SMTP Open Relay being used to send spam
Posted on 2006-05-13
I'm running Win Server 2k3 standard. I enabled the built in POP3 service for one email account.
Yesterday morning I noticed a tremendous amount of unexplained traffic going to and from my server. Using Ethereal, I was able to determine that my server was being used to relay spam.
I closed smtp ports on my firewall, but then I realized my server was sending out NBNS and DNS queries for various domains.
I stopped the SMTP service, but this did not end the queries, so I rebooted the server. This helped, but the server was still sending NBNS queries for various domains. I ended up disabling both LAN connections for the time being. I let the server sit overnight, and in the morning I enabled both LAN connections and noticed that it was no longer sending DNS or NBNS queries, only broadcast traffic for the local host and the like.
At this point I moved to configure the SMTP Virtual Server as follows:
Default SMTP Virtual Server > Properties > Access > Relay restrictions = Only the list below (IP address of one local host)
Default SMTP Virtual Server > Properties > Access > Access Control = Integrated Windows Authentication
Default SMTP Virtual Server > Properties > Access > Connection Control = Only the list below (IP address of one local host)
Then I opened the SMTP port on the firewall.
This helped quite a bit, but I still see attempts to establish a TCP connection on port 25 from various ip addresses.
Does anyone have any advice on how else I could configure my SMTP virtual server? Because of the settings above, I now cannot receive emails from external domains.
Thank you in advance.
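The check the post describes doing by hand with Ethereal and the SMTP settings can be scripted. The following is an added example, not code from the original post or from the IIS SMTP service: it walks an SMTP session up to RCPT TO and reads the server's answer, which is how an open relay is distinguished from a correctly restricted one. With a foreign sender and a foreign recipient, a 250 to RCPT TO means the server relays for anyone; a 550 ("5.7.1 Unable to relay for ...", the reply the IIS SMTP service gives once Relay restrictions are set) means relaying is refused, while a recipient in the server's own domain should still get 250. That distinction, refuse relaying but keep accepting inbound mail for local mailboxes, is exactly what "Relay restrictions" enforces on its own; restricting connections to one host blocks inbound delivery too. So that the example runs offline, it includes a constructed stand-in server that mimics those replies; the hostname `mail.example.local`, the `.invalid` addresses and the class/function names are assumptions for illustration.

```python
import smtplib
import socket
import threading


# --- Constructed stand-in for the IIS SMTP Virtual Server (example only) ---
# It mimics the replies an IIS SMTP service gives: recipients in its own
# domain are always accepted; recipients elsewhere get "250" while the server
# is an open relay and "550 5.7.1 Unable to relay for <addr>" once Relay
# restrictions are configured.  It serves exactly one connection, then exits.
class FakeSmtpServer(threading.Thread):
    def __init__(self, local_domain="mail.example.local", relay_allowed=False):
        super().__init__(daemon=True)
        self.local_domain = local_domain.lower()
        self.relay_allowed = relay_allowed
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def reply_to(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250 %s Hello" % self.local_domain
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            addr = arg.partition(":")[2].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if domain == self.local_domain or self.relay_allowed:
                return "250 2.1.5 " + addr
            return "550 5.7.1 Unable to relay for " + addr
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.5.1 Command unrecognized"

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            banner = "220 %s Microsoft ESMTP MAIL Service ready\r\n" % self.local_domain
            conn.sendall(banner.encode("ascii"))
            buf = b""
            while True:
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:          # commands may arrive fragmented
                    line, buf = buf.split(b"\r\n", 1)
                    reply = self.reply_to(line.decode("ascii", "replace"))
                    conn.sendall(reply.encode("ascii") + b"\r\n")
                    if reply.startswith("221"):
                        return


# --- The probe itself: what you would run from an OUTSIDE address ---
def rcpt_probe(host, port, from_addr, to_addr, timeout=5.0):
    """Walk the envelope up to RCPT TO and return (code, text) for it.
    The session is reset and closed afterwards, so nothing is ever queued."""
    with smtplib.SMTP(host, port, local_hostname="probe.invalid",
                      timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        code, text = s.mail(from_addr)
        if code != 250:
            return code, text.decode("ascii", "replace")
        code, text = s.rcpt(to_addr)
        s.rset()
        return code, text.decode("ascii", "replace")


def is_open_relay(host, port, timeout=5.0):
    """Both addresses are foreign to the server, so a 250 to RCPT TO means
    it will relay for anyone, which is what the spammers were exploiting."""
    code, _ = rcpt_probe(host, port, "probe@outside.invalid",
                         "victim@elsewhere.invalid", timeout)
    return code == 250


if __name__ == "__main__":
    # Demo against the constructed server in both modes; each instance
    # serves one connection, so a fresh one is started per probe.
    for allowed in (True, False):
        srv = FakeSmtpServer(relay_allowed=allowed)
        srv.start()
        print("relay_allowed=%s: open relay? %s"
              % (allowed, is_open_relay("127.0.0.1", srv.port)))
        srv = FakeSmtpServer(relay_allowed=allowed)
        srv.start()
        print("  local recipient: %s %s" % rcpt_probe(
            "127.0.0.1", srv.port, "probe@outside.invalid",
            "postmaster@mail.example.local"))
```

Run the probe against port 25 from a host that is not in the relay list (a properly configured server answers 250 for its own domain and 550 for everything else). Seeing connection attempts on port 25 from many addresses after the fix is expected on any Internet-facing mail server; the relevant question is only what the server answers to RCPT TO, which this probe reports.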