Solved

My server is continuously sending emails to yahoo domain addresses xxx@yahoo.com

Posted on 2006-07-05
23
612 Views
Last Modified: 2008-02-26
It started yesterday. I used Symantec and Trend Micro antivirus but I couldn't detect anything. I receive messages from the Symantec email scanner for the millions of outgoing emails!!! Help!!!
Question by:ykamp
23 Comments
 
LVL 87

Expert Comment

by:rindi
What OS? Disable the SMTP service or daemon.
0
 
LVL 3

Author Comment

by:ykamp
Windows 2003 SBS
0
 
LVL 3

Author Comment

by:ykamp
There is no SMTP service
0
 
LVL 87

Expert Comment

by:rindi
In services "Simple Mail Transport Protocol"...
0
 
LVL 29

Accepted Solution

by:
mass2612 earned 100 total points
This article should help you check if your server is an open relay - http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 2

Assisted Solution

by:iliecz
iliecz earned 100 total points
The fact that you are using an antivirus has nothing to do with this. The antivirus won't react as long as whatever is generating the email traffic doesn't try to send a mail body that contains a virus signature/exploit/phishing mail. More useful in this case would be an antispam filter.

You should follow these steps in identifying the problem:
- analyze the mails that are sent (source and destination); you can do this by looking at mail headers
- mail source inside your network range -> one of the computers inside your network is using the server as an open relay
- mail source on the server itself -> check the server for illegal apps, users that are allowed to run applications or send mail, ASP, PHP, or other types of scripts that can be run on your server. For example, a common issue on a Linux server is to allow the user nobody to send e-mail (this allows a local script or app to send mail without requiring authentication).
- mail source outside your network/server -> legitimate clients/accounts of your mail server that might have been abused; this can be a result of not requiring password authentication for SMTP or relying on IP filtering in order to decide who can send mail through your server. And finally but not least, your server is configured to accept mail relay; if your server didn't act like this in the past, check for recent modifications in your configuration that might have compromised it. Usually it does not take very long for a server to be found as an open relay and exploited.

Please provide more details about the following:
- Server OS
- Mail software (exchange, sendmail, postfix, exim, etc.)
- what role does your server play? (do you allow other third parties/users to run their own accounts and software on your server?)
- summary description of the environment your server is running
0
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 100 total points
Unplug the ethernet connection until this is fixed, as you may be spamming the rest of the world, and this may result in your server being blacklisted. A couple of days of disruption will be nothing compared with the months and years of problems that will occur with emails waiting for the whole world to get your ip/email address removed from every black list.

Check whether these emails are 'replies to invalid emails'. If an email is received that  is not to a valid email address then some email setups send a reply. Unfortunately, this can end up 'multiplying' the junk emails as the original 'spam' email will normally be from a spoofed email address...so you send them an email stating that the email cannot be delivered, it is to an invalid email address, and the server there replies stating that it cannot be delivered - you get the idea.

Are these emails ads/spam? - Again this will give you an idea of what you are dealing with.

Also bear in mind that many email servers will often produce a failure report up to 8 days (sometimes more) after the problematic emails were received.

Are you receiving a similarly high level of emails? Again - important if trying to find the cause of the problem.

(   (()
(`-' _\
 ''  ''

0
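The header analysis iliecz describes (where did the server get the message from: a LAN workstation, an outside host, or itself) and the backscatter case pjedmond raises (is the outbound mail actually a bounce to a spoofed sender?) can be scripted over the queued messages. The following is an added Python example, not code from any poster in this thread: it takes the oldest Received: hop of each message to classify the injection point, and separately flags delivery reports by their null Return-Path or postmaster/mailer-daemon sender. The LAN range, the server's two addresses and the three sample messages are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Assumed network layout for the example (not from the thread): the SBS box
# has one LAN address and one public address; workstations live in the LAN.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
SERVER_IPS = {ipaddress.ip_address("192.168.1.2"),
              ipaddress.ip_address("203.0.113.10")}

# The first bracketed IPv4 literal in a Received: header is the connecting client.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Client IPs from the Received: chain, oldest hop first.

    Headers are prepended as a message travels, so the last Received:
    header in the message is the hop that first handed it to this server.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECEIVED_IP.search(hdr)
        if not m:
            continue
        try:
            hops.append(ipaddress.ip_address(m.group(1)))
        except ValueError:        # malformed literal: ignore the hop
            pass
    return hops


def classify_source(raw):
    """'server', 'internal' or 'external' depending on who injected the mail."""
    hops = received_hops(raw)
    if not hops:
        return "server"           # no SMTP hop: pickup directory, local script, etc.
    first = hops[0]
    if first.is_loopback or first in SERVER_IPS:
        return "server"
    if any(first in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def is_bounce(raw):
    """Delivery reports carry a null reverse path and/or a postmaster sender."""
    msg = message_from_string(raw)
    return_path = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    return return_path == "<>" or "mailer-daemon" in sender or "postmaster@" in sender


def triage(raw):
    return {"source": classify_source(raw), "bounce": is_bounce(raw)}


# Constructed sample messages (not real captures).
SAMPLE_EXTERNAL = """\
Received: from dsl-pool-77.isp.example (dsl-pool-77.isp.example [198.51.100.77])
  by mail.sbs.local with SMTP; Wed, 5 Jul 2006 10:01:02 +0300
From: "Great Deals" <offer@example.com>
To: someone@yahoo.com
Subject: cheap meds

body
"""

SAMPLE_INTERNAL = """\
Received: from ws14 (ws14.sbs.local [192.168.1.14])
  by mail.sbs.local with SMTP; Wed, 5 Jul 2006 10:01:05 +0300
From: bob@sbs.local
To: victim@yahoo.com
Subject: hi

body
"""

SAMPLE_BOUNCE = """\
Return-Path: <>
From: postmaster@sbs.local
To: spoofed-sender@yahoo.com
Subject: Undeliverable: cheap meds
Auto-Submitted: auto-replied

Your message could not be delivered.
"""

if __name__ == "__main__":
    for name, raw in (("external", SAMPLE_EXTERNAL),
                      ("internal", SAMPLE_INTERNAL),
                      ("bounce", SAMPLE_BOUNCE)):
        print(name, triage(raw))
```

Run it over the .eml files in the SMTP queue directory and tally the results: mostly "external" means an open relay, mostly "internal" points at one workstation, mostly "server" with bounce=True is backscatter from NDRs to spoofed senders, and "server" with bounce=False is something running on the box itself.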
 
LVL 16

Expert Comment

by:Nyaema
You need to disable relaying for all internal clients and external clients
until you verify that it is not an internal spammer causing you grief.

Ensure external clients can't relay.
If you have confirmed that and are still being spammed.

disable relaying for internal clients as well.
Scan your internal users for malware.

You can use a sniffer to pinpoint the culprit
http://www.networkgeneral.com/Products_details.aspx?PrdId=20046243936754&CatId=1

How to Help Secure SMTP Client Message Delivery in Exchange 2003
http://support.microsoft.com/kb/823019/en-us
0
 
LVL 38

Assisted Solution

by:Insignificant Volunteer
Insignificant Volunteer earned 100 total points
Go here and check what ports are open:
https://www.grc.com/x/ne.dll?bh0bkyd2
0
 
LVL 11

Expert Comment

by:knoxzoo
You might also want to check the system with something like Ad-Aware.  In the meantime, while you're figuring this out, edit your hosts file to redirect yahoo.com to a bit bucket.
0
 
LVL 5

Expert Comment

by:scuthber
Pause the default SMTP virtual server in Exchange System Manager (under server, protocols, SMTP). If you stop it you can't see the queues. Delete (no NDR) everything in the queues (say sorry to everyone, you'll maybe have to send your email again). Apply the KB835734 patch from http://support.microsoft.com/?id=835734 "Many unexpected outbound e-mail messages appear in the SMTP queue in Small Business Server 2003" and hopefully this will not happen again.

0
 
LVL 3

Author Comment

by:ykamp
Yesterday one of the email accounts was banned by the ISP SMTP for spamming. Nothing appears on the workstations. No virus. My sniffer says that the source of the emails is my server and not the workstations. My Symantec antivirus on the server scans hundreds of outgoing emails. This is how I detected the problem. Also it is really strange that all emails are sent to yahoo.com accounts.
0
 
LVL 29

Expert Comment

by:mass2612
Have you checked if your server is an open relay?

"An open relay, also known as third-party relay, is an email server that allows anyone on the Internet to connect to it and send email. For example, 'Joe User', dialled in through 'Big ISP' can connect to the open relay and send his email to any destination he chooses. This abuse is popular with spammers"

http://info.aol.co.uk/about/spam/openrelay.adp
0
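The open-relay check that mass2612's two comments point to, and the "ensure external clients can't relay" step in Nyaema's comment, is a fixed SMTP dialogue and can be scripted. The following is an added Python example, not code from any poster or from the linked articles: probe_open_relay runs the standard third-party-relay test (no authentication, MAIL FROM in one foreign domain, RCPT TO in another; a 250 to that RCPT means the server relays for anyone), and fake_smtp_server is a constructed in-process stand-in for the SBS SMTP virtual server so the probe can be exercised offline, once in the open-relay state and once with relay restricted to its local domain. The host names and the sbs.local domain are assumptions. Against a real server, run the probe from an address outside the LAN: relay permission is normally granted by source address, so a refusal seen from inside says nothing about what the Internet can do.

```python
import socket
import threading


def _send_line(sock, text):
    sock.sendall((text + "\r\n").encode("ascii"))


def _read_reply(reader):
    """Read one SMTP reply, including multi-line '250-' continuations.
    Returns the 3-digit code as a string, or '' if the peer went away."""
    code = ""
    while True:
        line = reader.readline()
        if not line:
            return code
        code = line[:3].decode("ascii", "replace")
        if line[3:4] != b"-":
            return code


def probe_open_relay(host, port, timeout=5.0):
    """True if the server accepts a foreign recipient from an unauthenticated
    client that also claims a foreign sender, i.e. it is a third-party relay."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        if _read_reply(reader) != "220":
            return False
        _send_line(sock, "EHLO relaytest.example.net")       # assumed probe host name
        _read_reply(reader)
        _send_line(sock, "MAIL FROM:<relaytest@example.net>")
        if _read_reply(reader) != "250":
            return False
        _send_line(sock, "RCPT TO:<relaytest@example.org>")  # neither domain is local
        accepted = _read_reply(reader) == "250"
        _send_line(sock, "QUIT")
        _read_reply(reader)
        return accepted


def fake_smtp_server(allow_relay, local_domain="sbs.local"):
    """Constructed stand-in for the SBS SMTP virtual server on an ephemeral
    loopback port. allow_relay=True reproduces the open-relay misconfiguration;
    False is the corrected policy: unauthenticated clients may only deliver to
    the local domain. No AUTH is offered, so the only way a foreign recipient
    gets accepted is the relay setting itself. Serves one session in a thread
    and returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def session():
        conn, _ = srv.accept()
        reader = conn.makefile("rb")
        _send_line(conn, "220 mail.sbs.local ESMTP")
        while True:
            line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            if not line:
                break
            verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                _send_line(conn, "250-mail.sbs.local")       # multi-line reply on purpose
                _send_line(conn, "250 SIZE 10485760")
            elif verb == "MAIL":
                _send_line(conn, "250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if allow_relay or domain == local_domain:
                    _send_line(conn, "250 2.1.5 Recipient OK")
                else:
                    _send_line(conn, "550 5.7.1 Unable to relay for " + addr)
            elif verb == "QUIT":
                _send_line(conn, "221 2.0.0 Bye")
                break
            else:
                _send_line(conn, "502 5.5.2 Command not implemented")
        conn.close()
        srv.close()

    threading.Thread(target=session, daemon=True).start()
    return port


if __name__ == "__main__":
    print("open relay  :", probe_open_relay("127.0.0.1", fake_smtp_server(True)))
    print("relay denied:", probe_open_relay("127.0.0.1", fake_smtp_server(False)))
```

The 550 on RCPT TO is the outcome the linked cleanup article is steering toward; a 250 there, when the probe is run from outside, means the relay restriction on the SMTP virtual server has to be fixed before anything else in this thread matters.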
 
LVL 3

Author Comment

by:ykamp
I don't have an internal email server. I managed to discard all the trash traffic with a statement on the outbound access group. SMTP packets went from 6500 to 50 per minute. It seems to work, but I haven't detected yet why this is happening.
0
 
LVL 87

Expert Comment

by:rindi
If you don't have an internal email server, just disable smtp like I mentioned earlier, if you do need it, then secure it.
0
 
LVL 12

Assisted Solution

by:GinEric
GinEric earned 100 total points
He didn't say where his server is, is it hosted or on site?  Nor which server software.

There are a few known infections and root kits that do this, among them, spykidz bots from IRC.  You can also click on a certain site, or anyone can visit it, and it will infect your machine via the temporary folders which allow execute permissions.  Generally, either vudo.c or a.bat will be placed in some temp folder and from there your machine will be broken into and hijacked.

This occurs both in Linux and Windows.  And because the email is generated by the rootkit, it doesn't care about smtp, it will send email even on the http port, 80, or any port it finds open.

The yahoo direction is a well known favorite of hackers, especially one who has a grudge with them.  His tack was to try and flood yahoo with spam emails, a sort of denial of service attack in which yahoo was receiving billions of emails from millions of machines around the world.  And, the machine does not have to be a server!  It can be any machine on your network.

The first thing you need to do is to check all of your machines, especially the temp folders and, if Windows, the temporary Internet files and other storage places under the user's account directories on each machine.  Once the software is inside your network and on some machine, there is little hope of an antivirus catching it because it runs as a legitimate program under either the  browser or the web server.

It's a fact that some site at snupigood.com was doing this through the graphics directory.  The site was in Canada, right before it got caught up in the Yahoo and Google and MySpace scandal that it helped create and propagate, now it's home in Russia.  Turns out it was an international crime ring that was up to no good, you may have heard they got caught, along with one deputy director of homeland security.

Believe it, you can get infected by merely visiting a website.

And there is at least one IRC centered in New Jersey that has members propagating their version of owning a box.  They were caught too.

You need to thoroughly examine all of your machines, and, perhaps, find out if any are rootkit'ed, hacked, infected, or owned.  Try looking for a.bat, or any files ending in .pl [the vudo.c favorite], and inspect all temporary folders.  You should document what you find too.

Good Luck!
0
 
LVL 4

Expert Comment

by:johanvz1
Hi,

A good place to start is to run a sniffer on your network to see where all the SMTP traffic is being generated, but as the others say, perhaps disconnect your mail server before doing this and getting the problem resolved, as being blacklisted won't make your life any easier and it takes ages.

Then, when you have your mail server disconnected from the network, run the sniffer and see if there is still SMTP broadcasting occurring; this way at least you will be isolating the problem, and that will help in troubleshooting.

Once you have the problem isolated and you know which system it is, scan for viruses, make sure you have the latest updates installed, and perhaps use something like Stinger as well. Also, before scanning, make sure the System Restore option is disabled on your system, as viruses many times hide themselves in there. To disable System Restore:

Right Click my computer>Properties>System Restore:Turn off System Restore

Scan and remove the anomaly and then re-enable the System Restore option.

Kind Regards,

Johan
0
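The sniffer approach johanvz1 describes, and the per-minute SMTP rate that ykamp's outbound rule turns on (6500 down to 50 per minute), come down to one measurement: count new connections to port 25 per source host per minute and see which host is out of line, then check how many distinct remote mail servers that host talks to, since a spam engine fans out to many MXs while a legitimate client talks to one smarthost. The following is an added Python example, not from any poster, that does this over a constructed text-form connection log of the kind a sniffer or firewall can export; the log format, the addresses and the 50-per-minute limit are assumptions.

```python
import re
from collections import defaultdict

# Assumed export format (one line per packet): "<date> <hh:mm:ss> <src> -> <dst>:<port> <flag>"
LOG_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d):\d\d\s+(\S+)\s+->\s+(\S+):(\d+)\s+SYN$")


def smtp_connects_per_minute(lines):
    """Map src -> {minute -> count of new TCP/25 connections (SYNs)}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                     # not a SYN record, or unparseable
        minute, src, _dst, dport = m.groups()
        if dport == "25":
            counts[src][minute] += 1
    return counts


def smtp_fanout(lines):
    """Map src -> number of distinct destination hosts contacted on port 25."""
    dests = defaultdict(set)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group(4) == "25":
            dests[m.group(2)].add(m.group(3))
    return {src: len(d) for src, d in dests.items()}


def flag_senders(lines, per_minute_limit=50):
    """Sources whose busiest minute exceeds the limit, with that peak rate."""
    counts = smtp_connects_per_minute(lines)
    return {src: max(per_min.values())
            for src, per_min in counts.items()
            if max(per_min.values()) > per_minute_limit}


def build_sample_log():
    """Constructed log: the server opens one connection a second to a spread
    of remote MXs; one workstation sends two mails via the server and browses."""
    lines = []
    for sec in range(60):
        lines.append(f"2006-07-05 10:01:{sec:02d} 192.168.1.2 -> 198.51.100.{sec % 20 + 1}:25 SYN")
    for sec in range(0, 30, 2):
        lines.append(f"2006-07-05 10:02:{sec:02d} 192.168.1.2 -> 198.51.100.{sec + 1}:25 SYN")
    lines += [
        "2006-07-05 10:01:05 192.168.1.14 -> 192.168.1.2:25 SYN",
        "2006-07-05 10:01:30 192.168.1.14 -> 192.168.1.2:25 SYN",
        "2006-07-05 10:01:31 192.168.1.14 -> 203.0.113.80:80 SYN",
        "2006-07-05 10:01:33 192.168.1.14 -> 203.0.113.80:80 ACK",
    ]
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("over limit :", flag_senders(log))
    print("fan-out    :", smtp_fanout(log))
```

With the mail server unplugged, as johanvz1 suggests, any source that still shows up in flag_senders is a workstation with its own mail engine; if nothing shows up, the server itself was the source.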
 
LVL 11

Expert Comment

by:knoxzoo
Run Ad-Aware.  It'll catch most of these things and eliminate them, assuming it's malware, which it certainly seems to be.
0
 
LVL 38

Expert Comment

by:Insignificant Volunteer
I think GinEric has made the most important observation so far, ie. many malicious activities like this won't use smtp, they will use their own transmission protocol.  That was my reason for suggesting a visit to Steve Gibson's "Shields Up" page to test what ports are open.

Further to GinEric's example of an "IRC Bot" like "spykidz", you will find a couple of commands that you can use to specifically test port status for known IRC Bot activity.
These documents are worth reading:

http://www.grc.com/dos/drdos.htm
http://www.grc.com/files/drdos.pdf

http://www.grc.com/dos/grcdos.htm
http://www.grc.com/files/grcdos.pdf

Extract from that 2nd page by Steve Gibson:

>>>
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".

Consequently, an active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"

Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
 
TCP   192.168.1.101:1026   70.13.215.89:6667  ESTABLISHED

 . . . then the only question remaining is how quickly you can disconnect your PC from the Internet!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
 
TCP     0.0.0.0:113     0.0.0.0:0     LISTENING

 . . . then it's probably time to pull the plug on your cable-modem!
<<<
0
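The two netstat checks quoted above can be folded into one script that parses the whole `netstat -an` listing instead of eyeballing `find` output. This is an added Python example, not from the quoted Steve Gibson pages or from any poster: it flags established connections to the IRC port range (6660-6669 and 7000, a generalisation of the single port 6667 in the quote), a listener on the Ident port 113, and, since the symptom in this thread is mass outbound mail, a burst of simultaneous outbound connections to port 25 with many distinct peers. The netstat sample is constructed in the Windows 2003 output format; the burst threshold is an assumption to tune per site.

```python
import re

# One Windows netstat -an row: proto, local addr:port, foreign addr:port, state.
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*([A-Z_]*)\s*$")

# 6667 is the IRC default in the quote; bots also use its neighbours and 7000.
IRC_PORTS = set(range(6660, 6670)) | {7000}
IDENT_PORT = 113
SMTP_PORT = 25


def parse_netstat(text):
    """Turn raw `netstat -an` output into a list of row dicts; skips headers."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state,
        })
    return rows


def analyze(rows, smtp_burst_threshold=20):
    tcp = [r for r in rows if r["proto"] == "TCP"]
    irc = [r for r in tcp if r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS]
    ident = [r for r in tcp if r["state"] == "LISTENING" and r["lport"] == IDENT_PORT]
    smtp = [r for r in tcp if r["rport"] == SMTP_PORT
            and r["state"] in ("ESTABLISHED", "SYN_SENT")]
    return {
        "irc_peers": sorted({r["raddr"] for r in irc}),
        "ident_listener": bool(ident),
        "smtp_outbound": len(smtp),
        "smtp_distinct_hosts": len({r["raddr"] for r in smtp}),
        "smtp_burst": len(smtp) >= smtp_burst_threshold,
    }


def summarize(netstat_text, smtp_burst_threshold=20):
    return analyze(parse_netstat(netstat_text), smtp_burst_threshold)


# Constructed sample in Windows 2003 format (assumed addresses, not a real capture).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.2:1026       70.13.215.89:6667      ESTABLISHED
  TCP    192.168.1.2:1031       198.51.100.21:25       ESTABLISHED
  TCP    192.168.1.2:1032       198.51.100.22:25       ESTABLISHED
  TCP    192.168.1.2:1033       198.51.100.23:25       SYN_SENT
  TCP    192.168.1.2:1034       198.51.100.23:25       ESTABLISHED
  TCP    192.168.1.2:1035       198.51.100.24:25       ESTABLISHED
  TCP    192.168.1.2:1036       198.51.100.25:25       SYN_SENT
  TCP    192.168.1.2:1040       192.168.1.14:139       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.2:137        *:*
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_NETSTAT, smtp_burst_threshold=5).items():
        print(f"{key:20} {value}")
```

On the real box, pipe `netstat -ano` through it instead and keep the PID column: the process behind the :6667 connection or the :25 burst is the one to look at, and a legitimate mail server's outbound :25 connections will belong to the SMTP service, not to something started from a temp folder.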
 
LVL 38

Expert Comment

by:Insignificant Volunteer
Thank you rindi and CetusMOD
0
