
GW7.02 is relaying?


Adrie de Regt

Dec 14, 2009, 9:41:00 AM
Customer was deactivated by the internet provider since they were sending
large amounts of mail.
Went on-site, checked one thing and another. And I do see lots of these messages:

==quote
16:07:29 709 MSG 21219 Processing inbound message:
SRV3/GW:\GWDOM\WPGATE\GWIA\receive\09C112B4.343
16:07:29 709 MSG 21219 Sender: timlo...@yahoo.com.tw
16:07:29 709 MSG 21219 Recipient: timlo...@yahoo.com.tw
16:07:29 709 MSG 21219 Converting message to SMTP:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\xb211cc1.066
16:07:29 709 MSG 21219 Queuing message to daemon:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\sb211cc1.066
16:07:29 709 Recipient: timlo...@yahoo.com.tw
16:07:29 709 MSG 21220 Processing inbound message:
SRV3/GW:\GWDOM\WPGATE\GWIA\receive\C9C112B4.344
16:07:29 709 MSG 21220 Sender: ot...@yahoo.com.tw
16:07:29 709 MSG 21220 Recipient: ot...@yahoo.com.tw
16:07:29 709 MSG 21220 Converting message to SMTP:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\xb211cc1.067
16:07:29 709 MSG 21220 Queuing message to daemon:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\sb211cc1.067
16:07:29 709 Recipient: ot...@yahoo.com.tw
16:07:29 709 MSG 21221 Processing inbound message:
SRV3/GW:\GWDOM\WPGATE\GWIA\receive\E9C112B4.345
16:07:29 709 MSG 21221 Sender: ivy8...@yahoo.com.tw
16:07:29 709 MSG 21221 Recipient: ivy8...@yahoo.com.tw
16:07:29 709 MSG 21221 Converting message to SMTP:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\xb211cc1.068
16:07:29 709 MSG 21221 Queuing message to daemon:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\sb211cc1.068
16:07:29 709 Recipient: ivy8...@yahoo.com.tw
16:07:29 709 MSG 21222 Processing inbound message:
SRV3/GW:\GWDOM\WPGATE\GWIA\receive\DAC112B4.347
16:07:29 709 MSG 21222 Sender: f33...@ms11.hinet.net
16:07:29 709 MSG 21222 Recipient: f33...@ms11.hinet.net
16:07:29 709 MSG 21222 Converting message to SMTP:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\xb211cc1.069
16:07:29 709 MSG 21222 Queuing message to daemon:
SRV3/GW:\GWDOM\WPGATE\GWIA\send\sb211cc1.069
16:07:29 709 Recipient: f33...@ms11.hinet.net
==endquote

In GWIA, SMTP Relay Settings are set to 'disabled'.
There is only one exception: the server on which GW runs (NW65) is allowed to
send mail.

Are there known issues with GW702?

Regards,

Adrie de Regt
Netherlands

Michael Bell

Dec 14, 2009, 11:48:05 AM
Ok, so first verify manually that basic relaying is off

telnet ipaddress 25
HELO turnip.com
MAIL FROM:<m...@turnip.com>
RCPT TO:<ev...@spam.com>
DATA
Subject: You shouldn't have gotten this far
.
QUIT

Next, perhaps a spammer has done a dictionary attack on passwords and
guessed someones passwords. Only way to tell is to change everyone's
passwords.

Joseph Marton

Dec 14, 2009, 11:58:29 AM
On Mon, 14 Dec 2009 16:48:05 +0000, Michael Bell wrote:

> Next, perhaps a spammer has done a dictionary attack on passwords and
> guessed someones passwords. Only way to tell is to change everyone's
> passwords.

If that's the case won't the POA logs show successful authentication so
that the culprit account can be narrowed down?

--
Joe Marton
Novell Knowledge Partner

Michael Bell

Dec 14, 2009, 12:25:18 PM
On 12/14/2009 8:58 AM, Joseph Marton wrote:
> On Mon, 14 Dec 2009 16:48:05 +0000, Michael Bell wrote:
>
>> Next, perhaps a spammer has done a dictionary attack on passwords and
>> guessed someones passwords. Only way to tell is to change everyone's
>> passwords.
>
> If that's the case won't the POA logs show successful authentication so
> that the culprit account can be narrowed down?
>
>
>
Should do.

A. de Regt

Dec 14, 2009, 2:32:11 PM

"Michael Bell" <mikeb...@no-mx.forums.novell.com> wrote in message
news:9%tVm.5087$fB....@kovat.provo.novell.com...


Michael,


This is what happens (I used the mail-addresses as above):

220 mail.r-g.nl GroupWise Internet Agent 7.0.2 Copyright (c) 1993-2006 Novell, Inc. All rights reserved. Ready
helo yahoo.com.tw
250 mail.r-g.nl Ok
mail from: <timlo...@yahoo.com.tw>
250 Ok
rcpt to: <timlo...@yahoo.com.tw>
550 Relaying denied

So, this is as expected, right?

Next, I checked the POA log, it shows thousands of these:

16:07:09 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:17 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:44 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:45 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:52 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:56 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:08:00 25A C/S Login dos ::GW Id=mail :: 192.168.0.1

What does this mean? How can one log into GroupWise? By starting the client?
How can this be prevented?


Regards,

Adrie de Regt
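
Added example, not part of the thread: a small Python script that parses POA log lines in the format posted above and flags any (user id, source address) pair that logs in more than a handful of times within one minute, which is exactly what makes the 'mail' account stand out here. The sample lines are constructed for the example (the nine 'mail' entries repeat the pattern from the post, the jdoe/asmith lines and the MSG line are invented filler); the 60-second window and the threshold of 5 are arbitrary choices, and since the log carries no date the script assumes a single day's file. Note that the source address in these entries is a private one, so in a case like this the POA log identifies the account being abused rather than the outside client.

```python
"""Flag GroupWise POA client/server logins that repeat at high rate (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the POA log format posted in the thread, e.g.
#   16:07:09 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
# Fields assumed: time, thread id, "C/S Login", platform, user id, source address.
LOGIN_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+C/S Login\s+(?P<platform>\S+)\s+"
    r"::GW Id=(?P<user>[^\s:]+)\s*::\s*(?P<ip>\S+)"
)

# Constructed sample: the nine 'mail' entries repeat the pattern from the thread,
# the jdoe/asmith lines and the MSG line are invented filler.
SAMPLE_LOG = """\
16:07:09 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:12 25A C/S Login win ::GW Id=jdoe :: 192.168.0.55
16:07:17 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:29 709 MSG 21219 Processing inbound message:
16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:44 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:45 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:50 25A C/S Login win ::GW Id=asmith :: 192.168.0.60
16:07:52 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:07:56 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
16:08:00 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
""".splitlines()


def parse_logins(lines):
    """Yield (time, user, ip, platform) for every C/S Login line; ignore everything else."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            # The log has no date, so this assumes all lines come from one day.
            t = datetime.strptime(m.group("time"), "%H:%M:%S")
            yield t, m.group("user"), m.group("ip"), m.group("platform")


def burst_logins(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(user, ip): peak} for pairs with at least `threshold` logins in one `window`.

    peak is the largest number of logins for that pair inside any sliding window.
    The 60 s / 5 login defaults are arbitrary; tune them to what is normal on your PO.
    """
    by_key = defaultdict(list)
    for t, user, ip, _ in parse_logins(lines):
        by_key[(user, ip)].append(t)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


if __name__ == "__main__":
    for (user, ip), peak in sorted(burst_logins(SAMPLE_LOG).items()):
        print(f"{user} from {ip}: {peak} logins within 60 s")
```

Run it against the real POA log file (`burst_logins(open(path))`) to get the same ranking; a legitimate client reconnecting a few times a day never reaches the threshold, while an account being used for SMTP AUTH by a spammer produces a login for every message.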

Massimo Rosen

Dec 14, 2009, 3:04:32 PM
Adrie,

"A. de Regt" wrote:

> Next, I checkedt the POA-log, it show thousands of these:
>
> 16:07:09 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:17 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:40 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:44 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:45 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:52 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:07:56 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
> 16:08:00 25A C/S Login dos ::GW Id=mail :: 192.168.0.1
>
> What does this mean.

Someone is relaying through your GWIA by authenticating as the userid
"mail".

> How can one log into Groupwise. By starting the client?

No, through SMTP.

> How can this be prevented?

Change the PW of the "mail" account ASAP, and enable intruder detection
on your PO.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
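
Added example, not code from the thread or from Novell: a Python probe that performs the unauthenticated HELO/MAIL FROM/RCPT TO check Michael describes earlier, then repeats the RCPT TO after an AUTH LOGIN, which is the path Massimo is describing (the spammer authenticates over SMTP as the 'mail' account, and the gateway accepts outside recipients for an authenticated session). The probe stops at RCPT TO and never sends DATA, so nothing is delivered either way. FakeGwia is a constructed stand-in that answers the way the 7.0.2 transcript above does (250 for HELO and MAIL FROM, 550 Relaying denied for an outside recipient) and accepts the invented credential mail/mail; SocketTransport runs the same probe against a live gateway you are responsible for. Host names, addresses and the weak password are assumptions for the example.

```python
"""SMTP relay probe: unauthenticated first, then after AUTH LOGIN (added example)."""
import base64
import socket


class SocketTransport:
    """Line transport over a real TCP connection. Point it only at a gateway you run."""
    def __init__(self, host, port=25, timeout=15):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")

    def readline(self):
        return self.rfile.readline().decode("latin-1")

    def send(self, line):
        self.sock.sendall((line + "\r\n").encode("latin-1"))

    def close(self):
        self.sock.close()


class FakeGwia:
    """Constructed stand-in for a GWIA 7.0.2 with relaying disabled: outside recipients
    are accepted only after AUTH LOGIN. Domain and the 'mail'/'mail' credential are assumptions."""
    LOCAL_DOMAIN = "r-g.nl"
    ACCOUNTS = {"mail": "mail"}

    def __init__(self):
        self.authed, self.state, self.user = False, None, None
        self.queue = ["220 mail.r-g.nl GroupWise Internet Agent 7.0.2 Ready"]

    def readline(self):
        return self.queue.pop(0) + "\r\n"

    def send(self, line):
        verb = line.split(" ", 1)[0].upper()
        if self.state == "user":                        # client sent base64 username
            self.user, self.state = base64.b64decode(line).decode(), "pass"
            self.queue.append("334 UGFzc3dvcmQ6")       # "Password:"
        elif self.state == "pass":                      # client sent base64 password
            self.authed = self.ACCOUNTS.get(self.user) == base64.b64decode(line).decode()
            self.state = None
            self.queue.append("235 Accepted" if self.authed else "535 Auth failed")
        elif verb in ("HELO", "EHLO", "RSET", "MAIL"):
            self.queue.append("250 mail.r-g.nl Ok")
        elif verb == "AUTH":
            self.state = "user"
            self.queue.append("334 VXNlcm5hbWU6")       # "Username:"
        elif verb == "RCPT":
            rcpt = line.split("<", 1)[1].split(">", 1)[0].lower()
            local = rcpt.endswith("@" + self.LOCAL_DOMAIN)
            self.queue.append("250 Ok" if local or self.authed else "550 Relaying denied")
        elif verb == "QUIT":
            self.queue.append("221 Bye")
        else:
            self.queue.append("500 Unknown command")

    def close(self):
        pass


def cmd(t, line=None):
    """Send `line` (if given) and read one reply, following '250-' continuation lines."""
    if line is not None:
        t.send(line)
    lines = []
    while True:
        line = t.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":           # "250 " ends the reply, "250-" continues
            return int(line[:3]), "\n".join(lines)


def try_relay(t, mail_from, rcpt_to):
    """True if RCPT TO for an outside recipient is accepted. Stops there: no DATA, no delivery."""
    cmd(t, "RSET")
    cmd(t, f"MAIL FROM:<{mail_from}>")
    code, _ = cmd(t, f"RCPT TO:<{rcpt_to}>")
    return code == 250


def probe_relay(t, helo="turnip.com", mail_from="mail@turnip.com",
                rcpt_to="evil@spam.com", creds=None):
    """Unauthenticated relay check, then (if creds is given) the same after AUTH LOGIN."""
    result = {"banner": cmd(t)[1]}
    cmd(t, f"EHLO {helo}")
    result["relay_without_auth"] = try_relay(t, mail_from, rcpt_to)
    if creds:
        user, password = creds
        code, _ = cmd(t, "AUTH LOGIN")
        if code == 334:
            cmd(t, base64.b64encode(user.encode()).decode())
            code, _ = cmd(t, base64.b64encode(password.encode()).decode())
        result["auth_ok"] = code == 235
        result["relay_with_auth"] = result["auth_ok"] and try_relay(t, mail_from, rcpt_to)
    cmd(t, "QUIT")
    t.close()
    return result


if __name__ == "__main__":
    print(probe_relay(FakeGwia(), creds=("mail", "mail")))
```

Against the stand-in the first check comes back with 550 Relaying denied, as in the transcript above, and the second comes back with 250 Ok: the relay setting is doing its job, the mailbox password is the hole. For a live run use `probe_relay(SocketTransport("your.gwia.host"), creds=("mail", "guess"))`; AUTH LOGIN sends the password base64-encoded, not encrypted, which is one more reason such gateways need intruder lockout and strong passwords rather than relying on the relay setting alone.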

A. de Regt

Dec 14, 2009, 6:00:50 PM
Massimo,

Thank you for your assistance

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message
news:4B269A4D...@SPAMcfc-it.de...
> Adrie,


>
>
> Someone is relaying through your GWIA by authenticating as the userid
> "mail".
>
>> How can one log into Groupwise. By starting the client?
>
> No, through SMTP.
>
>> How can this be prevented?
>
> Change the PW of the "mail" account ASAP, and enable intruder detection
> on your PO.

Just done that right away.

1 more question. This 'mail' user is a nickname of the info-account. So you
can login with the nickname?


Massimo Rosen

Dec 14, 2009, 6:31:38 PM
Hi,

"A. de Regt" wrote:
>
> 1 more question. This 'mail' user is a nickname of the info-account. So you
> can login with the nickname?

Yes. Any associated name unambiguously identifiable as a certain account
can be used.

Adrie de Regt

Dec 19, 2009, 5:42:58 AM

"Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message
news:4B26CAD7...@SPAMcfc-it.de...

> Hi,
>
> "A. de Regt" wrote:
>>
>> 1 more question. This 'mail' user is a nickname of the info-account. So
>> you
>> can login with the nickname?
>
> Yes. Any associated name unambiguously identifiable as a certain account
> can be used.
>


One more thing, when your GWIA is publicly accessible, one needs to:
1. put passwords on the user-accounts
2. enable 'Intruder Detection' on the PO
3. what else?


Adrie de Regt


Massimo Rosen

Dec 19, 2009, 8:04:07 AM
Hi,

Adrie de Regt wrote:
>
> "Massimo Rosen" <mros...@SPAMcfc-it.de> wrote in message
> news:4B26CAD7...@SPAMcfc-it.de...
> > Hi,
> >
> > "A. de Regt" wrote:
> >>
> >> 1 more question. This 'mail' user is a nickname of the info-account. So
> >> you
> >> can login with the nickname?
> >
> > Yes. Any associated name unambiguously identifiable as a certain account
> > can be used.
> >
>
> One more thing, when your GWIA is publicly accessible, one needs to:
> 1. put passwords on the user-accounts

Not necessarily for *this* issue. Accounts without GW passwords can't
login by any other means than the GW client. They can neither AUTH, IMAP
nor webaccess. But of course, passwords are good, unless you want
everybody with a GW client being able to get to your mailbox. ;)

> 2. enable 'Intruder Detection' on the PO

Good idea.

> 3. what else?

Teach your users to use secure passwords, or alternatively, use LDAP
authentication with Universal Password and strong PW policies.
