Edmund A. Hajim School of Engineering and Applied Sciences

Mail Relay, SPAM and other issues in HSEAS Mail

Many HSEAS members have complained recently that they are receiving returned mail, mail that has failed to reach its destination. These individuals have not sent the mail, and are perplexed and concerned that their account has been broken into.

The accounts are intact; these accounts have not been compromised. Mail has been forged to appear as if it was coming from HSEAS members, and used to send spam mail elsewhere. Some of this mail has been incorrectly addressed, and those messages bounce back to the nominal (but forged) address of the sender. Hence HSEAS members have received mail failure warnings for mail they (correctly) do not remember sending.

What has happened is that a mail weakness has been exploited. Our hosts are protected against being used as "mail relays", so people outside the UR cannot directly use us as a relay for spam (also known as unsolicited bulk email). Please note that this does not protect us in any way from being the recipients of spam from other locations.

If someone from outside the UR tries to use our mail servers to pass spam mail, those attempts will be rejected. If someone within the UR tries to use our mail servers to relay spam, it will be rejected if the 'From' identifier is a bogus name - that is, not someone with an account on our systems.

However - if this same "within the UR" person uses a valid HSEAS/HSEAS-Dept. user-name, the mail will be relayed. While retrieving mail requires authentication (e.g., POP/IMAP require you to supply a user name and password to fetch your mail), no such authentication is needed for sending mail - I know that sounds crazy, but that is the way it works.

So while we've locked down our mail servers to protect against abuse from outside the UR, we have left them open for use as a relay by those within the UR. HSEAS faculty and grad students work all over the UR (LLE, Med Center, various River Campus buildings, etc.). To accommodate them - so they can send mail from their HSEAS address wherever they are on campus - we have left this open. That worked for about 2 years or so - since the last big change to mail.

This level of protection is no longer sufficient. The spammers have found new technology, and are actively using it to forge mail (from valid users). We've seen a sharp increase in this problem in the past two months (early 2002).

We need to tighten down our list of hosts for whom we will relay mail. This will functionally affect only those people who read mail with a POP/IMAP client - Eudora, Outlook or Netscape - while outside of their building. Actually, reading mail will not be affected at all - but sending/replying to mail will. Hosts not "within the walls" of HSEAS will be unable to send mail. This will likely be most upsetting to those who use the UR's VPN solution to work at home and yet appear to be part of the UR's network.
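As an added illustration (not part of the original notice), the following Python models the two relay policies described above: the existing rule, which relays for any UR host whose 'From' identifier names a valid HSEAS account, and the tightened rule, which relays only for hosts inside HSEAS. The network ranges, domain and account names are constructed placeholders, not the real UR/HSEAS configuration, and 'From' is modelled as the SMTP envelope sender.

```python
import ipaddress

# Constructed, hypothetical address space and account list; not the real UR/HSEAS setup.
UR_CAMPUS = ipaddress.ip_network("10.0.0.0/8")      # "within the UR" (incl. VPN-assigned addresses)
HSEAS_WALLS = ipaddress.ip_network("10.20.0.0/16")  # "within the walls" of HSEAS
LOCAL_DOMAINS = {"hseas.example.edu"}
LOCAL_ACCOUNTS = {"alice", "bob"}                    # names with an account on our systems


def is_local_recipient(rcpt_to: str) -> bool:
    """Delivery to our own domain is inbound mail, not relaying."""
    return rcpt_to.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def valid_local_sender(mail_from: str) -> bool:
    """True when the 'From' identifier names a real HSEAS account (it is never authenticated)."""
    user, sep, domain = mail_from.rpartition("@")
    return bool(sep) and domain.lower() in LOCAL_DOMAINS and user.lower() in LOCAL_ACCOUNTS


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str, policy: str) -> str:
    """Return 'accept' or 'reject' for one SMTP transaction under the 'old' or 'new' policy."""
    ip = ipaddress.ip_address(client_ip)
    if is_local_recipient(rcpt_to):
        return "accept"   # inbound mail; this check does nothing against spam sent *to* us
    if ip not in UR_CAMPUS:
        return "reject"   # outside the UR: never relay
    if policy == "old":   # any UR host may relay if it merely claims a valid user name
        return "accept" if valid_local_sender(mail_from) else "reject"
    if policy == "new":   # only hosts inside HSEAS may relay, whatever 'From' says
        return "accept" if ip in HSEAS_WALLS else "reject"
    raise ValueError(f"unknown policy {policy!r}")


def demo() -> dict:
    """Cases from the notice: a forged 'From' sent from a UR host outside HSEAS, and a VPN user."""
    forged = ("10.50.1.1", "alice@hseas.example.edu", "victim@other.example")
    vpn_user = ("10.99.7.7", "bob@hseas.example.edu", "friend@other.example")
    return {
        "forged_old": relay_decision(*forged, "old"),    # relayed: the bounces land on alice
        "forged_new": relay_decision(*forged, "new"),    # rejected by the tightened rule
        "vpn_old": relay_decision(*vpn_user, "old"),
        "vpn_new": relay_decision(*vpn_user, "new"),     # legitimate VPN user is now blocked too
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```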

Affected individuals can always fall back on a simple UNIX login (preferably using a Secure Shell login) and then use a UNIX mailer (Elm, Pine, Mail...) to read and compose mail.

If we do not staunch the flow of spam coming from within HSEAS we risk being blacklisted again, which means other locations (e.g., companies and universities) that subscribe to the blacklisting databases will no longer accept mail from HSEAS departments. That is a much bigger problem than having to occasionally use a UNIX mailer.

Last modified: Thursday, 07-Apr-2011 09:24:30 EDT