Operating System - OpenVMS
1825601 Members
2477 Online
109682 Solutions
New Discussion

TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

 
Martin Borgman
Occasional Advisor

TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

I currently see a lot of spam being routed through virus infected PC's. See the mail header part below.

Return-Path: toqawiger@alemail.com
Received: from ip.85.202.142.138.dyn.pool-3.broadband.voliacable.com (85.202.142.138)
by mynode.mydomain (V5.4-15E, OpenVMS V7.3-2 Alpha);
Sun, 3 Apr 2005 14:49:01 +0200 (MET DST)
Received: from alemail.com (alemail-com.mr.outblaze.com [205.158.62.177])
by ip.85.202.142.138.dyn.pool-3.broadband.voliacable.com (Postfix) with ESMTP id D2VWPG955H
for ; Sun, 3 Apr 2005 15:48:42 +0000

All the mail originates at *.mr.outblaze.com, but the from domain, alemail.com in this case, changes all the time and translates back to the ip-adress of *.mr.outblaze.com.
The node that relays the mail to my mail server appears to be a virus infected PC and changes with every mail I see. De ip-address of the PC also translates back to an existing domain with MX record.

I have the following settings in smtp.config:

!!!Good-Clients: relay.dec.com, 16.20.0.0/16, 16.20.208.1
Good-Clients: 192.168.0.0/24
!
!!!Bad-Clients: 1.2.3.5, 11.1.0.0/8
Bad-Clients: 213.189.173.179, 200.121.83.234
!
!
RBLs: bl.spamcop.net,
relays.visi.com,
relays.ordb.org,
opm.blitzed.org,
list.dsbl.org,
dnsbl.sorbs.net,
sbl-xbl.spamhaus.org
!
!!!Relay-Based-On-Mx: TRUE
!
Reject-Unbacktranslatable-IP: TRUE
!
Accept-Unqualified-Senders: FALSE
!
Accept-Unresolvable-Domains: FALSE
!
!!!Reject-Mail-From: *.xyz.com, known.spammer@*, *the_internet*
!
Reject-Mail-From: sam@alcyone.darkside.com, *.mr.outblaze.com, *.umass.edu
!
!!!Accept-Mail-From: *@notabadguy.xyz.com, the_internet_news@somehwere.com
!
SPAM-Action: OPCOM, ACCOUNTING
!
Security: SECURE
!
Unbacktranslatable-IP-Text: Your IP address is unbacktranslatable. SPAMMER!
Bad-Clients-Text: You dirty SPAMmer.
Client-In-RBL-Text: I Spotted you in an RBL. SPAMBREATH!
Reject-Mail-From-Text: Haven't you SPAMmed me before?
Unqualified-Sender-Text: MAIL FROM who? You've got to be kidding.
Unresolvable-Domain-Text: MAIL FROM where? Yeah right.
SPAM-Relay-Text: Trying to launch your SPAM from my site will get you nowhere.

How do I stop this kind of spam?
14 REPLIES 14
Robert Atkinson
Respected Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Surely you should be tackling the problem at source. If the PC is on your network, clean it up. If not, block it from sending mail to your SMTP server.

Robert.
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

The infected PC's are not on my local network. They are all over the internet.
Blocking the PC doesn't help because the next spam mail will come from another infected PC.
So for every every spam message I receive from outblaze.com, the relay is a different PC, The from address including the domain part is different, the from domain exists and has a MX record.
The only thing that appears to be the same for all these messages is the IP-address of the sender domain.
DICTU OpenVMS
Frequent Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hey Martin !


Dus je hebt je VMS doosje rechtstreeks aan het internet ? Heeft het niet met relay te maken ? Xs4all controleert de SMTP servers daar op toch ? Er is een site met richtlijnen om relay te voorkomen, maar weet de URL niet direct meer... Via deze moet je er wel komen : http://www.xs4all.nl/helpdesk/mail/advanced/openrelay_faq.html

Verder alles goed ?


