I'm running smtp4dev on my machine to trap anything going in/out of my computer on port 25 for testing purposes. Every so often this email gets trapped and I have no idea what it's from. I have Microsoft Security Essentials running on my machine and it hasn't identified any viruses or anything, so I'm not sure what's going on. Here's the content of the message:

Received: from  [125.180.72.4] by 173.162.7.130 SMTP id O2Ncv62Ghig1vR for <gk49fawn@yahoo.com.tw>; Fri, 24 Jun 2011 20:36:15 +0200
Message-ID: <ny$pb2rxm92o0bl6@71bp0.dkvw9>
From: "" <z2007tw@yahoo.com.tw>
To: <gk49fawn@yahoo.com.tw>
Subject: BC_173.162.7.130
Date: Fri, 24 Jun 11 20:36:15 GMT
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_000D_01C2CC60.49F4EC70"
Micah
  • Is your system an open relay? Could be a system on your LAN that is infected trying to use you to send email. – Robert Kaucher Jun 27 '11 at 15:06
  • 125.180.72.4 is a Korean IP - so this isn't coming from your machine. – JimB Jun 27 '11 at 15:08
  • @Robert, how can I determine if my machine is an open relay and more importantly which machine on my network is infected? – Micah Jun 27 '11 at 15:15
  • @JimB - so what - there's no magic here to prevent a program from inserting random 'Received' headers in an email. It may well originate locally – symcbean Jun 27 '11 at 16:22
  • @symcbean - Possibly, but I would assume this is from the MTA's logs (and being the only header, was inserted by the MTA), where the IP address would come from the TCP connections. – JimB Jun 27 '11 at 16:33
  • [smtp4dev](http://smtp4dev.codeplex.com/) does not trap mail going out of your computer, only mail sent to the SMTP Relay port **on** your computer. – JdeBP Jun 28 '11 at 14:40

2 Answers


It seems that your machine (173.162.7.130) is accepting connections on port 25 and seems to have NO filters, so it could easily be an open relay. Here is a telnet session I just tried:

-> [~]$ telnet 173.162.7.130 25
Trying 173.162.7.130...
Connected to 173.162.7.130.
Escape character is '^]'.
220  smtp4dev ready
helo test
250 Nice to meet you
mail from: <test@example.com>
250 Okey dokey
rcpt to: <test@example.com>
250 Recipient accepted

Your smtp4dev accepts all destinations, so everyone can connect to it and send mail to anyone.

Personally, I don't know smtp4dev so maybe it discards messages after DATA, but you should make sure to configure it to never accept non-local recipients or at least configure your firewall to accept connections on port 25 only by trusted IPs.

Daniele Santi
  • smtp4dev is designed to discard the email so it can't be used as an open relay. Programmers can test programs that send email and see the results knowing that the emails won't actually be sent. However if this is a workstation, then the fact that the machine is publicly accessible is worrying. – sgmoore Jun 27 '11 at 16:33
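The telnet exchange in this answer, scripted as a check you can run against your own listener (an added example, not code from the page or from smtp4dev; it uses only the Python standard library and a constructed fake SMTP responder so it runs offline). It stops at RCPT TO and abandons the transaction with RSET, so it never queues a message; as sgmoore's comment notes, "accepts a recipient" is a weaker finding than "relays", which only a server that actually delivers can show.

```python
import smtplib
import socketserver
import threading

def rcpt_accepted(host, port, sender="test@example.com", rcpt="test@example.com"):
    """Replay HELO / MAIL FROM / RCPT TO from the telnet session and report
    whether the server accepts an external recipient. RSET is sent before
    DATA, so nothing is queued: True means "accepts", not "relays"."""
    with smtplib.SMTP(host, port, timeout=5) as smtp:   # __exit__ sends QUIT
        smtp.helo("test")
        code, _ = smtp.mail(sender)
        if code != 250:
            return False
        code, _ = smtp.rcpt(rcpt)
        smtp.rset()
        return code == 250

# --- constructed stand-in for the server under test (offline) ---------------
class _FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: 250 to everything except RCPT TO, whose reply
    is configured per server (accept-all like smtp4dev, or a relay refusal)."""
    def handle(self):
        self.wfile.write(b"220 fake smtp ready\r\n")
        for raw in self.rfile:
            cmd = raw.decode(errors="replace").strip().upper()
            if cmd.startswith("RCPT TO"):
                self.wfile.write(self.server.rcpt_reply)
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 bye\r\n")
                break
            else:
                self.wfile.write(b"250 ok\r\n")

def check_relay(rcpt_reply):
    """Start the fake server on an ephemeral localhost port, run the probe
    against it, shut it down, and return the probe result."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeSmtpHandler)
    srv.rcpt_reply = rcpt_reply          # hypothetical per-server setting
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return rcpt_accepted("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print("accept-all server:", check_relay(b"250 Recipient accepted\r\n"))   # True
    print("refusing server:  ", check_relay(b"550 5.7.1 Relaying denied\r\n"))  # False
```

To probe a real listener, call rcpt_accepted with its host and port; a hardened MTA answers the external RCPT TO with a 5xx relay refusal, which the function reports as False.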

I see we have the usual error, made all too often in such discussions, being made here. All too often people assume that a system is an open relay because it accepts mail. It's only an open relay if it then (without further restriction) relays it. It's inherent in the name: open relay.

As sgmoore points out, and as indeed you pointed out in your question, you are running smtp4dev. This isn't a real MTS. It accepts any SMTP transaction made with the server, and allows the user to review what messages people are attempting to send via the SMTP Relay service on the user's machine.

And that's the crux of the matter here. The sky isn't falling. Someone attempted to use your machine to send mail to gk49fawn@yahoo.com.tw as if it had been sent by z2007tw@yahoo.com.tw. This sort of thing happens all of the time. It's the idle or (most likely given the format of the message) the malicious probing your machine to see whether it can be abused as an open relay. As anyone with an Internet-facing machine will attest, this happens continually, and not just for mail service.

Your worry would be if your machine had actually relayed that mail. But you're not even running a real MTS, let alone one configured to be an open relay.

JdeBP
  • I have the exact same problem... my biggest problem is that I receive useless connections. Closing port 25 for some days might get a computer removed from a probing list... but that isn't certain. Or actually send an error. – Loïc Faure-Lacroix Oct 30 '11 at 21:06