Wednesday, Mar 26, 2008

Mail relays? Check yours.

I recently found, while working on a Barracuda spam appliance, that the person who set it up made a tiny mistake.  Now, I'd be the first to admit it if it were me, but I'm pretty sure it wasn't this time.  They had all the steps right up until the second to last one.  Let me set the stage...

  1. Three spam filters from Barracuda Networks spread out across the globe.

  2. All three have a similar configuration on them.  (Check for spam on the inbound side and act as the primary, secondary and tertiary outbound relays for internal mail heading out to the wide, wide world we call the Internet.)

  3. Set up the allowed relay IP addresses (internal mail servers, certain paging systems, even a multi-function printer or two).

  4. Add the company's domain name to the list of allowed relayers...

  5. Turn on the appliances and set up the MX records outside so we have a "fail-safe", redundant, spectacular, awesome email spam fighting system!


Now, if you haven't seen it yet, check step number 4 again.  See, in step 3 we set up the system so that specific servers were able to relay out through the device.  These IPs were entered as either individual hosts or small subnets of systems that had rights to send email to the outside world.  But in step 4 we then said that any email coming "from" the company's domain (we'll call it xyz.com) was allowed to relay as well.  That's an issue because it's fairly simple to figure out what the company's domain name is and then use it to start sending spam out from anywhere in the world.  Let's look at an example session connecting to a Barracuda spam appliance via SMTP.  (Note: the lines that were bold in the original are the commands I typed: HELO, MAIL FROM, RCPT TO, DATA, the message body and the terminating dot; the lines starting with a three-digit code are the appliance's replies.)
220 spam1-svr.xyz.com ESMTP (d2f98b7a83b562327asdcjb25227d4f7)
HELO xyz.com
250 spam1-svr.xyz.com Hello laptop-lt [malicious.ip.from.outside], pleased to meet you
MAIL FROM:someone@xyz.com
250 Ok
RCPT TO:anotherperson@zyx.com
250 Ok
DATA
354 Start mail input; end with .
This is an email
.

250 Ok: queued as AAEDC3SKB1CE

The problem with allowing xyz.com to relay is that it takes precedence over the IP list that was set up in step 3.  This means that from that very first line (spam1-svr.xyz.com), a spammer knows what the local domain is.  Now all they need to do is start making up email addresses that may or may not exist in your domain and they too can use you as an open relay.

If you're on a Barracuda box, the screen is located at Advanced->Outbound/Relay and looks like this:
[Screenshot: Barracuda Advanced->Outbound/Relay page]

Please, make sure that you're not using the Senders With Relay Permission or Trusted Relay Host/Domain sections of the relaying tab.  Take the time to enter the IPs of the systems that need relaying and, if you can, use LDAP lookups to verify that the sending email address is actually someone who exists.  You'll thank me later -- when you're not blacklisted in 10 different systems and your users' email can't get through.
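To make the precedence problem concrete, here is an added example (not Barracuda's code, and not from the original post) that models the relay decision both ways: the misconfigured policy from step 4, where a MAIL FROM in the local domain is enough, beside the recommended policy of trusted IPs plus an optional "does this sender exist" check standing in for the LDAP lookup.  The relay networks, the 203.0.113.9 "outside" address and the sender list are constructed placeholders; the session mirrors the transcript above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed configuration modelled on the post: the trusted relay list is
# address/mask pairs (hypothetical values) and xyz.com is the local domain
# that was mistakenly added as a trusted relay domain in step 4.
LOCAL_DOMAIN = "xyz.com"
ALLOWED_RELAY_NETS = [
    ipaddress.ip_network("10.1.0.0/255.255.0.0"),      # internal mail servers
    ipaddress.ip_network("10.2.5.7/255.255.255.255"),  # a single paging system
]

@dataclass
class Session:
    client_ip: str   # address the SMTP connection came from
    mail_from: str   # envelope sender (MAIL FROM)
    rcpt_to: str     # envelope recipient (RCPT TO)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def _is_local_delivery(s: Session) -> bool:
    # Mail addressed to our own domain is inbound delivery, not relaying.
    return _domain(s.rcpt_to) == LOCAL_DOMAIN

def _client_trusted(s: Session) -> bool:
    ip = ipaddress.ip_address(s.client_ip)
    return any(ip in net for net in ALLOWED_RELAY_NETS)

def relay_decision_misconfigured(s: Session) -> bool:
    """Step 4 in effect: a local-domain MAIL FROM relays regardless of source IP."""
    if _is_local_delivery(s):
        return True
    return _client_trusted(s) or _domain(s.mail_from) == LOCAL_DOMAIN

def relay_decision_fixed(s: Session, known_senders: Optional[Set[str]] = None) -> bool:
    """Relay only from trusted IPs; if a sender directory is given, the
    sender must also exist in it (stand-in for the LDAP lookup)."""
    if _is_local_delivery(s):
        return True
    if not _client_trusted(s):
        return False
    return known_senders is None or s.mail_from.lower() in known_senders

# Constructed sessions: the spammer from the transcript, an internal server,
# and ordinary inbound mail to the local domain.
SPAMMER = Session("203.0.113.9", "someone@xyz.com", "anotherperson@zyx.com")
INTERNAL = Session("10.1.20.4", "alice@xyz.com", "bob@zyx.com")
INBOUND = Session("198.51.100.5", "vendor@example.net", "alice@xyz.com")
```

The misconfigured policy accepts SPAMMER because the sender domain matches, while the fixed policy rejects it because 203.0.113.9 is in no trusted network; both still accept INTERNAL and INBOUND.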

Reader Comments (8)


Good article! However, in the trusted relay IP/range section, since those addresses start with 10, aren't they class A addresses? Would that mean you would need to use a subnet mask of 255.0.0.0 to the right of them?

Just curious!

May 21, 2008 | Unregistered CommenterDrew

Drew,

You are correct that they are class A addresses but you do not have to use a /8 subnet mask with them. This means that if I wanted to say all of 10.1.0.0-10.1.254.254 I could say 10.1.0.0 with a subnet mask of 255.255.0.0. Still valid as long as you aren't using a classful Cisco configuration.

May 21, 2008 | Unregistered Commentersrcasm

I didn't understand the concluding part of your article, could you please explain it more?

March 10, 2010 | Unregistered CommenterGooner




