Exchange Server Forums

Maybe sending tons of spam...

Maybe sending tons of spam... - 23.Apr.2004 11:17:00 AM
c0p0n (Posts: 6, Joined: 8.Jan.2004, From: Spain)
First of all: I am a Linux admin who was given a Windows 2000 server machine to administer only a week ago. This week I have been learning a bit of the Windows server way, but without doing anything dangerous on the machine (I did all my trials on a fake server), simply because it was running ok. My knowledge of the Win2k server environment is a bit young, but I have many years of experience administering Unix servers (especially Linux and FreeBSD), so I think I can take the points here.

Ok. The business. The Exchange server is eating the whole upstream bandwidth, it's that simple. It seems that it is sending a bunch of email, but I see nothing in the queue folder.

The server has MailEssentials 9.0 installed for spam checking, monitoring the SMTP link. It runs fairly well (although I am planning a migration to SpamAssassin, I am not in a hurry), and on its monitor I can see all emails that are being sent and received. Ok, but not the junk traffic the Exchange server is generating. It is using SMTP, but I cannot see any message anywhere with this.

After that, I sniffed the machine's communications with Ethereal to find the SMTP traffic. It was going to this IP:

204.251.10.82 ---> iris2.directnic.com

As the whole upstream was taken up, no downstream was available to anyone, so I blocked all communication with that IP. For a while it ran well, but after a short time the thing began to communicate over SMTP with:

204.251.10.81 ---> iris1.directnic.com

I also blocked that IP in search of a solution. After a short while, it began to communicate with:

204.251.10.90 ---> pop.directnic.com

which I blocked again. That was 2 hrs ago; the problem seems to have been avoided, but not solved.

The Exchange server has Symantec Antivirus Corporate Edition 8.00.9374 installed, and it seems that I have no viruses so far (but you never know).
</gre_replace>
<gr_replace lines="49" cat="clarify" orig="I telnet'ed">
I telnetted to the machine on port 25 and it seems that relaying is closed.

I telnet'ed the machine on p25 and it seems that I have the relay closed.

I am monitoring the account logins right now to see if there is something strange here.

Well, I have run out of ideas. The IP blocking seems to be working right now, but that's only an ugly hack that can be easily circumvented, and I want a real solution. I don't know if it has something to do with some automated attack involving NT user accounts or viruses, but the fact that the SMTP communication was with directnic machines seems a bit STRANGE to me. And dangerous; I do not want my domain to be blacklisted at all...

As I am a Unix man, I would replace the OS with something more convenient for me (as I am NO expert on Windows machines), maybe a FreeBSD or Debian machine. I know the Unix system and how to make it almost impenetrable (as much as you can, of course), but the Unix groupware solutions are not very mature at this moment. We NEED Exchange, although a lot of us are using Linux and Evolution.

Any help would be GREATLY appreciated. Thanks in advance.
Post #: 1
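The manual triage described in the post above (sniff the wire, find which hosts the server keeps opening SMTP sessions to, then decide what to block) can be scripted over a packet-list export. This is an added example, not code from the original thread; it parses a constructed text export in the style of an Ethereal/tshark packet list, and the local address 192.0.2.10 is a placeholder for the Exchange server.

```python
"""Summarise outbound SMTP (TCP/25) sessions from a packet-list export.

Hypothetical example: the input format below is a constructed Ethereal/tshark-style
packet summary (time, src -> dst, protocol, info), not real capture data.
"""
import re
from collections import Counter

# Constructed sample: the local Exchange host (placeholder 192.0.2.10) opens
# several SMTP sessions to the directnic hosts named in the thread, plus one
# unrelated HTTPS connection that must be ignored.
SAMPLE_CAPTURE = """\
0.000 192.0.2.10 -> 204.251.10.82 TCP 1034 > 25 [SYN]
0.120 204.251.10.82 -> 192.0.2.10 TCP 25 > 1034 [SYN, ACK]
0.240 192.0.2.10 -> 204.251.10.82 SMTP Command: MAIL FROM:<someone@example.com>
1.500 192.0.2.10 -> 204.251.10.82 TCP 1035 > 25 [SYN]
2.100 192.0.2.10 -> 204.251.10.81 TCP 1036 > 25 [SYN]
3.000 192.0.2.10 -> 198.51.100.5 TCP 1037 > 443 [SYN]
3.200 192.0.2.10 -> 204.251.10.82 TCP 1038 > 25 [SYN]
"""

# Only a bare [SYN] marks a *new* connection attempt from the client side.
LINE_RE = re.compile(r"^\S+\s+(\S+) -> (\S+)\s+TCP\s+(\d+) > (\d+) \[SYN\]$")


def outbound_smtp_sessions(capture_text, local_ip):
    """Count new outbound TCP/25 connections per destination IP."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # data packets, SYN/ACKs and non-TCP lines are skipped
        src, dst, _sport, dport = m.groups()
        if src == local_ip and dport == "25":
            counts[dst] += 1
    return counts


def suspicious_destinations(counts, threshold):
    """Destinations with at least `threshold` new SMTP sessions, busiest first."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    sessions = outbound_smtp_sessions(SAMPLE_CAPTURE, "192.0.2.10")
    for ip, n in suspicious_destinations(sessions, 2):
        print(f"{ip}: {n} outbound SMTP sessions")
```

On a real server the threshold would be set against the normal outbound mail volume, and a destination that dominates the list is the one to investigate before blocking.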
RE: Maybe sending tons of spam... - 27.Apr.2004 3:07:00 PM
pjhutch (Posts: 3578, Joined: 21.Jul.2001, From: W Yorks, England)
It could be relaying 1000s of messages. The queues aren't that good, as messages only stay there very, very briefly.

I use the MS Knowledge base a lot so start here:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;kbhowto&sd=TECH&ln=EN-US&FR=0

Check this out on securing SMTP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319267&Product=exch2k

Post #: 2
RE: Maybe sending tons of spam... - 28.Apr.2004 11:10:00 AM
c0p0n (Posts: 6, Joined: 8.Jan.2004, From: Spain)
Thanks man! I looked at the KB before, but it's a complex database, and as I am not especially familiar with the M$ products and websites, I didn't even know where to start.

The article about securing SMTP access should be useful (as I use and am familiar with the double SMTP link scheme on the *nix servers), VERY useful in fact for me; I will have a deep read of it.

I'll post any conclusion on this topic here.

Thanks, man [Smile]

Post #: 3