over 6000 messages in my inbox. swiss cheese security on ME?

Discussions on webmail and the Professional version.
mail_hater

over 6000 messages in my inbox. swiss cheese security on ME?

Post by mail_hater » Thu Oct 21, 2004 3:39 pm

Hello.
I am an extremely concerned user of ME pro. Last night I got over 6000 messages delivered to me from ME saying my mailbox was full. This is the second time it has happened.

While looking through my log files, I see many messages that appear to come from me (but not from my ip address, and of course I didn't send them)

I am curious why ME allows these hackers to relay through my server.

I have followed every KB article multiple times, yet the mail server CONSTANTLY ALLOWS people to abuse this mail server.

Here is what I am talking about, and how come ME gets so slammed by hackers EVERY SINGLE DAY. Do I really have to ditch ME and get a REAL mail server like some esoteric UNIX server?

This is getting ridiculous ... I mean 6000 inbox messages overnight?

In learning how to operate a web server, I can say that admining a mail server is a nightmare. The mail server gets attacked 24 * 7 and I have to spend at least an hour a day adding IPs to access control.

Does ME have a real PRO version that doesn't allow weak ass hackers to totally exploit this machine? Or?

do I need to change ISPs?
do I need to change the IP address of the server?
do I need to get a more secure mail server that actually has working security features?

specifically I have three problems:

I got over 6000 messages in my inbox saying my inbox was full. Did ME crash and go into a loop? Why should ME send 6000+ "mailbox full" messages?

Even though I have "server requires authentication", the server is allowing hackers to send mail FROM my address to various addresses. This happens hundreds of times per day.

I constantly get weird messages back from ME saying it couldn't send a message to some spoofed recipient, even though I know none of my users actually sent the mail.

How can I make sure ME is secure (don't give the same damn links to the KB articles, which apparently do not work)? Does ME plan to fix these problems or should I start shopping?


here are the log files to illustrate why I think ME is not secure and allows hackers to send spam:

legitimate: (ie me sending mail from my pc)
24.18.252.123 220 Whatttttt???? 0 0
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 EHLO EHLO Phreaked 250-websauce.net [24.18.252.123], this server offers 4 extensions 127 15
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 AUTH * 334 UGFzc3dvcmQ6 18 30
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 AUTH *== 235 Authenticated 19 14
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 Requested mail action okay, completed 43 32
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 RSET RSET 250 Requested mail action okay, completed 43 6
10/20/04 11:48:58 SMTP-IN 700 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:48:58 SMTP-IN 700 24.18.252.123 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 Requested mail action okay, completed 43 32
10/20/04 11:48:58 SMTP-IN 441A530E7D0C4939A3EDA9EC6527AE.MAI 700 24.18.252.123 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6

*************************************************************
hack attempts:
10/20/04 11:49:00 SMTP-IN 676 65.88.251.169 HELO HELO breezyhellos.com 250 Requested mail action okay, completed 43 23
10/20/04 11:49:00 SMTP-IN 441A530E7D0C4939A3EDA9EC6527AE.MAI 700 24.18.252.123 QUIT QUIT 221 Service closing transmission channel 42 6
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 CONN 220 ru20.servadmin.com ESMTP Sendmail 8.10.2-SOL3/8.10.2; Wed, 20 Oct 2004 10:46:20 -0500 0 91
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 EHLO EHLO websauce.net 250-ru20.servadmin.com Hello win457.nexpoint.net [128.121.4.57], pleased to meet you 19 217
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=2054 250 2.1.0 <benjamin[at]websauce.net>... Sender ok 46 48
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 2.1.5 <deepthi[at]tnscinc.com>... Recipient ok 32 49
10/20/04 11:49:01 SMTP-IN 676 65.88.251.169 MAIL MAIL FROM:<igxzakthpmxhcveooi.fo[at]web.breezyhellos.com> 250 Requested mail action okay, completed 43 56
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 DATE 250 2.0.0 i9KFkKs30856 Message accepted for delivery 5 54
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI


another hack ....
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 CONN 220 Matrix Racer is here 0 26
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 EHLO EHLO websauce.net 250-bugs2k.com 19 86
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=553 250 Ok 45 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 RCPT RCPT TO: <brinchmann[at]newxxxshows.com> 250 Ok 39 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATE 250 Ok: queued as 43CC81395A 5 30
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 QUIT QUIT 221 Bye 6 9

another hack ...
209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/20/04 00:15:15 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/20/04 00:15:15 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 RCPT RCPT TO: <bounce-575823-551618[at]mail.iatn.net> 250 <bounce-575823-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38

and another hack ....

209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 RCPT RCPT TO: <bounce-577406-551618[at]mail.iatn.net> 250 <bounce-577406-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38
10/21/04 00:15:56 SMTP-IN AE85C79287E742AC9EB397D74158F7.MAI 752 64.49.217.133 QUIT QUIT 221 Service closing transmission channel

and yet another hack ...

SMP209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 RCPT RCPT TO: <bounce-577406-551618[at]mail.iatn.net> 250 <bounce-577406-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38
10/21/04 00:15:56 SMTP-IN AE85C79287E742AC9EB397D74158F7.MAI 752 64.49.217.133 QUIT QUIT 221 Service closing transmission channe


(***********************************


So ... since I have:

allowed mail relay for authenticated users ONLY, why is ME allowing non-authenticated users to relay with ME?

does anyone have a "how to hack ME" manual they want to share so I can see how to lock down this mail server.

Before ME, I RARELY got spam to my address. As soon as I set up ME, every single one of my clients gets crushed with SPAM EVERY SINGLE DAY.

Please ME staff ... what more can I do besides follow the KB articles (which helped a little, but the mail server is CONSTANTLY under attack)?

Am I just f****? Is it par for the course for buying a cheap mail server?

Why is ME allowing so many un-authorized attempts?

Sometimes it makes me wonder if ME wasn't written by spammers so they could have mail servers to abuse across the planet.

ME works great, except I might as well have opted in on every porn site on the planet. Every day I add about 20 more IP addresses of people who get by ME security (ie they don't provide authentication credentials but ME allows them to send mail from MY address to any number of bogus addresses).

then I get around 50 "message could not be delivered" messages per day .. etc

I have run symantec security check on my machine and the server ....
reported to be virus free ....

What can I do to end this madness? (aside from changing mail servers)
Is there an advanced, how to protect ME from abuse?

I have:
enabled reverse DNS blacklisting (which unfortunately blocks a lot of legitimate mail from stupid newbies who use AOL or Earthlink)

checked SMTP authentication

Block IP address from Headers

use Alternate Welcome Message ...

I mean .. jesus ... all I want to do is have an email server that FORCES people to authenticate. and what use is a mail server that doesn't relay? How would you send mail to anyone outside the server?
Please advise on what I can do ...

I'm super frustrated, have followed the well written but not useful KB articles multiple times .. and still ... I have to use my shitty hotmail address cause it doesn't have 6345 messages in the inbox ....

What can I do if I need to be a total mail server fascist?
How can I trace where the hackers are accessing my machine to send spam? Any backdoors I need to close? And also, finally, how can I figure out who is sending me 6000+ messages causing my inbox to be full in less than 24 hours ...

Is there a 3rd party program that can prescreen connections to the mail server, and/or is there a REAL professional version of ME available so that I don't have to spend an hour a day doing its security for it?

mail_hater

just for clarification ...

Post by mail_hater » Thu Oct 21, 2004 4:12 pm

I'm not ruling out that I am confused about mail servers, how to secure them, or that it's my fault ...

I'd just like to know how I can fix this most serious problem.

thanks for any help or suggestions ...

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Re: over 6000 messages in my inbox. swiss cheese security on

Post by jorune » Thu Oct 21, 2004 4:21 pm

mail_hater wrote:Hello.
I am an extremely concerned user of ME pro. Last night I got over 6000 messages delivered to me from ME saying my mailbox was full. This is the second time it has happened.
Not the first time I've seen a post like this. :D
While looking through my log files, I see many messages that appear to come from me (but not from my ip address, and of course I didn't send them)
Have you ever heard of a "joe job"? My first thought when reading that sentence was a "joe job". I'm not saying that's what happened but you can read about it here: http://en.wikipedia.org/wiki/Joe_job
I am curious why ME allows these hackers to relay through my server.
MailEnable only does what you tell it to do. If you configure it to relay then that's what it will do. Don't blame the product for faulty administration.
I have followed every KB article multiple times, yet the mail server CONSTANTLY ALLOWS people to abuse this mail server.
Again, are you sure that's what is happening here?
Here is what I am talking about and how come ME gets so slammed by hackers EVERY SINGLE DAY.


I don't think MailEnable is singled out by hackers. Many mail servers on the market today are "attacked" and compromised due to weaknesses. MailEnable is no different. However, knowing how to administer your system and protect it from abuse is the first step.
DO I really have to ditch ME and get a REAL mail server like some esoteric UNIX server?
Probably not the best question to ask around here on the MailEnable Forum board. :D Ultimately that's up to you. But based on your hysterical post here, I would suspect you might have similar problems with your next "real" mail server.
This is getting ridiculous ... I mean 6000 inbox messages overnight?
6000 bounced messages? I suspect you were victim of a "joe job" - but that's just my opinion. You'll have to determine that for yourself by checking the logs, verifying that you are getting bounced messages from various domains and making sure the IP responsible is not your own.
In learning how to operate a web server, I can say that admining a mail server is a nightmare. The mail server gets attacked 24 * 7 and I have to spend at least an hour a day adding IPs to access control.
Adding IPs to your access control manually is - in my opinion - the wrong approach. There is an Auto-Ban feature that allows MailEnable to ban "bad" mail servers that issue bad commands over and over again.
Does ME have a real PRO version that doesn't allow weak ass hackers to totally exploit this machine? Or?
MailEnable Standard (free), MailEnable Professional, and MailEnable Enterprise (not available for sale yet) are the versions currently available.
do I need to change ISPs?
Seems rather drastic to consider at this point. But always a possibility.
do I need to change the IP address of the server?
Doubtful.
do I need to get a more secure mail server that actually has working security features?
MailEnable comes with a plethora of security features. Reading the manual and understanding how they work and then applying them to your particular environment is the first step. This is something you would do for any mail server on the market today.
I got over 6000 messages in my inbox saying my inbox was full. Did ME crash and go into a loop? Why should ME send 6000+ "mailbox full" messages?
The answer to that question is in your SMTP logs. Find out what caused this to happen by studying and understanding the logs. That's what they are there for.
Even though I have "server requires authentication", the server is allowing hackers to send mail FROM my address to various addresses. This happens hundreds of times per day.
Spam organizations and spam gangs routinely forge FROM: addresses. This is called SPOOFING and there is little you can do about it - except protect your domain by adding an SPF record. That isn't to say that somebody compromised your server, but I doubt it based on what you have posted thus far.
I constantly get weird messages back from ME saying it couldn't send a message to some spoofed recipient, even though I know none of my users actually sent the mail.
See the "joe job" information I posted above. It's likely you were the victim of this attack. But you'll have to make that determination on your own after you have studied the issue carefully.
How can I make sure ME is secure (don't give the same damn links to the KB articles, which apparently do not work)? Does ME plan to fix these problems or should I start shopping?
I'm not entirely sure the problem is with MailEnable. No links for you, as you requested. :D

here are the log files to illustrate why I think ME is not secure and allows hackers to send spam:

legitimate: (ie me sending mail from my pc)
24.18.252.123 220 Whatttttt???? 0 0
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 EHLO EHLO Phreaked 250-websauce.net [24.18.252.123], this server offers 4 extensions 127 15
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 AUTH * 334 UGFzc3dvcmQ6 18 30
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 AUTH *== 235 Authenticated 19 14
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 Requested mail action okay, completed 43 32
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 RSET RSET 250 Requested mail action okay, completed 43 6
10/20/04 11:48:58 SMTP-IN 700 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:48:58 SMTP-IN 700 24.18.252.123 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 Requested mail action okay, completed 43 32
10/20/04 11:48:58 SMTP-IN 441A530E7D0C4939A3EDA9EC6527AE.MAI 700 24.18.252.123 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6

*************************************************************
hack attempts:
10/20/04 11:49:00 SMTP-IN 676 65.88.251.169 HELO HELO breezyhellos.com 250 Requested mail action okay, completed 43 23
10/20/04 11:49:00 SMTP-IN 441A530E7D0C4939A3EDA9EC6527AE.MAI 700 24.18.252.123 QUIT QUIT 221 Service closing transmission channel 42 6
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 CONN 220 ru20.servadmin.com ESMTP Sendmail 8.10.2-SOL3/8.10.2; Wed, 20 Oct 2004 10:46:20 -0500 0 91
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 EHLO EHLO websauce.net 250-ru20.servadmin.com Hello win457.nexpoint.net [128.121.4.57], pleased to meet you 19 217
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=2054 250 2.1.0 <benjamin[at]websauce.net>... Sender ok 46 48
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 RCPT RCPT TO: <deepthi[at]tnscinc.com> 250 2.1.5 <deepthi[at]tnscinc.com>... Recipient ok 32 49
10/20/04 11:49:01 SMTP-IN 676 65.88.251.169 MAIL MAIL FROM:<igxzakthpmxhcveooi.fo[at]web.breezyhellos.com> 250 Requested mail action okay, completed 43 56
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI 728 12.158.190.120 DATE 250 2.0.0 i9KFkKs30856 Message accepted for delivery 5 54
10/20/04 11:49:01 SMTP-OU 295B187925834197B365509A66DE2A.MAI


another hack ....
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 CONN 220 Matrix Racer is here 0 26
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 EHLO EHLO websauce.net 250-bugs2k.com 19 86
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=553 250 Ok 45 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 RCPT RCPT TO: <brinchmann[at]newxxxshows.com> 250 Ok 39 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATE 250 Ok: queued as 43CC81395A 5 30
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 QUIT QUIT 221 Bye 6 9

another hack ...
209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/20/04 00:15:15 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/20/04 00:15:15 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 RCPT RCPT TO: <bounce-575823-551618[at]mail.iatn.net> 250 <bounce-575823-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38

and another hack ....

209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 RCPT RCPT TO: <bounce-577406-551618[at]mail.iatn.net> 250 <bounce-577406-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38
10/21/04 00:15:56 SMTP-IN AE85C79287E742AC9EB397D74158F7.MAI 752 64.49.217.133 QUIT QUIT 221 Service closing transmission channel

and yet another hack ...

SMP209.61.134.116 CONN 220 mail.iatn.net ESMTP Lyris ListManager service ready 0 57
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 EHLO EHLO websauce.net 250-mail.iatn.net Hello websauce.net [128.121.4.57], pleased to meet you 19 88
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 <benjamin[at]websauce.net>... Sender ok 36 42
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 RCPT RCPT TO: <bounce-577406-551618[at]mail.iatn.net> 250 <bounce-577406-551618[at]mail.iatn.net>... Recipient ok, message is bounce mail 47 82
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATA DATA 354 Enter mail, end with "." on a line by itself 6 50
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 DATE 250 Errormail message accepted. 5 33
10/21/04 00:15:37 SMTP-OU 5BF190CF20447E998D0AA17456F5.MAI 496 209.61.134.116 QUIT QUIT 221 mail.iatn.net closing connection 6 38
10/21/04 00:15:56 SMTP-IN AE85C79287E742AC9EB397D74158F7.MAI 752 64.49.217.133 QUIT QUIT 221 Service closing transmission channe


(***********************************
I don't see any evidence that anyone was hacking your machine. Hacking usually implies someone is trying to compromise the machine by gaining access to an account or creating their own account. What I see above is standard SMTP traffic. Looks like your mail server was sending the "inbox is full" back to the bounced account that initially received a forged SPAM message. This forged spam message probably had your domain in the FROM: address.


So ... since I have:

allowed mail relay for authenticated users ONLY, why is ME allowing non-authenticated users to relay with ME?
Do you have any privileged IP addresses defined? This would be the only way I would know that someone could relay without authenticating.
does anyone have a "how to hack ME" manual they want to share so I can see how to lock down this mail server.
:D LOL. Uh - I don't think so.
Before ME, I RARELY got spam to my address. As soon as I set up ME, every single one of my clients gets crushed with SPAM EVERY SINGLE DAY.
That's unfortunate. I'm certain that if you take some time to study the issue you'll find out the cause of the problem.
Please ME staff ... what more can I do besides follow the KB articles (which helped a little, but the mail server is CONSTANTLY under attack)?
I'm not support staff, just a poster here on this forum board. If you require actual support, you have to go through the MailEnable official support system.
Am I just f****? Is it par for the course for buying a cheap mail server?
MailEnable is a cheap solution to mail that offers a lot of functionality. I have over 80 domains and 500 email accounts and handle about 500 - 700 legitimate messages per day. So far I'm very happy with my choice to use MailEnable. And it's continuing to improve with each release version.
Why is ME allowing so many un-authorized attempts?
You keep asking this question and I urge you to verify that this is what is actually happening.
Sometimes it makes me wonder if ME wasn't written by spammers so they could have mail servers to abuse across the planet.
This is a ridiculous comment.
ME works great, except I might as well have opted in on every porn site on the planet. Every day I add about 20 more IP addresses of people who get by ME security (ie they don't provide authentication credentials but ME allows them to send mail from MY address to any number of bogus addresses).
Adding IP's of what, exactly?
then I get around 50 "message could not be delivered" messages per day .. etc
Could not be delivered to where, though? Like I said above, maybe you are a victim of a "joe job" and your mail server was trying to send messages to an invalid mail server or account.
I have run symantec security check on my machine and the server ....
reported to be virus free ....
Great!
What can I do to end this madness? (aside from changing mail servers)
Is there an advanced, how to protect ME from abuse?
I hate to say this, but I would suspect you would have the same problems. But who knows, maybe changing mail servers is the best course of action for you.
I have:
enabled reverse DNS blacklisting (which unfortunately blocks a lot of legitimate mail from stupid newbies who use AOL or Earthlink)
Which blacklists are you using? Using Reverse DNS blacklisting isn't something you should just "Turn ON". Check which lists you want to use based on your environment. Some blacklists are designed to block entire ISPs (like AOL or rr.com) while others use a more sound policy of blocking only spam and open relay servers.
checked SMTP authentication

Block IP address from Headers

use Alternate Welcome Message ...

I mean .. jesus ... all I want to do is have an email server that FORCES people to authenticate. and what use is a mail server that doesn't relay? How would you send mail to anyone outside the server?
Please advise on what I can do ...
The only way to send mail off your server is by allowing relay. Allowing relay in a secure manner is how most MailEnable systems are configured. Doing this by authentication and privileged IPs is the best and most secure way to handle relay.
I'm super frustrated, have followed the well written but not useful KB articles multiple times .. and still ... I have to use my shitty hotmail address cause it doesn't have 6345 messages in the inbox ....
It does sound like you are frustrated. But posting this rant on the forum board isn't going to get you what you need.
What can I do if I need to be a total mail server fascist?
I don't understand what this means.
How can I trace where the hackers are accessing my machine to send spam? Any backdoors I need to close? And also, finally, how can I figure out who is sending me 6000+ messages causing my inbox to be full in less than 24 hours ...
Logs. Learn to read and understand the logs. This is your only way of tracing and understanding the problem.
Is there a 3rd party program that can prescreen connections to the mail server, and/or is there a REAL professional version of ME available so that I don't have to spend an hour a day doing its security for it?
Yes there are 3rd party programs. But I think you need to calm down first and address the issues you have at hand before applying more software to your mail server.

Good luck!

-Johnny
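The advice above is to read the logs rather than guess. As an added example, not part of jorune's post and not MailEnable's own code, here is a small Python triage script over log lines laid out like the MailEnable SMTP activity log quoted in the thread (date, time, direction, optional message id, session id, peer IP, verb, full command, response). The sample lines are constructed: addresses use a real @ instead of the forum's [at]; the RCPT line for the breezyhellos.com session and the whole of sessions 677 and 678 are invented so that a genuine unauthenticated relay and a forged local sender appear next to the poster's own authenticated session 700. LOCAL_DOMAINS and PRIVILEGED_IPS are assumptions for the example.

```python
"""Triage a MailEnable-style SMTP activity log for the three things argued about in the
thread: (1) a real open relay, i.e. an unauthenticated, non-privileged peer getting 250 on
RCPT TO for a foreign domain; (2) inbound mail with a forged local sender (spoofing, which
involves no relaying); (3) the server's own outbound deliveries to mailing-list bounce
addresses (the "mailbox full" notices going back out, i.e. backscatter).
Added example; not MailEnable code. The field layout is inferred from the quoted log lines:
date time direction [message-id] session-id peer-ip verb full-command response-text ..."""
import re
from collections import defaultdict

LOCAL_DOMAINS = {"websauce.net"}   # domains hosted on this server (assumption for the example)
PRIVILEGED_IPS = set()             # peers allowed to relay without AUTH; empty means none

ADDR_RE = re.compile(r"<([^>\s]+@[^>\s]+)>")   # first <user@domain> in the command/response
CODE_RE = re.compile(r"\s(\d{3})[\s-]")        # first 3-digit SMTP reply code


def parse_line(line):
    """Split one log line into its fields; None for lines that do not fit the layout."""
    t = line.split()
    if len(t) < 6 or not t[2].upper().startswith("SMTP-"):
        return None
    i, msgid = 3, None
    if t[i].upper().endswith(".MAI"):      # message-id column appears only once a message exists
        msgid, i = t[i], i + 1
    session, ip, verb = t[i], t[i + 1], t[i + 2].upper()
    rest = " ".join(t[i + 3:])
    code = CODE_RE.search(" " + rest)
    addr = ADDR_RE.search(rest)
    return {"dir": t[2].upper(), "msgid": msgid, "session": session, "ip": ip, "verb": verb,
            "code": int(code.group(1)) if code else None,
            "addr": addr.group(1).lower() if addr else None}


def triage(log_text):
    """Walk the log session by session and collect findings by category."""
    authed = defaultdict(bool)   # session id -> saw "235 Authenticated"
    sender = {}                  # session id -> last accepted MAIL FROM
    out = {"relay": [], "spoofed_inbound": [], "outbound_bounces": []}
    for raw in log_text.splitlines():
        r = parse_line(raw)
        if r is None:
            continue
        s, verb, code, addr = r["session"], r["verb"], r["code"], r["addr"]
        if r["dir"] == "SMTP-IN":
            if verb == "AUTH" and code == 235:
                authed[s] = True
            elif verb == "RSET":
                sender.pop(s, None)
            elif verb == "MAIL" and code == 250:
                sender[s] = addr
            elif verb == "RCPT" and code == 250 and addr:
                rcpt_dom = addr.rsplit("@", 1)[1]
                from_dom = (sender.get(s) or "@").rsplit("@", 1)[1]
                if rcpt_dom not in LOCAL_DOMAINS:
                    # Accepted for a foreign domain: legitimate only after AUTH or from a
                    # privileged IP. Anything else is the open relay the poster fears.
                    if not authed[s] and r["ip"] not in PRIVILEGED_IPS:
                        out["relay"].append((s, r["ip"], sender.get(s), addr))
                elif from_dom in LOCAL_DOMAINS and not authed[s]:
                    # Local mailbox, local sender, peer never authenticated: a forged
                    # envelope sender. SMTP does not verify MAIL FROM; nothing was relayed.
                    out["spoofed_inbound"].append((s, r["ip"], sender.get(s), addr))
        elif r["dir"] == "SMTP-OU" and verb == "RCPT" and code == 250 and addr:
            # Our server delivering to a list's bounce address: our own bounce notice
            # going back out (backscatter), not an intruder relaying through us.
            if addr.split("@", 1)[0].startswith("bounce-"):
                out["outbound_bounces"].append((s, r["ip"], addr))
    return out


# Constructed sample modelled on the lines quoted in the thread. Session 700 is the poster's
# own authenticated submission; 676 is inbound spam (its RCPT line is invented); 677 and 678
# are invented to show a genuine relay and a forged local sender; 708 is the outbound bounce.
SAMPLE_LOG = """\
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 EHLO EHLO Phreaked 250-websauce.net [24.18.252.123], this server offers 4 extensions 127 15
10/20/04 11:48:56 SMTP-IN 700 24.18.252.123 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 AUTH *== 235 Authenticated 19 14
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 MAIL MAIL FROM: <benjamin@websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:48:57 SMTP-IN 700 24.18.252.123 RCPT RCPT TO: <deepthi@tnscinc.com> 250 Requested mail action okay, completed 43 32
10/20/04 11:49:00 SMTP-IN 676 65.88.251.169 HELO HELO breezyhellos.com 250 Requested mail action okay, completed 43 23
10/20/04 11:49:01 SMTP-IN 676 65.88.251.169 MAIL MAIL FROM:<igxzakthpmxhcveooi.fo@web.breezyhellos.com> 250 Requested mail action okay, completed 43 56
10/20/04 11:49:01 SMTP-IN 676 65.88.251.169 RCPT RCPT TO: <benjamin@websauce.net> 250 Requested mail action okay, completed 43 32
10/20/04 11:49:05 SMTP-IN 677 198.51.100.7 MAIL MAIL FROM: <benjamin@websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:49:05 SMTP-IN 677 198.51.100.7 RCPT RCPT TO: <someone@example.net> 250 Requested mail action okay, completed 43 32
10/20/04 11:49:09 SMTP-IN 678 203.0.113.9 MAIL MAIL FROM: <benjamin@websauce.net> 250 Requested mail action okay, completed 43 36
10/20/04 11:49:09 SMTP-IN 678 203.0.113.9 RCPT RCPT TO: <benjamin@websauce.net> 250 Requested mail action okay, completed 43 32
10/20/04 00:15:15 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 MAIL MAIL FROM: <benjamin@websauce.net> 250 <benjamin@websauce.net>... Sender ok 36 42
10/20/04 00:15:16 SMTP-OU 3DBD8F4E15847E0BF20575238BB0.MAI 708 209.61.134.116 RCPT RCPT TO: <bounce-575823-551618@mail.iatn.net> 250 <bounce-575823-551618@mail.iatn.net>... Recipient ok, message is bounce mail 47 82
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(f"{kind}: {len(hits)}")
        for h in hits:
            print("   ", h)
```

Run against the real activity log, an empty "relay" list is the answer to "why is ME allowing non-authenticated users to relay": nothing in the quoted sessions is a relay, because the only 250 on RCPT TO a foreign domain comes after "235 Authenticated". Entries in "spoofed_inbound" and "outbound_bounces" are the joe-job pattern jorune describes: forged envelope senders arriving from elsewhere, and the server's own bounces going back out. If "relay" is non-empty, the peer IP in the finding is what to compare against the privileged-IP list.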

mail_hater

aggreed ..

Post by mail_hater » Thu Oct 21, 2004 4:53 pm

yeah . I am confused and frustrated. I agree that no program can make the admin understand how to use it. I did however RTFM about 10 times, review the KB articles at least five times, and still problems continue. Maybe the programmers should read the docs to see if the product actually does what it claims?

Most of my problems are probably coming from mis-configuration. I just find it odd that a mail server would be SOOO tough to keep from being abused. I've spent weeks reading the forums and KB articles ... only to always give up as no change of settings seems to help. I always get referred to the KB articles, which I follow (including screenshots) ... and then I hit a dead end as there are no suggestions beyond KB articles of how to secure ME. At this point, it would have been cheaper to shell out the cash for a more industrial mail server AND hire a technician to run it ... I spend far too much time tweaking ME, and just keep getting rocked with spam and unauthorized attempts.

I'm gonna take a break and cool it for a while ...
I'll read through your post very carefully and see if I can find anything helpful.

anyways the 6000+ messages are STILL downloading ...

gonna go use my sh**tty hotmail account, cause at least I can always send and receive with that crappy program.

for the most part ME is awesome. never really crashes, well written KB articles.

it's just the thousands of spams and un-authorized relays every month that causes me concern.

I may end up contacting ME support directly and pay them to "configure" this correctly if they are interested. 3 hours into my day ... and still trying to "secure" this mail server from abuse. I can't afford to spend half of my day every day figuring out why ME didn't read its own instructions.


again .. I'm not ruling out that:

A) I'm an idiot
B) I missed a hidden KB article and a secure server is only a check box away
C) I don't really know much about mail servers (except for working with ME)


I'm just a web developer who USED to spend most of the time writing code, and now I spend FAR TOO MUCH time reading and re-reading ME KB articles to see why this server gets attacked DAILY.


I'll check back later to see if anyone has successfully solved this problem, (once I can define what the problem actually is, besides
ME allows un-authorized users to relay
and
I have 6000+ messages in inbox indicating mailbox is full
)


If there is anybody out there that thinks this is an elementary setting problem and/or has fixed this before, let me know via email (if it works). Maybe we can work out a payment situation to fix this ...

I'm out of time and patience as this is at least the third forum post I've made, and after following suggestions from kind users ... still am in same situation.

mail_hater

re-read the KB's ... and chill ... yes.

Post by mail_hater » Thu Oct 21, 2004 5:07 pm

Johnny,
thanks for taking the time to read my psycho post. I'll do as you suggest and:

1) chill out
2) re-read the manual and KB articles
3) take another look at log files to see whats happening
(I've actually learned a bit about mail log files by having ME)

Like I said, not sure that a new mail server would fix this issue, but I sure would like to know how to "secure" this mail server from abuse, aside from following the KB articles.

I'll put another post later with step by step, calmly written procedures on what I think my problem is and what steps according to KB articles I have taken (although I have done this multiple times before) to fix the problem.

Perhaps that will get me more help than just losing my cool on a forum.

thanks for taking the time to respond to my confused freaked out post.

I'll try to remain more calm in the future ...

it's just hard when you have 6357 messages in your inbox ....


ps.

my address is:
benjamin[at]websauce.net in case any one wants to contact me offline or just yell at me for being a frustrated dweeb.


many thanks.

jorune
Posts: 174
Joined: Fri Jul 02, 2004 5:05 pm
Location: Chicago, IL

Post by jorune » Thu Oct 21, 2004 5:45 pm

I'll put another post later with step by step, calmly written procedures on what I think my problem is and what steps according to KB articles I have taken (

That sounds like a good first step. Try to gather as much information as you can and then formulate what you think the problem is, and then post about it here. This should help you get the information you need from the community here.

Leave out the remarks and other comments, and that will help too. :lol:

Good luck!

-Johnny

MrByte
Posts: 663
Joined: Tue Nov 11, 2003 5:33 pm
Location: Florida, USA

Re: agreed ..

Post by MrByte » Thu Oct 21, 2004 7:00 pm

mail_hater wrote: maybe the programmers should read the docs to see if the product actually does what it claims?
well...errr. I have been using ME Pro for over a year now, and never had the issues you say. Luck? don't think so, because I have a whole plethora of attempts going against my server..... so, I believe, the server does what it claims.
Most of my problems are probably coming from mis-configuration.
Hopefully yes.......

Also, have you, just for the sake of it, tried changing password on your account?

From the logs, it appears as if the sender was authenticated, but that might be a wrong interpretation.
You definitely would have to check the SMTP Relaying options:
- On the Relay tab:
- Allow Mail Relay: checked
- Allow e-mail for Authentication: checked. In the Auth Method Button, the first option should be selected.
- Allow Relay for Privileged IPs: NOT checked unless you have good reason for it
- Allow Relay for local sender addresses: NOT CHECKED


STOP the SMTP service and then Start again.

With these settings, if someone is relaying through your system, he is doing it as an authenticated user, meaning he has a User/Password that is valid/active on your ME server.

Good Luck
.MrByte

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Thu Oct 21, 2004 8:32 pm

A simple test to determine if your server is secured can be done at http://www.mailenable.com/tools.

Typically, once the server has been configured/secured, there should be little to do other than periodically inspect the logs of the server to ensure the servers integrity.

There are no known security issues with respect to current releases of MailEnable products. A correctly secured server should only be able to be compromised for relay through use of a known password.

I noticed that you posted your e-mail address onto the forum. I edited the address to prevent spam crawlers from adding it to their lists. You're probably best to avoid publishing your actual address (or anyone else's) on web pages. Also, your passwords were posted as base 64 strings from the MailEnable logs - this would allow others to decode your password and abuse your server. I also removed those, but you may want to change your password as a precaution.

In this instance, it seems that you have received a large amount of mail addressed to your own local addresses (probably because it has been added to a spam bomb list).

You probably have had enough to read, but the ASTA proposal provides some useful guidelines for protecting servers from abuse. http://postmaster.aol.com/asta/proposal_html.html

Without reviewing the logs, I would suggest that you ensure the following:

1. You are running the current release
2. You disable any unused catch-all addresses
3. Ensure you provide a minimal number of mailbox autoresponder or redirection messages.
4. Review each of:

a) Reverse DNS Blacklisting
b) Turn on settings for requiring PTR records
c) Blocking senders after too many failed commands
d) use SMTP access control to block chronic abuse address ranges by inspecting logs

You should only need to take this initiative once. Once a policy has been formulated around the above, it should see you out.
Regards, Andrew

confused.

SMTP settings ...

Post by confused. » Thu Oct 21, 2004 8:49 pm

I have privileged IPs checked and set to both the IP of the machine and 127.0.0.1 so ColdFusion can use the mail server.

the other settings match what you suggest.

maybe I don't understand log file format ...
ie

this is what I expect to see when authenticated user sends mail:

10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 EHLO EHLO Phreaked 250-websauce.net [24.18.252.123], this server offers 4 extensions 127 15
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 AUTH YmVuamFtaW5Ad2Vic2F1Y2UubmV0 334 UGFzc3dvcmQ6 18 30
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 AUTH *== 235 Authenticated 19 14
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 RCPT RCPT TO: <JAlvarez[at]westerncollege.com> 250 Requested mail action okay, completed 43 40
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 RSET RSET 250 Requested mail action okay, completed 43 6
10/21/04 16:28:53 SMTP-IN 464 24.18.252.123 MAIL MAIL FROM: <benjamin[at]websauce.net> 250 Requested mail action okay, completed 43 36
10/21/04 16:28:54 SMTP-IN 464 24.18.252.123 RCPT RCPT TO: <JAlvarez[at]westerncollege.com> 250 Requested mail action okay, completed 43 40
10/21/04 16:28:54 SMTP-IN DBB23C1D11F541EC8F416446A269C2.MAI 464 24.18.252.123 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
10/21/04 16:28:56 SMTP-IN DBB23C1D11F541EC8F416446A269C2.MAI 464 24.18.252.123 QUIT QUIT 221 Service closing transmission channel 42 6
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 CONN 220 corpnt1.westerncollege.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2650.21) ready 0 106
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 EHLO EHLO websauce.net 250-corpnt1.westerncollege.com Hello [win457.nexpoint.net] 19 146
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=2850 250 OK - mail from <benjamin[at]websauce.net>; can accomodate 2850 bytes 46 71
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 RCPT RCPT TO: <JAlvarez[at]westerncollege.com> 250 OK - Recipient <JAlvarez[at]westerncollege.com> 40 50
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 DATA DATA 354 Send data. End with CRLF.CRLF 6 36
10/21/04 16:28:57 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 DATE 250 OK 5 8
10/21/04 16:28:58 SMTP-OU 78BE237BC5244AF789A54C3AAF083.MAI 672 216.135.169.25 QUIT QUIT 221 closing connection 6


versus what I'd consider not right, or at least a message I didn't send:
SMTP OU means it got sent right?

217.107.216.20 CONN 220 Matrix Racer is here 0 26
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 EHLO EHLO websauce.net 250-bugs2k.com 19 86
10/20/04 10:45:43 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 MAIL MAIL FROM: <benjamin[at]websauce.net> SIZE=553 250 Ok 45 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 RCPT RCPT TO: <brinchmann[at]newxxxshows.com> 250 Ok 39 8
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATA DATA 354 End data with <CR><LF>.<CR><LF> 6 37
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 DATE 250 Ok: queued as 43CC81395A 5 30
10/20/04 10:45:44 SMTP-OU 39F7DE32CCA34B1EAF6B3F18EDFF14.MAI 724 217.107.216.20 QUIT QUIT 221 Bye 6 9


I'm sure it's my misunderstanding of how mail servers/mail enable work versus mailenable not working, but it doesn't seem like it should allow things like the second log post to happen (if it happened)

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Thu Oct 21, 2004 8:59 pm

This looks like someone is relaying mail through your server.
You need to find the corresponding SMTP-IN transaction to match this SMTP-OU transaction. You can do this by searching the log for the recipient address brinchmann[at]newxxxshows.com. This will allow you to determine how the message came in and who it was addressed to. You then need to ensure that mail sent to that address is not bouncing or if there is an issue with the mailbox.

Also, per my earlier post - you probably should avoid using real e-mail addresses and passwords in unsecured forums.
Regards, Andrew

a little less confused

thank you ...

Post by a little less confused » Thu Oct 21, 2004 9:02 pm

thanks everyone for the tips, and I'll continue to read these docs and then post a little later.

confused

thanks andrew ...

Post by confused » Thu Oct 21, 2004 9:04 pm

sorry, posted again, before I saw your post.
uhh ... can I edit the old posts to make them safe?

confused

relay attempt ..

Post by confused » Thu Oct 21, 2004 9:12 pm

I see that the message came in to another user on a different mailbox.

43 43
10/20/04 10:45:18 SMTP-IN 728 80.181.67.96 MAIL MAIL FROM:<brinchmann@newxxxshows.com> 250 Requested mail action okay, completed 43 40
10/20/04 10:45:21 SMTP-IN 728 80.181.67.96 RCPT RCPT TO:<vince@singingmechanic.com> 250 Requested mail action okay, completed 43 37
10/20/04 10:45:22 SMTP-IN B80B2A6C13C34234B4360D6DF11B4.MAI 728 80.181.67.96 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
10/20/04 10:45:25 SMTP-IN B80B2A6C13C34234B4360D6DF11B4.MAI 728 80.181.67.96 QUIT QUIT 221 Service closing transmission channel 42 6
10/20/04 10:45:43 SMTP-OU

I checked that mailbox, and it didn't have any forwarding or other stuff on it. It was full though. What I don't get is why someone sending a message to another mailbox is making it appear like mail is being sent from my address?

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable » Thu Oct 21, 2004 9:35 pm

Most probably this:

1. Messages sent by spammer to mailbox to ensure that it is full. Can be done by mailing a single 5 MB video file to the mailbox.

2. Mailbox will send mailbox full messages back to the sender (if in fact you have configured quota notifications to do this).

3. The spammer sends a message to the now full mailbox's e-mail address using a fake/forged from address. The from address in this case would be the e-mail address of the person they want to get the spam message.

4. The message bounces and is returned to the forged sender address, effectively giving them a message that originated from your server, addressed from your postmaster address.

The solution is to review quota usage and the action taken when quotas are exceeded. (MMC - Connectors|postoffice|properties)
Regards, Andrew
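Andrew's two diagnostic steps in this thread, matching an SMTP-OU transaction back to the SMTP-IN transaction whose sender is the outbound recipient, and the four-step bounce loop in the post just above, can be automated over the log instead of searched by hand. The Python below is an added example written for this page; it is not MailEnable code and not anything posted in the thread. It infers the log layout from the lines quoted earlier (date, time, SMTP-IN or SMTP-OU, optional .MAI file name, session number, IP, command, echoed command and reply), which is an assumption about the format; the local-domain set, the five-minute pairing window and the sample log lines are constructed for the example, using documentation-reserved addresses and the session numbers from the thread. It also decodes the base64 username from an AUTH LOGIN line, which makes Andrew's earlier warning concrete: what the log records is encoding, not protection.

```python
import base64
import re
from datetime import datetime, timedelta

# Assumption: the domains this server hosts; adjust to your own postoffices.
LOCAL_DOMAINS = {"example.com", "example.org"}

# Layout inferred from the thread's log lines (an assumption about the format):
# date time direction [message.MAI] session ip command echo-and-reply bytes bytes
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<dir>SMTP-IN|SMTP-OU) "
    r"(?:(?P<msg>\S+\.MAI) )?(?P<sess>\d+) (?P<ip>[\d.]+) (?P<cmd>\S+) ?(?P<rest>.*)$")
ADDR_RE = re.compile(r"<([^>]+)>")
CODE_RE = re.compile(r"(?:^|\s)(\d{3})(?:[ -]|$)")  # first SMTP reply code on the line

# Constructed sample: an authenticated submission (sessions 464 -> 672) and a
# forged-sender message to a local mailbox that produced an outbound bounce
# (sessions 728 -> 724).  All addresses are documentation placeholders.
SAMPLE_LOG = """\
10/21/04 16:28:53 SMTP-IN 464 203.0.113.10 AUTH dXNlckBleGFtcGxlLmNvbQ== 334 UGFzc3dvcmQ6 18 30
10/21/04 16:28:53 SMTP-IN 464 203.0.113.10 AUTH *== 235 Authenticated 19 14
10/21/04 16:28:53 SMTP-IN 464 203.0.113.10 MAIL MAIL FROM: <user@example.com> 250 Requested mail action okay, completed 43 36
10/21/04 16:28:53 SMTP-IN 464 203.0.113.10 RCPT RCPT TO: <jane@partner.example> 250 Requested mail action okay, completed 43 40
10/21/04 16:28:57 SMTP-OU 4F3A.MAI 672 198.51.100.25 MAIL MAIL FROM: <user@example.com> SIZE=2850 250 OK 46 71
10/21/04 16:28:57 SMTP-OU 4F3A.MAI 672 198.51.100.25 RCPT RCPT TO: <jane@partner.example> 250 OK 40 50
10/20/04 10:45:18 SMTP-IN 728 192.0.2.66 MAIL MAIL FROM:<victim@spamtarget.example> 250 Requested mail action okay, completed 43 40
10/20/04 10:45:21 SMTP-IN 728 192.0.2.66 RCPT RCPT TO:<vince@example.org> 250 Requested mail action okay, completed 43 37
10/20/04 10:45:43 SMTP-OU 39F7.MAI 724 192.0.2.200 MAIL MAIL FROM: <user@example.com> SIZE=553 250 Ok 45 8
10/20/04 10:45:44 SMTP-OU 39F7.MAI 724 192.0.2.200 RCPT RCPT TO: <victim@spamtarget.example> 250 Ok 39 8
"""

def parse(lines):
    """Yield one dict per log line that matches the layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %H:%M:%S")
        addr, code = ADDR_RE.search(rec["rest"]), CODE_RE.search(rec["rest"])
        rec["addr"] = addr.group(1).lower() if addr else None
        rec["code"] = int(code.group(1)) if code else None
        yield rec

def auth_login_username(rec):
    """Recover the username from the AUTH LOGIN step whose challenge decodes to
    'Password:'.  The log stores it base64-encoded: encoding, not protection."""
    tokens = rec["rest"].split()
    if rec["cmd"] != "AUTH" or rec["code"] != 334 or len(tokens) < 3:
        return None
    try:
        if base64.b64decode(tokens[2]) != b"Password:":
            return None
        return base64.b64decode(tokens[0]).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def summarize(records):
    """Collapse line records into one summary per (direction, session id)."""
    sessions = {}
    for r in records:
        s = sessions.setdefault((r["dir"], r["sess"]), {
            "dir": r["dir"], "sess": r["sess"], "ip": r["ip"], "start": r["ts"],
            "authenticated": False, "auth_user": None, "from": None, "rcpts": []})
        if r["cmd"] == "AUTH":
            s["auth_user"] = auth_login_username(r) or s["auth_user"]
            s["authenticated"] = s["authenticated"] or r["code"] == 235
        elif r["cmd"] == "MAIL":
            s["from"] = r["addr"]
        elif r["cmd"] == "RCPT" and r["code"] == 250 and r["addr"] not in s["rcpts"]:
            s["rcpts"].append(r["addr"])
    return list(sessions.values())

def is_local(addr):
    return addr is not None and addr.rsplit("@", 1)[-1] in LOCAL_DOMAINS

def classify_outbound(summaries, window=timedelta(minutes=5)):
    """Explain each SMTP-OU session that claims a local sender.
    submission  : an authenticated SMTP-IN session handed us the same message.
    backscatter : the outbound recipient is the envelope sender of an unauthenticated
                  inbound message to a local mailbox (a bounce to a forged address).
    unexplained : nothing inbound accounts for it; suspect a stolen login."""
    inbound = [s for s in summaries if s["dir"] == "SMTP-IN"]
    verdicts = {}
    for out in summaries:
        if out["dir"] != "SMTP-OU" or not is_local(out["from"]):
            continue
        verdicts[out["sess"]] = "unexplained"
        for inn in inbound:
            if abs(inn["start"] - out["start"]) > window:
                continue
            if (inn["authenticated"] and inn["from"] == out["from"]
                    and set(out["rcpts"]) <= set(inn["rcpts"])):
                verdicts[out["sess"]] = "submission"
                break
            if (not inn["authenticated"] and inn["from"] in out["rcpts"]
                    and any(is_local(r) for r in inn["rcpts"])):
                verdicts[out["sess"]] = "backscatter"
                break
    return verdicts

if __name__ == "__main__":
    found = summarize(parse(SAMPLE_LOG.splitlines()))
    print({s["sess"]: s["auth_user"] for s in found if s["auth_user"]})
    print(classify_outbound(found))
```

On the sample, session 672 comes out as a submission (it follows an authenticated inbound session with the same sender and recipient) and session 724 as backscatter (its recipient was the forged sender of an unauthenticated message to a local mailbox). A backscatter verdict means the relay settings are not what needs changing; the quota notification behaviour of the inbound recipient's mailbox is. An unexplained verdict on an outbound session with a local sender is the case where a password really may have been taken, and changing it, as suggested earlier in the thread, is the right first move.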

MrByte
Posts: 663
Joined: Tue Nov 11, 2003 5:33 pm
Location: Florida, USA

Post by MrByte » Fri Oct 22, 2004 3:21 am

huhhhh :shock: nice one Andrew.....
this really means not having message quota enabled to the outside or...else!!!
.MrByte

Post Reply