# Is that possible??? - someone using my smtp



## NuLL3rr0r (Mar 23, 2010)

Hi Folks,

I'm not sure this is the right place to post this, but since I suspect this may be related to a BIND misconfiguration I'll post it here. I apologize if this is the wrong place.


Last night I received a ticket from my ISP (they're using giga-international servers in Germany) that says (it's quoted from giga):



> We have received complaints about your server, specifically about the IP-address
> 91.194.91.7, assigned to the server 6035 (main IP: 91.194.91.75). Please see the
> forwarded e-mail below for more details. Apparently, your server is used for
> distributing SPAM, which is strictly forbidden by our ToS.




It seems there's a message from davidkm092@gmail.com or davidkim189@gmail.com that they claim he sent from my IP (I swear I've never heard of him).

The most important note is no one has any kind of access to my VPS except myself.


I suspect:
1. My BIND configuration or something else has a problem
2. giga-international made a mistake


For case one, this is my configuration:

http://forums.freebsd.org/showthread.php?t=10593


And for sendmail:

 /etc/mail/access

```
babaei.net              RELAY
3rr0r.babaei.net        RELAY
91.194.91.7             RELAY
127.0.0.1               RELAY
localhost               RELAY
```

 /etc/mail/local-host-names

```
babaei.net
3rr0r.babaei.net
91.194.91.7
127.0.0.1
localhost
```

 /etc/mail/virtusertable

```
ace.of.zerosync@gmail.com       root
```


Am I doing something wrong??

If so, is there any way to harden them??



Thanks in Advance.


And this is the full ticket including the spam message with headers:



> Dear Mr Yarmohammadi,
> dear Mr Aryafar,
> 
> We have received complaints about your server, specifically about the IP-address
> ...


----------



## NuLL3rr0r (Mar 23, 2010)

Sorry, but I forgot to mention, in the header of the spam message there is no evidence of 91.194.91.7 (my VPS IP). Is this related??


----------



## SirDice (Mar 23, 2010)

NuLL3rr0r said:

> Sorry, but I forgot to mention, in the header of the spam message there is no evidence of 91.194.91.7 (my VPS IP). Is this related??



There is, at least close enough.

```
Received: from power.hostjewelry.info (power.hostjewelry.info [91.194.91.5]) by mx0.netcologne.de (Postfix) with ESMTP id BCBBF6200AD for <dietmar.braun@netcologne.de>; Sat, 20 Mar 2010 17:24:52 +0100 (CET)
Received: from vc-41-27-237-84.umts.vodacom.co.za ([41.27.237.84] helo=User) by power.hostjewelry.info with esmtpa (Exim 4.69) (envelope-from <davidkm092@gmail.com>) id 1Nt1Pw-00032L-7F; Sat, 20 Mar 2010 09:20:53 -0700
```

The IP 41.27.237.84 is relaying mail through the mail server at 91.194.91.5, which is very close to your IP. However, if you're not assigned that IP address it must be someone else on the same host. Perhaps a different VPS client.


----------



## DutchDaemon (Mar 23, 2010)

It appears to be an open Exim relay at power.hostjewelry.info [91.194.91.5], but my relay attempt failed.


```
$ telnet power.hostjewelry.info 25
Trying 91.194.91.5...
Connected to power.hostjewelry.info.
Escape character is '^]'.
220-power.hostjewelry.info ESMTP Exim 4.69 #1 Tue, 23 Mar 2010 04:28:55 -0700 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
EHLO test.domain.com
250-power.hostjewelry.info Hello test.domain.com [ip redacted]
250-SIZE 52428800
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
MAIL FROM:<user@domain.com>
250 OK
RCPT TO:<user@domain.com>
550-(test.domain.com) [ip redacted] is currently not permitted to relay
550-through this server. Perhaps you have not logged into the pop/imap server
550-in the last 30 minutes or do not have SMTP Authentication turned on in your
550 email client.
quit
221 power.hostjewelry.info closing connection
Connection closed by foreign host.
```

This may be a matter of someone who got hold of SMTP AUTH data, or POP3/IMAP account data on that server, making relaying possible.

If this host (power.hostjewelry.info [91.194.91.5]) doesn't belong to you, I have no idea why they're complaining to you.


----------
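To make SirDice's reading of the Received chain and DutchDaemon's SMTP AUTH conclusion reproducible, here is an added Python example (my own, not code from any poster in this thread) that parses the two headers quoted above into hops, marks the Exim `esmtpa` hop as an authenticated submission, and checks whether a given IP appears anywhere in the chain. The header text is the thread's own, rejoined onto single lines; the function names are my own.

```python
import re

# Constructed sample: the two Received: headers quoted earlier in the thread,
# each on one line (raw messages fold them; parse_received() unfolds first).
SAMPLE_HEADERS = """\
Received: from power.hostjewelry.info (power.hostjewelry.info [91.194.91.5]) by mx0.netcologne.de (Postfix) with ESMTP id BCBBF6200AD for <dietmar.braun@netcologne.de>; Sat, 20 Mar 2010 17:24:52 +0100 (CET)
Received: from vc-41-27-237-84.umts.vodacom.co.za ([41.27.237.84] helo=User) by power.hostjewelry.info with esmtpa (Exim 4.69) (envelope-from <davidkm092@gmail.com>) id 1Nt1Pw-00032L-7F; Sat, 20 Mar 2010 09:20:53 -0700
"""

# "from <name> (<comment>) by <name> [(<software>)] with <protocol>"
HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<from>\S+)\s*\((?P<paren>[^)]*)\)\s*by\s+(?P<by>\S+)"
    r"(?:\s+\([^)]*\))?\s+with\s+(?P<with>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(headers):
    """Return one dict per Received: hop, in message order (newest first).

    Only the first hop was written by the receiving MX and can be trusted;
    every later line was written by the relay itself or by the sender.
    """
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded lines
    hops = []
    for line in unfolded.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren"))
        proto = m.group("with").lower()
        hops.append({
            "from": m.group("from"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "with": proto,
            # Exim writes "esmtpa"/"esmtpsa" when the client used SMTP AUTH.
            "authenticated": proto in ("esmtpa", "esmtpsa"),
            "written_by_receiver": len(hops) == 0,
        })
    return hops


def assess(hops, my_ip):
    """Is my_ip anywhere in the chain, and which hop did the relaying?"""
    involved = any(my_ip in (h["ip"], h["from"], h["by"]) for h in hops)
    relay = next((h for h in hops if h["authenticated"]), None)
    return {
        "my_ip_in_chain": involved,
        "relay_server": relay["by"] if relay else None,
        "submitting_ip": relay["ip"] if relay else None,
        "via_smtp_auth": relay is not None,
    }


if __name__ == "__main__":
    print(assess(parse_received(SAMPLE_HEADERS), "91.194.91.7"))
```

For the thread's headers the result says the OP's IP is not in the chain and that 41.27.237.84 submitted through power.hostjewelry.info with SMTP AUTH, which points at leaked credentials rather than an open relay, exactly as DutchDaemon's telnet test suggests.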



## NuLL3rr0r (Mar 24, 2010)

Thank you guys for your tips.

I already sent them these tips plus all of my reasons. Now I'm waiting for their answer.


If they suspend my VPS or claim their "30.00 EUR reactivation fee" I'll go with RootBSD.




> If this host (power.hostjewelry.info [91.194.91.5]) doesn't belong to you, I have no idea why they're complaining to you.




Well, as far as I know, they surcharge their customers for absolutely no reason.

http://www.webhostingtalk.com/showthread.php?t=684780


> I sent a newsletter to all my members as I have a community site and Giga contacted me and said that I am a spammer and that they will suspend my server and I need to pay 30 € to activate it (!)
> 
> I changed hosting company (obvious reasons) and I just left the chat on one of their servers as I had 3 servers there. Now they say that they want to cancel my paid server because I am a spammer. *How did they decide that I spammed anybody? A former member gave a complaint to them for receiving the newsletter and that is all they needed.
> Enough said.*




Or just look at this post on this Persian forum (the original email from giga in English is included). They claimed that this customer used "the ip address of a high important infrastructure server", but the truth is he did not!! He touched nothing.




> Dear Mr *****,
> 
> We are terribly sorry to inform you, that we were forced to suspend your
> colo-server with the main-ip 93.104.208.83 without prior notification.
> ...




Sorry! I did not want to represent giga like this, but I've only seen this kind of weird thing from them.


----------



## NuLL3rr0r (Jan 4, 2011)

I enabled SMTP Authentication using this excellent guide in FreeBSD's Handbook.

http://www.freebsd.org/doc/handbook/smtp-auth.html


----------

