More on that Domino relay
Last week, I reported an apparently open Domino 6.0.1 relay which passes conventional relay testing (i.e. does not appear to permit relay).

A number of hypotheses were put forward regarding how this might have been achieved, for example:

  • Certain sending IPs had been explicitly permitted to relay. This can be discounted because of the very large number of distinct source IPs, spread across many countries and generally belonging to dynamically assigned cable/DSL pools: a somewhat odd choice of IPs from which to permit unrestricted relay, and very difficult to administer.
  • The spams were forged bounces, where the local victim was a non-existent address and the apparent sender (either the envelope MAIL FROM or the header "From") was some innocent bystander who thus received the spam as an NDR. This is certainly possible, but the spams we have been receiving are not NDRs.

But this last suggestion got me thinking: if the email doesn't look like a relay attempt (i.e. it is addressed to a "local" recipient), then the Domino server will accept it. But what if that recipient is not in fact local?

And here, I think, we have our answer. It transpires that the company in question is one we have worked with in the past and I suspect that, to facilitate this collaboration, the administrator there has created a group or groups containing the email addresses of parties involved in aspects of that collaboration. The spammers have just got lucky in that they have obtained the email addresses of those groups and are using them in direct-to-MX spam runs from trojaned proxy servers. When this Domino server receives spams addressed to these local groups, the members of which are not local, it simply reflects the email back out to every member of the group in question.

I tested this by simulating it on a server here and the test email that I sent to a local group was indeed sent out to the non-local member of that group (my own Yahoo! mail account) with headers that look exactly like the headers of the spams we have been receiving from the "compromised" host in India.

So the good news is that there is no new vulnerability in Domino. The bad news is that sites using groups to reflect email to non-local recipients (something we do ourselves in fact) will probably have to rethink this strategy.
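To make the mechanism concrete, here is an added illustration in Python. It is not Domino code and does not use any Domino configuration; it simulates a generic SMTP RCPT TO policy over a small constructed directory (the local domain, group names and member addresses are all invented). The naive policy checks only whether the recipient's domain is local and expands groups afterwards, which is enough for an unauthenticated sender to reach the external members of a "local" group even though a direct attempt to relay to those same addresses is refused. The alternative policy expands the group first and applies the relay rule to every final recipient, so a group with non-local members is only accepted from an authenticated (or otherwise trusted) client.

```python
"""Simulated SMTP recipient policy (added example; not Domino's own code).

Demonstrates why a locally-named group whose members are external
addresses lets an unauthenticated sender reach those addresses although
ordinary relay attempts are rejected, and one policy that closes the gap
by expanding groups before making the relay decision.
"""
from __future__ import annotations

# Constructed data for this example: one local domain and a small directory.
# Group names and member addresses are invented.
LOCAL_DOMAINS = {"example.com"}
DIRECTORY: dict[str, list[str]] = {
    # Collaboration group: local name, entirely external members.
    "partners@example.com": ["alice@partner-a.example", "bob@partner-b.example"],
    # Ordinary internal group.
    "staff@example.com": ["carol@example.com", "dave@example.com"],
    # Nested group that pulls in the external one.
    "everyone@example.com": ["staff@example.com", "partners@example.com"],
}


def is_local_address(addr: str) -> bool:
    """True if the address's domain is one this server is responsible for."""
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def expand(addr: str, seen: set[str] | None = None) -> list[str]:
    """Recursively expand group addresses into final mailboxes.

    The shared `seen` set makes the expansion cycle-safe and also removes
    duplicate mailboxes reached through more than one group.
    """
    seen = seen if seen is not None else set()
    if addr in seen:
        return []
    seen.add(addr)
    members = DIRECTORY.get(addr)
    if members is None:
        return [addr]  # not a group: a final mailbox
    final: list[str] = []
    for member in members:
        final.extend(expand(member, seen))
    return final


def naive_rcpt_policy(rcpt: str, authenticated: bool) -> tuple[int, list[str]]:
    """Domain-only relay check: accept anything addressed to a local domain.

    Returns (SMTP reply code, final delivery list). Because the group is
    expanded only after acceptance, its external members get the message.
    """
    if authenticated or is_local_address(rcpt):
        return 250, expand(rcpt)
    return 550, []


def expanded_rcpt_policy(rcpt: str, authenticated: bool) -> tuple[int, list[str]]:
    """Expand first, then apply the relay rule to every final recipient.

    An unauthenticated client may only cause delivery to local mailboxes;
    a group that would fan out to external addresses is refused.
    """
    final = expand(rcpt)
    if authenticated or all(is_local_address(a) for a in final):
        return 250, final
    return 550, []


if __name__ == "__main__":
    for rcpt in ("bob@partner-b.example", "partners@example.com", "everyone@example.com"):
        print(f"RCPT TO:<{rcpt}> (unauthenticated)")
        print("  naive    :", naive_rcpt_policy(rcpt, False))
        print("  expanded :", expanded_rcpt_policy(rcpt, False))
```

Run as a script, the naive policy refuses the direct external recipient with 550 but accepts the two groups and lists the external members as deliveries; the expanded policy refuses both groups from an unauthenticated client while still accepting them from an authenticated one. Whether a real deployment should refuse such groups outright or restrict who may send to them is the "rethink" the post refers to; the point of the example is that the relay decision has to be made on the expanded recipients, not on the address as typed.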

Category: Domino: Administration