Hole in Anti-Relay? (bumped up)

I am very interested to see if anyone has seen this behavior: http://www-10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/776dd0108dcce75185256d49006dbb98?OpenDocument&Highlight=0,anti-relay

Basically, the problem is: even with all the anti-Spam / anti-relay devices enabled (see below) my server still appears to be relaying mail!!!

Here is how the configuration is set up on the server:


Inbound Relay Controls

Deny messages to be sent to the following external internet domains: (* means all) *

Deny messages from the following internet hosts to be sent to external internet domains: (* means all) *


Inbound Relay Enforcement

Perform Anti-Relay enforcement for these connecting hosts: All connecting hosts


DNS Blacklist Filters

DNS Blacklist filters: Enabled

DNS Blacklist sites: blackholes.mail-abuse.org; taiwan.blackholes.us; dun.dnsrbl.net; relays.visi.com; list.dsbl.org; opm.blitzed.org; sbl.spamhaus.org; bl.spamcop.net; relays.ordb.org; korea.services.net; proxies.relays.monkeys.com; cn.rbl.cluecentral.net; nigeria.blackholes.us; argentina.blackholes.us; brazil.blackholes.us


Intended Recipients Controls

Verify that local domain recipients exist in the Domino Directory: Enabled

But even with all anti-relay checks enabled, I still see dead mail in my mail.boxes, addressed from external addresses, to external addresses, which were rejected by external hosts. This means that my server attempted to deliver mail to an external address and the only way I found out about it was that the external server rejected it.

The trick seems to be the following:

  • SendTo or Recipients field in inbound email contains a valid internal address (myaddress@myserver.com). This causes the Domino server to accept the mail (it passes the “Verify that local domain recipients exist in the Domino Directory” test)

  • Other fields (recipients, etc.) contain other, external addresses.

  • Domino server attempts to deliver mail to those addresses.

Anyone else seen this before I submit it to Lotus?

Subject: Hole in Anti-Relay? (bumped up)

Could you forward the full MIME source of an example? Email address in profile.

Chris Linfoot

Subject: Hole in Anti-Relay? (bumped up)

Happens all the time here.

I’ve noticed it MUCH more since upgrading from R5.0.11 to 6.02CF1. Every morning, there’s about 700 to 1000 dead messages in our 2 mailboxes.

Subject: I don’t see how this would work…

If you receive a message from someone on the internet, and it’s addressed to you and other people @other domains, your Domino server is not going to attempt to deliver the message to those people @other domains. If that were true, people would constantly receive duplicates of email messages, as mail would be delivered both by the senders’ SMTP server, and your Domino server. Or did I misunderstand you? Did I miss something?

Are you not simply the victim of a spammer who sends out his junk mail with a spoofed email address @yourdomain.com? If a spammer does that, you will receive the NDR’s. It’s a common thing to happen these days…

Finally, what does the log.nsf tell you? Do you see delivery failures for the dead messages, and do you see successful mail routing events for spam mail not originating from your own domain? You may want to set the ini variable SMTPCLIENTDEBUG=3 (for a short while) to generate more information in the log.nsf.
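
Added example, not part of the thread: one way to check the spoofed-sender explanation in the reply above against the MIME source of a dead message. It parses a standard delivery status notification with Python's email module and reports which external recipients failed and whether the original mail claimed a sender in your domain; the sample message, the domain myserver.example and the function name triage are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample NDR; every host and address below is a placeholder.
SAMPLE_NDR = """\
From: MAILER-DAEMON@mx.remote.example
To: nobody123@myserver.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; victim@other.example
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

From: nobody123@myserver.example
--b1--
"""

def triage(raw, local_domain):
    """Classify one dead message: NDR for a local-looking sender, other NDR, or not an NDR."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "delivery-status"):
        return {"kind": "not-an-ndr", "failed": [], "original_from": None}
    failed, orig_from = [], None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            # The parser exposes each header block of the status part as a sub-message.
            failed += [b["Final-Recipient"].split(";", 1)[-1].strip()
                       for b in part.get_payload() if "Final-Recipient" in b]
        elif ctype == "text/rfc822-headers":
            hdrs = email.message_from_string(part.get_payload())
            orig_from = parseaddr(hdrs.get("From", ""))[1]
        elif ctype == "message/rfc822":
            orig_from = parseaddr(part.get_payload(0).get("From", ""))[1]
    local = bool(orig_from) and orig_from.lower().endswith("@" + local_domain.lower())
    kind = "ndr-for-local-sender" if local else "ndr-other"
    return {"kind": kind, "failed": failed, "original_from": orig_from}
```

A result of "not-an-ndr" for a dead message with external sender and external recipients is the case that would still need explaining from log.nsf.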

Subject: RE: I don’t see how this would work…

>>>Are you not simply the victim of a spammer who sends out his junk mail with a spoofed email address @yourdomain.com? If a spammer does that, you will receive the NDR’s.<<<

Gerco,

At first blush, it didn’t appear that this was the case, but you may be right. I will investigate further.

Thanks for your kind help.

Rip Rowan