Hack/attack on SMTP port 25
Posted on 2004-09-22
We are a small company who are trying to host our own email - unfortunately we have very little experience in this area... We have a basic email server package that handles our mail, on a Windows 2000 server.
It was working fine, but then suddenly we started getting loads of spam mail coming through. Using the DOS "netstat -an" command I could see that we were getting a large number of connections on port 25 - from a large number of different IP addresses. Port 25 obviously needs to be open for us to receive legitimate email, so we can't block it.
We have however blocked all other ports we do not use. This is done through the windows 2000 options.
Two things seem suspicious though:
The first is that the number of connections each minute is very high, so it is obviously not random spam email. I assume spammers have programs that connect via port 25 from various different IP addresses.
The second suspicious thing I noticed is that we then have connections from unknown IP addresses, from port 25 to various unused ports on our server. I assume this is a way that people hack into a server if the ports are blocked?
Is there any way to identify whether connections to port 25 are genuine email connections (I suspect not...) and is there any way to restrict access to other ports once they have connected to port 25?
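As an added example (not part of the original post), the Python script below reads the kind of "netstat -an" output described above and separates connections that a remote host made to the local port 25 (inbound SMTP) from connections the server itself opened from an ephemeral port to a remote port 25 (outbound delivery), then counts inbound connections per remote address so a source holding many connections at once stands out. The netstat rows are constructed sample data, and 192.0.2.10 is an assumed placeholder for the mail server.

```python
# Added example (not from the original post): read Windows `netstat -an` output and
# summarise SMTP connections by direction. Sample rows are constructed; 192.0.2.10
# is an assumed placeholder for the company mail server.
from collections import Counter

SMTP_PORT = 25
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:4120      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:4121      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:4122      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:1033      ESTABLISHED
  TCP    192.0.2.10:1052        203.0.113.9:25         ESTABLISHED
  TCP    192.0.2.10:1053        203.0.113.9:25         TIME_WAIT
  UDP    0.0.0.0:135            *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); a '*' port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_tcp_rows(text):
    """Yield (local_host, local_port, remote_host, remote_port, state) per TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP":
            continue  # header, blank and UDP rows carry no TCP connection state
        lhost, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        yield lhost, lport, rhost, rport, fields[3]

def summarise_smtp(text):
    """Count connections per remote address: inbound = a remote host reached our
    port 25; outbound = our server, from an ephemeral port, reached a remote port 25."""
    inbound, outbound = Counter(), Counter()
    for lhost, lport, rhost, rport, state in parse_tcp_rows(text):
        if state == "LISTENING":
            continue  # the listening socket is not a connection
        if lport == SMTP_PORT:
            inbound[rhost] += 1
        elif rport == SMTP_PORT:
            outbound[rhost] += 1
    return inbound, outbound

def noisy_senders(inbound, threshold=3):
    """Remote addresses holding at least `threshold` inbound SMTP connections at once."""
    return sorted(host for host, n in inbound.items() if n >= threshold)
```

Rows whose remote port is 25 and whose local port is high are the server's own outgoing deliveries, not someone connecting from port 25 into an unused local port, which is the usual reading of the pattern described in the post.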