Solved

DOMINO 8.5 huge SPAM issue

Posted on 2010-08-31
Last Modified: 2013-11-17
Hi Experts,

Thousands of emails are being relayed daily by outside SPAMMERS on our Domino 8.5 server (RedHat 5.2).

Below is my Domino config; can you please help me track down if anything is wrong here?
Let me know if you need any more screen-shots.

Thanks a lot !
SMTP-inbound-01.jpg
SMTP-inbound-02.jpg
SMTP-outbound.jpg
dilivery-controlls.jpg
Transfer-Controls.jpg
Router-SMTP-Basic.jpg
Question by:Shakthi777
11 Comments
LVL 4

Expert Comment

by:MtnChick
ID: 33569596
The only thing I've found that truly helps is a spam filter.  I use Spam Sentinel www.maysoft.com and it is a great product at a reasonable cost.  The support staff are extremely helpful too.

Author Comment

by:Shakthi777
ID: 33569613
Below is just 25% of the Mail Routing Events for the past hour; the server is very slow due to these accesses...
xx/xx/xxxx 09:47:47 PM SMTP Server: 18262a7a.cst.lightpath.net (24.38.42.122) connected
xx/xx/xxxx 09:47:57 PM SMTP Server: 112.135.91.222 disconnected. 0 message[s] received
xx/xx/xxxx 09:48:10 PM SMTP Server: 125.234.239.197.hcm.viettel.vn (125.234.239.197) connected
xx/xx/xxxx 09:48:13 PM SMTP Server: 18262a7a.cst.lightpath.net (24.38.42.122) disconnected. 0 message[s] received
xx/xx/xxxx 09:48:32 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:37 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected
xx/xx/xxxx 09:48:57 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:00 PM SMTP Server: 73-42-94-178.pool.ukrtel.net (178.94.42.73) connected
xx/xx/xxxx 09:49:01 PM SMTP Server: 73-42-94-178.pool.ukrtel.net (178.94.42.73) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:03 PM SMTP Server: 125.234.239.197.hcm.viettel.vn (125.234.239.197) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:04 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:06 PM SMTP Server: 61.153.226.54 connected
xx/xx/xxxx 09:49:16 PM SMTP Server: 202.102.44.120 connected
xx/xx/xxxx 09:49:25 PM SMTP Server: 60.191.129.2 connected
xx/xx/xxxx 09:49:37 PM SMTP Server: 61.153.226.54 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:46 PM SMTP Server: smtp2a.orange.fr (80.12.242.140) connected
xx/xx/xxxx 09:49:47 PM SMTP Server: smtp2a.orange.fr (80.12.242.140) disconnected. 0 message[s] received
xx/xx/xxxx 09:49:49 PM SMTP Server: 202.102.44.120 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:56 PM SMTP Server: 60.191.129.2 disconnected. 0 message[s] received
xx/xx/xxxx 09:50:10 PM SMTP Server: 201.238.244.76 connected
xx/xx/xxxx 09:50:18 PM SMTP Server: customer-201-134-185-163.uninet-ide.com.mx (201.134.185.163) disconnected. 0 message[s] received
xx/xx/xxxx 09:50:36 PM SMTP Server: 211.154.141.39 connected
xx/xx/xxxx 09:50:47 PM SMTP Server: 201.238.244.76 disconnected. 0 message[s] received
xx/xx/xxxx 09:51:02 PM SMTP Server: 211.154.141.39 disconnected. 0 message[s] received
xx/xx/xxxx 09:51:52 PM SMTP Server: 112.64.15.218.broad.cz.gd.dynamic.163data.com.cn (218.15.64.112) connected
xx/xx/xxxx 09:51:54 PM SMTP Server: 112.64.15.218.broad.cz.gd.dynamic.163data.com.cn (218.15.64.112) disconnected. 0 message[s] received
xx/xx/xxxx 09:51:56 PM SMTP Server: 202.131.226.205 connected
xx/xx/xxxx 09:52:43 PM SMTP Server: 202.131.226.205 connected
xx/xx/xxxx 09:52:49 PM SMTP Server: 202.131.226.205 disconnected. 0 message[s] received
xx/xx/xxxx 09:53:13 PM SMTP Server: 195.117.61.5 connected
xx/xx/xxxx 09:53:26 PM SMTP Server: 202.131.226.205 disconnected. 0 message[s] received
xx/xx/xxxx 09:53:44 PM SMTP Server: 195.117.61.5 disconnected. 0 message[s] received
xx/xx/xxxx 09:55:31 PM SMTP Server: 201.238.244.76 connected
xx/xx/xxxx 09:56:07 PM SMTP Server: ns.km33633.keymachine.de (87.118.124.187) connected


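As an added example (not part of the thread or of Domino), a small Python summary of the Domino "SMTP Server:" connect/disconnect events in the format quoted above: per remote host it counts sessions opened and how many messages the server actually accepted, which is the quickest way to see who is hammering the listener and whether anything is getting through. The sample lines and the function names are constructed; the addresses are RFC 5737 documentation ranges, not the hosts in the question.

```python
import re
from collections import defaultdict

# Domino "SMTP Server:" events as quoted above; without a reverse name the first token is the IP.
LINE_RE = re.compile(
    r"^\S+ \d\d:\d\d:\d\d [AP]M SMTP Server: (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))? "
    r"(?P<event>connected|disconnected)(?:\. (?P<count>\d+) message\[s\] received)?$"
)

def parse_line(line):
    """Return {'ip', 'name', 'event', 'count'} for a recognised line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ip": m.group("ip") or m.group("name"), "name": m.group("name"),
            "event": m.group("event"), "count": int(m.group("count") or 0)}

def summarize(lines):
    """Per remote IP: sessions opened and messages the server actually accepted."""
    stats = defaultdict(lambda: {"name": None, "connects": 0, "messages": 0})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["ip"]]
        s["name"] = rec["name"]
        if rec["event"] == "connected":
            s["connects"] += 1
        else:
            s["messages"] += rec["count"]
    return dict(stats)

def repeat_empty_connectors(lines, min_connects=2):
    """IPs that keep reconnecting without one accepted message: candidates for the deny list."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if s["connects"] >= min_connects and s["messages"] == 0)

# Constructed sample in the page's log format; RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
xx/xx/xxxx 09:47:47 PM SMTP Server: mail.example.net (192.0.2.10) connected
xx/xx/xxxx 09:47:50 PM SMTP Server: mail.example.net (192.0.2.10) disconnected. 1 message[s] received
xx/xx/xxxx 09:48:32 PM SMTP Server: 198.51.100.7 connected
xx/xx/xxxx 09:48:37 PM SMTP Server: 198.51.100.7 connected
xx/xx/xxxx 09:48:57 PM SMTP Server: 198.51.100.7 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:04 PM SMTP Server: 198.51.100.7 disconnected. 0 message[s] received
xx/xx/xxxx 09:49:06 PM SMTP Server: 203.0.113.5 connected
xx/xx/xxxx 09:49:37 PM SMTP Server: 203.0.113.5 disconnected. 0 message[s] received
""".splitlines()

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["connects"]):
        print(f"{ip:16} {s['name']:20} connects={s['connects']} messages={s['messages']}")
    print("repeat connectors with nothing accepted:", repeat_empty_connectors(SAMPLE_LOG))
```

Feed it the server console log (or the Mail Routing Events view exported as text) and compare the "messages" column with the accepted-relay volume reported by the Router to see which hosts are actually being served.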
LVL 4

Expert Comment

by:MtnChick
ID: 33570170
That's how my server was until I started using Spam Sentinel. You can have it blocked from the server or sent to a database. Plus I get a report every day and so do my users.
LVL 63

Accepted Solution

by:SysExpert (earned 500 total points)
ID: 33570262
Prevent Spam Relaying on Your Domino Server
by Scott Thomas

In the past few weeks, I have received several questions from people wondering if it's possible to configure a Domino mail server to control Internet SMTP mail relaying. Ironically, this is one of the first security issues that I investigate on client sites.

I, for one, get several annoying spam e-mails per day. I usually examine those mail headers to try to determine how they are delivered so that I may inform the owners of the open SMTP mail servers. Most times these spammers use free dial-up accounts and then bounce their e-mails off of unlocked e-mail servers. Unfortunately, some of these unlocked servers are indeed Domino servers open for relaying.

I am from the "old school" of SMTP mail routing, and I like to use Unix servers running Sendmail on the Internet while my Domino servers are placed securely behind a network firewall. I then have all my Domino servers route through these Unix boxes. Sendmail is configured not to allow relaying and routes appropriate inbound SMTP mail to my company.

Probably the main reason I like the above configuration is the fact that prior to R5 of Domino, preventing SMTP relaying was somewhat difficult to control. Now with R5, it is possible to configure a Domino server to perform in the manner explained above using Sendmail on Unix machines. These SMTP relay controls can be found and configured in the Domino configuration document in the Domino Directory.

The SMTP Inbound Controls tab is the section we will examine. Many of these fields appear to perform the same functions. However, examine the headings of each section to understand how matching criteria are determined. Some sections perform relaying controls via connections, some by sending controls, and some by SMTP fields.

SECTION: Inbound Relay Controls

FIELD: Allow messages from external Internet domains to be sent only to the following Internet domains:

This field sets the Internet domains to which your system relays messages sent by hosts outside the local Internet domain. If your mail domain is Acme.com and you wish to accept mail from external SMTP users destined to Acmetoo.com, then place Acmetoo.com within this field. As a result, e-mail will traverse from a local SMTP mail client to your Domino server, then to Acmetoo.com's mail server. All other SMTP mail domains will be denied. It is important that if your Domino server will be sitting on the Internet routing inbound SMTP mail, you should at least place your Internet domain within this field. If left blank, all SMTP mail can be relayed through the server.

FIELD: Deny messages from external Internet domains to be sent to the following Internet domains:
This field will rarely be used, but it has the opposite effect of the above said field. In other words, if you place Acmetoo.com in this field, all SMTP domains can relay through your server except Acmetoo.com.

FIELD: Allow messages only from the following external Internet hosts to be sent to external Internet domains:

Within this field, you can place the hostnames and/or the IP addresses of machines where inbound SMTP messages arrive. In other words, if you place 192.168.10.10 in this field, only the machine with the IP address of 192.168.10.10 will be able to relay through your Domino server. Wildcards may be used for multiple machines (e.g., 192.168.10.*).

FIELD: Deny messages from the following external Internet hosts to be sent to external Internet domains:

This field has the opposite effect of the previous field. This means that if you place 192.168.10.10 within this field, that machine will not be able to relay through your Domino server and all other machines will be able to relay.

SECTION: Inbound Connection Controls

FIELD: Verify connecting hostname in DNS:

When this field is enabled, the Domino server performs a reverse DNS lookup on the machine connecting to make sure the IP address has a valid hostname. If not, mail cannot be transferred.

FIELD: Allow connections only from the following SMTP Internet hostnames/IP addresses:

Similar to not allowing messages, you can disallow connections by placing hostnames and/or IP addresses within this field. Again, wildcards can be used. IP addresses should be placed in brackets, e.g., [192.168.10.10].

FIELD: Deny connections from the following SMTP Internet hostnames/IP addresses:

This field has the opposite effect of the prior field.

SECTION: Inbound Sender Controls

FIELD: Verify sender's domain in DNS:

When enabled, the Domino server performs a reverse DNS lookup of the sender's FROM field of the SMTP mail message. If a valid name cannot be found, the message is denied.

FIELD: Allow messages only from the following external Internet addresses/domains:

This field only allows mail from messages matching the MAIL FROM field of SMTP messages. Domains and/or usernames and domains may be used (e.g., slthomas@thomas-consulting.com or Acme.com).

FIELD: Deny messages from the following Internet addresses/domains:

This field has the opposite effect of the previous field.

SECTION: Inbound Intended Recipients Controls

FIELD: Allow messages intended only for the following Internet addresses:

Only SMTP messages matching the RCPT TO field of SMTP mail messages will be delivered.

FIELD: Deny messages intended for the following Internet addresses:

This field has the opposite effect of the prior field.

-- Scott L. Thomas, DominoWire Security Tips Technical Editor

Editor's Note: For additional information on this topic, see "Is Your Mail System a Spam Relay?" in the June 2001 issue of Group Computing.
CAN DOMINO BOUNCE SPAM BACK TO THE SENDER?
LVL 63

Expert Comment

by:SysExpert
ID: 33570274
LVL 46

Expert Comment

by:Sjef Bosman
ID: 33572572
What is your router's address? Please make sure your router is not in one of the ranges that are excluded in the SMTP inbound restriction settings.

Another possibility is to set, in the Outbound Sender controls, the "Deny messages from the following Internet addresses to be sent to the Internet" to *

Make sure you restart the Router after each modification.
LVL 22

Expert Comment

by:mbonaci
ID: 33574503

Author Comment

by:Shakthi777
ID: 33579769
sjef_bosman:

I didn't get the following change you requested? Please explain, and thanks!

#######
Another possibility is to set, in the Outbound Sender controls, the "Deny messages from the following Internet addresses to be sent to the Internet" to *
#######
LVL 46

Expert Comment

by:Sjef Bosman
ID: 33581890
Below is an image of that part of the Configuration document. Click and hold the description, you'll see the options.
openrelay.JPG
LVL 10

Expert Comment

by:doninja
ID: 33586728
To prevent relay on client sites I have generally instigated the following, which prevents a lot of relay attempts.

On the Configuration Settings Inbound SMTP option "Allow messages to be sent only to the following external internet domains:" I have listed all of the company domains that would validly be delivered to.
I also enable the DNS blacklist option to Log and Reject, as this prevents a lot of known spam hosts.
As others have suggested make sure your router or any firewall relay etc is not in your list of hosts that bypass anti relay checks.

If your users all use Lotus Notes then this will prevent most relay. If users are using SMTP then enable the option "Allow all authenticated users to relay"; they will have to set their client to log on to send SMTP mail.

Then, as people suggest, your Lotus Protector, Spam Sentinel or Kspam works reasonably.
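As an added example (not from the thread and not Domino's code), a Python model of how the Inbound Relay Controls fields described in the accepted solution, doninja's "Allow all authenticated users to relay" option and the router/firewall-address trap Sjef Bosman and doninja warn about combine for one RCPT TO. The class, rule order, addresses and domains are constructed; the order is a simplified reading of the article's field descriptions, including its statement that a blank allow list means anything can be relayed.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class RelayControls:
    """Simplified model of the Configuration document fields named in the thread (not Domino's code)."""
    local_domains: set                                      # domains this server is the final destination for
    allow_to_domains: list = field(default_factory=list)    # Allow messages from external ... only to these domains
    deny_to_domains: list = field(default_factory=list)     # Deny messages from external ... to these domains
    allow_from_hosts: list = field(default_factory=list)    # Allow messages only from these external hosts ...
    deny_from_hosts: list = field(default_factory=list)     # Deny messages from these external hosts ...
    authenticated_users_relay: bool = False                 # Allow all authenticated users to relay

def _match(value, patterns):
    # Domino-style wildcards such as 192.168.10.* or *.acme.com, case-insensitive
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)

def relay_decision(cfg, client_ip, rcpt, authenticated=False):
    """Return (accepted, reason) for one RCPT TO on a connection from client_ip."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in cfg.local_domains:
        return True, "local delivery, not a relay"
    if authenticated and cfg.authenticated_users_relay:
        return True, "relay: authenticated user"
    if _match(client_ip, cfg.deny_from_hosts):
        return False, "reject: connecting host denied"
    if _match(domain, cfg.deny_to_domains):
        return False, "reject: destination domain denied"
    if _match(client_ip, cfg.allow_from_hosts):
        return True, "relay: connecting host allowed"
    if _match(domain, cfg.allow_to_domains):
        return True, "relay: destination domain allowed"
    if not cfg.allow_to_domains and not cfg.allow_from_hosts:
        return True, "relay: OPEN RELAY, both allow lists blank"
    return False, "reject: relay not permitted"

# Constructed scenarios (RFC 5737 addresses, example domains).
OPEN = RelayControls(local_domains={"acme.com"})
LOCKED = RelayControls(local_domains={"acme.com"}, allow_to_domains=["acme.com", "acmetoo.com"],
                       allow_from_hosts=["192.0.2.*"], authenticated_users_relay=True)
# The trap Sjef Bosman and doninja point at: the NAT firewall's inside address is whitelisted,
# so every outside connection, which arrives from that address, bypasses the relay checks.
LEAKY = RelayControls(local_domains={"acme.com"}, allow_to_domains=["acme.com"], allow_from_hosts=["10.0.0.1"])

if __name__ == "__main__":
    for label, cfg, ip in [("open", OPEN, "198.51.100.7"), ("locked", LOCKED, "198.51.100.7"),
                           ("locked, internal", LOCKED, "192.0.2.25"), ("leaky via NAT", LEAKY, "10.0.0.1")]:
        print(f"{label:17} -> victim@example.org: {relay_decision(cfg, ip, 'victim@example.org')}")
```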

Author Closing Comment

by:Shakthi777
ID: 33707337
Thanks all!
