Forums & Blog

A SmarterTools-sponsored community.

New bug in Smartermail or new way of sending spam?

Last post 07-27-2009 1:10 PM by STS-Tech. 6 replies.
  • 06-24-2009 8:41 AM

    New bug in Smartermail or new way of sending spam?

    Hi!

    It seems that our mail server sends spam and we can't do anything to stop it!
    Or can we?

    The way this is working, as I see it:

    A foreign SMTP server sends a mail to a recipient on our mail server.
    The mail server accepts it.
    When our mail server delivers the mail, it has more recipients in it.
    So it tries to send the mail to all the recipients.

    Is it a bug in SmarterMail?
    How can we protect ourselves from it?
    Is it a new way to send spam?

    Settings:
    SMTP authentication is on of course.
    Allow Relay: "only local users"
    Disable relay settings when using SMTP authentication: "Checked"
    Enable domain's SMTP auth setting for local deliveries: "Unchecked"
    Disable AUTH LOGIN method for SMTP authentication: "Unchecked"
    Version:
    SmarterMail Enterprise 5.5.3362


    Perhaps someone can explain this to me.
    It's not a local delivery, so it should not be possible, right?
    (I don't know how it's done, but here is the log.)

    Smtp Log:

    16:20:08 [65.55.111.77][58133469] rsp: 220 s05.axentus.se 
    16:20:08 [65.55.111.77][58133469] connected at 2009-06-24 16:20:08
    16:20:08 [65.55.111.77][58133469] cmd: EHLO blu0-omc2-s2.blu0.hotmail.com
    16:20:08 [65.55.111.77][58133469] rsp: 250-s05.axentus.se Hello [65.55.111.77] 250-SIZE 104857600 250-AUTH LOGIN CRAM-MD5 250 OK
    16:20:08 [65.55.111.77][58133469] cmd: MAIL FROM:<p-hickss0060@msn.com> SIZE=3679
    16:20:42 [65.55.111.77][58133469] rsp: 250 OK <p-hickss0060@msn.com> Sender ok
    16:20:42 [65.55.111.77][58133469] cmd: RCPT TO:<info@axentus.net>
    16:20:42 [65.55.111.77][58133469] rsp: 250 OK <info@axentus.net> Recipient ok
    16:20:43 [65.55.111.77][58133469] cmd: DATA
    16:20:43 [65.55.111.77][58133469] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
    16:20:43 [65.55.111.77][58133469] rsp: 250 OK
    16:20:43 [65.55.111.77][58133469] Data transfer succeeded, writing mail to 631874957945.eml
    16:20:43 [65.55.111.77][58133469] cmd: QUIT
    16:20:43 [65.55.111.77][58133469] rsp: 221 Service closing transmission channel
    16:20:43 [65.55.111.77][58133469] disconnected at 2009-06-24 16:20:43

    Delivery log:
    16:20:43 [57945] Delivery started for p-hickss0060@msn.com at 16:20:43
    16:21:04 [57945] Starting local delivery to info@axentus.net
    16:21:04 [57945] Delivery for p-hickss0060@msn.com to info@axentus.net has completed (Forwarded Deleted) Filter: None
    16:21:04 [57945] End delivery to info@axentus.net
    16:21:24 [57945] Sending remote mail for p-hickss0060@msn.com
    16:22:21 [57945] Found no MX records for domain: corax.se
    16:22:59 [57945] Found no A records for domain: corax.se
    16:22:59 [57945] Connecting to 209.85.135.27
    16:22:59 [57945] Connection to 209.85.135.27 succeeded
    16:22:59 [57945] RSP: 220 mx.google.com ESMTP j2si5698539mue.12
    16:22:59 [57945] CMD: EHLO s05.axentus.se
    16:22:59 [57945] RSP: 250-mx.google.com at your service, [212.247.113.5]
    16:22:59 [57945] RSP: 250-SIZE 35651584
    16:22:59 [57945] RSP: 250-8BITMIME
    16:22:59 [57945] RSP: 250-ENHANCEDSTATUSCODES
    16:22:59 [57945] RSP: 250 PIPELINING
    16:22:59 [57945] CMD: MAIL FROM:<p-hickss0060@msn.com> SIZE=3841
    16:22:59 [57945] RSP: 250 2.1.0 OK j2si5698539mue.12
    16:22:59 [57945] CMD: RCPT TO:<stig.svensson@gmail.com>
    16:22:59 [57945] RSP: 250 2.1.5 OK j2si5698539mue.12
    16:22:59 [57945] CMD: RCPT TO:<linda.andersson@gmail.com>
    16:22:59 [57945] RSP: 250 2.1.5 OK j2si5698539mue.12
    16:22:59 [57945] CMD: DATA
    16:22:59 [57945] RSP: 354  Go ahead j2si5698539mue.12
    16:22:59 [57945] RSP: 250 2.0.0 OK 1245853378 j2si5698539mue.12
    16:22:59 [57945] CMD: QUIT
    16:22:59 [57945] RSP: 221 2.0.0 closing connection j2si5698539mue.12
    16:22:59 [57945] Connecting to 65.55.92.184
    16:23:00 [57945] Connection to 65.55.92.184 succeeded
    16:23:00 [57945] RSP: 220 snt0-mc4-f44.Snt0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Wed, 24 Jun 2009 07:22:58 -0700
    16:23:00 [57945] CMD: EHLO s05.axentus.se
    16:23:00 [57945] RSP: 250-snt0-mc4-f44.Snt0.hotmail.com (3.8.0.31) Hello [212.247.113.5]
    16:23:00 [57945] RSP: 250-SIZE 29696000
    16:23:00 [57945] RSP: 250-PIPELINING
    16:23:00 [57945] RSP: 250-8bitmime
    16:23:00 [57945] RSP: 250-BINARYMIME
    16:23:00 [57945] RSP: 250-CHUNKING
    16:23:00 [57945] RSP: 250-AUTH LOGIN
    16:23:00 [57945] RSP: 250-AUTH=LOGIN
    16:23:00 [57945] RSP: 250 OK
    16:23:00 [57945] CMD: MAIL FROM:<p-hickss0060@msn.com> SIZE=3841
    16:23:00 [57945] RSP: 250 p-hickss0060@msn.com....Sender OK
    16:23:00 [57945] CMD: RCPT TO:<henke@hotmail.com>
    16:23:00 [57945] RSP: 250 henke@hotmail.com
    16:23:00 [57945] CMD: DATA
    16:23:00 [57945] RSP: 354 Start mail input; end with <CRLF>.<CRLF>
    16:23:01 [57945] RSP: 250 mail from IP 212.247.113.5 soft failed sender ID check. Please ensure this IP is authorized to send mail on behalf of [msn.com]
    16:23:01 [57945] CMD: QUIT
    16:23:01 [57945] RSP: 221 snt0-mc4-f44.Snt0.hotmail.com Service closing transmission channel
    16:23:01 [57945] Connecting to 91.198.169.10
    16:23:01 [57945] Connection to 91.198.169.10 succeeded
    16:23:01 [57945] RSP: 220 mx-f.b-one.net ESMTP
    16:23:01 [57945] CMD: EHLO s05.axentus.se
    16:23:01 [57945] RSP: 250-mx-f.b-one.net
    16:23:01 [57945] RSP: 250-PIPELINING
    16:23:01 [57945] RSP: 250-SIZE 20480000
    16:23:01 [57945] RSP: 250-ETRN
    16:23:01 [57945] RSP: 250-ENHANCEDSTATUSCODES
    16:23:01 [57945] RSP: 250-8BITMIME
    16:23:01 [57945] RSP: 250 DSN
    16:23:01 [57945] CMD: MAIL FROM:<p-hickss0060@msn.com> SIZE=3841
    16:23:01 [57945] RSP: 250 2.1.0 Ok
    16:23:01 [57945] CMD: RCPT TO:<adam@mushin.se>
    16:23:01 [57945] RSP: 250 2.1.5 Ok
    16:23:01 [57945] CMD: DATA
    16:23:01 [57945] RSP: 354 End data with <CR><LF>.<CR><LF>
    16:23:01 [57945] RSP: 250 2.0.0 Ok: queued as 1348E2800209
    16:23:01 [57945] CMD: QUIT
    16:23:01 [57945] RSP: 221 2.0.0 Bye
    16:23:01 [57945] Delivery for p-hickss0060@msn.com to stig.svensson@gmail.com has completed (Delivered)
    16:23:01 [57945] Delivery for p-hickss0060@msn.com to linda.andersson@gmail.com has completed (Delivered)
    16:23:01 [57945] Delivery for p-hickss0060@msn.com to henke@hotmail.com has completed (Delivered)
    16:23:01 [57945] Delivery for p-hickss0060@msn.com to adam@mushin.se has completed (Delivered)

    Please advise!

    Thanks in advance

    Mikaelf

  • 06-26-2009 5:25 AM In reply to

    Re: New bug in Smartermail or new way of sending spam?

    Is there no one who thinks this is interesting?
    Or who has seen this type of thing before?

     

  • 07-03-2009 2:08 AM In reply to

    Re: New bug in Smartermail or new way of sending spam?

    Is there no fix for this?

     

  • 07-03-2009 3:55 AM In reply to

    • Ellis

    Re: New bug in Smartermail or new way of sending spam?

    I'm not a SmarterMail expert, as we are evaluating it for a few days, and I didn't spend too much time in your log, but my 2 cents:

    I'm not sure about other smtp/authentication settings we have, but I found that the "allow relay for local users only" setting allowed anyone trying to send with a local address, even without authentication, to send through our smtp.

    So I set it to "Allow relay : nobody" and it solved the problem, only authenticated users were allowed to use our SMTP.

    Are the other recipients in the CC field? Isn't it a mail to an alias with an external address? (Or a forward?)

     

  • 07-03-2009 8:00 PM In reply to

    Re: New bug in Smartermail or new way of sending spam?

    The problem is the <info@axentus.net> email address.

    The inbound SMTP connection is accepting mail for that address. My guess is that it is an email alias, and that it has these addresses assigned to it:

    stig.svensson@gmail.com
    linda.andersson@gmail.com
    henke@hotmail.com
    adam@mushin.se

    So, here is what happens:

    The mailserver connects to SM and sends an email to info@axentus.net. Since this is a valid email address, SM accepts the email. When SM goes to deliver the message, it finds that it is an email alias, and thus just delivers the message to the listed email addresses. In this case, they are remote addresses, none are local.

    SmarterMail is doing exactly what it is supposed to, delivering the message to the intended email alias.

    Keep in mind that Spam Filtering actions cannot be run on this message, due to it not being delivered to a local mailbox. The message is just being redirected to the 4 addresses listed above.

  • 07-06-2009 12:13 AM In reply to

    Re: New bug in Smartermail or new way of sending spam?

     

    Ellis:

    I'm not a SmarterMail expert, as we are evaluating it for a few days, and I didn't spend too much time in your log, but my 2 cents:

    I'm not sure about other smtp/authentication settings we have, but I found that the "allow relay for local users only" setting allowed anyone trying to send with a local address, even without authentication, to send through our smtp.

    So I set it to "Allow relay : nobody" and it solved the problem, only authenticated users were allowed to use our SMTP.

    Are the other recipients in the CC field? Isn't it a mail to an alias with an external address? (Or a forward?)

     

    We tried it before, but it was not accepted by our users.
    There are too many pages like "Tell a friend" that are going to stop working if we do.
    E.g. http://stupid.ca/tellafriend.asp

     

    Strajk:

    The problem is the <info@axentus.net> email address.

    The inbound SMTP connection is accepting mail for that address. My guess is that it is an email alias, and that it has these addresses assigned to it:

    stig.svensson@gmail.com
    linda.andersson@gmail.com
    henke@hotmail.com
    adam@mushin.se

    So, here is what happens:

    The mailserver connects to SM and sends an email to info@axentus.net. Since this is a valid email address, SM accepts the email. When SM goes to deliver the message, it finds that it is an email alias, and thus just delivers the message to the listed email addresses. In this case, they are remote addresses, none are local.

    SmarterMail is doing exactly what it is supposed to, delivering the message to the intended email alias.

    Keep in mind that Spam Filtering actions cannot be run on this message, due to it not being delivered to a local mailbox. The message is just being redirected to the 4 addresses listed above.

     

    Thanks for your comment.
    You are right! The address is an alias with more than one address. (multiple addresses)
    (I removed them from the log because I did not think they were important.)

    But these email addresses are not in the alias, and that is the problem.

    stig.svensson@gmail.com
    linda.andersson@gmail.com
    henke@hotmail.com
    adam@mushin.se

    So what can we do? As it is now, spam emails like this come through our mail server to Gmail, Hotmail and Yahoo.
    And they don't like it, of course!

    It hit me:
    perhaps the customer had forwarded their email accounts to these addresses.
    What a bummer, it was of course so.

    OK, now we know that the delivery of the mail is correct.
    So how do we stop the spam mail from being delivered to e.g. Yahoo or Hotmail?

     

  • 07-27-2009 1:10 PM In reply to

    Re: New bug in Smartermail or new way of sending spam?

    Hi,

    What you described is NOT a specific SmarterMail bug but an effect of the alias-based forwarding and user-level forwarding.

    In order to stop Spam you have to enable spam checks in Security > Antispam Administration. You should Enable Incoming SMTP Spam Blocking, it may also be useful to Enable Outgoing SMTP Spam Blocking.

    In any case, enabling Incoming SMTP Spam Blocking will hopefully allow the incoming mail to be recognised as spam and be appropriately dealt with (e.g. deleted), thus no forwarding activity should need to ever happen.

    Good luck!
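
The alias and user-level forwarding described in this thread can be spotted from the delivery log alone. The following is an added example, not part of any post and not SmarterTools code: it flags messages that arrived from an external envelope sender for a local mailbox and were then re-sent to remote recipients. The log format is taken from the first post; `LOCAL_DOMAINS` and the function names are assumptions.

```python
import re
from collections import defaultdict

# Abbreviated from the delivery log in the first post of this thread.
SAMPLE_LOG = """\
16:20:43 [57945] Delivery started for p-hickss0060@msn.com at 16:20:43
16:21:04 [57945] Starting local delivery to info@axentus.net
16:21:04 [57945] Delivery for p-hickss0060@msn.com to info@axentus.net has completed (Forwarded Deleted) Filter: None
16:22:59 [57945] CMD: RCPT TO:<stig.svensson@gmail.com>
16:22:59 [57945] CMD: RCPT TO:<linda.andersson@gmail.com>
16:23:00 [57945] CMD: RCPT TO:<henke@hotmail.com>
16:23:01 [57945] CMD: RCPT TO:<adam@mushin.se>
"""

LOCAL_DOMAINS = {"axentus.net"}  # assumption: domains hosted on this server

LINE = re.compile(r"^\d\d:\d\d:\d\d \[(\d+)\] (.*)$")
STARTED = re.compile(r"^Delivery started for (\S+) at ")
LOCAL = re.compile(r"^Starting local delivery to (\S+)$")
RCPT = re.compile(r"^CMD: RCPT TO:<([^>]+)>")


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_external_forwards(log_text, local_domains=LOCAL_DOMAINS):
    """Return one finding per delivery id that re-sent external mail off-server."""
    msgs = defaultdict(lambda: {"sender": None, "local": [], "remote": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg, text = msgs[m.group(1)], m.group(2)
        if (s := STARTED.match(text)):
            msg["sender"] = s.group(1)
        elif (loc := LOCAL.match(text)):
            msg["local"].append(loc.group(1))
        elif (r := RCPT.match(text)) and domain(r.group(1)) not in local_domains:
            msg["remote"].append(r.group(1))
    findings = []
    for msg_id, msg in msgs.items():
        # External envelope sender + local recipient + remote RCPTs = forward/alias fan-out.
        if msg["sender"] and domain(msg["sender"]) not in local_domains \
                and msg["local"] and msg["remote"]:
            findings.append({"id": msg_id, "sender": msg["sender"],
                             "forwarding_mailboxes": msg["local"],
                             "external_targets": msg["remote"]})
    return findings
```

Because the forward keeps the original envelope sender, the receiving servers see this server's IP sending on behalf of msn.com, which matches the soft-failed sender ID response from Hotmail in the log.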
