Seeing tons of Will Not Relay messages in GWIA logs

  • 7015007
  • 05-May-2014
  • 05-May-2014

Environment

Novell GroupWise 2014
Novell GroupWise 2012 Support Pack 1
Novell GroupWise 2012 Support Pack 2

Situation

The GWIA logs show many messages of the following type:

07:19:11 03BF DMN: MSG 2483835 Will not relay: queen_av5478@yahoo.com.tw (223.255.169.246)
07:19:11 0809 DMN: MSG 2483837 Will not relay: rokit_ch@yahoo.com.tw (219.130.140.250)
07:19:12 03BF DMN: MSG 2483835 Will not relay: s850077@yahoo.com.tw (223.255.169.246)
07:19:12 0809 DMN: MSG 2483837 Will not relay: s09525576269@yahoo.com.tw (219.130.140.250)
07:19:12 03BF DMN: MSG 2483835 Will not relay: s0954032658@yahoo.com.tw (223.255.169.246)

In addition, the logs show multiple connections of the following type:

07:19:12 03FF DMN: MSG 2483839 Accepted connection: [217.12.113.67]    -- which resolves to China
07:19:14 03FF DMN: MSG 2483841 Accepted connection: [213.178.37.47]    -- which resolves to Russian Federation
07:19:16 03FF DMN: MSG 2483843 Accepted connection: [212.247.140.71]  -- which resolves to Sweden


Resolution

Although it appears as if the GWIA is being used to relay SPAM, no messages are actually being sent out, hence the message "Will not relay".

The GWIA IP address is reachable directly from the Internet, either because a public IP address is configured on the GWIA or because traffic is passed through a firewall/spam filter using NAT.

Disable public access to port 25 on the GWIA, and outside hosts will no longer be able to attempt to use the GWIA as a SPAM relay.
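
To see how many outside hosts are attempting to relay and how often each was refused, the "Will not relay" lines can be tallied per source IP. The script below is an added example, not part of the original document or of GroupWise; the log layout is assumed from the sample lines in the Situation section, and the function name is hypothetical.

```python
import re
from collections import Counter, defaultdict

# Layout assumed from the sample lines in the Situation section:
#   HH:MM:SS <thread> DMN: MSG <id> Will not relay: <recipient> (<source IP>)
RELAY_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\s+[0-9A-Fa-f]{4}\s+DMN:\s+MSG\s+(?P<msg>\d+)\s+"
    r"Will not relay:\s+(?P<rcpt>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)
ACCEPT_RE = re.compile(
    r"DMN:\s+MSG\s+\d+\s+Accepted connection:\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)

# Sample input: log lines copied from the Situation section above.
SAMPLE_LOG = """\
07:19:11 03BF DMN: MSG 2483835 Will not relay: queen_av5478@yahoo.com.tw (223.255.169.246)
07:19:11 0809 DMN: MSG 2483837 Will not relay: rokit_ch@yahoo.com.tw (219.130.140.250)
07:19:12 03BF DMN: MSG 2483835 Will not relay: s850077@yahoo.com.tw (223.255.169.246)
07:19:12 0809 DMN: MSG 2483837 Will not relay: s09525576269@yahoo.com.tw (219.130.140.250)
07:19:12 03BF DMN: MSG 2483835 Will not relay: s0954032658@yahoo.com.tw (223.255.169.246)
07:19:12 03FF DMN: MSG 2483839 Accepted connection: [217.12.113.67]
07:19:14 03FF DMN: MSG 2483841 Accepted connection: [213.178.37.47]
07:19:16 03FF DMN: MSG 2483843 Accepted connection: [212.247.140.71]
"""

def summarize_relay_attempts(log_text):
    """Return (per_source, accepted): refused-relay statistics per source IP
    (most active first) and a Counter of accepted connections per IP."""
    refused, accepted = Counter(), Counter()
    messages, domains = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        relay = RELAY_RE.search(line)
        if relay:
            ip = relay["ip"]
            refused[ip] += 1
            messages[ip].add(relay["msg"])  # several recipients can share one MSG id
            domains[ip].add(relay["rcpt"].rpartition("@")[2].lower())
            continue
        conn = ACCEPT_RE.search(line)
        if conn:
            accepted[conn["ip"]] += 1
    per_source = {
        ip: {"refused": n, "messages": len(messages[ip]), "domains": sorted(domains[ip])}
        for ip, n in refused.most_common()
    }
    return per_source, accepted

if __name__ == "__main__":
    per_source, accepted = summarize_relay_attempts(SAMPLE_LOG)
    for ip, stats in per_source.items():
        print(ip, stats)
    print("accepted connections:", dict(accepted))
```

Running the same function over a log taken after port 25 has been closed to the public should return an empty result for refused relays from outside addresses.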