crp0499 (United States of America) asked:

Redirects, unauthorized bounces, etc...

OK, my Exchange server is running Exchange 2k with all updates and patches THAT I AM AWARE OF.  My 2003 Server is running the built-in flavor of Exchange to handle three mailboxes on there.  I received the following e-mail from Road Runner:

The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem.  We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. "trojan" for short).  Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question.  The abuse commonly comes in the form of either unsolicited email (a.k.a. "spam") or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit).  However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.
 
A portion of the complaint we have received is copied below for your review:
 
_________________________________________________________________
 
example
 
Unsolicited bounce from: XXX.XX.XX.XXX
http://www.spamcop.net/w3m?i=z1461054774z78adc3d2de68b857fcfc3dfc3df88ff8z
XXX.XX.XX.XXX appears to be sending unsolicited bounces, please see:
http://www.spamcop.net/fom-serve/cache/329.html
 
[ Offending message ]
Return-Path: <SRS0=h3MDDYIp=VJ=wildandlye.com=spamtrap@hubnut.net>
Delivered-To: spamcop-net-x
Received: (qmail 24092 invoked from network); 5 Jul 2005 08:35:11 -0000
Received: from unknown (192.168.1.103)
  by blade4.cesmail.net with QMQP; 5 Jul 2005 08:35:11 -0000
Received: from srv5.hubnut.net (64.246.62.94)
  by mailgate2.cesmail.net with SMTP; 5 Jul 2005 08:35:11 -0000
Received: from wildandlye.com (localhost.localdomain [127.0.0.1])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658Z7pK020274
for <x>; Tue, 5 Jul 2005 08:35:07 GMT
Received: (from spamtrap@localhost)
by wildandlye.com (8.12.11/8.12.11/Submit) id j658Z7Bs020262
for x; Tue, 5 Jul 2005 08:35:07 GMT
Received: from srv5.hubnut.net (root@localhost)
by wildandlye.com (8.12.11/8.12.11) with ESMTP id j658Z1Aq020231
for <x>; Tue, 5 Jul 2005 08:35:01 GMT
X-ClientAddr: 67.78.88.202
Received: from win2kserver.crpoe.com (rrcs-67-78-88-202.sw.biz.rr.com [67.78.88.202])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658YtrW020160
for <x>; Tue, 5 Jul 2005 08:34:59 GMT
From: postmaster@crpoe.com
To: x
Date: Tue, 5 Jul 2005 03:34:51 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C57F14A9DD64AF0000370Cwin2kserver.crpo"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <ssaX_________190b@win2kserver.crpoe.com>
Subject: [MISDIRECTED BOUNCE] Delivery Status Notification (Failure)
Received-SPF: pass (srv5.hubnut.net: 127.0.0.1 is authenticated by a trusted mechanism)
Received-SPF: unknown (srv5.hubnut.net: error in processing during lookup of postmaster@win2kserver.crpoe.com)
X-HubNut-MailScanner: Found to be clean, Found to be clean
X-Spam-Prev-Subject: Delivery Status Notification (Failure)
X-HubNut-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-From: spamtrap@wildandlye.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-Spam-Level: *************************
________________
 
 
FYI,
 
Based on multiple reports from myNetWatchman users, we believe that the
following host is compromised or infected:
 
Source IP: XXX.XX.XX.XXX
Time Zone: UTC
 
Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 3 Jul 2005 07:55:20, 207.81.x.x, 6, 139, NETBIOS Session Service                           , 1071, 1
EventRecord: 3 Jul 2005 07:48:16, 207.81.x.x, 6, 139, NETBIOS Session Service                           , 1247, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3847, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3848, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3845, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3846, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3844, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3831, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service                           , 3826, 1
____________________________________________


I've turned off NDRs on my Exchange 2k box but do not see how to do it for the 2K3 box running the built-in Exchange that comes with the enterprise edition.

Also, is there more that I can do to resolve this?

Here is a sample of my SMTP log.  Looks fishy to me.

00:00:08 218.64.100.236 HELO - 250
00:00:35 218.64.100.236 MAIL - 250
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 EHLO - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 MAIL - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 RCPT - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 DATA - 0
00:00:52 65.161.23.59 - - 0
00:00:57 65.161.23.59 - - 0
00:00:57 65.161.23.59 QUIT - 0
00:00:57 65.161.23.59 - - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 EHLO - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 MAIL - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 RCPT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 RSET - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 QUIT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 218.64.100.236 HELO - 250
00:02:12 218.64.100.236 MAIL - 250
00:02:13 218.64.100.236 RCPT - 250
00:02:18 218.64.100.236 RCPT - 250
00:02:19 218.64.100.236 RCPT - 250
00:02:20 218.64.100.236 RCPT - 250
00:02:22 218.64.100.236 RCPT - 250
00:02:23 218.64.100.236 RCPT - 250
00:02:26 218.64.100.236 DATA - 250
00:02:26 218.64.100.236 QUIT - 240
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 EHLO - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 MAIL - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RCPT - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RSET - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 QUIT - 0
00:02:31 216.200.145.51 - - 0
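What the [MISDIRECTED BOUNCE] in the complaint above shows is backscatter. A spammer connects to win2kserver.crpoe.com, uses spamtrap@wildandlye.com as the forged envelope sender, and addresses the message to a mailbox at crpoe.com that does not exist. The server answers 250 to the RCPT, takes the message into its queue, discovers at delivery time that there is no such mailbox, and the only address it can report the failure to is the forged sender, so the Delivery Status Notification lands on an innocent third party's spam trap. Turning NDRs off hides the symptom (and silences real failure reports to legitimate senders); the fix that keeps legitimate senders informed is to check the recipient while the spammer is still connected and answer 550 at RCPT time, so there is never anything to bounce. Exchange 2003 has this as recipient filtering (Global Settings, Message Delivery, Recipient Filtering, "Filter recipients who are not in the Directory", then enabled on the SMTP virtual server); Exchange 2000 has no built-in equivalent. The following is an added example written for this page, not code from the thread or from Exchange; it models both policies in Python with a constructed mailbox list and a constructed spammer envelope, using only the domain and the victim address that appear in the quoted headers.

```python
"""Accept-then-bounce versus reject-at-RCPT, modelled in Python.

Added example; it is not code from the thread, from Exchange or from
Road Runner.  LOCAL_DOMAIN and the victim address come from the quoted
headers; the mailbox list, the client's HELO name and the message body
are constructed.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "crpoe.com"
VALID_MAILBOXES = {"postmaster@crpoe.com", "sales@crpoe.com"}   # constructed directory


@dataclass
class SessionResult:
    transcript: list = field(default_factory=list)  # "C:"/"S:" lines of the dialogue
    queued: list = field(default_factory=list)      # (mail_from, rcpt) taken into the queue
    bounces: list = field(default_factory=list)     # DSNs generated after the client left


def mailbox_exists(addr):
    return addr.lower() in VALID_MAILBOXES


def smtp_session(mail_from, rcpts, validate_at_rcpt):
    """Run one inbound session from a sender using a forged envelope address.

    mail_from        envelope sender from MAIL FROM ("" is the null sender)
    rcpts            addresses the client tries in RCPT TO
    validate_at_rcpt True  = check the directory during the session and answer
                             550 for unknown local users (recipient filtering)
                     False = accept every local address and find out it does
                             not exist only at delivery time (accept-then-bounce)
    """
    r = SessionResult()

    def say(who, text):
        r.transcript.append(f"{who}: {text}")

    say("S", "220 win2kserver.crpoe.com ESMTP")
    say("C", "HELO spammer.invalid")
    say("S", "250 OK")
    say("C", f"MAIL FROM:<{mail_from}>")
    say("S", "250 OK")
    accepted = []
    for rcpt in rcpts:
        say("C", f"RCPT TO:<{rcpt}>")
        if not rcpt.lower().endswith("@" + LOCAL_DOMAIN):
            say("S", "550 5.7.1 Unable to relay")       # foreign domain: never relay
        elif validate_at_rcpt and not mailbox_exists(rcpt):
            say("S", "550 5.1.1 User unknown")          # error goes back on the live connection
        else:
            say("S", "250 OK")
            accepted.append(rcpt)
    say("C", "DATA")
    if not accepted:
        say("S", "503 5.5.1 No valid recipients")
    else:
        say("S", "354 Start mail input")
        say("C", "<message body>.")
        say("S", "250 Queued")
        r.queued = [(mail_from, a) for a in accepted]
    say("C", "QUIT")
    say("S", "221 Bye")

    # Delivery happens after the client has gone.  An accept-all server only now
    # learns the mailbox is missing, and the only place it can report that is the
    # envelope sender, which the spammer forged: that DSN is the misdirected bounce.
    for sender, rcpt in r.queued:
        if mailbox_exists(rcpt):
            continue
        if sender == "":
            continue    # null sender: never generate a bounce for a bounce
        r.bounces.append({"to": sender,
                          "subject": "Delivery Status Notification (Failure)",
                          "failed_rcpt": rcpt})
    return r


def backscatter_demo():
    """Same forged envelope against both policies; returns (accept_all, filtered)."""
    forged = "spamtrap@wildandlye.com"     # the innocent address from the quoted bounce
    targets = ["nobody@crpoe.com", "sales@crpoe.com", "victim@example.net"]
    return (smtp_session(forged, targets, validate_at_rcpt=False),
            smtp_session(forged, targets, validate_at_rcpt=True))


if __name__ == "__main__":
    for label, result in zip(("accept-then-bounce", "reject at RCPT"), backscatter_demo()):
        print(f"--- {label} ---")
        print("\n".join(result.transcript))
        print("bounces generated:", result.bounces)
```

With the forged sender and three recipients, the accept-all policy queues the message for nobody@crpoe.com and later emits one DSN addressed to spamtrap@wildandlye.com; the filtering policy refuses that recipient on the wire and emits nothing. Both refuse the foreign-domain recipient, which is the separate open-relay check. Answering 550 per recipient does tell a directory-harvest attacker which addresses exist, which is why Exchange 2003 SP1 and later pair recipient filtering with an SMTP tarpit delay (the TarpitTime registry value under the SMTPSVC Parameters key).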
David Wilhoit (United States of America):

If you think it's an internal machine doing damage, then you need to make sure that no other desktop, especially the one you think is infected, can make an SMTP connection to your Exchange server. At the cmd prompt, run netstat -a and see who's connecting to SMTP (port 25). If it's a workstation that should be using an Outlook MAPI profile, then there should be no port 25 connection...most of the time. A virus would cause many connections to be made from 1 IP address.
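The netstat check above is the right instinct, but on a box with no internal clients the SMTP log quoted in the question already lists every host that connected, one line per verb. Added example, not code from the thread: the following Python reconstructs per-client sessions from that log format (time, client IP, verb, "-", status; lines with "-" in the verb column carry no command and are skipped) and flags the two patterns worth a second look: an envelope probe (MAIL, RCPT, then RSET or QUIT with no DATA, which is what a relay test or address verification looks like) and a session in which many RCPTs were accepted with 250 for a single message. It also counts sessions per client IP, the "many connections from one address" signal named in the answer. The log lines are constructed to mirror the quoted sample (same IPs, verbs and status codes); the threshold of five accepted recipients is an assumption.

```python
"""Per-session view of an IIS/Exchange SMTP protocol log.

Added example, not from the thread.  SAMPLE_LOG is constructed to mirror
the format and values of the log quoted in the question; it is not a
copy of a real server's log.  RCPT_THRESHOLD is an assumed tuning value.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
00:00:08 218.64.100.236 HELO - 250
00:00:35 218.64.100.236 MAIL - 250
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 EHLO - 0
00:00:50 65.161.23.59 MAIL - 0
00:00:50 65.161.23.59 RCPT - 0
00:00:50 65.161.23.59 DATA - 0
00:00:57 65.161.23.59 QUIT - 0
00:02:09 213.13.115.47 EHLO - 0
00:02:09 213.13.115.47 MAIL - 0
00:02:09 213.13.115.47 RCPT - 0
00:02:11 213.13.115.47 RSET - 0
00:02:11 213.13.115.47 QUIT - 0
00:02:11 218.64.100.236 HELO - 250
00:02:12 218.64.100.236 MAIL - 250
00:02:13 218.64.100.236 RCPT - 250
00:02:18 218.64.100.236 RCPT - 250
00:02:19 218.64.100.236 RCPT - 250
00:02:20 218.64.100.236 RCPT - 250
00:02:22 218.64.100.236 RCPT - 250
00:02:23 218.64.100.236 RCPT - 250
00:02:26 218.64.100.236 DATA - 250
00:02:26 218.64.100.236 QUIT - 240
"""

# time, client IP, verb (or "-" when the line carries no command), "-", status
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) - (\d+)$")
RCPT_THRESHOLD = 5   # assumed: accepted recipients per message that merit a look


def parse_sessions(text):
    """Split the log into sessions.  A session starts at the first verb seen from
    an IP, or at a new HELO/EHLO from an IP that already has one open, and ends
    at QUIT.  Sessions are returned in the order they started."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, verb, status = m.groups()
        if verb == "-":                       # status-only line, no command
            continue
        s = open_sessions.get(ip)
        if s is None or verb in ("HELO", "EHLO"):
            s = {"ip": ip, "start": ts, "end": ts, "verbs": []}
            open_sessions[ip] = s
            sessions.append(s)
        s["end"] = ts
        s["verbs"].append((verb, int(status)))
        if verb == "QUIT":
            del open_sessions[ip]
    return sessions


def assess(session, rcpt_threshold=RCPT_THRESHOLD):
    """Count what the client got away with and attach heuristic flags."""
    verbs = [v for v, _ in session["verbs"]]
    # Only an explicit 250 counts as accepted; status 0 means no reply code was logged.
    rcpt_ok = sum(1 for v, st in session["verbs"] if v == "RCPT" and st == 250)
    data_ok = any(v == "DATA" and st == 250 for v, st in session["verbs"])
    flags = []
    if rcpt_ok >= rcpt_threshold:
        flags.append("many accepted RCPTs in one message")
    if "RCPT" in verbs and "DATA" not in verbs and ("RSET" in verbs or "QUIT" in verbs):
        flags.append("envelope probe: RCPT then RSET/QUIT, no DATA")
    if "QUIT" not in verbs:
        flags.append("session never closed in this window")
    return {"ip": session["ip"], "start": session["start"], "end": session["end"],
            "rcpt_accepted": rcpt_ok, "delivered": data_ok, "flags": flags}


def summarise(text, rcpt_threshold=RCPT_THRESHOLD):
    """Return (per-session report, sessions-per-client-IP)."""
    sessions = parse_sessions(text)
    per_ip = defaultdict(int)
    for s in sessions:
        per_ip[s["ip"]] += 1
    return [assess(s, rcpt_threshold) for s in sessions], dict(per_ip)


if __name__ == "__main__":
    report, per_ip = summarise(SAMPLE_LOG)
    print("sessions per client IP:", per_ip)
    for row in report:
        print(f'{row["ip"]:16} {row["start"]}-{row["end"]} rcpt_ok={row["rcpt_accepted"]} '
              f'delivered={row["delivered"]} {"; ".join(row["flags"])}')
```

Against this sample the script reports two sessions from 218.64.100.236 (the first never reached QUIT in the window; the second had six recipients accepted and DATA accepted), an envelope probe from 213.13.115.47, and nothing remarkable from 65.161.23.59. The protocol log does not record addresses, so whether those six recipients were real crpoe.com mailboxes (ordinary inbound mail) or invented names destined to bounce (a dictionary run that will produce exactly the misdirected bounces in the complaint) has to come from the Exchange message tracking log for the same timestamps.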
crp0499 (asker):

Thing is, there are no other PCs in this server room or in this building. In other words, there are no internal machines.  It's just two servers alone in a room, connected to the world via a router and RR cable.  There aren't more than 10 mailboxes between the two servers.
If the outside world can see port 135 then you have a problem. How is the router configured? Do you have port 135 open to allow Outlook access over the Internet?

Simon.
crp0499 (asker):

No. Port 135 is not open on the router.
crp0499 (asker):

I DID however see that my server was set as the DMZ in the router.  Could that have been it?
ASKER CERTIFIED SOLUTION
David Wilhoit (United States of America):
I assume that was the issue?