Solved

Help! Sending spam from network!

Posted on 2007-10-13
Medium Priority
5,565 Views
Last Modified: 2013-12-09
I have a client who continues to get blacklisted. Their ISP is getting complaints that spam is originating from their IP. I have scanned all computers on the network and the server with multiple AV and spyware scanners to no avail. I have followed all suggestions in the excellent article at http://www.amset.info/exchange/spam-cleanup.asp by Sembee. There is nothing in the queues when I delay delivery. The only thing I am seeing is firewall logs that tell me there is outgoing TCP traffic from the internal IP of my server on random ports to WAN IPs on port 80. Is it possible this spam is coming from my server to port 80? If so, how do I find what is doing it and how do I stop it?
Question by:nextdigital
8 Comments
LVL 104

Expert Comment

by:Sembee
ID: 20072565
Do you send email out via a smart host? If so then you will not see the messages in the queues. You will have to turn that off to see if the server is being abused. The most common reason though is a workstation is being abused and blocking port 25 on the firewall will show which client that is.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
LVL 5

Expert Comment

by:tkfast
ID: 20072843
I know this is crazy, but it is common for ISPs to not read the headers of a message right. First, have the ISP send you the headers of one of the messages they are having problems with; this will give us some more info on timestamps and other valuable info that we can use to track it down. Please post the headers, or look them over and see if it is actually an IP of one of your locations, before you stress yourself out. We can find it; it just takes a little info first.

Author Comment

by:nextdigital
ID: 20079431
Thanks for the suggestions guys. The email is not coming out of port 25. It's definitely coming from the server and destined for port 80. The headers from the ISP show my WAN IP and Reverse DNS entry.
LVL 5

Expert Comment

by:tkfast
ID: 20079515
You might stop IIS and see if it continues. IIS is known for not problems; make sure you update your system...
LVL 104

Expert Comment

by:Sembee
ID: 20080885
If the traffic is going to port 80 then that would tend to indicate the machine has been compromised. If you have port 80 open to the internet then that was probably the start of the problem.
As already suggested, stop IIS and see if something is still responding on port 80, but I am afraid that the only sure-fire way to remove any compromise is to wipe the system. Updating the server, scanning for viruses etc. is useless - like changing the locks after the thief is inside. You have to wipe the machine to get rid of it.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.

Author Comment

by:nextdigital
ID: 20086062
On further examination, the traffic coming from the server on port 80 was legitimate. However it appears that there is a computer on the network that is sending traffic from a random port to WAN IPs on port 110. There should be no POP whatsoever on the network. Could this be my spammer?
LVL 104

Expert Comment

by:Sembee
ID: 20086761
Port 110 is the POP3 server port, so that could be something looking for a POP3 server to attack. It wouldn't be sending the messages out. The only way that messages go out and get delivered is on port 25, as that is what SMTP uses.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
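Sembee's earlier suggestion (block port 25 at the firewall and watch which client keeps hitting it) and the exchange just above about the port 110 traffic both come down to reading the firewall log per internal host. The script below is an added example, not code from the thread or from any of the posters: it parses constructed firewall log lines in a generic `src:port -> dst:port` layout (adjust `LINE_RE` to the real firewall's export), groups outbound TCP connections by internal source and destination port, and flags any host other than the assumed mail server (`MAIL_SERVER`, an assumed address) that talks to port 25, plus anything at all talking to port 110, since the thread states there should be no POP3 on this network. The addresses, timestamps and the log format are all constructed.

```python
"""Added example (not from the thread): find the internal host that is speaking
SMTP or POP3 directly to the internet, from firewall log lines."""
import re
from collections import defaultdict

# Constructed sample log. Fields: date time action proto src:port -> dst:port.
# The last line is deliberately malformed to show that it is skipped.
SAMPLE_LOG = """\
2007-10-13 09:01:02 ALLOW TCP 192.168.1.5:2045 -> 203.0.113.10:80
2007-10-13 09:01:03 ALLOW TCP 192.168.1.5:2046 -> 203.0.113.11:80
2007-10-13 09:01:05 ALLOW TCP 192.168.1.5:2047 -> 198.51.100.20:25
2007-10-13 09:01:06 ALLOW TCP 192.168.1.37:1080 -> 198.51.100.40:25
2007-10-13 09:01:06 ALLOW TCP 192.168.1.37:1081 -> 198.51.100.41:25
2007-10-13 09:01:07 ALLOW TCP 192.168.1.37:1082 -> 198.51.100.42:25
2007-10-13 09:01:08 ALLOW TCP 192.168.1.37:1083 -> 198.51.100.43:110
2007-10-13 09:01:09 ALLOW TCP 192.168.1.37:1084 -> 198.51.100.44:110
2007-10-13 09:01:10 ALLOW TCP 192.168.1.22:3301 -> 203.0.113.12:443
2007-10-13 09:01:11 DROP ICMP 192.168.1.9 -> 203.0.113.1
"""

LINE_RE = re.compile(
    r"(\S+ \S+) (\w+) (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)"
)

# Assumption: the internal address of the Exchange server, the only host that
# should ever open outbound port 25 connections.
MAIL_SERVER = "192.168.1.5"


def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port) for every well-formed TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "TCP":
            continue
        yield m.group(4), m.group(6), int(m.group(7))


def summarise(text):
    """Map source host -> destination port -> set of distinct destination IPs.

    Distinct destinations matter more than raw counts: a spam bot fans out to
    many different mail servers, a legitimate client talks to a few."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_log(text):
        seen[src][dport].add(dst)
    return seen


def suspects(text, mail_server=MAIL_SERVER):
    """Return {host: [reasons]} for hosts that should not be talking SMTP/POP3 out."""
    flagged = {}
    for src, ports in summarise(text).items():
        reasons = []
        if 25 in ports and src != mail_server:
            reasons.append(f"SMTP to {len(ports[25])} distinct host(s) on port 25")
        if 110 in ports:
            reasons.append(f"POP3 to {len(ports[110])} distinct host(s) on port 110")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for host, why in suspects(SAMPLE_LOG).items():
        print(f"{host}: " + "; ".join(why))
```

With the constructed log the mail server's own port 25 and port 80 traffic is left alone and only 192.168.1.37 is reported, for fanning out to three SMTP hosts and two POP3 hosts. Once the firewall rule Sembee describes is in place, the same grouping applied to the DROP lines shows the blocked client directly.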
LVL 32

Accepted Solution

by:r-k (earned 2000 total points)
ID: 20206182
Type "netstat -ab" on your server to see what connections are open, and by which program. Do the same on any other suspect PC.
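To act on the accepted answer without reading `netstat -ab` output by eye, here is an added Python example, not code from the thread or from r-k: it parses the layout that `netstat -ab` prints on Windows, where each connection line is followed by the owning executable in square brackets (with service component names sometimes on their own lines in between), and reports which program owns every connection to a remote port 25 or 110 that is not on an allow-list, plus which programs are listening on a given local port, which is the check Sembee described for port 80 once IIS is stopped. The sample output, the process names in it and the `EXPECTED` allow-list are constructed assumptions; on Exchange 2000/2003 the SMTP service runs inside inetinfo.exe, which is why that name is allowed for port 25 here.

```python
"""Added example (not from the thread): parse `netstat -ab` output and flag
connections whose owning program is unexpected for the port involved."""
import re

# Constructed sample in the layout `netstat -ab` prints on Windows. The process
# names are invented for the example; `spoolsrv.exe` stands in for whatever
# unknown program turns out to own the suspicious connections.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
 [inetinfo.exe]
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 [inetinfo.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.5:1433       192.168.1.5:3920       ESTABLISHED
 [sqlservr.exe]
  TCP    192.168.1.5:3921       198.51.100.40:25       ESTABLISHED
 [inetinfo.exe]
  TCP    192.168.1.5:3922       198.51.100.41:25       SYN_SENT
 [spoolsrv.exe]
  TCP    192.168.1.5:3923       198.51.100.42:110      SYN_SENT
 [spoolsrv.exe]
  UDP    0.0.0.0:500            *:*
 [lsass.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Assumption: programs allowed to own outbound connections to these remote ports.
# Port 25: only the Exchange SMTP service (inetinfo.exe on Exchange 2000/2003).
# Port 110: nothing, because the thread states there is no POP3 on this network.
EXPECTED = {25: {"inetinfo.exe"}, 110: set()}


def _port(value):
    return None if value == "*" else int(value)


def parse_netstat(text):
    """Return one dict per connection: proto, laddr, lport, raddr, rport, state, owner."""
    conns, pending = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if pending is not None:  # previous entry had no owner line at all
                conns.append(pending)
            proto, laddr, lport, raddr, rport, state = m.groups()
            pending = {"proto": proto, "laddr": laddr, "lport": _port(lport),
                       "raddr": raddr, "rport": _port(rport),
                       "state": state or "", "owner": "unknown"}
            continue
        o = OWNER_RE.match(line)
        if o and pending is not None:
            pending["owner"] = o.group(1)
            conns.append(pending)
            pending = None
        # headers, blank lines, service component names and
        # "Can not obtain ownership information" are ignored
    if pending is not None:
        conns.append(pending)
    return conns


def flag_unexpected(conns, expected=EXPECTED):
    """TCP connections to a watched remote port whose owner is not on the allow-list."""
    return [c for c in conns
            if c["proto"] == "TCP" and c["rport"] in expected
            and c["owner"] not in expected[c["rport"]]]


def listeners_on(conns, port):
    """Programs listening on a local TCP port (e.g. 80, after IIS has been stopped)."""
    return sorted({c["owner"] for c in conns
                   if c["proto"] == "TCP" and c["lport"] == port
                   and c["state"] == "LISTENING"})


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for c in flag_unexpected(parsed):
        print(f"{c['owner']} -> {c['raddr']}:{c['rport']} ({c['state']})")
    print("listening on 80:", listeners_on(parsed, 80))
```

In practice, save the output first (`netstat -ab > netstat.txt`), since a compromised process may come and go; run this over the file, then repeat on each workstation you suspect, as the accepted answer says. A program you do not recognise owning port 25 or 110 connections is the machine to take off the network.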