Open relay test message sent from server

LadySlinger

IS-IT--Management
Nov 3, 2002
617
US
The other day I noticed this in our email filter software:

This is a test message to check for open mail relay servers.

You are probably receiving this message as the Postmaster of a mail server.
We tried to relay a message through your mail server; because you are
reading this message, your mail server probably did not relay the message,
which is good.
If this message does not reach the recipient stated in the header, your
mail server is not an open relay.

##
## RUN=2007542004.28614
## HOST=24.172.186.75
## FROM=<olle@localhost>
## TO=<juniks.net!olle>
## REQ=
## KEY=d96df9ae31e81f9a57b912963b0ee98b

It was sent from olle@localhost to juniks.net!olle.

I ran HiJackThis and according to their site there is nothing out of the ordinary. Is there anything else I can use to make sure that there isn't anything going on? All ports are locked down on that server except for SMTP and the only server that is allowed to relay through that machine is our email server. The server is a Windows 2003 Server Standard.
 
Sounds like you've made a good start.
I would also make sure your OS and SMTP server are patched up.

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first
 
Thanks, the server just updated itself, but I'll manually double check.
 
Huh, it happened again today. This time there were 12 emails.
In groups of four they came from:

olle@[127.0.0.1]
olle@[Our outside IP]
olle@mail.ourdomain.com
olle@localhost

They were all Outbound emails.

Ummm...I'm worried?!
 
It sounds to me like someone is probing your mail server.

There are any number of sites out there that will test your mail server to see whether it is an open relay, and someone is using an open relay tester against your server.

The SMTP headers on the message should tell you from what IP address the message originated, and a quick check at the whois are will tell you to whom the block of addresses containing that IP address is registered.



Want the best answers? Ask the best questions! TANSTAAFL!
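
An added example, not part of the original thread: one way to pull the connecting IP out of a saved probe message's Received headers and to read the `## NAME=value` lines of the test body. The sample message, its addresses (documentation ranges), and the function names are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a probe message as it might be saved on the server.
# Addresses come from documentation ranges; field values are placeholders.
SAMPLE = """\
Received: from localhost ([203.0.113.45]) by mail.example.org with SMTP;
    Mon, 1 Jan 2007 10:00:00 -0500
Received: from forged.invalid ([198.51.100.7]) by localhost; Mon, 1 Jan 2007 09:59:00 -0500
From: <olle@localhost>
To: <example.net!olle>
Subject: open relay test

This is a test message to check for open mail relay servers.
##
## RUN=0000000000.00000
## HOST=192.0.2.10
## FROM=<olle@localhost>
## TO=<example.net!olle>
## REQ=
## KEY=PLACEHOLDER
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw):
    """IP recorded in the topmost Received header, the one our own server wrote.
    Lower Received headers are supplied by the sender and can be forged."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    for text in BRACKETED_IP.findall(received[0]):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address
        if not ip.is_loopback and not any(ip in net for net in RFC1918):
            return str(ip)
    return None

def probe_fields(raw):
    """Parse the '## NAME=value' lines of the test message body into a dict."""
    body = message_from_string(raw).get_payload()
    return dict(re.findall(r"^## (\w+)=(.*)$", body, flags=re.MULTILINE))

if __name__ == "__main__":
    print(connecting_ip(SAMPLE), probe_fields(SAMPLE)["HOST"])
```

The address returned by `connecting_ip` is the one to look up in whois; the `From` line and any lower Received headers are whatever the sender chose to write.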
 
Thanks, I found them in the Drop folder and the IP returned an anti-spam company in Sweden. Apparently their purpose is to test/check servers for relay possibilities.
 
Wait. Change "If the open relay test failed" to read, "Since your server apparently is tested as NOT being an open relay,"



One thing you might try....

I once several years ago came across an antispam open relay testing service that would, once your server had been signed up, periodically retest your server.

If the site in Sweden works the same way, you might try poking around on the site and see if there's a way to get your server removed from any retest lists.



Want the best answers? Ask the best questions! TANSTAAFL!
 
OK, since the site was all in Swedish and I do not speak Swedish (and only high school German from 12 years ago) I just found the Contact Us page, filled out the form and sent it in.

The funny thing was when I just copied and pasted the IP from the email, I received a web page that just says "It Works!". I don't believe there were any other scripts though :\ The source code was just HTML.
 