Asked by Starr Duskk

Mail Server Being Hammered

We have kind of a 2-part problem.

Our Mail Server is being hammered. We have a hardware and software firewall. The Merak Mail server is set up Closed Relay and all the Security settings are very tight. The boxes are checked to pretty much close everything off.

Closed Relay
Pop before SMTP 5 mins. (tried with this off, with no improvement)
reject if originator's domain is local and not authenticated
use dnsbl to spamcop and the checkboxes on that screen
intrusion prevention: all are checked
advanced: top 3 are checked and deny telnet access checked
So you see it is tightly locked up in the mailserver.
We have our other network IPs added to the bypass IP list so we can get through.

In our Traffic Chart, for SMTP Connections for 1 day, we are getting over 260,000 total, Peak 3286, and Average: 908. Yesterday the total was 125,242, so you can see it has doubled in 24 hours and is growing as I type.

We can't survive under that kind of hitting. The mail is of course not going out, as it is all set up for authentication, but nonetheless it is hitting us with the connections and trying to go out.

We only have 24 accounts using the mail server. The spamming is not coming from our users because we are our users. We don't have users. We also checked each of our 5 computers for viruses to make sure there were no bots using our computers to spam, and there are no viruses.

I checked some of the IPs in the sessions and they are from China, Switzerland, Russia and various countries that are notorious for spamming and hacking; not our machines (as one tech charged us $95 to tell us it was due to spam bots on our PCs, which it is not, sigh.)

Part 2:

Also, in conjunction with this problem, aside from it slowing down our webserver (which is on the same box) and our websites are very slow with all the hits (about 15-30 secs to load a page that was instantaneous), now we also noticed this afternoon that we can no longer receive our own mails from our Outlook. It gives an error that it can't connect to our POP3 email server.

We're suspecting that the hits on our server are so great that it just can't handle our POP3/SMTP connections via Outlook and so gives up and commits suicide. I checked the mail in the mailboxes on the mail server and they are all small and only a handful there (I know sometimes you can hang up your mail server by a really huge file sitting there trying to download, but this is not the case).

We also shut down both firewalls and all the security on the mail server and still could not get the mail to work in checking mail in Outlook (on 5 computers and with reboots on them and the server).

We are using Merak Mail 9.1.1, IIS 6, Windows 2000 web server. We use Xywall hardware firewall and Black Ice Software firewall. It has been a very robust website up until this last week when we started getting all these hits.

Is there something we can do in our mail server or firewalls to block this traffic? We have looked into using port 587 instead of port 25 (as this $95 tech told us), but after reading up on it, it would appear that we might add more problems by being unable to receive SMTP mail from our mail servers. And since we use authentication, that shouldn't be an issue. Maybe.

Any suggestions?

Please help.
manu4u replied (this solution is only available to Experts Exchange members).

Starr Duskk replied:

Our PCs are not on the same network as our webserver. They are totally separate.

Also, we already shut down our PCs one at a time and then left them off for several hours to see if one of them had a bot that was spamming. This was not an issue. We did a virus check on all PCs as well to see if there were any bots or viruses. None.

>>If you are 100% sure that it is not from your LAN, then you should try blocking those Suspected IPs in your FIREWALL, so that those won't reach your Email Server.

Yes, I am 100% sure it is not from my PCs. All have been shut off with no let up on the hits.

Are you saying "suspected IPs" based on what I ascertained from using Ethereal sniffer to figure out an IP that is hitting constantly, nonstop?

I do note a constant session activity in the mailserver, and those sessions are from many other countries. And I've blocked hundreds of those, but hundreds more keep coming.

I can check out Ethereal as well and see what it can do for me in searching for answers.

>>If you don't have a Front-End scenario or SPAM filter, then you should think of adding OPEN RELAY DATABASES or DNS BLACK LISTS ... So that you don't need to worry about adding 100s of IPs ... etc site might help you ...

Yes, we do have DNSBL turned on, as mentioned in my original post.

I'll give it a shot. But I need help with it. There's another open question if you can help with it.
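
Added example, not part of the original thread or any poster's code: the thread describes blocking hundreds of individual IPs while hundreds more keep arriving, so this sketch groups SMTP connection records by source network and reports each network's peak connections per minute, skipping bypass-listed addresses. The log line format, the sample data, the /24 grouping and the threshold are assumptions made for illustration; Merak's actual log layout is not shown on this page.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; assumed line format "ISO-timestamp source-IP ...".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 SMTP connect
2024-01-01T10:00:05 203.0.113.8 SMTP connect
2024-01-01T10:00:09 203.0.113.7 SMTP connect
2024-01-01T10:00:15 203.0.113.9 SMTP connect
2024-01-01T10:00:20 203.0.113.8 SMTP connect
2024-01-01T10:00:40 203.0.113.9 SMTP connect
2024-01-01T10:00:30 198.51.100.20 SMTP connect
2024-01-01T10:30:00 198.51.100.20 SMTP connect
2024-01-01T10:00:02 192.0.2.10 SMTP connect
garbage line
"""

def parse(lines):
    """Yield (timestamp, ip) for well-formed lines; skip malformed ones."""
    for line in lines:
        parts = line.split()
        try:
            yield datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
        except (IndexError, ValueError):
            continue

def peak_rate(times, window):
    """Largest number of events inside any sliding window of that length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(lines, bypass=(), prefix=24, window=timedelta(seconds=60), threshold=5):
    """Return ({network: peak connections per window}, distinct source count)."""
    trusted = [ipaddress.ip_network(n) for n in bypass]
    per_net, sources = defaultdict(list), set()
    for ts, ip in parse(lines):
        if any(ip in n for n in trusted):
            continue  # like the mail server's bypass IP list
        sources.add(ip)
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        per_net[str(net)].append(ts)
    peaks = {n: peak_rate(t, window) for n, t in per_net.items()}
    return {n: r for n, r in peaks.items() if r >= threshold}, len(sources)
```

Comparing the number of flagged networks with the distinct source count shows whether the load is concentrated in a few ranges that a firewall rule can cover or spread thinly across many unrelated addresses.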