Solved

My server is continuously sending emails to yahoo domain addresses xxx@yahoo.com

Posted on 2006-07-05
23
638 Views
Last Modified: 2008-02-26
It started yesterday. I used Symantec and Trendmicro antivirus but I couldn't detect anything. I receive messages from Symantec email Scanner for the million outgoing emails!!! Help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Question by:ykamp
23 Comments
 
LVL 88

Expert Comment

by:rindi
ID: 17041609
What OS? Disable the SMTP service or daemon.
0
 
LVL 3

Author Comment

by:ykamp
ID: 17041643
Windows 2003 SBS
0
 
LVL 3

Author Comment

by:ykamp
ID: 17041666
There is no smtp service
0
 
LVL 88

Expert Comment

by:rindi
ID: 17041835
In services "Simple Mail Transport Protocol"...
0
 
LVL 29

Accepted Solution

by:
mass2612 earned 100 total points
ID: 17041886
This article should help you check if your server is an open relay - http://www.amset.info/exchange/spam-cleanup.asp
0
 
LVL 2

Assisted Solution

by:iliecz
iliecz earned 100 total points
ID: 17042358
The fact that you are using an antivirus has nothing to do with this. The antivirus won't react as long as whatever is generating the email traffic doesn't try to send a mail body that contains a virus signature/exploit/phishing mail. More useful in this case would be an antispam filter.

You should follow the following steps in identifying the problem:
- analyze the mails that are sent (source and destination); you can do this by looking at mail headers
  - mail source inside your network range -> one of the computers inside your network is using the server as an open relay
  - mail source on the server itself -> check the server for illegal apps, users that are allowed to run applications or send mail, ASP, PHP, or other types of scripts that can be run on your server. For example, a common issue on a Linux server is to allow the user nobody to send e-mail (this allows a local script or app to send mail without requiring authentication).
  - mail source outside your network/server:
    - legitimate clients/accounts of your mail server that might have been abused; this can be a result of not requiring password authentication for SMTP or relying on IP filtering in order to decide who can send mail through your server.
    - and finally but not least, your server is configured to accept mail relay; if your server didn't act like this in the past, check for recent modifications in your configuration that might have compromised it. Usually it does not take very long for a server to be found as an open relay and exploited.

Please provide more details about the following:
- Server OS
- Mail software (exchange, sendmail, postfix, exim, etc.)
- what role does your server play? (do you allow other third parties/users to run their own accounts and software on your server?)
- summary description of the environment your server is running
0
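The header analysis iliecz describes above (reading the Received chain of a queued message to decide whether the mail originated on an internal client, on the server itself, or from an outside host) can be scripted. The following is an added example, not code from the thread or from any product mentioned in it; the server address, the internal network range and the three sample messages are constructed for illustration, and only the bracketed IPv4 form of the Received "from" clause is handled.

```python
import ipaddress
import re
from email import message_from_string

# Matches the "[1.2.3.4]" or "(1.2.3.4)" the receiving MTA writes after the claimed hostname.
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_chain(raw_message):
    """Return the connecting IP recorded in each Received header, newest hop first.

    A hop without a recognisable IP yields None.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        # Only the "from ..." clause identifies the peer; everything after " by " is the receiver.
        from_clause = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = IP_RE.search(from_clause)
        hops.append(match.group(1) if match else None)
    return hops


def classify_origin(raw_message, server_ips, internal_nets):
    """Classify where a message entered the mail path.

    server_ips: addresses of the mail server itself (assumed constructed values here).
    internal_nets: CIDR ranges of the internal network.
    Categories: "server-itself", "internal-client", "external".
    """
    servers = {ipaddress.ip_address(ip) for ip in server_ips}
    nets = [ipaddress.ip_network(net) for net in internal_nets]

    # The bottom-most Received header was stamped first, so it is closest to the origin.
    origin = None
    for hop in reversed(received_chain(raw_message)):
        if hop is not None:
            origin = ipaddress.ip_address(hop)
            break

    if origin is None or origin.is_loopback or origin in servers:
        category = "server-itself"      # injected on the server; no earlier hop recorded
    elif any(origin in net for net in nets):
        category = "internal-client"    # a LAN host handed it to the server
    else:
        category = "external"           # an outside host used the server as a relay
    return {"origin": None if origin is None else str(origin), "category": category}


# Constructed samples (not real captures). 192.168.1.10 plays the mail server,
# 203.0.113.45 an outside host, 198.51.100.5 the ISP's smarthost.
SAMPLE_INTERNAL = """Received: from mail.example.local (mail.example.local [192.168.1.10])
  by smarthost.isp.example with ESMTP id A1; Wed, 05 Jul 2006 10:00:00 +0300
Received: from ws17 (unknown [192.168.1.57])
  by mail.example.local with SMTP; Wed, 05 Jul 2006 09:59:58 +0300
From: bogus@example.org
To: someone@yahoo.com
Subject: constructed sample

body
"""

SAMPLE_SERVER = """Received: from mail.example.local (mail.example.local [192.168.1.10])
  by smarthost.isp.example with ESMTP id A2; Wed, 05 Jul 2006 10:00:01 +0300
From: bogus@example.org
To: someone@yahoo.com
Subject: constructed sample

body
"""

SAMPLE_EXTERNAL = """Received: from mail.example.local (mail.example.local [192.168.1.10])
  by smarthost.isp.example with ESMTP id A3; Wed, 05 Jul 2006 10:00:02 +0300
Received: from relayme.example.net (relayme.example.net [203.0.113.45])
  by mail.example.local with SMTP; Wed, 05 Jul 2006 09:59:59 +0300
From: bogus@example.org
To: someone@yahoo.com
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, sample in (("internal", SAMPLE_INTERNAL), ("server", SAMPLE_SERVER), ("external", SAMPLE_EXTERNAL)):
        print(name, classify_origin(sample, ["192.168.1.10"], ["192.168.1.0/24"]))
```

Run it over messages pulled from the outbound queue (or from the bounce reports the ISP returns): a pile of "internal-client" results points at one LAN host to clean, "server-itself" means a process on the server is generating the mail, and "external" means the relay itself is open.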
 
LVL 22

Assisted Solution

by:pjedmond
pjedmond earned 100 total points
ID: 17042671
Unplug the ethernet connection until this is fixed, as you may be spamming the rest of the world, and this may result in your server being blacklisted. A couple of days of disruption will be nothing compared with the months and years of problems that will occur with emails waiting for the whole world to get your ip/email address removed from every black list.

Check whether these emails are 'replies to invalid emails'. If an email is received that is not to a valid email address then some email setups send a reply. Unfortunately, this can end up 'multiplying' the junk emails as the original 'spam' email will normally be from a spoofed email address...so you send them an email stating that the email cannot be delivered, it is to an invalid email address, and the server there replies stating that it cannot be delivered - you get the idea.

Are these emails ads/spam? - Again this will give you an idea of what you are dealing with.

Also bear in mind that many email servers will often produce a failure report up to 8 days (sometimes more) after the problematic emails were received.

Are you receiving a similarly high level of emails? Again - important if trying to find the cause of the problem.

(   (()
(`-' _\
 ''  ''

0
 
LVL 16

Expert Comment

by:Nyaema
ID: 17043180
You need to disable relaying for all internal clients and external clients
until you verify that it is not an internal spammer causing you grief.

Ensure external clients can't relay.
If you have confirmed that and are still being spammed,
disable relaying for internal clients as well.
Scan your internal users for malware.

You can use a sniffer to pinpoint the culprit
http://www.networkgeneral.com/Products_details.aspx?PrdId=20046243936754&CatId=1

How to Help Secure SMTP Client Message Delivery in Exchange 2003
http://support.microsoft.com/kb/823019/en-us
0
 
LVL 38

Assisted Solution

by:BillDL
BillDL earned 100 total points
ID: 17046301
Go here and check what ports are open:
https://www.grc.com/x/ne.dll?bh0bkyd2
0
 
LVL 11

Expert Comment

by:knoxzoo
ID: 17046867
You might also want to check the system with something like Ad-Aware.  In the meantime, while you're figuring this out, edit your hosts file to redirect yahoo.com to a bit bucket.
0
 
LVL 5

Expert Comment

by:scuthber
ID: 17048803
Pause the default SMTP virtual server in Exchange System Manager (under server, protocols, SMTP). If you stop it you can't see the queues. Delete (no NDR) everything in the queues (say sorry to everyone, you'll maybe have to send your email again). Apply the KB835734 patch from http://support.microsoft.com/?id=835734 "Many unexpected outbound e-mail messages appear in the SMTP queue in Small Business Server 2003" and hopefully this will not happen again.

0
 
LVL 3

Author Comment

by:ykamp
ID: 17049105
Yesterday one of the email accounts was banned by the ISP SMTP for spamming. Nothing appears on the workstation. No virus. My sniffer says that the source of the emails is my server and not the workstation. My Symantec antivirus on the server scans hundreds of outgoing emails. This is how I detected the problem. Also it is really strange that all emails are sent to yahoo.com accounts.
0
 
LVL 29

Expert Comment

by:mass2612
ID: 17049117
Have you checked if your server is an open relay?

"An open relay, also known as third-party relay, is an email server that allows anyone on the Internet to connect to it and send email. For example, 'Joe User', dialled in through 'Big ISP' can connect to the open relay and send his email to any destination he chooses. This abuse is popular with spammers"

http://info.aol.co.uk/about/spam/openrelay.adp
0
 
LVL 3

Author Comment

by:ykamp
ID: 17049461
I don't have an internal email server. I managed to discard all the trash traffic with a statement on the outbound access group: SMTP packets from 6500 to 50 per minute. It seems to work but I haven't detected yet why this is happening.
0
 
LVL 88

Expert Comment

by:rindi
ID: 17049485
If you don't have an internal email server, just disable smtp like I mentioned earlier, if you do need it, then secure it.
0
 
LVL 12

Assisted Solution

by:GinEric
GinEric earned 100 total points
ID: 17050346
He didn't say where his server is, is it hosted or on site?  Nor which server software.

There are a few known infections and root kits that do this, among them, spykidz bots from IRC.  You can also click on a certain site, or anyone can visit it, and it will infect your machine via the temporary folders which allow execute permissions.  Generally, either vudo.c or a.bat will be placed in some temp folder and from there your machine will be broken into and hijacked.

This occurs both in Linux and Windows.  And because the email is generated by the rootkit, it doesn't care about smtp, it will send email even on the http port, 80, or any port it finds open.

The yahoo direction is a well known favorite of hackers, especially one who has a grudge with them.  His tack was to try and flood yahoo with spam emails, a sort of denial of service attack in which yahoo was receiving billions of emails from millions of machines around the world.  And, the machine does not have to be a server!  It can be any machine on your network.

The first thing you need to do is to check all of your machines, especially the temp folders and, if Windows, the temporary Internet files and other storage places under the user's account directories on each machine.  Once the software is inside your network and on some machine, there is little hope of an antivirus catching it because it runs as a legitimate program under either the  browser or the web server.

It's a fact that some site at snupigood.com was doing this through the graphics directory.  The site was in Canada, right before it got caught up in the Yahoo and Google and MySpace scandal that it helped create and propagate, now it's home in Russia.  Turns out it was an international crime ring that was up to no good, you may have heard they got caught, along with one deputy director of homeland security.

Believe it, you can get infected by merely visiting a website.

And there is at least one IRC centered in New Jersey that has members propagating their version of owning a box.  They were caught too.

You need to thoroughly examine all of your machines, and, perhaps, find out if any are rootkit'ed, hacked, infected, or owned.  Try looking for a.bat, or any files ending in .pl [the vudo.c favorite], and inspect all temporary folders.  You should document what you find too.

Good Luck!
0
 
LVL 4

Expert Comment

by:johanvz1
ID: 17051187
Hi,

A good place to start is to run a sniffer on your network to see where all the SMTP traffic is being generated, but as the others say, perhaps disconnect your mail server before doing this and getting the problem resolved, as being blacklisted won't make your life any easier and it takes ages.

Then, when you have your mail server disconnected from the network, run the sniffer and see if there is still SMTP broadcasting occurring; this way at least you will be isolating the problem. And that will help in troubleshooting.

Once you have the problem isolated and you know which system it is, scan for viruses, make sure you have the latest updates installed, and perhaps use something like Stinger as well. Also, before scanning, make sure the system restore option is disabled on your system, as viruses many times hide themselves in there. To disable system restore:

Right Click my computer>Properties>System Restore:Turn off System Restore

Scan and remove the anomaly and then re-enable the system restore option.

Kind Regards,

Johan
0
 
LVL 11

Expert Comment

by:knoxzoo
ID: 17052166
Run Ad-Aware.  It'll catch most of these things and eliminate them, assuming it's malware, which it certainly seems to be.
0
 
LVL 38

Expert Comment

by:BillDL
ID: 17054117
I think GinEric has made the most important observation so far, i.e. many malicious activities like this won't use SMTP, they will use their own transmission protocol.  That was my reason for suggesting a visit to Steve Gibson's "Shields Up" page to test what ports are open.

Further to GinEric's example of an "IRC Bot" like "spykidz", you will find a couple of commands that you can use to specifically test port status for known IRC Bot activity.
These documents are worth reading:

http://www.grc.com/dos/drdos.htm
http://www.grc.com/files/drdos.pdf

http://www.grc.com/dos/grcdos.htm
http://www.grc.com/files/grcdos.pdf

Extract from that 2nd page by Steve Gibson:

>>>
All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".

Consequently, an active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"

Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
 
TCP   192.168.1.101:1026   70.13.215.89:6667  ESTABLISHED

 . . . then the only question remaining is how quickly you can disconnect your PC from the Internet!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
 
TCP     0.0.0.0:113     0.0.0.0:0     LISTENING

 . . . then it's probably time to pull the plug on your cable-modem!
<<<
0
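The two netstat checks quoted above (an ESTABLISHED connection to a remote port 6667, and a LISTENING socket on local port 113) can be applied to a saved `netstat -ano` listing rather than eyeballed, and the same pass can count outbound port-25 connections per process, which is the question this thread keeps circling back to: which process on the server is talking SMTP. The script below is an added example, not code from the thread or from Steve Gibson's pages; the netstat text is constructed in the layout Windows `netstat -ano` prints, with documentation-range addresses and made-up PIDs.

```python
from collections import Counter

# Constructed sample in the layout of Windows "netstat -ano" (not a real capture).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; PIDs are invented.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       728
  TCP    192.168.1.10:1026      203.0.113.9:6667       ESTABLISHED     1840
  TCP    192.168.1.10:1030      198.51.100.21:25       SYN_SENT        1840
  TCP    192.168.1.10:1031      198.51.100.22:25       ESTABLISHED     1840
  TCP    192.168.1.10:1032      198.51.100.23:25       ESTABLISHED     1840
  TCP    192.168.1.10:1040      198.51.100.40:25       ESTABLISHED     3016
  UDP    0.0.0.0:123            *:*                                    1012
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None when it is '*' or absent."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse netstat -ano style lines into dicts; UDP rows carry no state."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header row or blank line
        local_host, local_port = split_endpoint(fields[1])
        remote_host, remote_port = split_endpoint(fields[2])
        if fields[0] == "TCP":
            state = fields[3]
            pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        else:
            state = None
            pid = int(fields[3]) if fields[3].isdigit() else None
        entries.append({
            "proto": fields[0],
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": state, "pid": pid,
        })
    return entries


def triage(entries, irc_ports=(6667,), ident_port=113, smtp_port=25):
    """Apply the two checks from the quoted extract plus a per-PID outbound SMTP count."""
    tcp = [e for e in entries if e["proto"] == "TCP"]
    irc_connections = [e for e in tcp
                       if e["state"] == "ESTABLISHED" and e["remote_port"] in irc_ports]
    ident_listeners = [e for e in tcp
                       if e["state"] == "LISTENING" and e["local_port"] == ident_port]
    # Any socket whose foreign port is 25 is an outbound SMTP attempt, whatever its state.
    smtp_by_pid = Counter(e["pid"] for e in tcp if e["remote_port"] == smtp_port)
    return {
        "irc_connections": irc_connections,
        "ident_listeners": ident_listeners,
        "smtp_by_pid": dict(smtp_by_pid),
    }


def report(text):
    """Return human-readable findings for a netstat listing."""
    findings = triage(parse_netstat(text))
    lines = []
    for e in findings["irc_connections"]:
        lines.append(f"IRC: PID {e['pid']} connected to {e['remote_host']}:{e['remote_port']}")
    for e in findings["ident_listeners"]:
        lines.append(f"IDENT: PID {e['pid']} listening on {e['local_host']}:{e['local_port']}")
    for pid, count in sorted(findings["smtp_by_pid"].items(), key=lambda kv: -kv[1]):
        lines.append(f"SMTP: PID {pid} has {count} outbound port-25 socket(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

On a real box, save `netstat -ano` to a file, run the report, and map the PIDs with `tasklist` (or the process list in Task Manager); a single non-mail-server process holding many port-25 sockets is the thing to pull, and the same PID showing up in the IRC or ident lines is the bot pattern the extract describes.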
 
LVL 38

Expert Comment

by:BillDL
ID: 17256639
Thank you rindi and CetusMOD
0