has my mail-server been hijacked as a spam relay?
Posted on 2008-06-24
I have a pretty worrying problem with an SBS 2003 mail server I am maintaining. I did not set it up originally and, whilst I am getting to grips with the technology, I am still a relative newcomer to Exchange. It sends and receives mail using SMTP.
I recently set up a couple of POP3 accounts locally on a machine on the network. They initially worked fine, but it appears their arrival may have highlighted a more serious underlying problem. Whilst the main mail server continues to work fine, these local POP3 accounts recently stopped sending. Investigation revealed that the static IP address was being blocked by one of the Spamhaus registers; this is the message I receive:
xxx.xxx.xxx.xxx is listed in the XBL, because it appears in:
ATTENTION: This IP is infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating in a botnet.
This is the Cutwail BOT
You need to patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.
If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.
Furthermore, at least two of the client machines have reported an unusually high volume of spam, with a lot of the spam email subjects containing details of emails they have sent out (client names / order numbers etc.) interspersed with the usual spam content. This concerned me greatly, but I don't know what it is attributable to.
I've scanned the server for Trojans using Spyware Doctor, plus all the antivirus appears to be up to date. I've also had a look in msconfig to see if any suspicious-looking programs have appeared, and there is no change there. I've also checked those two clients for keyloggers etc. and made sure everyone else's antivirus is up to date.
My question is: how can I tell where the problem is (on the server or one of the clients), and how can I remove it? Also, how are the spam email subjects incorporating specific details of emails sent from client computers?
Many thanks in advance guys...
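Since the question is which internal machine is generating the outbound SMTP traffic that got the IP listed, one defender-side check is to review the NAT gateway's outbound connection log and flag every internal host other than the real mail server that opens TCP port 25 connections to the Internet. The following Python script is an added example, not code from the original post; it assumes a constructed, simplified firewall log format and an assumed mail-server address of 192.168.1.2.

```python
import re
from collections import defaultdict

# Simplified firewall log format (constructed for this example; adapt the regex
# to whatever your NAT gateway/firewall actually writes).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Assumed address of the legitimate SBS/Exchange server; only this host should
# be opening outbound SMTP connections to the Internet.
MAIL_SERVER = "192.168.1.2"

def find_rogue_smtp_senders(log_lines, mail_server=MAIL_SERVER):
    """Return {src_ip: {"connections": n, "destinations": m}} for every internal
    host other than the mail server that opened outbound TCP/25 connections.
    Many distinct destinations from a workstation is the classic footprint of a
    spam-sending bot rather than a mail client (which talks to one server)."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m or m.group("dport") != "25":
            continue  # ignore unparsable lines and non-SMTP traffic
        src = m.group("src")
        if src == mail_server:
            continue  # the legitimate relay is allowed to send
        stats[src]["connections"] += 1
        stats[src]["destinations"].add(m.group("dst"))
    return {
        ip: {"connections": s["connections"], "destinations": len(s["destinations"])}
        for ip, s in stats.items()
    }

# Constructed sample: the mail server sends normally, one workstation sprays SMTP
# connections at unrelated hosts, and another only does a POP3 (port 110) fetch.
SAMPLE_LOG = [
    "2008-06-24 09:00:01 ALLOW TCP 192.168.1.2:1025 -> 203.0.113.10:25",
    "2008-06-24 09:00:05 ALLOW TCP 192.168.1.2:1026 -> 198.51.100.7:25",
    "2008-06-24 09:00:07 ALLOW TCP 192.168.1.57:3301 -> 203.0.113.44:25",
    "2008-06-24 09:00:07 ALLOW TCP 192.168.1.57:3302 -> 198.51.100.91:25",
    "2008-06-24 09:00:08 ALLOW TCP 192.168.1.57:3303 -> 192.0.2.200:25",
    "2008-06-24 09:00:08 ALLOW TCP 192.168.1.57:3304 -> 192.0.2.200:25",
    "2008-06-24 09:00:09 ALLOW TCP 192.168.1.20:2010 -> 203.0.113.10:110",
]

if __name__ == "__main__":
    for ip, s in sorted(find_rogue_smtp_senders(SAMPLE_LOG).items()):
        print(f"{ip}: {s['connections']} outbound SMTP connections to {s['destinations']} hosts")
```

Any host this reports is the one to isolate and clean, and a NAT rule that permits outbound port 25 only from the mail server (as the Spamhaus notice recommends) stops the spam leaving the network while you do so.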