Jump to content


Photo

Spammers Found Loophole. Need to close it. Help.


  • This topic is locked This topic is locked
13 replies to this topic

#1 bkurek

bkurek
  • Members
  • 2 posts

Posted 28 February 2007 - 04:52 PM

In DNS I have two A records. The first being mail.domain.com and the second being barracuda.domain.com. My MX records point to barracuda first and mail second. This was in case barracuda blew up I would still deliver mail to exchnage 2003. The spammers are now sending mail to user@mail.domain.com bypassing the barracuda. Any suggestions on how to close this loophole i've created? I still need to maintain mail.domain.com for owa, pda and remote outlook access. I have some ideas but I'd like to hear what anyone else thinks. Thanks.

#2 pejacoby

pejacoby
  • Members
  • 1,822 posts

Posted 28 February 2007 - 05:30 PM

Never provide spammers with a path that bypasses your anti-spam system. This includes extra MX records and servers with port 25 open to the world, whether they are in DNS or not. You can't hide by not listing yourself in DNS.Drop your secondary MX record, or change it to point to your Barracuda.Firewall off your Exchange server. At a minimum don't allow inbound SMTP (25/TCP).If the Barracuda blows up, then and only then change your firewall rules to allow direct mail to Exchange, and point your MX record there.If an exploding Cuda is a big concern, buy a second one and cluster them, set two MX records pointing to them, and breathe easy ;-)

#3 gsteeley

gsteeley
  • Members
  • 7 posts

Posted 01 March 2007 - 08:52 AM

We have a similar setup - one MX points to Barracuda and second to my old SMTP gateway, which doesn't filter for spam but which I keep for backup if I have to replace the Barracuda. At the firewall I allow port 25 traffic to the Barracuda but block it to the old gateway - the one time my Barracuda died on me, it just took a minute to change the firewall rules to get email working again.

#4 andrewgreene

andrewgreene
  • Members
  • 31 posts

Posted 01 March 2007 - 04:44 PM

At my previous job we had 2 names in the MX record, the Barracuda and then the mail server. Initially my thinking was that it'd just go to the Barracuda first, then in case of emergency, flip over to the mail server. We started getting a ton of spam. After I eliminated the other MX entry for the mail server, spam virtually stopped, except for the nagging messages that still get through.Ideally what you'd do is kill external SMTP access at the network level for everything that's not the Barracuda. For your remote users you could do a couple of things like switch them to IMAP or (my personal favorite) implement RPC over HTTP if you're using Exchange 2003 on Windows 2003 on the server and Outlook 2003 on the client. That setup did wonders for me.

#5 matcomm

matcomm
  • Members
  • 3 posts

Posted 06 April 2007 - 08:43 AM

We have a Barracuda 400 at our primary location, and a backup MX running Ubuntu Linux in a separate physical office.We have the Linux machine configured to accept mail for all the same domains for which the Barracuda is configured. It is configured to forward all mail IT receives to the WAN IP of the Barracuda.So, in this configuration, if our Barracuda goes down, mail gets queued up on the Linux box until we get the Barracuda fixed/replaced.From a spamming perspective, when spammers send mail to our backup MX, it gets forwarded to the Barracuda anyway so it still gets filtered.The only spam prevention measure i have configured on the Linux box is to check the sbl-xbl.spamhaus.org blacklists.It's working pretty well for us so far. About 10% of all messages we receive come from the backup MX. And of course MOST of those are spam since spammers are trying to bypass filtering by going to the backup MX.

#6 galix

galix
  • Members
  • 74 posts

Posted 06 April 2007 - 09:40 AM

Speak to your ISP and ask them if possible to host the secondary MX on a queuing only mail server at their premises and point the secondary to them. This way if the Barracuda is broken, update your DNS for the primary MX and just ask your ISP to update their DNS cache for your domain and you won't have to wait for DNS propagation. Pointing the secondary to your mail server and then blocking port 25 on your firewall is bad idea in general. The spammers in many cases send spam to your lowest MX as a first choice. Anyway the ideal situation would be to have 2 Barracudas but that is not always financially viable.

#7 punkki

punkki
  • Members
  • 549 posts

Posted 06 April 2007 - 12:51 PM

Speak to your ISP and ask them if possible to host the secondary MX on a queuing only mail server at their premises and point the secondary to them. This way if the Barracuda is broken, update your DNS for the primary MX and just ask your ISP to update their DNS cache for your domain and you won't have to wait for DNS propagation.

If you have the ISP's MTA as a secondary MX you really don't need to update the DNS if the primary goes down: legit mail hosts will try the secondary if the primary is down. Problem with this scenario is NDRs: the ISP probably don't know which addresses are valid, so it accepts everything. When the 'cuda comes on-line, it doesn't accept mail to non-existing addresses -> NDR is generated. Not a good thing.

Pointing the secondary to your mail server and then blocking port 25 on your firewall is bad idea in general. The spammers in many cases send spam to your lowest MX as a first choice.

