Solved

DOMINO 8.5 huge SPAM issue

Posted on 2010-08-31
11
1,254 Views
Last Modified: 2013-11-17
Hi Experts,

Thousands of emails are being relayed daily by outside SPAMMERS on our Domino 8.5 server (RedHat 5.2).

Below is my Domino config. Can you please help me to track down if anything is wrong here?
Let me know if you need any more screen-shots.

Thanks a lot !
SMTP-inbound-01.jpg
SMTP-inbound-02.jpg
SMTP-outbound.jpg
dilivery-controlls.jpg
Transfer-Controls.jpg
Router-SMTP-Basic.jpg
Question by:Shakthi777
11 Comments
 
LVL 4

Expert Comment

by:MtnChick
ID: 33569596
The only thing I've found that truly helps is a spam filter.  I use Spam Sentinel www.maysoft.com and it is a great product at a reasonable cost.  The support staff are extremely helpful too.

Author Comment

by:Shakthi777
ID: 33569613
Below is just 25% of the Mail Routing Events for the past hour; the server is very slow due to these accesses...
xx/xx/xxxx 09:47:47 PM SMTP Server: 18262a7a.cst.lightpath.net (24.38.42.122) connected
xx/xx/xxxx 09:47:57 PM SMTP Server: 112.135.91.222 disconnected. 0 message[s] received
xx/xx/xxxx 09:48:10 PM SMTP Server: 125.234.239.197.hcm.viettel.vn (125.234.239.197) connected
xx/xx/xxxx 09:48:13 PM SMTP Server: 18262a7a.cst.lightpath.net (24.38.42.122) disconnected. 0 message[s] received
xx/xx/xxxx 09:48:32 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:37 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:57 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:00 PM SMTP Server: 73-42-94-178.pool.ukrtel.net (178.94.42.73) connected
xx/xx/xxxx 09:49:01 PM SMTP Server: 73-42-94-178.pool.ukrtel.net (178.94.42.73) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:03 PM SMTP Server: 125.234.239.197.hcm.viettel.vn (125.234.239.197) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:04 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:06 PM SMTP Server: 61.153.226.54 connected
xx/xx/xxxx 09:49:16 PM SMTP Server: 202.102.44.120 connected
xx/xx/xxxx 09:49:25 PM SMTP Server: 60.191.129.2 connected
xx/xx/xxxx 09:49:37 PM SMTP Server: 61.153.226.54 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:46 PM SMTP Server: smtp2a.orange.fr (80.12.242.140) connected
xx/xx/xxxx 09:49:47 PM SMTP Server: smtp2a.orange.fr (80.12.242.140) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:49 PM SMTP Server: 202.102.44.120 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:56 PM SMTP Server: 60.191.129.2 disconnected. 0 message[s] received
xx/xx/xxxx 09:50:10 PM SMTP Server: 201.238.244.76 connected
xx/xx/xxxx 09:50:18 PM SMTP Server: customer-201-134-185-163.uninet-ide.com.mx (201.134.185.163) disconnected. 0 message[s] received
xx/xx/xxxx 09:50:36 PM SMTP Server: 211.154.141.39 connected
xx/xx/xxxx 09:50:47 PM SMTP Server: 201.238.244.76 disconnected. 0 message[s] received
xx/xx/xxxx 09:51:02 PM SMTP Server: 211.154.141.39 disconnected. 0 message[s] received
xx/xx/xxxx 09:51:52 PM SMTP Server: 112.64.15.218.broad.cz.gd.dynamic.163data.com.cn (218.15.64.112) connected
xx/xx/xxxx 09:51:54 PM SMTP Server: 112.64.15.218.broad.cz.gd.dynamic.163data.com.cn (218.15.64.112) disconnected. 0 message[s] received
xx/xx/xxxx 09:51:56 PM SMTP Server: 202.131.226.205 connected
xx/xx/xxxx 09:52:43 PM SMTP Server: 202.131.226.205 connected
xx/xx/xxxx 09:52:49 PM SMTP Server: 202.131.226.205 disconnected. 0 message[s] received
xx/xx/xxxx 09:53:13 PM SMTP Server: 195.117.61.5 connected
xx/xx/xxxx 09:53:26 PM SMTP Server: 202.131.226.205 disconnected. 0 message[s] received
xx/xx/xxxx 09:53:44 PM SMTP Server: 195.117.61.5 disconnected. 0 message[s] received
xx/xx/xxxx 09:55:31 PM SMTP Server: 201.238.244.76 connected
xx/xx/xxxx 09:56:07 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected

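As an added example (not from the thread), here is a small Python script that parses Mail Routing Events lines in the format quoted above, counts connections and received messages per remote IP, and flags hosts that keep connecting without ever delivering a message, plus hosts Domino could not reverse-resolve. The sample lines are constructed in that format; mx.example.net is a placeholder.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the Mail Routing Events lines above;
# the first two hosts appear in that log, mx.example.net is a placeholder.
SAMPLE_LOG = """\
xx/xx/xxxx 09:48:32 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:37 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:57 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:04 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:06 PM SMTP Server: 61.153.226.54 connected
xx/xx/xxxx 09:49:37 PM SMTP Server: 61.153.226.54 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:46 PM SMTP Server: mx.example.net (192.0.2.10) connected
xx/xx/xxxx 09:49:47 PM SMTP Server: mx.example.net (192.0.2.10) disconnected. 1 message[s] received
"""
# Hostname, optional "(ip)" when reverse DNS resolved, event, optional message count
LINE_RE = re.compile(
    r"SMTP Server: (?P<name>\S+)(?: \((?P<ip>\d+\.\d+\.\d+\.\d+)\))? "
    r"(?P<event>connected|disconnected)(?:\. (?P<count>\d+) message\[s\] received)?")

def summarize(log_text):
    """Per remote IP: connections, messages received, whether reverse DNS resolved."""
    stats = defaultdict(lambda: {"host": None, "connects": 0, "messages": 0, "rdns": True})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip = m.group("ip") or m.group("name")  # no reverse DNS: the name is the bare IP
        entry = stats[ip]
        entry["host"], entry["rdns"] = m.group("name"), m.group("ip") is not None
        if m.group("event") == "connected":
            entry["connects"] += 1
        elif m.group("count") is not None:
            entry["messages"] += int(m.group("count"))
    return dict(stats)

def probing_hosts(stats, min_connects=2):
    """IPs that keep connecting but never deliver: relay probing or refused spam,
    candidates for 'Deny connections from the following SMTP Internet hostnames/IP addresses'."""
    return sorted(ip for ip, e in stats.items()
                  if e["connects"] >= min_connects and e["messages"] == 0)

def no_rdns_hosts(stats):
    """IPs without a reverse DNS name; 'Verify connecting hostname in DNS' would refuse these."""
    return sorted(ip for ip, e in stats.items() if not e["rdns"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("repeat connects, no mail:", probing_hosts(s))  # ['87.118.124.187']
    print("no reverse DNS:", no_rdns_hosts(s))            # ['61.153.226.54']
```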
LVL 4

Expert Comment

by:MtnChick
ID: 33570170
That's how my server was until I started using spam sentinel.  You can have it blocked from the server or sent to a database.  Plus I get a report everyday and so do my users.  
LVL 63

Accepted Solution

by:
SysExpert earned 500 total points
ID: 33570262
Prevent Spam Relaying on Your Domino Server
by Scott Thomas

In the past few weeks, I have received several questions from people wondering if it's possible to configure a Domino mail server to control Internet SMTP mail relaying. Ironically, this is one of the first security issues that I investigate on client sites.

I, for one, get several annoying spam e-mails per day. I usually examine those mail headers to try to determine how they are delivered so that I may inform the owners of the open SMTP mail servers. Most times these spammers use free dial-up accounts and then bounce their e-mails off of unlocked e-mail servers. Unfortunately, some of these unlocked servers are indeed Domino servers open for relaying.

I am from the "old school" of SMTP mail routing, and I like to use Unix servers running Sendmail on the Internet while my Domino servers are placed securely behind a network firewall. I then have all my Domino servers route through these Unix boxes. Sendmail is configured not to allow relaying and routes appropriate inbound SMTP mail to my company.

Probably the main reason I like the above configuration is the fact that prior to R5 of Domino, preventing SMTP relaying was somewhat difficult to control. Now with R5, it is possible to configure a Domino server to perform in the manner explained above using Sendmail on Unix machines. These SMTP relay controls can be found and configured in the Domino configuration document in the Domino Directory.

The SMTP Inbound Controls tab is the section we will examine. Many of these fields appear to perform the same functions. However, examine the headings of each section to understand how matching criteria are determined. Some sections perform relaying controls via connections, some by sending controls, and some by SMTP fields.

SECTION: Inbound Relay Controls

FIELD: Allow messages from external Internet domains to be sent only to the following Internet domains:

This field sets the Internet domains to which your system relays messages sent by hosts outside the local Internet domain. If your mail domain is Acme.com and you wish to accept mail from external SMTP users destined to Acmetoo.com, then place Acmetoo.com within this field. As a result, e-mail will traverse from a local SMTP mail client to your Domino server, then to Acmetoo.com's mail server. All other SMTP mail domains will be denied. It is important that if your Domino server will be sitting on the Internet routing inbound SMTP mail, you should at least place your Internet domain within this field. If left blank, all SMTP mail can be relayed through the server.

FIELD: Deny messages from external Internet domains to be sent to the following Internet domains:
This field will rarely be used, but it has the opposite effect of the above said field. In other words, if you place Acmetoo.com in this field, all SMTP domains can relay through your server except Acmetoo.com.

FIELD: Allow messages only from the following external Internet hosts to be sent to external Internet domains:

Within this field, you can place the hostnames and/or the IP addresses of machines where inbound SMTP messages arrive. In other words, if you place 192.168.10.10 in this field, only the machine with the IP address of 192.168.10.10 will be able to relay through your Domino server. Wildcards may be used for multiple machines (e.g., 192.168.10.*).

FIELD: Deny messages from the following external Internet hosts to be sent to external Internet domains:

This field has the opposite effect of the previous field. This means that if you place 192.168.10.10 within this field, that machine will not be able to relay through your Domino server and all other machines will be able to relay.

SECTION: Inbound Connection Controls

FIELD: Verify connecting hostname in DNS:

When this field is enabled, the Domino server performs a reverse DNS lookup on the machine connecting to make sure the IP address has a valid hostname. If not, mail cannot be transferred.

FIELD: Allow connections only from the following SMTP Internet hostnames/IP addresses:

Similar to not allowing messages, you can disallow connections by placing hostnames and/or IP addresses within this field. Again, wildcards can be used. IP addresses should be placed in brackets, e.g., [192.168.10.10].

FIELD: Deny connections from the following SMTP Internet hostnames/IP addresses:

This field has the opposite effect of the prior field.

SECTION: Inbound Sender Controls

FIELD: Verify sender's domain in DNS:

When enabled, the Domino server performs a reverse DNS lookup of the sender's FROM field of the SMTP mail message. If a valid name cannot be found, the message is denied.

FIELD: Allow messages only from the following external Internet addresses/domains:

This field only allows mail from messages matching the MAIL FROM field of SMTP messages. Domains and/or usernames and domains may be used (e.g., slthomas@thomas-consulting.com or Acme.com).

FIELD: Deny messages from the following Internet addresses/domains:

This field has the opposite effect of the previous field.

SECTION: Inbound Intended Recipients Controls

FIELD: Allow messages intended only for the following Internet addresses:

Only SMTP messages whose RCPT TO field matches this list will be delivered.

FIELD: Deny messages intended for the following Internet addresses:

This field has the opposite effect of the prior field.

-- Scott L. Thomas, DominoWire Security Tips Technical Editor

Editor's Note: For additional information on this topic, see "Is Your Mail System a Spam Relay?" in the June 2001 issue of Group Computing.
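A simplified model, added here and not part of the article or of Domino itself, of how the Inbound Relay Controls described above decide a relay attempt: each list is treated as an independent filter (an assumption; the article does not state Domino's real precedence), a deny match always refuses, and an empty allow-list imposes no restriction, which is what makes a blank field an open relay. acme.example and victim.example are placeholders.

```python
from fnmatch import fnmatchcase

def _match(entry, value):
    """Match one list entry against a hostname, IP or domain. Entries may use
    wildcards (192.168.10.*) and IPs may be written in brackets ([192.168.10.10])."""
    return fnmatchcase(value.lower(), entry.strip("[]").lower())

def _in(entries, *values):
    return any(_match(e, v) for e in entries for v in values)

def relay_allowed(client_host, client_ip, recipient_domain, controls):
    """Would a message from an external client be relayed to an external
    recipient domain? 'controls' holds the four Inbound Relay Controls lists:
    allow_domains, deny_domains, allow_hosts, deny_hosts. Assumption: the lists
    combine as independent filters, a deny match always refuses, and an empty
    allow-list imposes no restriction (so all fields blank = open relay)."""
    if _in(controls.get("deny_hosts", []), client_host, client_ip):
        return False
    allow_hosts = controls.get("allow_hosts", [])
    if allow_hosts and not _in(allow_hosts, client_host, client_ip):
        return False
    if _in(controls.get("deny_domains", []), recipient_domain):
        return False
    allow_domains = controls.get("allow_domains", [])
    if allow_domains and not _in(allow_domains, recipient_domain):
        return False
    return True

# Weak setting, as in the question: every Inbound Relay Controls field blank.
OPEN_RELAY = {}
# Minimum the article recommends: at least your own Internet domain in
# "Allow messages from external Internet domains to be sent only to the
# following Internet domains" (acme.example is a placeholder).
MINIMUM = {"allow_domains": ["acme.example"]}

if __name__ == "__main__":
    # Constructed relay attempt from one of the hosts seen in the log above
    spam = ("73-42-94-178.pool.ukrtel.net", "178.94.42.73", "victim.example")
    print(relay_allowed(*spam, OPEN_RELAY))  # True: the spam is relayed
    print(relay_allowed(*spam, MINIMUM))     # False: relay refused
    print(relay_allowed(spam[0], spam[1], "acme.example", MINIMUM))  # True: our own mail still arrives
```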
LVL 63

Expert Comment

by:SysExpert
ID: 33570274
LVL 46

Expert Comment

by:Sjef Bosman
ID: 33572572
What is your router's address? Please make sure your router is not in one of the ranges that are excluded in the SMTP inbound restriction settings.

Another possibility is to set, in the Outbound Sender controls, the "Deny messages from the following Internet addresses to be sent to the Internet" to *

Make sure you restart the Router after each modification.
LVL 22

Expert Comment

by:mbonaci
ID: 33574503

Author Comment

by:Shakthi777
ID: 33579769
sjef_bosman:

I didn't get the following change you requested? Please explain, and thanks!

#######
Another possibility is to set, in the Outbound Sender controls, the "Deny messages from the following Internet addresses to be sent to the Internet" to *
#######
LVL 46

Expert Comment

by:Sjef Bosman
ID: 33581890
Below is an image of that part of the Configuration document. Click and hold the description, you'll see the options.
openrelay.JPG
LVL 10

Expert Comment

by:doninja
ID: 33586728
To prevent relay on client sites I have generally instigated the following, which prevents a lot of relay attempts.

In the Configuration Settings Inbound SMTP option "Allow messages to be sent only to the following external internet domains:" I have listed all of the company domains that would validly be delivered to.
I also enable the DNS blacklist option to Log and Reject, as this prevents a lot of known spam hosts.
As others have suggested, make sure your router or any firewall relay etc. is not in your list of hosts that bypass anti-relay checks.

If your users all use Lotus Notes then this will prevent most relay. If users are using SMTP, then enable the option "Allow all authenticated users to relay"; they will have to set their client to log on to send SMTP mail.

Then as people suggest your Lotus Protector, Spam Sentinel or Kspam works reasonably.

Author Closing Comment

by:Shakthi777
ID: 33707337
tnx all !
