Music, IT & Human Rights since 2005


Hackers access Network Solutions mail accounts

Open SMTP ports allow hackers to relay phishing emails

US hosting and domain registrar Network Solutions has been hacked again. This time someone has gained access to email accounts on Network Solutions servers.

They are sending phishing emails that can reveal your real email accounts. Accounts that have email on Network Solutions servers should move to secure them. Network Solutions are not doing enough to protect their user base from hackers.

After more than two weeks of hacks using the ‘grep’ virus, Network Solutions began to run security audits on its hosted accounts with Nessus software.

We got a Daily Scanning Audit Report on April 25th, and it said:

Host NJNNETWORK.COM has:

  • 3 security alert – high risk
  • 20 security warning – medium risk
  • 44 security infos – low risk

List of vulnerabilities found:

Checking further, we found the 3 high-risk warnings were related to the open SMTP ports on Network Solutions servers. Those are internal settings that we have no control over. We reported the warnings to Network Solutions but they did not reply.

We could fix the problem for Network Solutions if they gave us their admin passwords. There should be a tick box in the mail administrator that is labeled “Do not allow relay.”

The same report came three times and we reported the error three times. Ironically, Network Solutions warned us the NJN Network hosting service would be shut down if we didn’t fix their servers.

NJN Network is now being hosted elsewhere so we weren’t too worried about their mail servers until the phishing emails started.

Phishing attempt

Someone is using the Network Solutions mail accounts to phish for real email addresses. It works like this:

Using the phony email accounts, you are signed up for a daily alert. In my case it was the Canadian Government Foreign Affairs Travel Update. It came addressed to KelleyzirconiumSinger at njnnetwork.com. The email account is bogus and we didn’t sign up for a newsletter.

After three of those emails, I sent an unsubscribe to what looks like an official Canadian government website.

At this point the hackers have my real email address. They did not attempt to inject a trojan in my computer. I keep two virus checkers running at all times.

Email ports subject to relaying

The Network Solutions emails are being hacked. I was able to relay emails from fictitious accounts in a test. The detailed Network Solutions errors are printed below.

Note: this alert was first detected on 04-24-2010 00:42:54
Plugin “Mail relaying (thorough test)”
Category “SMTP problems”
Priority Ranking “Urgent”

Synopsis : An open SMTP relay is running on this port.
Description : The remote SMTP server is insufficiently protected against relaying. This means that it allows spammers to use your mail server to send their mails to the world, thus wasting your network bandwidth.
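
For a mail administrator, the condition the report describes can be checked against the server's own session records. The following is an added example, not part of the original post or of the Nessus plugin: it applies the usual closed-relay rule (accept mail for local domains, or from authenticated or trusted clients) to recorded RCPT TO replies and lists the ones that were accepted against that rule. The domains, networks, addresses and session records are constructed placeholders.

```python
import ipaddress

# Assumed for illustration: domains this server accepts mail for, and
# networks allowed to relay without authenticating.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]

def relay_allowed(client_ip, authenticated, rcpt):
    """Decision a closed relay makes for one RCPT TO address."""
    local_part, _, domain = rcpt.strip("<>").rpartition("@")
    domain = domain.lower().rstrip(".")
    # Legacy routing characters in the local part mean the final
    # destination is elsewhere, so do not count the address as local.
    is_local = domain in LOCAL_DOMAINS and not any(c in local_part for c in "%!@:")
    if is_local or authenticated:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)

def find_relay_events(sessions):
    """Return (client_ip, rcpt) pairs the server accepted against policy."""
    findings = []
    for s in sessions:
        for rcpt, code in s["rcpts"]:
            accepted = 200 <= code < 300  # 2xx reply: recipient accepted
            if accepted and not relay_allowed(s["client_ip"], s["auth"], rcpt):
                findings.append((s["client_ip"], rcpt))
    return findings

# Constructed sample: per-session RCPT TO replies as (address, reply code).
SAMPLE_SESSIONS = [
    {"client_ip": "203.0.113.7", "auth": False, "rcpts": [("alice@example.org", 250)]},
    {"client_ip": "198.51.100.20", "auth": False, "rcpts": [("bob@example.net", 250)]},
    {"client_ip": "198.51.100.21", "auth": False, "rcpts": [("bob@example.net", 554)]},
    {"client_ip": "203.0.113.9", "auth": True, "rcpts": [("carol@example.net", 250)]},
    {"client_ip": "10.1.2.3", "auth": False, "rcpts": [("dave@example.net", 250)]},
    {"client_ip": "198.51.100.22", "auth": False,
     "rcpts": [("erin%example.net@example.org", 250)]},
]

if __name__ == "__main__":
    for ip, rcpt in find_relay_events(SAMPLE_SESSIONS):
        print(f"relayed for unauthenticated external client {ip}: {rcpt}")
```

Any finding means the server accepted mail for a foreign domain from a client it had no reason to trust, which is the behaviour the “Do not allow relay” setting is meant to stop.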

