Solved

Lotus domino server bombarded by junk emails

Posted on 2007-04-10
Last Modified: 2013-12-18
I really need a solution to a problem that I have been facing since yesterday.
Our server is being bombarded by emails, spam and junk emails. Every second there are lots of emails coming. I don't know where they are coming from. I changed the configuration a bit and it is not working at all.
When I look at the server console, the mails are not coming from outside because I don't see mails being transferred from outside hosts. Of course the server does get connected to some external hosts but no mails are received.

I am attaching below a typical message log:

04/10/2007 05:12:43 PM  Router: Transferring mail to domain AMQA.COM (host m1.dnsix.COM [63.251.83.84]) via SMTP
04/10/2007 05:12:43 PM  Router: No messages transferred to CRSTUDIO.IT (host mx.CRSTUDIO.IT) via SMTP
04/10/2007 05:12:43 PM  Router: Transferring mail to domain WE-HELP-U.BIZ (host WE-HELP-U.BIZ [12.129.178.28]) via SMTP
04/10/2007 05:12:43 PM  SMTP Server: 65.75.169.7 connected
04/10/2007 05:12:43 PM  Router: No messages transferred to WE-HELP-U.BIZ (host WE-HELP-U.BIZ) via SMTP
04/10/2007 05:12:43 PM  Router: No messages transferred to AMQA.COM (host m1.dnsix.COM) via SMTP
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient adan65@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient acheck@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient adamgj@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient ackerth.feg@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:44 PM  SMTP Server: 65.75.169.7 disconnected. 0 message[s] received
04/10/2007 05:12:44 PM  Router: Message 0061AC80 not routed to recipient adie_reid@t-online.de for policy reasons
04/10/2007 05:12:44 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:44 PM  Router: Transferring mail to domain COMENCO.COM (host mx1c9.megamailservers.COM [69.156.240.34]) via SMTP
04/10/2007 05:12:45 PM  SMTP Server: 65.75.169.7 connected


I have no clue. I do think that somehow some program is trying to relay the message outside but is not allowed, so it gets accumulated in the mail.box of our server.
The accumulation is very fast, i.e. in less than a second there are more than 10 entries in the mail box. It started yesterday, and yesterday in around 6 hours there were 200,000 undelivered messages in the mail box.

We are running Lotus Domino 6.5.1 on the Windows 2003 platform.

Thanks so much.

Suman gurung
Question by:sumangurung
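
A triage script for the console log posted in the question, added here as an example (it is not part of the original thread). It tallies relay refusals per sender and per message ID, and the number of messages each connecting SMTP client actually handed over. The sample lines are copied from the post; the function and variable names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Patterns for the Domino console lines shown in the question.
NOT_ROUTED = re.compile(r"Router: Message (\w+) not routed to recipient (\S+) for policy")
POLICY = re.compile(r"Policy Reason: Router: (\S+) is restricted from sending mail")
CONNECTED = re.compile(r"SMTP Server: (\S+) connected")
DISCONNECTED = re.compile(r"SMTP Server: (\S+) disconnected\. (\d+) message\[s\] received")

# Sample input: lines copied from the log in the question.
SAMPLE_LOG = """\
04/10/2007 05:12:43 PM  SMTP Server: 65.75.169.7 connected
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient adan65@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient acheck@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:43 PM  Router: Message 0061AC80 not routed to recipient adamgj@t-online.de for policy reasons
04/10/2007 05:12:43 PM  Router: Policy Reason: Router: waehgpozon@cnkcs.net is restricted from sending mail through server SMTP/MOIC
04/10/2007 05:12:44 PM  SMTP Server: 65.75.169.7 disconnected. 0 message[s] received
04/10/2007 05:12:45 PM  SMTP Server: 65.75.169.7 connected
"""

def summarize(log_text):
    """Tally relay refusals and inbound SMTP sessions from console log text."""
    refused_senders = Counter()    # sender address -> refused deliveries
    recipients = defaultdict(set)  # message ID -> recipients refused
    sessions = Counter()           # client IP -> connections opened
    received = Counter()           # client IP -> messages handed over
    for line in log_text.splitlines():
        if m := NOT_ROUTED.search(line):
            recipients[m.group(1)].add(m.group(2))
        elif m := POLICY.search(line):
            refused_senders[m.group(1)] += 1
        elif m := DISCONNECTED.search(line):
            received[m.group(1)] += int(m.group(2))
        elif m := CONNECTED.search(line):
            sessions[m.group(1)] += 1
    return {"refused_senders": refused_senders, "recipients": dict(recipients),
            "sessions": sessions, "received": received}

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for sender, n in report["refused_senders"].most_common():
        print(f"{n} refusals for sender {sender}")
    for msg_id, rcpts in report["recipients"].items():
        print(f"message {msg_id}: {len(rcpts)} recipients refused")
    for ip, n in report["sessions"].items():
        print(f"{ip}: {n} connections, {report['received'][ip]} messages received")
```

Run it over a full console log export to see which sender addresses and message IDs account for the refusals, and whether any connecting IP actually hands over messages.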
11 Comments
 
LVL 46

Accepted Solution

by:
Sjef Bosman earned 125 total points
ID: 18881593
Your server might be an "open relay", accepting messages from the Internet to forward them to the Internet again. Spammers are always looking for open relay servers. To find out, use
   http://www.abuse.net/relay.html

To block this, you have to modify the Configuration document, disallowing everything that wants to be relayed from-to the Internet.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 18881615
0
 

Author Comment

by:sumangurung
ID: 18882066
Thanks for your suggestions.
Relay is prohibited from our server. You can test it, our server is smtp.moic.gov.bt.
I think because relaying is not allowed, the mails are getting stored in the mail.box at an alarming rate. I just checked the mail details from the mail.box and it said "restricted from relaying through the server".
The weird thing is I don't see many connecting hosts on the server console. The messages on the console are the ones that I posted earlier. What do you think could have caused this?

Thanks
0
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 125 total points
ID: 18882769
I would consider installing an anti-spam program either on the server or an appliance in front of it, to protect it from SPAM.

Also have your network person do a TCP/IP packet trace to see where the emails are arriving from.

I hope this helps!
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 18882883
The trace could indeed tell you whether an inside person has an infected PC.

Is this server the only mail server in your organization, or do you also have Exchange servers (or other) that route their mail through the Domino server?
0
 

Author Comment

by:sumangurung
ID: 18887465
Installing an anti spam program is not possible at this time although it is an excellent idea. I would like to do the packet trace. I wonder how it is done. Can anyone tell me?

This is the only mail server in the organization.

Thanks,
Suman Gurung
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 18887906
0
 
LVL 18

Assisted Solution

by:marilyng
marilyng earned 125 total points
ID: 18888590
kspam (openntf.org) is free and quite good; I used it. If it's not external relays, then it's probably an infected computer or server. Or, people are reading their home mail on their company PCs, and that is spawning mail being dropped onto port 25.
0
 
LVL 1

Assisted Solution

by:sedentary
sedentary earned 125 total points
ID: 18897802
Along with the really good suggestions in this forum, below I have added a few more suggestions you might consider and may find useful:
1. For mail that piles up in the mail.boxes:
Mail Box Cleaner is a scheduled agent that deletes all dead mail from server mail boxes on a regular basis. http://www-10.lotus.com/ldd/sandbox.nsf/ByDateNJ/fb66d28b53ee64c085256dbf00516d97?OpenDocument
2. Enable the DNS blacklist filters.
3. Examine the SMTP headers of one of the messages coming in and list the IP under the inbound setting ---> Deny messages from the following internet addresses/domains:
4. I didn't see any reference to the AV software you have enabled on your server, but most have spam filter capability, although it may be an extra license cost, but it may be a less costly way to help with the spam problem.

Hope this helps
0