As I belief it must have something to do with the relaying. I think your mailserver is a litle bit to open... ;-)
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hi Menco,

and these are the result from the jury:

Mail relay testing
Connecting to mynode.mydomain for anonymous test ...

<<< 220 mynode.mydomain V5.4-15E, OpenVMS V7.3-2 Alpha ready at Thu, 7 Apr 2005 19:07:44 +0200 (MET DST) 
>>> HELO www.abuse.net
<<< 250 mynode.mydomain Hello abuse.net, pleased to meet you


Relay test 1
>>> RSET
<<< 250 OK
>>> MAIL FROM:
<<< 250 ... Sender OK
>>> RCPT TO:
<<< 551 Trying to launch your SPAM from my site will get you nowhere.


Relay test 2
>>> RSET
<<< 250 OK
>>> MAIL FROM:
<<< 550 MAIL FROM who?Â
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Add these lines to prevent usage as mail relay:

Relay-Zones: ,


(add to this list what domains you accept)

it will block any attempt to use your mailserver to send mail elsewhere, and allow only mail intenmded for the domains you accept. (Your own, obviously)

Willem
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

@Menco:

My VMS box is behind a firewall - that is just routing any traffic on a few ports directly to my VMS box without restrictions to outside addresses - SMTP is one of these. So effectively - it is directly connected to the Internet. I guess Martin's machine is as well.
The link you issued will lead to information on Windows and Unix mail programs only. No info (as usual ;-() on VMS mail (I doubt the XS4ALL helpdesk knows about VMS at all)

So for your reference, I have added the configuration as on my VMS box as an example. Of course, the personal data has been removed.
This setup has been effective since Dec 2003, without other alterations than allowing a few specific users on an otherwise blocked domain.
Use it to your advantage.

Willem
Willem Grooters
OpenVMS Developer & System Manager
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hi Willem,

My mail server is not an open relay.
It doesn't relay any mail.
And I don't want it to relay mail to any domain.

I just don't want to receive this kind of spam.
If only there was a rule to reject by original sender ip-address. SMTP MAIL does the DNS lookup.
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Add these in Reject-Mail-From list.
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Martin:

for MX-based relay:
!!!Relay-Based-On-Mx: TRUE

Make that active.
Combined with

Reject-Unbacktranslatable-IP: TRUE

it may block valid domains. Best you define _some_ server (mail.domain.tlb) in your hostfile, the addresses can be obtained drom the log mesages (and DIG), may take some work but will keep the rubbish out.

Willem
Willem Grooters
OpenVMS Developer & System Manager
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hi Willem,

In the TCP/IP management guide you can read the following:

Relay-Based-On-Mx TRUE or FALSE.

If TRUE, the SMTP server accepts relays from unknown clients to recipients where the recipient's domain has an MX record naming the local host as a gateway.

The spam I,m referring to is targeted at users in my mail domain.

So this rule will not help.
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's



so you'll have to block the outside world.

What you could do is to create your own RBL and specify that one, containg the addresses you know to be infected PC.s Daunting task - if the address is often changing!

How did you start SMTP by the way? /NORELAY, I think (not relaying as you said) but IIRC the default was /RELAY in an earlier version. And if your clients connect to your server for outgoing mail, it must be set up /RELAY (or am I mistaken?)
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

try to block :
alemail.com
*.outblaze.com
205.158.62.177
205.158.*.* (This may impose false positives - but chances are pretty low, I think)
Willem Grooters
OpenVMS Developer & System Manager
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hi Willem,

>
>
> so you'll have to block the outside world.

Yes!

> What you could do is to create your own RBL and specify > that one, containg the addresses you know to be
> infected PC.s Daunting task - if the address is often
> changing!

You can achieve the same thing by making them Bad-Clients

> How did you start SMTP by the way? /NORELAY, I think > (not relaying as you said) but IIRC the default was
>/ RELAY in an earlier version. And if your clients connect
> to your server for outgoing mail, it must be set up
> /RELAY (or am I mistaken?)

