spam engine? (Full Version)

All Forums >> [Microsoft Exchange 2000] >> Server Security





Guest -> spam engine? (4.Dec.2003 4:41:00 PM)

I have a remote Exchange 2000 server at a client site which keeps receiving rejected replies from other domains. It seems apparent that invalid users are sending spam-type e-mail through the SMTP server. I believe we have verified that SMTP relay is off, using telnet to test with an invalid account. Is there any possibility that SMTP is still relaying, or is there some type of viral or adware activity which could be running a spam engine on one of the machines? Any help would be appreciated.




koggen -> RE: spam engine? (12.Dec.2003 4:28:00 AM)

Checking your server to see if it allows relay can be done with telnet tests or by using services provided by e.g. http://www.ordb.org. Yes, viral or adware activities are known to send lots of spam. The easiest way to see what happens is to isolate parts of your network in steps. Disconnect the outbound connection from your network. If the queues continue to grow with NDR messages then the problem originates from your internal network, and vice versa if the flow stops when you disconnect outbound traffic.

Remember that it is very common to receive NDR messages which are caused by spamming attempts. Nowadays a lot of spam is sent to "guessed" addresses (we frequently get spam addressed to "joe" or "sales" etc.). These will of course result in an NDR being returned to the sender of the spam, but since most return addresses are also forged you'll get new NDRs back, i.e. a new NDR for the original NDR. Run some tests to give us more information on where the problem originates and we'll take it from there.

// Johan
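The relay test both posts above describe, scripted instead of typed over telnet. This is an added example and not part of the thread: it runs the HELO / MAIL FROM / RCPT TO dialogue with Python's smtplib and reads the reply to RCPT, and it carries a small fake SMTP server (constructed for this demo, not a real MTA) so the probe can be tried offline. The host names, addresses and "example" domains are assumptions; point it at your own server with a sender and recipient in two domains your server does not accept mail for.

```python
"""Open-relay probe: the HELO / MAIL FROM / RCPT TO dialogue of the manual
telnet test, scripted, plus a small fake SMTP server (constructed for this
demo) so the probe can be exercised offline. Host names and addresses are
assumptions; replace them with your own server and two outside domains."""
import smtplib
import socketserver
import threading


def relay_check(host, port=25, helo_name="relaytest.example",
                mail_from="probe@example.net", rcpt_to="probe@example.org",
                timeout=10):
    """Return (verdict, detail). verdict is one of:
    'open'            RCPT TO for an outside domain was accepted (2xx)
    'closed'          RCPT TO for an outside domain was refused (the good case)
    'sender-rejected' MAIL FROM was refused, so RCPT was never tried
    'error'           the dialogue could not be completed
    Sender and recipient must both be outside the server's own domains,
    otherwise a 250 proves nothing about relaying."""
    try:
        conn = smtplib.SMTP(host, port, timeout=timeout)  # reads the 220 banner
    except (OSError, smtplib.SMTPException) as exc:
        return ("error", str(exc))
    try:
        code, msg = conn.helo(helo_name)
        if code != 250:
            return ("error", "HELO refused: %d %s" % (code, msg.decode(errors="replace")))
        code, msg = conn.mail(mail_from)
        if code != 250:
            return ("sender-rejected", "%d %s" % (code, msg.decode(errors="replace")))
        code, msg = conn.rcpt(rcpt_to)
        detail = "%d %s" % (code, msg.decode(errors="replace"))
        conn.rset()  # never send DATA: the probe must not deliver anything
        return ("open" if code in (250, 251) else "closed", detail)
    except (OSError, smtplib.SMTPException) as exc:
        return ("error", str(exc))
    finally:
        try:
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal fake MTA (constructed for the demo): accepts RCPT only for
    server.local_domains unless server.open_relay is set."""

    def handle(self):
        self.wfile.write(b"220 mail.example.com ESMTP fake\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("latin-1").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                reply = "250 mail.example.com Hello"
            elif verb == "MAIL":
                reply = "250 2.1.0 Sender OK"
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.server.open_relay or domain in self.server.local_domains:
                    reply = "250 2.1.5 Recipient OK"
                else:
                    reply = "550 5.7.1 Unable to relay for " + addr
            elif verb == "RSET":
                reply = "250 2.0.0 Reset state"
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Goodbye\r\n")
                return
            else:
                reply = "500 5.5.1 Command unrecognized"
            self.wfile.write(reply.encode() + b"\r\n")


def start_fake_server(open_relay=False, local_domains=("example.com",)):
    """Start the fake MTA on an ephemeral loopback port. Returns the server;
    server.server_address[1] is the port, server.shutdown() stops it."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.daemon_threads = True
    srv.open_relay = open_relay
    srv.local_domains = {d.lower() for d in local_domains}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    for relaying in (False, True):
        srv = start_fake_server(open_relay=relaying)
        print("fake server open_relay=%s ->" % relaying,
              relay_check("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

A 250 to a recipient in one of the server's own domains is normal delivery, not relaying, so the probe is only meaningful with an outside recipient; the probe stops at RSET so nothing is ever queued. A "closed" verdict rules out the relay, not the other cause raised above: an infected internal host sending directly, or plain backscatter from forged senders, and the disconnect-outbound test is how you tell those apart.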




Christ5340 -> RE: spam engine? (23.Feb.2004 8:50:00 PM)

Turn on SMTP logging (all fields), wait a couple of days, then import those text (log) files into Excel or Access and sort based on IP, grouping by count, and you can see which IPs are hitting you the most. For the IPs and domains that you don't recognize, check that IP address using ARIN, http://ws.arin.net/cgi-bin/whois.pl, and see where the registrar is located. Most likely it will be Asia, SA, or Europe if it's spam or relay attempts. I had this same problem, did what I've discussed, and blocked the following netblocks at my Cisco Internet router using access-list 100 deny ip xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx any
I blocked the following netblocks, which include almost all of Asia, some European, and some known US spammers, and my spam is 99.999% gone.
deny ip 202.0.0.0 0.255.255.255 any
deny ip 203.0.0.0 0.255.255.255 any
deny ip 217.0.0.0 0.255.255.255 any
deny ip 218.0.0.0 0.255.255.255 any
deny ip 219.0.0.0 0.255.255.255 any
deny ip 220.0.0.0 0.255.255.255 any
deny ip 221.0.0.0 0.255.255.255 any
deny ip 222.0.0.0 0.255.255.255 any
deny ip 188.0.0.0 0.255.255.255 any
deny ip 80.0.0.0 0.255.255.255 any
deny ip 81.0.0.0 0.255.255.255 any
deny ip 82.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 61.0.0.0 0.255.255.255 any
deny ip 62.0.0.0 0.255.255.255 any
deny ip 210.0.0.0 0.255.255.255 any
deny ip 211.0.0.0 0.255.255.255 any
deny ip 212.0.0.0 0.255.255.255 any
deny ip 213.0.0.0 0.255.255.255 any
deny ip 193.0.0.0 0.255.255.255 any
deny ip 194.0.0.0 0.255.255.255 any
deny ip 195.0.0.0 0.255.255.255 any
deny ip 38.0.0.0 0.255.255.255 any
deny ip 43.0.0.0 0.255.255.255 any
deny ip 133.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
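The log-review step from the post above, done with a script instead of Excel or Access. This is an added example and not the poster's own procedure: it parses the W3C extended log that the SMTP virtual server writes, counts commands and refused RCPTs per client IP, and rolls the counts up to a prefix so you can see whether a noisy source is one host or a whole block before writing an access-list entry. The log lines are constructed for the demo and trimmed to a short #Fields list; that c-ip, cs-method, cs-uri-query and sc-status carry the client address, the SMTP verb, its argument and the reply code is an assumption about the log format, not something the thread states.

```python
"""Summarise an SMTP virtual server log (W3C extended format) per client IP
so the heaviest and most-refused sources stand out. SAMPLE_LOG is constructed
for the demo. Columns are taken from the #Fields header; the code assumes
cs-method is the SMTP verb, cs-uri-query its argument, sc-status the reply."""
from collections import defaultdict
import ipaddress

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-02-20 00:00:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2004-02-20 00:00:01 203.0.113.45 mx.example.net SMTPSVC1 MAILSRV - 25 HELO - +mx.example.net 250
2004-02-20 00:00:01 203.0.113.45 mx.example.net SMTPSVC1 MAILSRV - 25 MAIL - +FROM:<bob@example.net> 250
2004-02-20 00:00:02 203.0.113.45 mx.example.net SMTPSVC1 MAILSRV - 25 RCPT - +TO:<sales@example.com> 250
2004-02-20 00:00:02 203.0.113.45 mx.example.net SMTPSVC1 MAILSRV - 25 QUIT - mx.example.net 221
2004-02-20 00:00:05 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 HELO - +friend 250
2004-02-20 00:00:05 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 MAIL - +FROM:<joe@example.com> 250
2004-02-20 00:00:05 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<victim1@example.org> 550
2004-02-20 00:00:06 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<victim2@example.org> 550
2004-02-20 00:00:06 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<victim3@example.org> 550
2004-02-20 00:00:07 198.51.100.9 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<victim4@example.org> 550
2004-02-20 00:00:09 198.51.100.23 friend SMTPSVC1 MAILSRV - 25 HELO - +friend 250
2004-02-20 00:00:09 198.51.100.23 friend SMTPSVC1 MAILSRV - 25 MAIL - +FROM:<> 250
2004-02-20 00:00:10 198.51.100.23 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<nobody@example.com> 550
2004-02-20 00:00:10 198.51.100.23 friend SMTPSVC1 MAILSRV - 25 RCPT - +TO:<sales@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the #Fields line.
    Other directives are skipped; a later #Fields line re-keys the columns,
    which happens when the log file rolls over."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any header: columns cannot be named
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt record
        yield dict(zip(fields, values))


def summarise_by_ip(records):
    """Per client IP: commands seen, RCPT attempts, RCPTs refused with a 5xx,
    and the recipient domains tried. A relay attempt shows as many RCPTs
    to outside domains, each answered 550."""
    stats = defaultdict(lambda: {"commands": 0, "rcpt": 0,
                                 "rcpt_refused": 0, "domains": set()})
    for r in records:
        s = stats[r.get("c-ip", "-")]
        s["commands"] += 1
        if r.get("cs-method", "").upper() == "RCPT":
            s["rcpt"] += 1
            if r.get("sc-status", "").startswith("5"):
                s["rcpt_refused"] += 1
            arg = r.get("cs-uri-query", "")
            if "@" in arg:
                s["domains"].add(arg.rsplit("@", 1)[1].strip("<>").lower())
    return dict(stats)


def heaviest_sources(stats, top=10):
    """IPs ordered by refused RCPTs, then by total commands: the 'sort by IP
    and count' step of the post, in code."""
    return sorted(stats.items(),
                  key=lambda kv: (kv[1]["rcpt_refused"], kv[1]["commands"]),
                  reverse=True)[:top]


def roll_up(stats, prefix=24):
    """Sum refused RCPTs per network of the given prefix length, so you can
    see whether a noisy source is one host or a whole block before you
    block the block."""
    totals = defaultdict(int)
    for ip, s in stats.items():
        try:
            net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        except ValueError:
            continue  # '-' or a malformed address
        totals[str(net)] += s["rcpt_refused"]
    return dict(totals)


if __name__ == "__main__":
    stats = summarise_by_ip(parse_w3c(SAMPLE_LOG))
    for ip, s in heaviest_sources(stats):
        print("%-15s cmds=%3d rcpt=%3d refused=%3d domains=%s"
              % (ip, s["commands"], s["rcpt"], s["rcpt_refused"],
                 ",".join(sorted(s["domains"]))))
    print(roll_up(stats, 24))
```

The roll-up is the part worth pausing on before copying the access-list above: the entries there are whole /8s, and a router deny on a /8 drops the legitimate inbound mail from that range along with the spam, so check what share of your real correspondents' servers fall inside a block before you deny it.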



