied
[04/May/2016 20:12:59][4444] {smtpc} QUIT sent, got reply: 221 Bye
[04/May/2016 20:12:59][4444] {smtpc} Delivery to other mx servers was skipped.

I can't fully understand what is going on, but it seems that someone called <> is trying to send a message through my server. Can that be?

Thanks in advance
Bud Durland

Messages: 356
Karma: 38
Since the "from" is empty ("<>"), this is probably backscatter. Wiki link. The server will give up trying to deliver it after a certain period and will delete the message.

Had there been a real address in the from value, that might indicate a compromised user account.
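To make the distinction in this answer checkable at scale, here is an added example (not Kerio's tooling and not from either poster) that groups Kerio Connect `{smtpc}` debug lines by session id, pulls out the envelope sender, recipients and the remote server's final reply, and labels each delivery: an empty sender `<>` is a bounce/DSN generated by the server itself, and a burst of such bounces that remote servers reject is the backscatter pattern, while a real local address in the sender slot is what deserves an account-compromise check. The log lines below are constructed sample data modelled on the format quoted in the question; the session ids, addresses and `250` success line are assumed, not taken from a real log.

```python
"""Triage Kerio Connect {smtpc} debug lines for null-sender (bounce) deliveries.

Added example for this thread, not part of Kerio Connect. It assumes the line
layout quoted in the question: "[date time][session-id] {smtpc} message".
"""
import re
from collections import Counter

# Constructed sample log (hypothetical sessions 4444-4446; addresses are placeholders).
SAMPLE_LOG = """\
[04/May/2016 20:12:54][4444] {smtpc} Sending email to SMTP server mx.trash.example, delivering mail from <>
[04/May/2016 20:12:57][4444] {smtpc} Sent RCPT TO: <SkinnerRosalinda51596@trash.example>
[04/May/2016 20:12:58][4444] {smtpc} Data sent, got reply: 450 4.7.1 <SkinnerRosalinda51596@trash.example>: Relay access denied
[04/May/2016 20:13:01][4445] {smtpc} Sending email to SMTP server mx.example.org, delivering mail from <>
[04/May/2016 20:13:02][4445] {smtpc} Sent RCPT TO: <someone@example.org>
[04/May/2016 20:13:03][4445] {smtpc} Data sent, got reply: 250 2.0.0 Ok: queued
[04/May/2016 20:13:10][4446] {smtpc} Sending email to SMTP server mx.example.net, delivering mail from <alice@corp.example>
[04/May/2016 20:13:11][4446] {smtpc} Sent RCPT TO: <bob@example.net>
[04/May/2016 20:13:12][4446] {smtpc} Data sent, got reply: 250 2.0.0 Ok: queued
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<sid>\d+)\] \{smtpc\} (?P<msg>.*)$')
FROM_RE = re.compile(r'Sending email to SMTP server (?P<server>\S+), delivering mail from <(?P<sender>.*)>$')
RCPT_RE = re.compile(r'Sent RCPT TO: <(?P<rcpt>.*)>$')
REPLY_RE = re.compile(r'Data sent, got reply: (?P<code>\d{3})')


def parse_sessions(log_text):
    """Group smtpc lines by session id; record server, envelope sender, recipients, final reply."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an smtpc line (or a different component); ignore
        sid, msg = m.group('sid'), m.group('msg')
        s = sessions.setdefault(sid, {'first_seen': m.group('ts'), 'server': None,
                                      'sender': None, 'recipients': [], 'reply': None})
        fm = FROM_RE.search(msg)
        if fm:
            s['server'] = fm.group('server')
            s['sender'] = fm.group('sender')  # '' means the null sender <>
            continue
        rm = RCPT_RE.search(msg)
        if rm:
            s['recipients'].append(rm.group('rcpt'))
            continue
        pm = REPLY_RE.search(msg)
        if pm:
            s['reply'] = int(pm.group('code'))
    return sessions


def classify(session, local_domains):
    """Label one delivery attempt.

    bounce-rejected: null sender and the remote side refused it (backscatter pattern)
    bounce-accepted: null sender, delivered (a legitimate DSN, or backscatter that landed)
    local-sender:    a real address from one of our domains; review if the volume or
                     recipients look odd, as that is the compromised-account case
    external-sender: sender is not in our domains (e.g. relayed/forwarded mail)
    """
    sender = session['sender'] or ''
    rejected = session['reply'] is not None and session['reply'] >= 400
    if sender == '':
        return 'bounce-rejected' if rejected else 'bounce-accepted'
    domain = sender.rsplit('@', 1)[-1].lower()
    return 'local-sender' if domain in local_domains else 'external-sender'


def summarize(log_text, local_domains):
    """Count delivery attempts per label so a flood of rejected null-sender mail stands out."""
    sessions = parse_sessions(log_text)
    return dict(Counter(classify(s, local_domains) for s in sessions.values()))


if __name__ == '__main__':
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        print(sid, s['first_seen'], repr(s['sender']), s['recipients'], s['reply'],
              classify(s, {'corp.example'}))
    print(summarize(SAMPLE_LOG, {'corp.example'}))
```

Run it against the real debug log with your own domains in `local_domains`: a long tail of `bounce-rejected` entries to addresses you never wrote to is the backscatter case from the answer and needs no account action, whereas `local-sender` entries heading to unfamiliar recipient domains are the ones to cross-check against that user's recent logins.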