crp0499
asked on
Redirects, unauthorized bounces, etc...
OK, my Exchange server is running Exchange 2k with all updates and patches THAT I AM AWARE OF. My 2003 Server is running the built-in flavor of Exchange to handle three mailboxes on there. I received the following e-mail from Road Runner:
The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem. We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. "trojan" for short). Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question. The abuse commonly comes in the form of either unsolicited email (a.k.a. "spam") or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit). However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.
A portion of the complaint we have received is copied below for your review:
__________________________
example
Unsolicited bounce from: XXX.XX.XX.XXX
http://www.spamcop.net/w3m?i=z1461054774z78adc3d2de68b857fcfc3dfc3df88ff8z
XXX.XX.XX.XXX appears to be sending unsolicited bounces, please see:
http://www.spamcop.net/fom-serve/cache/329.html
[ Offending message ]
Return-Path: <SRS0=h3MDDYIp=VJ=wildandlye.com=spamtrap@hubnut.net>
Delivered-To: spamcop-net-x
Received: (qmail 24092 invoked from network); 5 Jul 2005 08:35:11 -0000
Received: from unknown (192.168.1.103)
by blade4.cesmail.net with QMQP; 5 Jul 2005 08:35:11 -0000
Received: from srv5.hubnut.net (64.246.62.94)
by mailgate2.cesmail.net with SMTP; 5 Jul 2005 08:35:11 -0000
Received: from wildandlye.com (localhost.localdomain [127.0.0.1])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658Z7pK020274
for <x>; Tue, 5 Jul 2005 08:35:07 GMT
Received: (from spamtrap@localhost)
by wildandlye.com (8.12.11/8.12.11/Submit) id j658Z7Bs020262
for x; Tue, 5 Jul 2005 08:35:07 GMT
Received: from srv5.hubnut.net (root@localhost)
by wildandlye.com (8.12.11/8.12.11) with ESMTP id j658Z1Aq020231
for <x>; Tue, 5 Jul 2005 08:35:01 GMT
X-ClientAddr: 67.78.88.202
Received: from win2kserver.crpoe.com (rrcs-67-78-88-202.sw.biz.rr.com [67.78.88.202])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658YtrW020160
for <x>; Tue, 5 Jul 2005 08:34:59 GMT
From: postmaster@crpoe.com
To: x
Date: Tue, 5 Jul 2005 03:34:51 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C57F14A9DD64AF0000370Cwin2kserver.crpo"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <ssaX_________190b@win2kserver.crpoe.com>
Subject: [MISDIRECTED BOUNCE] Delivery Status Notification (Failure)
Received-SPF: pass (srv5.hubnut.net: 127.0.0.1 is authenticated by a trusted mechanism)
Received-SPF: unknown (srv5.hubnut.net: error in processing during lookup of postmaster@win2kserver.crpoe.com)
X-HubNut-MailScanner: Found to be clean, Found to be clean
X-Spam-Prev-Subject: Delivery Status Notification (Failure)
X-HubNut-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-From: spamtrap@wildandlye.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-Spam-Level: *************************
________________
FYI,
Based on multiple reports from myNetWatchman users, we believe that the
following host is compromised or infected:
Source IP: XXX.XX.XX.XXX
Time Zone: UTC
Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 3 Jul 2005 07:55:20, 207.81.x.x, 6, 139, NETBIOS Session Service , 1071, 1
EventRecord: 3 Jul 2005 07:48:16, 207.81.x.x, 6, 139, NETBIOS Session Service , 1247, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3847, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3848, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3845, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3846, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3844, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3831, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service , 3826, 1
__________________________
I've turned off NDRs on my Exchange 2k box but do not see how to do it for the 2K3 box running the built-in Exchange that comes with the Enterprise edition.
Also, is there more that I can do to resolve this?
Here is a sample of my SMTP log. Looks fishy to me.
00:00:08 218.64.100.236 HELO - 250
00:00:35 218.64.100.236 MAIL - 250
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 EHLO - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 MAIL - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 RCPT - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 DATA - 0
00:00:52 65.161.23.59 - - 0
00:00:57 65.161.23.59 - - 0
00:00:57 65.161.23.59 QUIT - 0
00:00:57 65.161.23.59 - - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 EHLO - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 MAIL - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 RCPT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 RSET - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 QUIT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 218.64.100.236 HELO - 250
00:02:12 218.64.100.236 MAIL - 250
00:02:13 218.64.100.236 RCPT - 250
00:02:18 218.64.100.236 RCPT - 250
00:02:19 218.64.100.236 RCPT - 250
00:02:20 218.64.100.236 RCPT - 250
00:02:22 218.64.100.236 RCPT - 250
00:02:23 218.64.100.236 RCPT - 250
00:02:26 218.64.100.236 DATA - 250
00:02:26 218.64.100.236 QUIT - 240
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 EHLO - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 MAIL - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RCPT - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RSET - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 QUIT - 0
00:02:31 216.200.145.51 - - 0
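To make the "looks fishy" judgement on the SMTP log above repeatable, here is an added analysis script (not part of the original post, and not an Exchange tool). It parses lines in the exact format shown (time, client IP, SMTP verb or "-", "-", status code), groups them into sessions per client, counts sessions per remote host, and flags any session in which one remote host got a message accepted (DATA answered 250) for more than a threshold number of RCPT commands. The sample input is a subset of the log lines from the question; what a status of 0 means in this log is not stated on the page, so the script only counts what it sees and treats anything other than 250 as not accepted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# A subset of the SMTP log lines from the question above, in the same
# format: time, client IP, SMTP verb (or "-"), "-", status code.
SAMPLE_LOG = """\
00:00:08 218.64.100.236 HELO - 250
00:00:35 218.64.100.236 MAIL - 250
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 EHLO - 0
00:00:50 65.161.23.59 MAIL - 0
00:00:50 65.161.23.59 RCPT - 0
00:00:50 65.161.23.59 DATA - 0
00:00:57 65.161.23.59 QUIT - 0
00:02:11 218.64.100.236 HELO - 250
00:02:12 218.64.100.236 MAIL - 250
00:02:13 218.64.100.236 RCPT - 250
00:02:18 218.64.100.236 RCPT - 250
00:02:19 218.64.100.236 RCPT - 250
00:02:20 218.64.100.236 RCPT - 250
00:02:22 218.64.100.236 RCPT - 250
00:02:23 218.64.100.236 RCPT - 250
00:02:26 218.64.100.236 DATA - 250
00:02:26 218.64.100.236 QUIT - 240
00:02:31 216.200.145.51 EHLO - 0
00:02:31 216.200.145.51 MAIL - 0
00:02:31 216.200.145.51 RCPT - 0
00:02:31 216.200.145.51 RSET - 0
00:02:31 216.200.145.51 QUIT - 0
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Session:
    client: str
    start: str
    verbs: list = field(default_factory=list)  # (verb, status) in order

    @property
    def rcpt_count(self) -> int:
        return sum(1 for verb, _ in self.verbs if verb == "RCPT")

    @property
    def data_accepted(self) -> bool:
        return any(verb == "DATA" and status == 250 for verb, status in self.verbs)


def parse_sessions(text: str) -> list:
    """Group log lines into SMTP sessions per client IP.

    A session begins at HELO/EHLO (or at the first verb seen from a client)
    and ends at QUIT; verb-less '- -' lines are skipped."""
    sessions = []
    open_by_client = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, client, verb, _, status = match.groups()
        if verb == "-":
            continue
        if verb in ("HELO", "EHLO") or client not in open_by_client:
            open_by_client[client] = Session(client, ts)
            sessions.append(open_by_client[client])
        session = open_by_client[client]
        session.verbs.append((verb, int(status)))
        if verb == "QUIT":
            del open_by_client[client]
    return sessions


def connections_per_client(sessions) -> dict:
    """How many sessions each remote host opened in the sampled window."""
    counts = defaultdict(int)
    for session in sessions:
        counts[session.client] += 1
    return dict(counts)


def suspicious_sessions(sessions, max_rcpt: int = 5) -> list:
    """Sessions where the server accepted one message (DATA -> 250) for more
    than max_rcpt recipients from a single remote host. Those recipients
    should all be local mailboxes; if they are not, the server relayed."""
    return [s for s in sessions if s.data_accepted and s.rcpt_count > max_rcpt]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    print(connections_per_client(found))
    for s in suspicious_sessions(found):
        print(f"{s.client} at {s.start}: {s.rcpt_count} RCPTs, message accepted")
```

On the sample, the 218.64.100.236 session at 00:02:11 is the one flagged: six RCPT commands answered 250 and the message queued. Whether that is legitimate depends on whether all six recipients are mailboxes on the server; checking the matching message tracking entry against the recipient list is the next step, and a session like that from an unknown host is the pattern an open relay shows.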
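The complaint above is about a misdirected bounce: the Exchange server accepted a message for an address it could not deliver to, then sent a Delivery Status Notification to the forged sender (here a spamtrap), which is why the server, not the spammer, was reported. The following toy MTA model is an added illustration, not Exchange code and not from the poster; the mailbox set, addresses and session are constructed. It runs the same forged session through two policies: accept every RCPT and bounce later (which produces backscatter), and reject unknown recipients with 550 during the session (which produces none). It also shows the null reverse-path rule, which is why a bounce never bounces. In Exchange 2003 the second policy corresponds to recipient filtering (Global Settings, Message Delivery, Recipient Filtering), which has to be enabled on the SMTP virtual server as well.

```python
from dataclasses import dataclass

# Constructed local mailbox directory (stand-in for the Exchange directory).
LOCAL_MAILBOXES = {"alice@example.invalid", "bob@example.invalid"}


@dataclass
class Dsn:
    """A delivery status notification the server would send out."""
    to: str            # reverse-path of the original message
    failed_rcpt: str   # the recipient that could not be delivered


def deliver(sender, recipients):
    """Post-acceptance delivery. Anything accepted for a non-existent
    mailbox can only fail now, and the failure is reported to the
    reverse-path, which spam forges. A null reverse-path (<>) is never
    bounced, so a bounce never generates another bounce."""
    dsns = []
    for rcpt in recipients:
        if rcpt in LOCAL_MAILBOXES:
            continue  # delivered to a real mailbox, nothing to report
        if sender in (None, "", "<>"):
            continue  # null reverse-path: no DSN, ever
        dsns.append(Dsn(to=sender, failed_rcpt=rcpt))
    return dsns


def smtp_session(commands, reject_unknown_rcpt: bool):
    """Run (verb, argument) pairs through a toy MTA and return
    (replies, dsns). 'replies' are the SMTP replies the client sees;
    'dsns' are bounces the server generates afterwards."""
    replies, accepted, sender, queued = [], [], None, False
    for verb, arg in commands:
        if verb == "MAIL":
            sender = arg
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            if reject_unknown_rcpt and arg not in LOCAL_MAILBOXES:
                # Reject during the session: the connecting client, not a
                # forged third party, is the one told the address is bad.
                replies.append(f"550 5.1.1 {arg}: Recipient address rejected")
            else:
                accepted.append(arg)
                replies.append("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            if accepted:
                queued = True
                replies.append("250 2.6.0 Queued for delivery")
            else:
                replies.append("503 5.5.1 No valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Service closing")
    dsns = deliver(sender, accepted) if queued else []
    return replies, dsns


# Constructed spam session: forged sender, recipient that does not exist here.
FORGED_SESSION = [
    ("MAIL", "spamtrap@victim.invalid"),
    ("RCPT", "nobody@example.invalid"),
    ("DATA", "<message body>"),
    ("QUIT", ""),
]

if __name__ == "__main__":
    for mode in (False, True):
        replies, dsns = smtp_session(FORGED_SESSION, reject_unknown_rcpt=mode)
        print(f"reject unknown RCPT={mode}: RCPT reply '{replies[1]}', bounces sent: {len(dsns)}")
```

Turning NDRs off altogether, as the poster did on the 2k box, stops the backscatter but also silences legitimate failure notices; rejecting at RCPT time keeps the notices for real senders, because their own MTA generates the bounce from the 550 reply, and gives a forged sender nothing.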
If you think it's an internal machine doing damage, then you need to make sure that no other desktop, especially the one you think is infected, can make an SMTP connection to your Exchange server. At the cmd prompt, run netstat -a and see who's connecting to SMTP (port 25). If it's a workstation that should be using an Outlook MAPI profile, then there should be no port 25 connection...most of the time. A virus would cause many connections to be made from one IP address.
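The netstat check in the comment above, as an added example that is not the commenter's code: a small parser for the output of `netstat -a -n` on Windows (the `-n` keeps addresses numeric). It counts established connections per remote host, separating hosts connecting to this server's port 25 from connections this server has opened to someone else's port 25; the second kind is what a compromised host sending spam would show. The netstat output below is constructed from documentation address ranges and is not from the poster's server; the threshold is a hypothetical choice.

```python
from collections import Counter

# Constructed output in the format of `netstat -a -n` on Windows
# (Proto, Local Address, Foreign Address, State). Addresses are from
# private/documentation ranges, not hosts from the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:25        192.168.1.55:1043      ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.55:1044      ESTABLISHED
  TCP    192.168.1.10:25        192.168.1.55:1045      ESTABLISHED
  TCP    192.168.1.10:25        203.0.113.7:4412       ESTABLISHED
  TCP    192.168.1.10:135       192.168.1.20:1029      ESTABLISHED
  TCP    192.168.1.10:1124      198.51.100.9:25        ESTABLISHED
  TCP    192.168.1.10:1125      198.51.100.9:25        TIME_WAIT
  UDP    0.0.0.0:161            *:*
"""


def _split_endpoint(endpoint: str):
    """'host:port' -> (host, port); also handles IPv6 written as '[::1]:25'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text: str):
    """Yield (proto, local_host, local_port, foreign_host, foreign_port, state)
    for every TCP row; header lines and UDP rows (no state column) are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue
        proto, local, foreign, state = fields
        local_host, local_port = _split_endpoint(local)
        foreign_host, foreign_port = _split_endpoint(foreign)
        yield proto, local_host, local_port, foreign_host, foreign_port, state


def smtp_peers(text: str, port: str = "25"):
    """Count ESTABLISHED connections per remote host, split into inbound
    (remote host talking to our port 25) and outbound (this host talking
    to someone else's port 25)."""
    inbound, outbound = Counter(), Counter()
    for _, _, local_port, foreign_host, foreign_port, state in parse_netstat(text):
        if state != "ESTABLISHED":
            continue
        if local_port == port:
            inbound[foreign_host] += 1
        elif foreign_port == port:
            outbound[foreign_host] += 1
    return dict(inbound), dict(outbound)


def heavy_clients(counts: dict, threshold: int = 2):
    """Remote hosts holding more than `threshold` simultaneous sessions
    (hypothetical threshold; a MAPI workstation should hold none)."""
    return sorted(host for host, n in counts.items() if n > threshold)


if __name__ == "__main__":
    inbound, outbound = smtp_peers(SAMPLE_NETSTAT)
    print("inbound to port 25 :", inbound)
    print("outbound to port 25:", outbound)
    print("heavy clients      :", heavy_clients(inbound))
```

On a real box the output of `netstat -a -n` would be saved to a file and fed to `smtp_peers` instead of the constructed sample; on the sample, 192.168.1.55 holds three SMTP sessions at once and is the host to look at first.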
ASKER
Thing is, there are no other PCs in this server room or in this building. In other words, there are no internal machines. It's just two servers alone in a room, connected to the world via a router and RR cable. There aren't more than 10 mailboxes between the two servers.
If the outside world can see port 135 then you have a problem. How is the router configured? Do you have port 135 open to allow Outlook access over the Internet?
Simon.
ASKER
No. Port 135 is not open on the router.
ASKER
I DID however see that my server was set as the DMZ in the router. Could that have been it?
ASKER CERTIFIED SOLUTION
I assume that was the issue?