Re: [exim] open relay aftermath

Author: Matthias-Christian Ott
Date:  
To: exim-users
Subject: Re: [exim] open relay aftermath
On Sun, Feb 13, 2011 at 09:33:48PM +0000, Dave Evans wrote:
> On Sun, Feb 13, 2011 at 05:53:53PM +0100, Matthias-Christian Ott wrote:
> > Hi,
> >
> > lately I turned my SMTP server into an open relay
> >
> > Luckily, nearly all of the E-mails which were left in the queue went to
> > yahoo.com.tw, so I found that I'm not blacklisted at popular
> > blacklists. I temporarily reject all SMTP traffic to the main server
> > (except from the relays), so that all E-Mails are forwarded to the main
> > server from my backup relays. I expect that the main server goes back to
> > normal in a few days.
>
> I don't think you've said why it's not back to normal already.


My theory was that once the control server notices that the relay
is closed it will delegate its bots to the next one and leave
me alone. As far as I can tell by now this doesn't seem to happen
(they keep sending e-mail although they get rejected). The good news
though is that I made a reading error and I received only 1.8 GiB and
not 18 GiB traffic within that last day. So even if it's true that
they won't stop once they started (as suggested in another e-mail),
the impact is not as bad as I initially thought.

> > Do you have any advice for what I should do additionally to ensure that
> > this configuration mistake has no further consequences (like being
> > blacklisted, rejected etc.)?
>
> Fix the configuration error. Remove the spam from your queue. That will stop
> you sending any more spam of this type, so although you can't guarantee that
> there will be no further consequences, at least whatever consequences there
> may be are out of your control anyway - you will have done what you could.
>
> Normally I would assume you've done that already, but maybe not (see my first
> paragraph).
>
> As for other knock-on effects (e.g. incoming bandwidth use): move IPs, if you
> can (you can probably switch IPs and DNS faster than the spammers will
> notice). Block, temporarily or otherwise, the incoming spam connections as
> far upstream as you can.


I already asked about additional IP addresses, but the hosting provider
refused and wanted me to upgrade to a bigger contract which includes
more IPs and I guess I can't tell them that I want to return an IP
address which hosted a relay once.

> Add monitoring so that if you ever make that configuration error again, you'll
> know sooner. Add something based on rate-limits so that if it happens again,
> the system can autonomously take some sort of preventative action.


I'll probably do that. It should be easy to implement.

Regards,
Matthias-Christian
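The monitoring and rate-limit advice in the thread above, as an added example that is not part of the original messages and not Exim's own code: a small Python watcher over Exim mainlog lines that flags any message Exim relayed for a host that was neither a trusted relay nor SMTP-authenticated to a domain the server does not host (the signature of the open-relay mistake), and that reports hosts exceeding a per-host message rate inside a sliding window. The log lines, IP addresses, domain lists and thresholds are all constructed for the example; the field layout (`<=` arrival lines with `H=... [ip]` and an `A=` field only when the client authenticated, `=>` delivery lines) follows Exim's default mainlog format.

```python
"""Flag open-relay traffic and per-host rate overruns in an Exim mainlog.

Added example; the log lines, addresses and thresholds below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Arrival ("<=") and delivery ("=>") lines in Exim's default mainlog layout.
# Only the fields used below are captured.
ARRIVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S{6}-\S{6}-\S{2}) <= \S+ "
    r".*?\[(?P<ip>[0-9a-fA-F.:]+)\](?P<rest>.*)$")
DELIVERY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<id>\S{6}-\S{6}-\S{2}) => "
    r"(?P<rcpt>\S+)(?: <(?P<addr>[^>]+)>)?")

# Constructed sample log: one authenticated submission, one message from a
# trusted backup relay, one inbound message for a local domain, and three
# messages relayed for an untrusted host to an external domain.
SAMPLE_LOG = """\
2011-02-13 20:01:02 1PoXyA-0001Aa-Aa <= alice@example.com H=(laptop) [192.0.2.10] P=esmtpa A=plain:alice S=2048
2011-02-13 20:01:03 1PoXyA-0001Aa-Aa => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7]
2011-02-13 20:01:30 1PoXyB-0001Ab-Ab <= carol@example.org H=backup.example.com [192.0.2.20] P=esmtp S=1500
2011-02-13 20:01:31 1PoXyB-0001Ab-Ab => carol@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7]
2011-02-13 20:01:50 1PoXyC-0001Ac-Ac <= erin@example.org H=(mailer) [198.51.100.9] P=esmtp S=900
2011-02-13 20:01:51 1PoXyC-0001Ac-Ac => dave <dave@example.com> R=localuser T=local_delivery
2011-02-13 20:02:10 1PoXyD-0001Ad-Ad <= spam@example.org H=(unknown) [203.0.113.5] P=esmtp S=4096
2011-02-13 20:02:11 1PoXyD-0001Ad-Ad => victim1@yahoo.com.tw R=dnslookup T=remote_smtp H=mx.yahoo.com.tw [203.0.113.99]
2011-02-13 20:03:10 1PoXyE-0001Ae-Ae <= spam@example.org H=(unknown) [203.0.113.5] P=esmtp S=4096
2011-02-13 20:03:11 1PoXyE-0001Ae-Ae => victim2@yahoo.com.tw R=dnslookup T=remote_smtp H=mx.yahoo.com.tw [203.0.113.99]
2011-02-13 20:04:10 1PoXyF-0001Af-Af <= spam@example.org H=(unknown) [203.0.113.5] P=esmtp S=4096
2011-02-13 20:04:11 1PoXyF-0001Af-Af => victim3@yahoo.com.tw R=dnslookup T=remote_smtp H=mx.yahoo.com.tw [203.0.113.99]
"""
LOCAL_DOMAINS = {"example.com"}      # constructed: domains this server hosts
TRUSTED_HOSTS = {"192.0.2.20"}       # constructed: the backup relays


def parse_mainlog(text):
    """Return ({msgid: arrival info}, {msgid: [recipient domains]})."""
    arrivals, deliveries = {}, defaultdict(list)
    for line in text.splitlines():
        m = ARRIVAL_RE.match(line)
        if m:
            arrivals[m["id"]] = {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "ip": m["ip"],
                # Exim logs "A=<authenticator>" only for authenticated sessions.
                "authenticated": " A=" in m["rest"],
            }
            continue
        m = DELIVERY_RE.match(line)
        if m:
            address = m["addr"] or m["rcpt"]     # local deliveries log "user <addr>"
            if "@" in address:
                deliveries[m["id"]].append(address.rsplit("@", 1)[1].lower())
    return arrivals, deliveries


def relayed_messages(arrivals, deliveries, local_domains, trusted_hosts):
    """Messages relayed for an untrusted, unauthenticated host to a domain we
    do not host. With a correct relay ACL this list is always empty."""
    local = {d.lower() for d in local_domains}
    found = []
    for msgid, a in arrivals.items():
        if a["ip"] in trusted_hosts or a["authenticated"]:
            continue
        remote = [d for d in deliveries.get(msgid, []) if d not in local]
        if remote:
            found.append((a["ts"], a["ip"], msgid, remote))
    return sorted(found)


def hosts_over_limit(relayed, limit, window):
    """Hosts with more than `limit` relayed messages inside any sliding `window`."""
    by_host = defaultdict(list)
    for ts, ip, _, _ in relayed:
        by_host[ip].append(ts)
    flagged = {}
    for ip, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def check(log_text, local_domains, trusted_hosts, limit=5, window=timedelta(hours=1)):
    """One monitoring pass: even a single relayed message means the ACL is wrong;
    hosts over the rate limit are candidates for an automatic block."""
    arrivals, deliveries = parse_mainlog(log_text)
    relayed = relayed_messages(arrivals, deliveries, local_domains, trusted_hosts)
    return {
        "open_relay_suspected": bool(relayed),
        "relayed_count": len(relayed),
        "hosts_over_limit": hosts_over_limit(relayed, limit, window),
    }


def run_sample():
    """Run the check over the constructed log with a deliberately low limit."""
    return check(SAMPLE_LOG, LOCAL_DOMAINS, TRUSTED_HOSTS, limit=2)


if __name__ == "__main__":
    print(run_sample())
```

Run it from cron or against a tailed mainlog; the "autonomous preventative action" Dave suggests would be driven by `hosts_over_limit` (for example, feeding the addresses to a host firewall rule), which is deliberately left to the operator here. For enforcement inside the MTA itself, Exim's `ratelimit` ACL condition can apply the same per-host limit at RCPT time, so that the log watcher becomes the backstop rather than the only control.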