A Domino server of one of our customers has been used by spammers. Thousands of emails were in the server's mailbox. The ISP blocked outgoing mail. The server has the correct SMTP Inbound Controls set: "Deny messages to be sent to the following external internet domains" (* means all) and "Deny messages from the following internet hosts to be sent to external internet domains" (* means all), both set to *.
Perform Anti-Relay enforcement for these connecting hosts: set to all external hosts.
Exceptions for authenticated users: Authenticated users.
Verify connecting hostname in DNS: was disabled; I have set it to Enabled.
Why can this server be used as relay?
Anti Virus is McAfee GroupShield.
Server is Domino 8.5.1 on Windows 2008 R2.
And DNS blacklisting is enabled (zen.spamhaus.org, virbl.dnsbl.bit.nl, cbl.abuseat.org, psbl.surriel.com).
Koos
Subject: check the document properties & headers
Grab a few of those emails in the mail.box. Check the document properties and headers. Look at the Received fields to see what path the messages have taken. This should help you track down where they came from.
It sounds like you allow anything from an authenticated user. Perhaps there is an internal breach/infection.
Test the server to see if the anti-relay configuration actually works. Use a command prompt to send the commands below. If relaying is blocked, the server should refuse to route from some external domain to some other external domain.
telnet servername 25
HELO relaytest.yourdomain
MAIL FROM:<sender@external-domain-a.example>
RCPT TO:<recipient@external-domain-b.example>
DATA
Subject: relay test

relay test
.
QUIT
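The telnet check above, scripted. This is an added example, not code from the original thread or from Domino: it drives HELO / MAIL FROM / RCPT TO against a server and takes the verdict at RCPT TO, which is where a relay-denying Domino answers with a 554; DATA is never sent, so no message is injected even if the relay turns out to be open. The local domain, HELO name and test addresses are assumptions, and fake_server is an offline stand-in written here so the probe can be exercised without a real mail server.

```python
"""Probe an SMTP server for open relay: external sender -> external recipient."""
import socket
import threading

# Assumed values: the domain the tested server hosts, and the addresses used for the probe.
LOCAL_DOMAINS = {"yourdomain.example"}
TEST_HELO = "relaytest.example.com"
TEST_SENDER = "sender@external-domain-a.example"
TEST_RECIPIENT = "recipient@external-domain-b.example"


def read_reply(rfile):
    """Read one SMTP reply; continuation lines use 'NNN-'. Returns (code, last_line)."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), line


def command(wfile, rfile, line):
    """Send one command line and return the server's reply."""
    wfile.write((line + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_probe(sock, helo=TEST_HELO, sender=TEST_SENDER, recipient=TEST_RECIPIENT):
    """Return (relayed, code, reply_text). The decision is made at RCPT TO:
    2xx means the server would relay; 5xx means anti-relay is enforced."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")
    code, text = read_reply(rfile)                      # 220 banner
    if code != 220:
        return False, code, text
    for line in (f"HELO {helo}", f"MAIL FROM:<{sender}>"):
        code, text = command(wfile, rfile, line)
        if code // 100 != 2:
            return False, code, text                    # setup refused, not a relay verdict
    code, text = command(wfile, rfile, f"RCPT TO:<{recipient}>")
    relayed = code // 100 == 2
    try:
        command(wfile, rfile, "QUIT")                   # never DATA: nothing gets injected
    except (ConnectionError, ValueError):
        pass                                            # some servers drop the link after a 5xx
    return relayed, code, text


def fake_server(conn, allow_relay):
    """Offline stand-in for the Domino SMTP listener (test aid, not Domino itself).
    Accepts recipients in LOCAL_DOMAINS; refuses others unless allow_relay is set."""
    rfile, wfile = conn.makefile("rb"), conn.makefile("wb")

    def say(reply):
        wfile.write((reply + "\r\n").encode("ascii"))
        wfile.flush()

    say("220 mail.yourdomain.example ESMTP Service ready")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        cmd = raw.decode("ascii", "replace").strip()
        verb = cmd[:4].upper()
        if verb == "HELO":
            say("250 mail.yourdomain.example")
        elif verb == "MAIL":
            say("250 Sender OK")
        elif verb == "RCPT":
            domain = cmd.rsplit("@", 1)[-1].rstrip(">").lower()
            if allow_relay or domain in LOCAL_DOMAINS:
                say("250 Recipient OK")
            else:
                say("554 Relay rejected for policy reasons.")  # wording modelled on Domino's
        elif verb == "QUIT":
            say("221 mail.yourdomain.example closing connection")
            break
        else:
            say("500 Command unrecognized")
    conn.close()


def probe_fake(allow_relay):
    """Run relay_probe against fake_server over a socketpair; returns relay_probe's result."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=fake_server, args=(server, allow_relay))
    worker.start()
    try:
        return relay_probe(client)
    finally:
        client.close()
        worker.join()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                               # real target: python probe.py mail.host
        with socket.create_connection((sys.argv[1], 25), timeout=15) as s:
            print(relay_probe(s))
    else:
        print("closed relay:", probe_fake(False))
        print("open relay:  ", probe_fake(True))
```

Run it with the server name as its only argument to test a real listener; with no argument it exercises the probe against the built-in fake in both the denying and the relaying configuration. Note that this tests only the unauthenticated path, so a relay abused through stolen user credentials (the "Exceptions for authenticated users" setting) would still show as closed here.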
Subject: Relaying denied in your config
I already performed this test with telnet. Result: relaying denied in your configuration. So OK. I also enabled reverse DNS checking: Verify connecting hostname in DNS: Enabled.
After contacting the abuse desk at the DSL provider to tell them it should be OK, I found entries in the log showing that they also tested relaying. This was also denied.
Koos
Subject: internal?
The spammer may be deliberately sending them to addresses that don’t exist on your network, with the “from” address being the intended spam target. This fails if the intended target’s address is bad, and you end up with dead mails.
Look at the messaging config, SMTP Inbound controls, at the bottom is “Inbound Intended Recipients Controls”. Set the following:
Verify that local domain recipients exist in the Domino Directory: Enabled
Reject ambiguous names: Enabled
Deny mail to groups: Disabled
Restart the router and smtp.
If that doesn’t work, then it is possible that some internal host is infected and routing mail.
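Both the advice to read the Received fields of messages in mail.box and the question of whether an internal host is submitting the spam come down to parsing the trace headers. The following is an added example, not code from the original thread: it takes the raw text of a message, walks its Received: lines, identifies the first hop (the host that handed the message to the Domino server) and says whether that host is on the LAN or outside. The two sample messages are constructed, the Domino server name and addresses are invented, and the LAN ranges are an assumption to adjust for the real network.

```python
"""Trace the Received: path of a message pulled from mail.box and classify its origin."""
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Constructed samples (not real spam). The trace lines follow RFC 5321 shape; hosts are invented.
EXTERNAL_SPAM = (
    "Received: from unknown (HELO mx.outbound.example) ([203.0.113.45])\n"
    "\tby mail.yourdomain.example with ESMTP id 0001\n"
    "\tfor <nobody@yourdomain.example>; Mon, 1 Feb 2010 10:15:22 +0100\n"
    "From: target@victim.example\n"
    "To: nobody@yourdomain.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

INTERNAL_SPAM = (
    "Received: from WS-023.yourdomain.example ([192.168.10.23])\n"
    "\tby mail.yourdomain.example with ESMTP id 0002\n"
    "\tfor <target@victim.example>; Mon, 1 Feb 2010 10:16:40 +0100\n"
    "From: koos@yourdomain.example\n"
    "To: target@victim.example\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Assumed LAN ranges (RFC 1918 plus loopback); replace with the customer's actual networks.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>", re.I)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(value):
    """Pull connecting host, its IP, receiving server and envelope recipient out of one Received: value."""
    value = " ".join(value.split())            # unfold continuation lines into one string

    def grab(rx):
        m = rx.search(value)
        return m.group(1) if m else None

    ip = IP_RE.search(value)
    addr = ipaddress.ip_address(ip.group(1)) if ip else None
    return {
        "from_host": grab(FROM_RE),
        "from_ip": str(addr) if addr else None,
        "by": grab(BY_RE),
        "envelope_to": grab(FOR_RE),
        "internal": bool(addr and is_internal(addr)),
    }


def trace(raw_message):
    """Hops in header order: the top Received: line is the most recent."""
    msg = message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def origin(raw_message):
    """The bottom Received: line is the first hop, i.e. who handed the message to our side."""
    hops = trace(raw_message)
    return hops[-1] if hops else None


def diagnose(raw_message):
    """Separate the two cases from the thread: external delivery versus internal submission."""
    hop = origin(raw_message)
    if hop is None or hop["from_ip"] is None:
        return "untraceable: no usable Received: header"
    if hop["internal"]:
        return (f"internal submission from {hop['from_ip']} ({hop['from_host']}): "
                "check that host for infection or abused credentials")
    return (f"external delivery from {hop['from_ip']} to {hop['envelope_to']}: "
            "anti-relay and recipient checks apply")


def summarize(raw_messages):
    """Count first-hop IPs across many messages, e.g. everything dumped from mail.box."""
    return Counter(
        (origin(raw) or {}).get("from_ip") or "unknown" for raw in raw_messages
    )


if __name__ == "__main__":
    for sample in (EXTERNAL_SPAM, INTERNAL_SPAM):
        print(diagnose(sample))
    print(summarize([EXTERNAL_SPAM, EXTERNAL_SPAM, INTERNAL_SPAM]))
```

Feed it the messages exported from mail.box as raw text; the summary shows at a glance whether the queue was filled by one external address, by many, or by a single LAN workstation. A note on the header: the "for <...>" recipient is whatever the sender asked for, so a pile of messages addressed to local names that do not exist is exactly the pattern the reply above describes.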
Subject: Thanks for help
Thanks for your reply. I will check these settings. Disabling sending mail to groups is not an option, as internal Domino users use this often. But I know of a notes.ini setting that sets a maximum on mails sent to a group.
Thanks
Subject: mail to groups
The option to disable sending mail to groups would apply only on the server you enabled it for, and only for internet mail. So, if you have a separate server for internet email from the one holding user mail files, you would be able to do that without disrupting internal group email usage. Internal users could still send to a group, even if that group contained internet addresses, because the router on THEIR server would break it up into individual messages before it was dropped onto the internet email server.
Subject: Thanks
Thanks for the explanation again.
Koos