GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Connect » Do I have a security breach? (Weird sender or possible relay)
Do I have a security breach? [message #129412] Thu, 05 May 2016 02:06 Go to next message
Gaby is currently offline  Gaby
Messages: 34
Registered: March 2010
Checking the queue in Kerio Connect I noticed a weird thing: the sender showed <>.

Checking the debug file I noticed something that i suspect it may be an intent of relay using my mail server. Check out the following, particularily the first line

[04/May/2016 20:12:54][4444] {smtpc} Sending email to SMTP server mx01.mail.de, delivering mail from <>
[04/May/2016 20:12:55][4444] {smtpc} Connecting to 213.128.151.210 (mx01.mail.de) using local interface 0.0.0.0...
[04/May/2016 20:12:55][4444] {smtpc} Connected to mx01.mail.de
[04/May/2016 20:12:55][4444] {smtpc} Received greeting: 220 mx01.mail.de ESMTP eXpurgate 4.0.10
[04/May/2016 20:12:55][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:56][4444] {smtpc} Switching connection to TLS
[04/May/2016 20:12:57][4444] {smtpc} Sending EHLO
[04/May/2016 20:12:57][4444] {smtpc} Sent MAIL command
[04/May/2016 20:12:57][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:57][4444] {smtpc} Sent RCPT TO: <SkinnerRosalinda51596<_at_>trash-email.de>
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 250 OK
[04/May/2016 20:12:58][4444] {smtpc} Sent DATA command
[04/May/2016 20:12:58][4444] {smtpc} Got reply: 354 End data with <CR><LF>.<CR><LF>
[04/May/2016 20:12:58][4444] {smtpc} Sending message body...
[04/May/2016 20:12:58][4444] {smtpc} Data sent, got reply: 450 4.7.1 <SkinnerRosalinda51596<_at_>trash-email.de>: Relay access denied
[04/May/2016 20:12:58][4444] {smtpc} Data not accepted: 450 4.7.1 <SkinnerRosalinda51596<_at_>trash-email.de>: Relay access denied
[04/May/2016 20:12:59][4444] {smtpc} QUIT sent, got reply: 221 Bye
[04/May/2016 20:12:59][4444] {smtpc} Delivery to other mx servers was skipped.

I can't fully understand what is going on, but seems that someone called <> is trying to send a message through my server. Can it be?

Thanks in advance

Report message to a moderator

Re: Do I have a security breach? [message #129418 is a reply to message #129412] Thu, 05 May 2016 18:14 Go to previous message
Bud Durland is currently offline  Bud Durland
Messages: 586
Registered: December 2013
Location: Plattsburgh, NY
Since the "from" is empty ("<>"), this is probably backscatter. Wiki link. The server will give up trying to deliver it after a certain period and will delete the message.

Had there been a real address in the from value, that might indicate a compromised user account.

Report message to a moderator

Previous Topic: Whitelist IP no longer working
Next Topic: How to make sure that ALL local messages are on the server
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Sun May 28 23:57:27 CEST 2023

Total time taken to generate the page: 0.05405 seconds
.:: Contact :: Home :: Acceptable Use Policy ::.

Powered by: FUDforum 3.0.9.
Copyright ©2001-2022 FUDforum Bulletin Board Software