
I have read that bots in an internal network talk directly to external mail servers instead of going through the internal mail server to deliver spam.

Query

If it's true, then how do bots spam where outgoing SMTP connections from internal hosts (except the internal mail server) are blocked?

Some Thoughts

It's obvious that bots will not use the internal mail server, as it might get caught (by blacklists, Spamhaus); neither can they spoof the internal mail server's IP, as replies from the external mail server will be dropped by the internal mail server (if it hasn't initiated them).

I have come across something called "triangular spamming"; however, this doesn't apply to the context of this question.

Thanks

Azeezah M
user10012
    Actually, I don't see why bots wouldn't try using the internal server if they have credentials for it. Eventually they'll get caught either way, but if spamming directly via port 25 is blocked they have nothing to lose by spamming using the internal server. Even if they get caught quickly, it's better to send out a few hundred emails (which is pretty small on the spam scale) than not to spam at all. – André Borie May 19 '16 at 23:11
  • Do you have references for what you've read? – Neil Smithline May 20 '16 at 01:47

1 Answer


They use dictionary attacks or brute force to guess passwords of other email accounts on external submission servers or SMTPS servers (465/587). Sometimes the bots have a copy of a compromised email/password database, and as many people use the same password for their email account as for many forum/site accounts, they can easily find out which mail server belongs to that provider (in the same way that cell phones can autofill the server fields when you have entered your email; there are lists on the internet of which servers should be used for a specific email address), and then just try the password from the compromised database.

After that is done, many servers rarely enforce that MAIL FROM matches the user account. Some servers do, including the largest email providers, but many smaller ones don't because they trust their users. This allows spambots to blast out spam using compromised accounts as, so to say, "hidden open relays".

There are two things that you as an ISP can do to address the issue:


Solution 1:

If you run a network and want to solve this problem, you can easily block outgoing traffic on ports 25, 465 and 587, and enforce the use of your own mail service. To avoid users being able to fetch mail but not send it, and getting confused, you can also block 110, 143, 993 and 995, which also prevents fetching mail from outside providers. But that is not mandatory to solve the spam problem.

Then you ask the user to use your mail service. This also gives a great opportunity to charge a small monthly fee for the mail service. (But not too high, or users will resort to anonymous VPN services and bypasses; make sure it's cheaper to use your mail service than to bypass the restriction.)


Solution 2:

Another thing that is common among smaller ISPs is to enforce their server as a proxy.

This works as follows: if I have a Gmail account with the following details:

User = Someuser@gmail.com
Pass = Somepass

and an ISP account of:

User = isp856385
Pass = jdshgk

I will need to set up the following in my mail software:

Server: submission.myisp.com
Username: isp856385:Someuser@gmail.com:smtp.gmail.com
Password: jdshgk:Somepass:587

Provide clear documentation on this. The best idea is to provide an easy step-by-step paper, when signing up for the ISP account, on how email should be configured. You can even have a config wizard on your site, where the user can log on with their ISP account and fill in their external provider account, and it will then tell them how they should configure their account inside the mail software.

Then you can apply your normal rate-limiting and spam filtering rules to external providers as well. The same is not needed for IMAP/POP3, because there the user has the possibility to use external services without problems.

Note that if you go this way, avoid restricting the submission server to be reachable only from inside. A good idea is to require the first login ever to be made from inside the network (to avoid the server being used as an attack platform for compromised inactive ISP accounts to send mail), but once the account is "activated", allow it from any IP address, perhaps with a country restriction to only allow from the local country.

The reason for this is that people normally roam from Wi-Fi to mobile network with their cell phones, and aren't always using the same operator on mobile and Wi-Fi, so to avoid issues when they are not on your network, allow the "SMTP proxy" to be used from outside too (as long as they have an "activated" ISP account).

sebastian nielsen
  • To be honest, it is not your job to care about what's happening on the other providers. And if I was your customer and you suddenly required me to surrender my third-party email credentials by allowing your server to act as a proxy I would run away and you wouldn't see a single dollar from me anymore. IMO it's a very bad idea. – André Borie May 19 '16 at 23:09
  • @AndréBorie I didn't say that it was a good idea to require it as the only means to get email. If you don't want to give the ISP proxy the third-party details, you are free to use the ISP's own mail service. Simple as that. And "it's not your job to care about what's..." is wrong on today's internet; as an ISP you have a responsibility to ensure your network is not used as an abuse platform, and to track that and prevent, for example, your network being used to send spam via compromised submission accounts, certain solutions exist. – sebastian nielsen May 19 '16 at 23:36
  • And what if, for example, a customer *needs* to use their business email? Giving up the credentials is not an option nor is using the ISP's mail server. And while I agree that ISPs should take steps to reduce abuse, I disagree with knowingly interfering with customer's traffic especially if that breaks legitimate uses. And still, I think compromised submission accounts should be dealt with at the account's mail server and not at the local ISP's side. – André Borie May 19 '16 at 23:39
  • @AndréBorie Then the same thing could be said about port 25 blocking... like "Open relays should be taken care of; ISPs have nothing to do with whether customers connect to open relays". You understand the issue? If the proxy is well made, it can add abuse-tracking headers to the mail and such things. And as I said, if you want to use business mail, you can enter the credentials. It won't break anything. And I'm not saying the ISP should log or save the credentials; they are sent to the proxy for each mail. It's just so they can track abuse and shut down misbehaving customers, even on port 587. – sebastian nielsen May 20 '16 at 00:01
  • 1
    The question is `how do Bots spam do so where Outgoing SMTP connections from internal hosts (except internal Mailserver)is blocked`. I don't think that you attempt to answer it. – Neil Smithline May 20 '16 at 01:49
  • @sebastiannielsen if I were an employer I wouldn't allow an employee to use their credentials with a third-party mail server just because some ISP is trying to be smart. I would tell them to switch ISPs and you would lose a customer. Finally, do you have sources to back the fact that a significant amount of spam comes from compromised e-mail accounts at the major providers (GMail, Outlook, etc.)? I'm pretty sure they have their own filters that make spamming through them difficult. – André Borie May 20 '16 at 02:12
  • @sebastiannielsen could you please share some thoughts on "how do Bots spam do so where Outgoing SMTP connections from internal hosts (except internal Mailserver)is blocked" – user10012 May 20 '16 at 06:57
  • @AndréBorie could you please provide your views to "how do Bots spam do so where Outgoing SMTP connections from internal hosts (except internal Mailserver)is blocked" – user10012 May 20 '16 at 06:58
  • 1
    @user10012 I do answer it, as you asked how bots are able to spam when port 25 outgoing is blocked.And I know that a lot of compromised, externally accessible, mail accounts are used for spamming. They effectively become a open relay. I didn't say the large providers don't have filters. Its the small providers that don't have filters on their externally facing submission server. They just blindly trust any amount of mail once someone authenticates, and thus create the same problem as the original port 25 open relays. – sebastian nielsen May 20 '16 at 19:00