fusioninternet
asked on
Server being used to send spam
Hi Experts,
It's been reported that our web server has been sending out spam. On checking the logs I can see that a considerable amount of emails have been sent using the MailEnable SMTP service.
On looking at the logs, the emails being sent are coming from 127.0.0.1, which is an allowed relay address so that our websites can send out mail.
Is there any way that I can trace or detect what is sending out the email? I've run a couple of virus scanners and Malwarebytes and so far nothing has detected anything that shouldn't be there.
So far I've not seen a pattern in when the emails are sent, so any suggestions of how I could possibly detect when there is a sudden increase of outgoing messages?
ASKER
Hi, thanks for the reply. The server is a dedicated web server, so there are no other computers connected to it via the network.
I will try the netstat approach and look into Packet Shaper.
Steve
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
If you do not have too many computers, just go to each, command line, netstat -b and find out what apps are using which port. I think you will find some very strange usage on the infected computer on the 25 or 587 ports, maybe others.
Good luck!
mug
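
One way to script the netstat -b check suggested above for the single-server case in the question, where mail arrives at the SMTP service from 127.0.0.1 (an added example, not part of the original thread). It assumes Windows Server 2012 or later, an elevated PowerShell prompt, and a placeholder log path; for IIS worker processes the recorded command line includes the application pool name, which points to the website doing the sending.

```powershell
# Added example: log which local process opens connections to an SMTP port.
# Assumptions: Get-NetTCPConnection is available (Windows Server 2012+),
# the prompt is elevated, and $logPath is a placeholder to adjust.
$smtpPorts = 25, 587
$logPath   = 'C:\Temp\smtp-clients.csv'   # placeholder path
$seen      = @{}

while ($true) {
    $current = @{}

    # A connection whose REMOTE port is 25/587 is the client side, i.e. the
    # sender. The server side (local port 25) belongs to the mail service.
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $smtpPorts -contains $_.RemotePort }

    foreach ($c in $conns) {
        $key = '{0}:{1}>{2}:{3}' -f $c.LocalAddress, $c.LocalPort,
                                    $c.RemoteAddress, $c.RemotePort
        $current[$key] = $true
        if ($seen.ContainsKey($key)) { continue }   # already logged

        # Win32_Process exposes the full command line; for w3wp.exe it
        # contains -ap "<AppPoolName>", identifying the IIS site.
        $p = Get-CimInstance Win32_Process `
                -Filter "ProcessId=$($c.OwningProcess)" `
                -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            Pid         = $c.OwningProcess
            Process     = $p.Name
            CommandLine = $p.CommandLine
            Local       = '{0}:{1}' -f $c.LocalAddress, $c.LocalPort
            Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
        } | Export-Csv -Path $logPath -Append -NoTypeInformation
    }

    # Keep only connections that still exist so reused ports are logged again.
    $seen = $current
    Start-Sleep -Milliseconds 500
}
```

Polling can miss connections that open and close between samples, so leave it running across a period when the SMTP log shows a burst and match the timestamps. Counting rows per minute in the CSV also gives a simple view of sudden increases in outgoing connections.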