And I would like to add that the RELAY option is, in most cases, not the one you need to stop your server from relaying mail.
To answer the rest your question:

TCPIP SMTP configuration data:
Server-Nodes : NYNODE
Queue-Name : TCPIP$SMTP_MYNODE_00
Alternate-Gateway :
General-Gateway :
Substitute-Domain :
Zone :
Postmaster-Alias : Postmaster
Postmaster-Forwards-To : SYSTEM
Foreign-Transport-Synonyms :
Initial-Interval : 0 00:30:00.00
Retry-Interval : 0 01:00:00.00
Retry-Maximum : 3 00:00:00.00
Receive-Timeout : 5
Retry-Address : 16
Hop-Count : 16
Symbiont-Snapshot-Blocks : 0
Receiver-Snapshot-Blocks : 0
Utilities-Snapshot-Blocks : 0
Send-Timeout-Init : 5
Send-Timeout-Mail : 5
Send-Timeout-Rcpt : 5
Send-Timeout-Data : 3
Retry-Address : 16
Hop-Count : 16
Symbiont-Snapshot-Blocks : 0
Receiver-Snapshot-Blocks : 0
Utilities-Snapshot-Blocks : 0
Send-Timeout-Init : 5
Send-Timeout-Mail : 5
Send-Timeout-Rcpt : 5
Send-Timeout-Data : 3
Send-Timeout-Term : 10
Log-Level : 2
Receiver-Debug : 0
Receiver-Trace : 0
Symbiont-Debug : 0
Symbiont-Trace : 0
Utilities-Debug : 0
Utilities-Trace : 0
EF-Debug-Level : 0
Channel-Debug-Level : 0
Header-Placement : TOP
Eightbit : FALSE
Relay : TRUE
Altgate-Always : FALSE
Mx-If-Noaltgate : FALSE
No-Mx : FALSE
No-Subs-Domain-Inbound : FALSE
Smtp-Jacket-Local : TRUE
Cent-Sign-Hack : TRUE
Nosey : TRUE
Log-Line-Numbers : FALSE
Memory-Debug : FALSE
Mail$Protocol-Debug : FALSE
CF-Debug : FALSE
Parse-Debug : FALSE
Deliver-VMS-Def-To : FALSE
Deliver-NoXVMS : FALSE
MTS-From-Hack : FALSE
Rewrite-MTS-From : FALSE
Local-Alias-Only : FALSE
Relay-Based-On-Mx : FALSE
Reject-Unbacktranslatable-IP : TRUE
Accept-Unqualified-Senders : FALSE
Accept-Unresolvable-Domains : FALSE
SFF-Requires-Priv : FALSE
8BitMIME-Hack : FALSE
Suppress-Version-Info : FALSE
Symbiont-Checks-Deliverability: TRUE

Other TCPIP SMTP environment data:
SMTP Software Username : TCPIP$SMTP
SMTP Software Default Director: SYS$SPECIFIC:[TCPIP$SMTP]
Symbiont Log File : SYS$SPECIFIC:[TCPIP$SMTP]TCPIP$SMTP_LOGFILE.LOG

And yes, this configuration does not relay mail as you can see in the relay test I ran a few days ago.
Martin Borgman
Occasional Advisor

Re: TCPIP$SMTP antispam; How to stop spam relayed through virus infected PC's

Hi Willem,

> try to block :
> alemail.com

Well, this part changes with every mail I receive. No point in blocking it.

> *.outblaze.com

Well, I tried mr.outblaze.com and it didn't help. I didn't expect it to help, but what the heck.

> 205.158.62.177
> 205.158.*.* (This may impose false positives - but
> chances are pretty low, I think)

This unfortunately doesn't work in the Reject-Mail-From setting.

By the way. To make any of the settings in SMTP.CONFIG work, you have to set the SMTP RELAY option.

TCPIP> SMTP SET CONFIGURATION/OPTION=RELAY