Solved

Hack/attack on smtp port 25

Posted on 2004-09-22
3,279 Views
Last Modified: 2012-05-05
We are a small company that tries to host our own email; unfortunately we have very little experience in this area. We have a basic email server package that handles our mail, on a Windows 2000 server.

It was working fine, but then suddenly we started getting loads of SPAM mail coming through. Using the DOS "netstat -an" command I could see that we were getting a large number of connections on port 25, from a large number of different IP addresses. Port 25 obviously needs to be open for us to receive legitimate email, so we can't block it.
We have, however, blocked all other ports we do not use. This is done through the Windows 2000 options.

Two things seem suspicious though:
The first is that the number of connections each minute is very high, so it is obviously not random spam email. I assume spammers have programs that connect via port 25 from various different IP addresses.

The second suspicious thing I noticed is that we then have connections from unknown IP addresses, from port 25 to various unused ports on our server. I assume this is a way that people hack onto a server if the ports are blocked?

Is there any way to identify whether connections to port 25 are genuine email connections (I suspect not...), and is there any way to restrict access to other ports once they have connected to port 25?

Thanks
Chris
Question by:chrishorak
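Added example, not part of the original post: a small parser for Windows "netstat -an" output that separates the two kinds of port-25 sessions the question describes and counts them per remote address. The netstat lines embedded below are constructed sample data using RFC 5737 placeholder addresses, with 192.0.2.10 standing in for the mail server. How the columns are read matters: a line whose Local Address ends in :25 is a remote host delivering to our SMTP service, while a line whose Foreign Address ends in :25 is a connection our own server opened to port 25 on someone else's mail server, i.e. outbound mail. A server that is only supposed to receive but shows a stream of the latter is sending mail, which is what an abused relay looks like from netstat.

```python
"""Classify and count SMTP (port 25) sessions in Windows `netstat -an` output.

Added example, not code from the original thread. SAMPLE_NETSTAT is constructed
in the Windows 2000 netstat format; all addresses are RFC 5737 placeholders.
"""
from collections import Counter

SMTP_PORT = 25

# Constructed sample of `netstat -an` output (columns: Proto, Local, Foreign, State).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          198.51.100.7:4101      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:4102      ESTABLISHED
  TCP    192.0.2.10:25          198.51.100.7:4103      ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:33012     ESTABLISHED
  TCP    192.0.2.10:25          203.0.113.44:33013     TIME_WAIT
  TCP    192.0.2.10:1043        203.0.113.9:25         ESTABLISHED
  TCP    192.0.2.10:1044        203.0.113.10:25        SYN_SENT
  TCP    192.0.2.10:1045        203.0.113.11:25        ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""


def split_addr(addr):
    """Split 'host:port' into (host, port); port is None for the UDP '*' wildcard."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Yield (local_host, local_port, foreign_host, foreign_port, state) for TCP lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue  # header lines, blank lines and UDP sockets are skipped
        lhost, lport = split_addr(parts[1])
        fhost, fport = split_addr(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        yield lhost, lport, fhost, fport, state


def classify_smtp(text, active_states=("ESTABLISHED", "SYN_SENT", "SYN_RECEIVED")):
    """Return (inbound, outbound) Counters keyed by remote IP.

    inbound : remote host connected TO our port 25 (someone delivering mail to us)
    outbound: OUR server connected to port 25 on a remote host (we are sending mail);
              a spike here on a receive-only server is the classic sign of relay abuse.
    Sockets in TIME_WAIT / LISTENING are ignored so only live sessions are counted.
    """
    inbound, outbound = Counter(), Counter()
    for _, lport, fhost, fport, state in parse_netstat(text):
        if state not in active_states:
            continue
        if lport == SMTP_PORT and fport != SMTP_PORT:
            inbound[fhost] += 1
        elif fport == SMTP_PORT and lport != SMTP_PORT:
            outbound[fhost] += 1
    return inbound, outbound


def noisy_sources(counter, threshold):
    """Remote IPs with at least `threshold` concurrent sessions, busiest first.

    This is the list a per-IP block rule (or a route-to-nowhere, as in the thread)
    would be fed; it is a symptom list, not a fix for an open relay.
    """
    return [(ip, n) for ip, n in counter.most_common() if n >= threshold]


if __name__ == "__main__":
    inbound, outbound = classify_smtp(SAMPLE_NETSTAT)
    print("inbound to our port 25   :", dict(inbound))
    print("outbound to remote port 25:", dict(outbound))
    print("sources with >= 3 sessions:", noisy_sources(inbound, 3))
```

On the constructed sample the script reports three live inbound sessions from one source and three outbound connections to port 25 on three different hosts; the second set is the one to worry about on a server that only receives mail.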
6 Comments
 
Expert Comment by PennGwyn (LVL 11), ID: 12127662
> The 2nd suspicious thing I noticed is that we then have connections from unknown ip addresses, from port 25 to various
> unused ports on our server. I assume this is a way that people hack onto a server if the ports are blocked?

These may well indicate that your server, in addition to receiving lots of spam for *you*, is also an "open relay" and is being used to forward spam to the rest of the world.

You haven't specified what email server software you run, but search online for instructions on how to configure it to restrict relaying -- hopefully before you get blacklisted as a friend of spammers.

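Added example, to make the "open relay" point concrete; this is not code from the thread or from the True North server it mentions. It simulates the SMTP relay decision a mail server makes at RCPT TO, with a closed policy (accept mail for our own domains from anyone; accept mail for other domains only from a trusted network or after authentication) beside the broken open-relay policy, and feeds both the four-command probe used to test for relaying. Domains, addresses and the trusted network 192.0.2.0/24 are assumed placeholders.

```python
"""Closed versus open SMTP relay, as a scripted-session simulation.

Added example; not code from the thread or from any named mail server product.
Domains, addresses and networks are placeholders (RFC 5737 ranges, example.* names);
the trusted network 192.0.2.0/24 is an assumed office LAN.
"""
import ipaddress


class RelayPolicy:
    """Decides whether a RCPT TO may be accepted from a given client.

    The usual closed-relay rules:
      * mail FOR one of our own domains is always accepted (we are its MX);
      * mail for any other domain is accepted only from trusted networks or
        after SMTP AUTH; everything else gets '550 relaying denied'.
    An open relay is this same check with that last restriction missing.
    """

    def __init__(self, local_domains, trusted_nets=(), open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.open_relay = open_relay  # True only to demonstrate the broken configuration

    def is_trusted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted_nets)

    def may_relay(self, client_ip, rcpt, authenticated=False):
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return True          # inbound mail for us: always fine
        if self.open_relay:
            return True          # the bug: anyone may send anywhere through us
        return authenticated or self.is_trusted(client_ip)


def run_session(policy, client_ip, commands, authenticated=False):
    """Feed a scripted client dialogue to the policy and return the server replies.

    Only HELO/EHLO, MAIL, RCPT, DATA and QUIT are modelled, which is all a relay
    probe needs: it sends a MAIL FROM and a RCPT TO that are both foreign to the
    server and looks at the reply to RCPT.
    """
    replies = ["220 mail.example.org ESMTP"]
    have_mail, accepted_rcpts = False, 0
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mail.example.org")
        elif verb == "MAIL":
            have_mail = True
            replies.append("250 OK")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip("<> ")
            if not have_mail:
                replies.append("503 need MAIL first")
            elif policy.may_relay(client_ip, rcpt, authenticated):
                accepted_rcpts += 1
                replies.append("250 OK")
            else:
                replies.append("550 relaying denied")
        elif verb == "DATA":
            replies.append("354 go ahead" if accepted_rcpts else "503 need RCPT first")
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unknown command")
    return replies


# A classic open-relay probe: sender and recipient both belong to other domains.
RELAY_PROBE = [
    "HELO probe.invalid",
    "MAIL FROM:<spammer@example.com>",
    "RCPT TO:<victim@example.net>",
    "QUIT",
]


def is_open_relay(policy, client_ip="203.0.113.5"):
    """True if an untrusted, unauthenticated client gets 250 on the probe's RCPT."""
    replies = run_session(policy, client_ip, RELAY_PROBE)
    return replies[3].startswith("250")  # reply 0 banner, 1 HELO, 2 MAIL, 3 RCPT


if __name__ == "__main__":
    closed = RelayPolicy(["example.org"], trusted_nets=["192.0.2.0/24"])
    broken = RelayPolicy(["example.org"], open_relay=True)
    for name, pol in (("closed", closed), ("open", broken)):
        print(name, "relay ->", run_session(pol, "203.0.113.5", RELAY_PROBE))
```

The four commands in RELAY_PROBE are the same ones you would type into "telnet yourserver 25" from a host outside your own network to check a real server: a 250 after the RCPT TO for a domain you do not host means you are relaying, a 550 means you are not. Note that the check must be run from outside, since a trusted LAN address is allowed to relay by design.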
 

Author Comment by chrishorak, ID: 12131675
Email relaying is turned off in our email server software (True North Internet Anywhere Email Server, ver. 3), but I assume that the hackers have got in through a back door. Unfortunately we have an old version and don't have the money to do an upgrade at the moment. They don't support old versions.

I can see various IP addresses that appear to be relaying the mail, but these originate from all over the world. I have blocked some of them by using "route add" to redirect them to an invalid IP address, which works, but unfortunately they keep coming in with new IP addresses!

Is there any way to stop smtp relaying from within Windows 2000 Server, without relying on the setting of the email software?
 

Author Comment by chrishorak, ID: 12133363
True North provide a 30-day eval copy of their new server, which we have installed. This appears to have solved the problem, as it automatically adds IP addresses to a list of denial of service attacks. I think I have convinced management to buy the new version!
 
Expert Comment by Tim Holman (LVL 23), ID: 12150112
> Is there anyway to identify whether connections to port 25 are genuine email connections

95% Yes - this is called grey-listing.  In essence, the first SMTP session is ignored (this takes care of 99% of spammers, as they just send send send and don't care about server acknowledgements), but subsequent sessions from the same IP address are accepted, as they are most likely to be mail retransmits from legitimate servers.

http://projects.puremagic.com/greylisting/

Of course, there will always be unwanted mails that manage to get through, somehow.

Another thing to consider is viral infection.  There are plenty of worms that will try and propagate on port 25, so make sure you're locked down and fully patched.  MBSA works well for this.
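Added example of the greylisting the comment above describes; it is not code from the thread or from the puremagic.com project it links. One precision on the mechanism: the first attempt is not silently ignored but answered with a 4xx temporary failure (451), which a real MTA treats as "queue it and retry later" and a fire-and-forget spam tool treats as a lost cause. The simulation keys on the classic triplet (client IP, envelope sender, envelope recipient), refuses the first attempt and any retry that comes back too quickly, accepts a retry inside the window, and then whitelists the triplet so later mail is not delayed. The timing parameters (5 minute minimum, 4 hour window, 36 day whitelist) are the commonly used defaults and are assumptions here, not settings from any product; addresses are RFC 5737 placeholders and the clock is injectable so the run finishes instantly.

```python
"""Greylisting simulation: temp-fail the first attempt, accept the proper retry.

Added example, not code from the thread or the greylisting project it links.
Timing defaults are assumed (classic values); addresses are RFC 5737 placeholders.
"""
import time

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, min_delay=300, max_wait=4 * 3600, whitelist_ttl=36 * 86400,
                 clock=time.time):
        self.min_delay = min_delay          # retries sooner than this are still refused
        self.max_wait = max_wait            # a triplet not retried within this window expires
        self.whitelist_ttl = whitelist_ttl  # how long a proven sender stays whitelisted
        self.clock = clock                  # injectable so a simulation need not sleep
        self.pending = {}                   # triplet -> time first seen
        self.whitelist = {}                 # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # Classic greylisting keys on (client IP, envelope sender, envelope recipient).
        # Large senders may retry from another host in the same pool; keying on the
        # sender's /24 instead of the full IP is the usual fix if that causes delays.
        return (client_ip, mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to):
        """Return the SMTP reply for this delivery attempt."""
        now = self.clock()
        key = self.triplet(client_ip, mail_from, rcpt_to)

        last_ok = self.whitelist.get(key)
        if last_ok is not None and now - last_ok <= self.whitelist_ttl:
            self.whitelist[key] = now       # refresh on every successful delivery
            return ACCEPT

        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.max_wait:
            # Never seen, or the earlier attempt is too old to count as a retry:
            # a real MTA will queue and come back; a spam cannon moves on.
            self.pending[key] = now
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            # Too fast: spamware that blindly re-sends on 4xx does not get through either.
            return TEMP_FAIL
        del self.pending[key]
        self.whitelist[key] = now
        return ACCEPT


class FakeClock:
    """Constructed clock so the simulation runs instantly instead of waiting minutes."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Replay a legitimate MTA and a fire-and-forget spammer; return both reply lists."""
    clock = FakeClock()
    gl = Greylist(clock=clock)
    mta = ("198.51.100.7", "alice@example.com", "chris@example.org")
    spam = ("203.0.113.44", "x9@example.net", "chris@example.org")
    log = {"mta": [], "spam": []}
    log["mta"].append(gl.check(*mta))    # first attempt: 451
    log["spam"].append(gl.check(*spam))  # first attempt: 451, and the spammer never retries
    clock.advance(60)
    log["mta"].append(gl.check(*mta))    # retry after 1 minute: too soon, still 451
    clock.advance(600)
    log["mta"].append(gl.check(*mta))    # retry after 11 minutes: accepted
    clock.advance(3600)
    log["mta"].append(gl.check(*mta))    # now whitelisted: accepted without delay
    return log


if __name__ == "__main__":
    for who, replies in simulate().items():
        print(who, "->", replies)
```

The cost is visible in the simulation: first-contact mail from a legitimate sender is delayed by that sender's retry interval, which is why the whitelist exists and why the comment says 95% rather than 100%.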
 
Accepted Solution by DarthMod (LVL 1, earned 0 total points), ID: 16155986
PAQed with points (250) refunded

DarthMod
Community Support Moderator
Question has a verified solution.