Mitel Forums - The Unofficial Source
Mitel Forums => Mitel Software Applications => Topic started by: jamsignal on March 17, 2011, 12:52:05 AM
-
My MSL box may have been hacked. It was sending spam so I blocked smtp with my firewall. From the CLI, I noticed there are many qmail-remote processes trying to send mail.
I thought this was somewhat secure to place on the Internet. Has anyone had this problem?
-
I haven't seen this but that doesn't mean it's not happening somewhere to me.
I have a couple of questions:
1 - What version of MSL are you running?
2 - How did you find out the box was sending spam?
3 - How do I check my boxes to see if they may have been hacked?
Ralph
-
On the web interface of the MSL box go into E-mail Settings and make sure that SMTP email injection restrictions is set to Local Host Only. If it is set to either of the other two options, then it means that the box is open as a relay to either the local network, or to whoever is able to connect to it, which if it is an MBG server could mean that it is open to anyone on the internet to relay through.
-
That makes me wonder if, thinking about another problem, it would be possible to use the relay to resolve an issue with forwarding voicemails to 3rd party email hosting services, i.e. gmail.com.
Ralph
-
Probably Ralph - but I suspect you have to get in the command line and make some changes to get it to use TLS. I'm sure it is doable. Your changes may revert back on upgrades. I've had my Linux guys look at this thing and it seems a bit off of standard. They got all kinds of things to work, but longevity of the changes is unknown...
-Chak
-
The history of MSL goes back to www.contribs.org (http://www.contribs.org).
They sold to Mitel and if I understand it correctly sold it back.
I know a lot of stuff carries over from contribs.org so if you went to their forum you may get a lot of answers about MSL that aren't available via Mitel.
Ralph
-
MSL 8.5.17.0 and 'localhost only' is already set. I am also the network person and I saw the spam on my firewall. I blocked port 25 on my firewall to stop the spam.
I found a new problem today. Squid proxy on port 3128. My MSL IP was published on a list of free proxy servers and it was flooded with traffic. I need to find out what network ports are required for Teleworker and block everything else. This MSL box was receiving 20 Mbits of Internet traffic the last couple of days.
-
For a quick and easy list of what ports are required, download the TNA software from your Teleworker server.
It will show you all the ports and what they're used for.
Ralph
-
I don't think MSL has any type of mail relay ability by default. I suspect your compromise is more in depth and if possible I would seriously consider just rebuilding the box from scratch...
-Chak
-
I did not know about the TNA. I will try that tomorrow. If anything else strange happens, I will have to rebuild.
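-
Added example (not part of any post in this thread, and not Mitel's own tooling): a shell check for the two symptoms reported above, an SMTP (25) or Squid (3128) listener bound to a non-loopback address and a pile-up of qmail-remote processes. The function names are hypothetical and the sample `netstat -tln` and `ps -eo comm` output is constructed.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed for illustration.

# Print "port address" for each watched TCP port that is listening on a
# non-loopback address. stdin: `netstat -tln` output; args: ports to watch.
exposed_listeners() {
    awk -v watch="$*" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)   # everything before the port
            if (!(port in want)) next
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            print port " " host
        }'
}

# Count qmail-remote processes. stdin: `ps -eo comm` output.
count_qmail_remote() {
    awk '$1 == "qmail-remote" { c++ } END { print c + 0 }'
}

# Constructed sample input (not captured from a real MSL server).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 127.0.0.1:25    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:3128    0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:443     0.0.0.0:*         LISTEN
tcp        0      0 :::22           :::*              LISTEN'

SAMPLE_PS='COMMAND
init
qmail-send
qmail-remote
qmail-remote
qmail-remote
squid'

echo "Exposed listeners (sample):"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners 25 3128
echo "qmail-remote processes (sample): $(printf '%s\n' "$SAMPLE_PS" | count_qmail_remote)"

# On a live host:  netstat -tln | exposed_listeners 25 3128
#                  ps -eo comm  | count_qmail_remote
```

A listener on 0.0.0.0 is reachable from outside only if the firewall also passes that port, so compare the output with the firewall rules.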