Well that isn't really any problem, since if the port 25 to anything else than the 'cuda is blocked, the spammers can try all they want, they won't be successful. Why it is not desirable to let the sender to queue the messages? They'll get delivered when the cuda gets on-line. This also means that much of the spam that would be queued with secondary-mx situation wouldn't arrive at all.

#8 galix

galix
  • Members
  • 74 posts

Posted 06 April 2007 - 06:07 PM

Speak to your ISP and ask them if possible to host the secondary MX on a queuing only mail server at their premises and point the secondary to them. This way if the Barracuda is broken, update your DNS for the primary MX and just ask your ISP to update their DNS cache for your domain and you won't have to wait for DNS propagation.

If you have the ISP's MTA as a secondary MX you really don't need to update the DNS if the primary goes down: legit mail hosts will try the secondary if the primary is down. Problem with this scenario is NDRs: the ISP probably don't know which addresses are valid, so it accepts everything. When the 'cuda comes on-line, it doesn't accept mail to non-existing addresses -> NDR is generated. Not a good thing.You do need to update the DNS for the primary (instead of the Barracuda, directly to the mail server), so the secondary knows where to deliver the queued messages. And NDR will be generated even if someone tries to send to non-existent receipient straight to the Barracuda, so there will be no difference in this case. The only thing is that you might want to exclude the secondary MX from the rate control.

Pointing the secondary to your mail server and then blocking port 25 on your firewall is bad idea in general. The spammers in many cases send spam to your lowest MX as a first choice.

Well that isn't really any problem, since if the port 25 to anything else than the 'cuda is blocked, the spammers can try all they want, they won't be successful. Why it is not desirable to let the sender to queue the messages? They'll get delivered when the cuda gets on-line. This also means that much of the spam that would be queued with secondary-mx situation wouldn't arrive at all.

If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night, who is going to wake up to change the settings on the firewall? And the messages might queue at the senders but they will generate delayed delivery messages from the senders mail servers to the senders e-mails and there will be many questions going around of "why did I get this notification" and so on. Based on the best practices configuration you must have at least 2 MX records available all the time. One of them might be down for short period due to some failure but blocking it permanently is not a good practice and there is no reason for "cheating" the spammers like that.

#9 Cuda Admin

Cuda Admin
  • Members
  • 341 posts

Posted 07 April 2007 - 08:15 PM

If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night, who is going to wake up to change the settings on the firewall?

No one in our shop. Someone running an MTA these days does not retry for at 48 hours deserves not to have their email delivered.

#10 galix

galix
  • Members
  • 74 posts

Posted 09 April 2007 - 08:01 PM

If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night, who is going to wake up to change the settings on the firewall?

No one in our shop. Someone running an MTA these days does not retry for at 48 hours deserves not to have their email delivered.

Yes but the senders will start getting nasty notifications only after and an hour or so and there will be many questions...

#11 punkki

punkki
  • Members
  • 549 posts

Posted 15 April 2007 - 03:33 PM

If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night, who is going to wake up to change the settings on the firewall?

Why would anyone need to change the settings? Do you mean you'd be willing to let e-mail in without virus scanning (and spam scanning, of course)? Why would you want the extra cost of the 'cuda, then? One important aspect with security devices is that you don't bypass them. You bite the bullet and fix them as quickly as possible.

And the messages might queue at the senders but they will generate delayed delivery messages from the senders mail servers to the senders e-mails and there will be many questions going around of "why did I get this notification" and so on.

Yes, if the senders aren't able to read the message, there'll be questions. But the questions really don't hurt anyone, IMHO.

#12 galix

galix
  • Members
  • 74 posts

Posted 16 April 2007 - 05:11 PM

If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night, who is going to wake up to change the settings on the firewall?

Why would anyone need to change the settings? Do you mean you'd be willing to let e-mail in without virus scanning (and spam scanning, of course)? Why would you want the extra cost of the 'cuda, then? One important aspect with security devices is that you don't bypass them. You bite the bullet and fix them as quickly as possible.

Re-read the whole post from the begining and you'll understand why. And no one is talking about bypassing the Barracuda.

#13 Cuda Admin

Cuda Admin
  • Members
  • 341 posts

Posted 17 April 2007 - 08:06 AM

Re-read the whole post from the begining and you'll understand why. And no one is talking about bypassing the Barracuda.

You said: "If port 25 is blocked to anything else but the Barracuda and the Barracuda suddenly breaks at night,"If it is broke, and you want to change firewall settings to deliver mail how exactly are you going to do that without bypassing the Cuda? And the OP is planning on doing exactly that also it would appear. He is running multiple MX records for when his Cuda is down.

#14 Komfort

Komfort
  • Members
  • 13 posts

Posted 09 May 2007 - 06:04 AM

I quite like our solution that we operate. We only have one MX record, but the IP address that is made public points to our Firewall. When data is received for Port 25, it forwards it to an address on the inside of our network. Should our Barracuda fail then we just need to change the firewall to forward to our mail server instead. As it's been stated before, if this happens in the middle of the night a queue will build up outside of our network. Assuming that we'd have the firewall changed within 48 hours the senders won't have much distruption - perhaps one message stating that the delivery had been delayed.I'd rather risk them being "mildly" upset that rather than receive an infected message.