Mar 26

I recently found, while working on a Barracuda spam appliance, that the person who set it up made a tiny mistake.  Now, I’d be one to admit it if it were me, but I’m pretty sure it wasn’t this time.  They had all the steps right up until the second to last one.  Let me set the stage…

  1. Three spam filters from Barracuda Networks spread out across the globe.
  2. All three have a similar configuration on them.  (Check for spam on the inbound and act as the primary, secondary and tertiary outbound relays for internal mail heading out to the wide, wide world we call the Internet.)
  3. Set up the allowed relay IP addresses (internal mail servers, certain paging systems, even a multi-function printer or two).
  4. Add the company’s domain name to the list of allowed relayers…
  5. Turn on the appliances and set up the MX records outside so we have a “fail-safe”, redundant, spectacular, awesome email spam fighting system!

Now, if you haven’t seen it yet, check step number 4 again.  See, in step 3 we set up the system so that specific servers were able to relay out through the device.  These IPs were entered either as individual hosts or as small subnets of systems that had rights to send email to the outside world.  But in step 4 we then said that any email coming “from” the company’s domain (we’ll call it xyz.com) was allowed to relay as well.  That’s an issue because it’s fairly simple to figure out what the company’s domain name is and then use it to start sending spam out from anywhere in the world: the MAIL FROM address is just text the connecting client types, and nothing in plain SMTP checks it.  Let’s look at an example session connecting to a Barracuda spam appliance via SMTP.  (Note: the lines prefixed with C: are the commands that I typed; the S: lines are the appliance’s replies.)

S: 220 spam1-svr.xyz.com ESMTP (d2f98b7a83b562327asdcjb25227d4f7)
C: HELO xyz.com
S: 250 spam1-svr.xyz.com Hello laptop-lt [malicious.ip.from.outside], pleased to meet you
C: MAIL FROM:someone@xyz.com
S: 250 Ok
C: RCPT TO:anotherperson@zyx.com
S: 250 Ok
C: DATA
S: 354 Start mail input; end with .
C: This is an email
C: .
S: 250 Ok: queued as AAEDC3SKB1CE

The problem with allowing xyz.com to relay is that the domain rule is a second, independent grant that sits alongside the IP list from step 3 rather than narrowing it: any connection whose MAIL FROM claims an @xyz.com address gets to relay, no matter which IP it came from.  This means that with the very first line (spam1-svr.xyz.com), a spammer already knows what the local domain is.  Now all they need to do is start making up email addresses that may or may not exist in your domain and they too can use you as an open relay.

If you’re on a Barracuda box, the screen is located at Advanced->Outbound/Relay and looks like this:
[Screenshot: Barracuda Advanced->Outbound/Relay page]

Please make sure that you’re not using the Senders With Relay Permission or Trusted Relay Host/Domain sections of the relaying tab.  Take the time to enter the IPs of the systems that need relaying and, if you can, use LDAP lookups to verify that the sending email address is actually someone who exists.  Keep in mind that the LDAP check only proves the address exists; a spammer who scrapes a real employee address off your website passes it, so it supplements the IP list rather than replacing it.  You’ll thank me later — when you’re not blacklisted in 10 different systems and your users’ email can’t get through.
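To make the difference concrete, here is an added example of my own (not Barracuda code and not part of the original post) that models the relay decision behind the transcript above and the IP-only configuration recommended here. It replays the HELO / MAIL FROM / RCPT TO sequence against a toy SMTP state machine, once with the weak "trusted sender domain" rule from step 4 and once with only the step 3 IP list. The 10.0.0.0/24 internal subnet, the 203.0.113.7 outside address and the exact 554 reply text are assumptions for illustration.

```python
"""Toy model of an MX relay policy: the step 4 domain rule beside the step 3 IP list.

Added example, not Barracuda's code. Subnet, outside IP and reply texts are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"xyz.com"}   # domains this MX accepts inbound mail for


def _domain_of(addr: str) -> str:
    """Domain part of an SMTP address, lower-cased; '' if there is no '@'."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


@dataclass
class RelayPolicy:
    # Step 3: hosts/subnets allowed to relay outbound mail through this box.
    allowed_relay_ips: list = field(default_factory=list)
    # Step 4: "Senders With Relay Permission" / "Trusted Relay Domain" (the hole).
    trusted_sender_domains: set = field(default_factory=set)

    def may_relay(self, client_ip: str, mail_from: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.allowed_relay_ips):
            return True
        # MAIL FROM is unauthenticated text chosen by the client, so this grant
        # is available to anyone on the Internet who knows the local domain.
        return _domain_of(mail_from) in self.trusted_sender_domains


class MiniSmtp:
    """Just enough SMTP (HELO, MAIL, RCPT, DATA) to replay the transcript."""

    def __init__(self, policy: RelayPolicy, client_ip: str, hostname: str = "spam1-svr.xyz.com"):
        self.policy, self.client_ip, self.hostname = policy, client_ip, hostname
        self.mail_from = None
        self.rcpts = []

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname} Hello [{self.client_ip}], pleased to meet you"
        if verb == "MAIL":
            self.mail_from = arg.partition(":")[2].strip()
            self.rcpts = []
            return "250 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = arg.partition(":")[2].strip()
            if _domain_of(rcpt) in LOCAL_DOMAINS:
                self.rcpts.append(rcpt)      # inbound mail: accepted from anywhere, that is what an MX is for
                return "250 Ok"
            if self.policy.may_relay(self.client_ip, self.mail_from):
                self.rcpts.append(rcpt)      # outbound relay: only if the policy says so
                return "250 Ok"
            return "554 5.7.1 Relay access denied"   # assumed wording
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        return "500 5.5.2 Command not recognized"


def probe(policy: RelayPolicy, client_ip: str,
          mail_from: str = "someone@xyz.com",
          rcpt_to: str = "anotherperson@zyx.com") -> str:
    """Replay the transcript's commands and return the reply code to RCPT TO."""
    s = MiniSmtp(policy, client_ip)
    s.handle("HELO xyz.com")
    s.handle(f"MAIL FROM:{mail_from}")
    return s.handle(f"RCPT TO:{rcpt_to}").split(" ", 1)[0]


INTERNAL = [ipaddress.ip_network("10.0.0.0/24")]          # assumed step 3 relay subnet
WEAK = RelayPolicy(allowed_relay_ips=INTERNAL, trusted_sender_domains={"xyz.com"})  # steps 3 + 4
FIXED = RelayPolicy(allowed_relay_ips=INTERNAL)                                       # step 3 only

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("fixed", FIXED)):
        print(f"{name:5} outside host -> {probe(pol, '203.0.113.7')}, "
              f"internal host -> {probe(pol, '10.0.0.5')}")
```

Running it shows the outside host getting 250 under the weak policy and 554 under the fixed one, while the internal host relays under both and inbound mail to xyz.com is accepted from anywhere in both; that last case is the reminder that closing the relay hole does not change the appliance's actual job.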