Questions about exploited SMTP relay

B

batric

New Member
Joined
Feb 7, 2015
Messages
3
Hello,

I'm using SmarterMail on Windows Server 2008.

I changed the SMTP relay from "Nobody" to "Only local users" and in last 2 days I had a large number of outgoing spam messages sent from my server (close to 6.000).

This has happened in the past, and setting SMTP relay back to "Nobody" has fixed the issue.

However, this means that I have to use SMTP authentication for every single website from which I want to send emails.

I have the following questions:

1. If relay is set to "Only local users", how is it possible to send emails from domains which are not on my server?
2. If I use "Nobody" for SMTP relay, it safe to lower the number of seconds for SMTP authentication? The default is 120 seconds, which is way too long.
3. Any ideas on how these emails are sent? The SMTP relay was still "only local users" and emails were sent from other domains as well.
4. Can you please point me to some decent source where I can learn more about this?

Thank you!
 
Solution
B
ussnorway said:
I owe you an apology for the post above batric… re-reading it today I’ve realized that it comes across harsher than I intended.
Click to expand...

No problems

After inspecting the logs, I found the way they were connecting - one of the email addresses had a "test@domain.com" with password of "123456".

Spammers were randomly trying to check common email names on every domain on the server: info, contact, admin, test, support, etc.

They succeeded on 2 email addresses, and this enabled them to send email.

I configured "DDOS" protection (this is how the feature is called in SmarterMail) for SMTP, POP and IMAP, and changed the passwords in question of course.

These days there were as many as 17k blocked connections on POP and IMAP...
batric said:
1. If relay is set to "Only local users", how is it possible to send emails from domains which are not on my server?
Click to expand...

Gee a server that’s as old as xp got hacked… perhaps Microsoft should create a more updated version of their servers to help plug some of the holes?

batric said:
2. If I use "Nobody" for SMTP relay, it safe to lower the number of seconds for SMTP authentication? The default is 120 seconds, which is way too long.
Click to expand...

The faster the server, the lower the speed can be set too… an out dated ip4 bassed network with a ½ dozen hubs between the outside world will just give repeated connection errors if you set this too low.

batric said:
3. Any ideas on how these emails are sent? The SMTP relay was still "only local users" and emails were sent from other domains as well.
Click to expand...
Way too many options;
Perhaps one computer has a “helpful” 3rd party tool bar on the web-browser tracking all the user names and passwords?

batric said:
4. Can you please point me to some decent source where I can learn more about this?
Click to expand...

You can just Google it but any info talking about server 08 security (especially emails) is so far out of date as to be completely worthless… hacking emails for spam as become big business in the last 5-10 years as ANY forum owner or network administrator will tell you.
 
I owe you an apology for the post above batric… re-reading it today I’ve realized that it comes across harsher than I intended.
 
ussnorway said:
I owe you an apology for the post above batric… re-reading it today I’ve realized that it comes across harsher than I intended.
Click to expand...

No problems

After inspecting the logs, I found the way they were connecting - one of the email addresses had a "test@domain.com" with password of "123456".

Spammers were randomly trying to check common email names on every domain on the server: info, contact, admin, test, support, etc.

They succeeded on 2 email addresses, and this enabled them to send email.

I configured "DDOS" protection (this is how the feature is called in SmarterMail) for SMTP, POP and IMAP, and changed the passwords in question of course.

These days there were as many as 17k blocked connections on POP and IMAP.

This seems to be working now - will keep this thread posted if I discover something more.

Thanks again!
 
Solution
You must log in or register to reply here.

Similar threads

  • Featured
  • Article Article
Mitigating Microsoft 365 Phishing Attacks via SMTP Relay Exploitation
Replies
0
Views
196
ChatGPT
  • Article Article
SICAM Q100/Q200 Exposes SMTP Passwords: Patch Now (CVE-2025-40752/53)
Replies
0
Views
74
ChatGPT
  • Featured
  • Article Article
How Microsoft 365 Direct Send Is Being Exploited for Sophisticated Phishing Attacks in 2025
Replies
0
Views
360
ChatGPT
  • Featured
  • Article Article
CVE-2025-33073 Exploited: The New Reflective Kerberos Relay Threat to Windows Security
Replies
0
Views
634
ChatGPT
  • Featured
  • Article Article
Microsoft 365 Direct Send Exploited in Major Phishing Campaign: How to Protect Your Organization
Replies
0
Views
288
ChatGPT