Community Discussions and Support
Compromised Mercury/32 server/account? or e-mail sent from Admin - How?

Try something like this:

H, "[EHeh][EHeh]LO normie.com*", R, "554 Illegal HELO, connection refused."

/Rolf


Hello all.

Here is an interesting problem I am facing right now and affects my "Admin" account for Merc/32.  There have been a fair number of bouncing e-mails for which I receive notification to the Admin mailbox (see example below).  In reading the entries, it appears that the message is originating from the Admin account itself and is trying to send specially-crafted messages to bunches of addresses.  One problem: I am certainly NOT sending them!  As well, my server has no relaying whatsoever turned on.  I'm worried that the server itself (or at least the Admin account) has been compromised in some way I haven't been able to detect.  I am not seeing any unusual access or activity on the firewall nor the IPS and the Admin password has been changed several times in the last month.

Any thoughts?  Ruminations?  Comments?  :-)

If need be, please reply directly to normang at normie.com and I'll post a fix if I get one. 

Thank you in advance. 

-Norman 

 

Message from Admin account:

--------------------------------------------------------------

This is a delivery status message from the electronic mail server at
normie.com. A message appearing to originate from your address
has been delayed during delivery.

Message details:
------------------------------------------------------------------
Originally submitted:      27 Dec 07, 9:16:42
Originator address:        admin@normie.com
Message's subject:         어려운때일수록 힘내세요! 저이율로 도움이되겠습니다30585
Message's ID:              <A7D650A57295@normie.com>

After 3 hours, the following addresses had delivery problems:

   chphyuns@yahoo.co.kr [Temporary failure - still trying to deliver]
   wnqn21@yahoo.co.kr [Temporary failure - still trying to deliver]
   kbshon47@yahoo.co.kr [Temporary failure - still trying to deliver]
   wodyd557@yahoo.co.kr [Temporary failure - still trying to deliver]
   forfashs2000@yahoo.co.kr [Temporary failure - still trying to deliver]

The server will continue to attempt to deliver your message to any
addresses showing temporary errors. You do not need to take any
further action at this time - this message is for your information
only.


How have you turned relaying off?  You *must* ensure that the top two checkboxes in MercuryS/Connection control are ticked or else your machine can be used for relaying.  Turn on logging and check your logs.

Also run a scan on the machine and all other network computers.


Check the log files for outgoing SMTP to see if there are any unknown messages sent with your admin account as sender. If not it's probably just someone using your mail address as faked sender in their spam.

/Rolf 


Yup.  Relaying turned off correctly (never had this problem before....) - even had an outside service check it.

Logs don't seem to give much.  I can't seem to correlate the "outbound" messages with a particular connection source.

-Norm


This is the first time I've had messages with forged headers like this.  It's a little weird that Mercury reports the messages via a failed attempt to deliver....

 

Is there an entry I can make in the TRANSFLT.MER that can check if the HELO or EHLO is right?  I'm seeing log entries like the following:

T 20080101 000733 4748f9ec Connection from 123.111.206.91
T 20080101 000733 4748f9ec HELO normie.com
T 20080101 000733 4748f9ec MAIL From: <admin@normie.com>

If it WAS from me, it wouldn't have my own domain as HELO, no?

-N
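Added example (not from the thread or from Mercury/32): the check Norman asks for and Rolf's transaction-filter line expresses, applied to session-log lines in the format quoted above. It groups lines by session id and flags sessions where an address outside a hypothetical local range (assumed 192.168.x.x) greets with our own domain or claims a local sender; the sample log is constructed, not real traffic.

```python
import re
from collections import defaultdict

# Constructed MercuryS-style session log: T <yyyymmdd> <hhmmss> <session-id> <event>.
# First session mirrors the suspicious one quoted in the thread; the others are made up.
SAMPLE_LOG = """\
T 20080101 000733 4748f9ec Connection from 123.111.206.91
T 20080101 000733 4748f9ec HELO normie.com
T 20080101 000733 4748f9ec MAIL From: <admin@normie.com>
T 20080101 000801 4748f9ed Connection from 192.168.1.20
T 20080101 000801 4748f9ed EHLO workstation.normie.com
T 20080101 000801 4748f9ed MAIL From: <norman@normie.com>
T 20080101 000815 4748f9ee Connection from 203.0.113.7
T 20080101 000815 4748f9ee EHLO mx.example.org
T 20080101 000815 4748f9ee MAIL From: <someone@example.org>
"""

LINE_RE = re.compile(r"^T (\d{8}) (\d{6}) ([0-9a-f]+) (.*)$")
LOCAL_DOMAIN = "normie.com"
LOCAL_PREFIXES = ("192.168.",)   # hypothetical LAN range; legitimate clients may greet with our domain

def parse_sessions(log_text):
    """Collect connecting IP, HELO/EHLO argument and MAIL FROM per session id."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, event = m.group(3), m.group(4)
        s = sessions[sid]
        if event.startswith("Connection from "):
            s["ip"] = event[len("Connection from "):].strip()
        elif event[:4].upper() in ("HELO", "EHLO"):
            s["helo"] = event[5:].strip().lower()
        elif event.upper().startswith("MAIL FROM:"):
            s["mail_from"] = event.split(":", 1)[1].strip().strip("<>").lower()
    return dict(sessions)

def flag_forged_helo(sessions):
    """Session ids where an outside host used our domain in HELO or as sender."""
    flagged = []
    for sid, s in sessions.items():
        if s.get("ip", "").startswith(LOCAL_PREFIXES):
            continue                      # our own clients are allowed to say who they are
        helo, sender = s.get("helo", ""), s.get("mail_from", "")
        helo_forged = helo == LOCAL_DOMAIN or helo.endswith("." + LOCAL_DOMAIN)
        if helo_forged or sender.endswith("@" + LOCAL_DOMAIN):
            flagged.append(sid)
    return flagged
```

Rolf's filter pattern `[EHeh][EHeh]LO normie.com*` refuses such sessions at the HELO stage; this script only reports them from the log, which is the step to run first so that legitimate internal senders are not cut off.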
