Spam relaying still getting through

It seems that some relay spammers are still getting my Domino server to relay mail for them even though I believe I’ve set all the relay controls correctly. I’ve blocked relaying from all hosts except those who authenticate. I’ve turned on Blacklist filters. I’ve even blocked a few specific IPs. I’ve also told it to validate all incoming addresses against the Domino Directory. (These filters are working, since I’m rejecting about 50,000 relay attempts per day.) I’m wondering if one of my user accounts has been compromised. Does anyone know of a way to tell if the connecting SMTP servers are authenticating or not? Any other suggestions would be welcome :)

Subject: Spam relaying still getting through…

In the Configuration document for the server go to the Router/SMTP > Restrictions and Controls > SMTP Inbound Controls section. In the field “Allow messages only from the following internet hosts to be sent to external internet domains” enter your local subnet, such as [192.168.1.*]. The braces are necessary.

Here is a URL with more documentation on securing a Domino server. It’s all in R5 but applies to ND6 as well: http://www.bluestream.org/Domino/AntiSPAM.htm

Hope that helps,

Charles

Subject: RE: Spam relaying still getting through…

Thanks, but I need external roaming users to be able to relay from various ISPs around the world so I can’t just shut down everything but the internal.

Subject: RE: Spam relaying still getting through…

Set it up so that those external users have to authenticate. So unauthenticated users cannot relay, but authenticated users can. It’s a feature in the relay controls.

Subject: RE: Spam relaying still getting through…

Thanks but I’m already doing that. It stops most but some are still getting through! I’m not sure how they’re doing it.

Subject: RE: Spam relaying still getting through…

Do you have trace output that shows these relays? How do you know that they are occurring?

(Note, I’m not doubting, I’d like to see more details.)

Subject: RE: Spam relaying still getting through…

How I know is that I could watch the email being transferred via the console to internet addresses, and my mail boxes were filling up with thousands of rejected emails, i.e. invalid address and such. Below is some sample output to my logfile:

06/28/2003 12:16:13 AM SMTP Server: 200-63-129-72.speedy.com.ar (200.63.129.72) disconnected. 0 message[s] received
06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for gretchen2@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for hellhole69@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for kwilhoit@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for j_momberg@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for emhilton@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for acorky@netscape.net via SMTP
06/28/2003 12:16:13 AM SMTP Server: 211.144.101.74 connected
06/28/2003 12:16:13 AM SMTP Server: 211.144.101.74 disconnected. 0 message[s] received
06/28/2003 12:16:14 AM SMTP Server: 211.144.101.74 connected
06/28/2003 12:16:14 AM SMTP Server: Message 002271FC (MessageID: ) received
06/28/2003 12:16:14 AM SMTP Server: 218.104.6.10 disconnected. 0 message[s] received
06/28/2003 12:16:15 AM SMTP Server: Remote host 218.104.6.10 () found in DNS blacklist at bl.spamcop.net
06/28/2003 12:16:15 AM SMTP Server: Message from 218.104.6.10 () rejected by DNS blacklist filter

Subject: RE: Spam relaying still getting through…

As I said, I’m not doubting. However there may be a logical explanation.

For example, let’s take a look at the output:

06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for gretchen2@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for hellhole69@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226D76 transferred to mailin-01.mx.NETSCAPE.NET for kwilhoit@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for j_momberg@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for emhilton@netscape.net via SMTP
06/28/2003 12:16:13 AM Router: Message 00226F90 transferred to mailin-01.mx.NETSCAPE.NET for acorky@netscape.net via SMTP
06/28/2003 12:16:13 AM SMTP Server: 211.144.101.74 connected
06/28/2003 12:16:13 AM SMTP Server: 211.144.101.74 disconnected. 0 message[s] received
06/28/2003 12:16:14 AM SMTP Server: 211.144.101.74 connected
06/28/2003 12:16:14 AM SMTP Server: Message 002271FC (MessageID: ) received

2 messages were sent outbound: 00226D76 and F90 were sent to Netscape.

There’s nothing here that says that this is a relay, although I grant you it’s awfully fishy.

Then we get 2 incoming sessions from 211.144.101.74. One sent nothing, but the second sent message 002271FC.

Again, it’s not a relay at this point. So the big questions are, where did messages 00226D76 and F90 come from? Do we have logs for that?

Then, where did message 002271FC go? Do we have logs for that?

Ideally, you would turn on SMTPDebug and SMTPDebugIO to gather more information on the incoming sessions.

These are the key to the problem. Once the message arrives in mail.box it’s fair game. All the controls are on that inbound session.

Can you turn these traces on and generate some traces that show an incoming session that generates a message that is subsequently relayed?
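As an added illustration (not from the thread or from Domino itself), here is a small Python script that does the correlation the reply above describes over the log format quoted in this thread: it pairs each "Message X received" on an inbound SMTP session with the hosts connected at that moment, then flags any such message the Router later transfers out via SMTP, and separately reports outbound messages whose arrival the log never shows. The sample log lines are constructed, using documentation addresses and made-up message ids.

```python
import re
from collections import defaultdict

# Constructed sample in the Domino log format quoted in the thread; hosts,
# message ids and recipients are made up (documentation address ranges).
SAMPLE_LOG = """\
06/28/2003 12:16:13 AM SMTP Server: 192.0.2.10 connected
06/28/2003 12:16:14 AM SMTP Server: Message 000A1B2C (MessageID: ) received
06/28/2003 12:16:14 AM SMTP Server: 192.0.2.10 disconnected. 1 message[s] received
06/28/2003 12:16:15 AM Router: Message 000A1B2C transferred to mx.example.net for alice@example.net via SMTP
06/28/2003 12:16:15 AM Router: Message 000A1B2C transferred to mx.example.net for bob@example.net via SMTP
06/28/2003 12:16:16 AM Router: Message 000A1B99 transferred to mx.example.org for carol@example.org via SMTP
"""

TS = r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M "
RE_CONNECT = re.compile(TS + r"SMTP Server: (.+) connected$")
RE_DISCONNECT = re.compile(TS + r"SMTP Server: (.+) disconnected\. ")
RE_RECEIVED = re.compile(TS + r"SMTP Server: Message ([0-9A-F]{8}) .*received$")
RE_TRANSFER = re.compile(TS + r"Router: Message ([0-9A-F]{8}) transferred to \S+ for (\S+) via SMTP$")

def correlate(log_text):
    """Map every message the Router sent out via SMTP to its inbound origin.
    'sources' lists the SMTP hosts whose session was open when the message
    was received (more than one means the attribution is ambiguous); an
    empty list means the log never shows it arriving over SMTP at all."""
    open_hosts = []     # inbound sessions currently connected
    received = {}       # message id -> candidate source hosts
    outbound = defaultdict(lambda: {"sources": [], "recipients": []})
    for line in log_text.splitlines():
        if m := RE_CONNECT.match(line):
            open_hosts.append(m.group(1))
        elif m := RE_DISCONNECT.match(line):
            if m.group(1) in open_hosts:
                open_hosts.remove(m.group(1))
        elif m := RE_RECEIVED.match(line):
            received[m.group(1)] = list(open_hosts)
        elif m := RE_TRANSFER.match(line):
            msgid, rcpt = m.groups()
            outbound[msgid]["sources"] = received.get(msgid, [])
            outbound[msgid]["recipients"].append(rcpt)
    return dict(outbound)

def relay_candidates(log_text):
    """Message ids that came in over SMTP and went back out via SMTP."""
    return sorted(k for k, v in correlate(log_text).items() if v["sources"])
```

Messages that appear in the Router transfer lines with no matching inbound receive are exactly the "where did 00226D76 and F90 come from?" case; they need the SMTPDebug / SMTPDebugIO traces (or the mail.box deposit path) to explain, not the relay controls.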