Solved

has my mail-server been hijacked as a spam relay?

Posted on 2008-06-24
1,094 Views
Last Modified: 2013-12-04
I have a pretty worrying problem with an SBS 2003 mail server I am maintaining. I did not set it up originally and whilst I am getting to grips with the technology I am still a relative newcomer to Exchange. It sends and receives mail using SMTP.

I recently set up a couple of POP3 accounts locally on a machine on the network; they initially worked fine, but it appears their arrival may have highlighted a more serious underlying problem. Whilst the main mail server continues to work fine, these local POP3 accounts recently stopped sending. Investigation revealed that the static IP address was being blocked by one of the Spamhaus registers; this is the message I receive:

xxx.xxx.xxx.xxx is listed in the XBL, because it appears in:
"      CBL
followed by:

ATTENTION: This IP is infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating in a botnet.
This is the Cutwail BOT
You need to patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.
If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

Furthermore, at least two of the client machines have reported an unusually high volume of spam, with a lot of the spam email subjects containing details of emails they have sent out (client names / order numbers etc.) interspersed with the usual spam content. This concerned me greatly but I don't know what it is attributable to.

I've scanned the server for Trojans using Spyware Doctor, plus all the antivirus appears to be up to date. I've also had a look in msconfig to see if any suspicious-looking programs have appeared and there is no change there. I've also checked those two clients for keyloggers etc. and made sure everyone else's antivirus is up to date.

My question is: how can I tell where the problem is (on the server or on one of the clients), and how can I remove it? Also, how are the spam email subjects incorporating specific details of emails sent from client computers?

Many thanks in advance guys...
Question by:bowen2007
13 Comments
 
LVL 19

Expert Comment

by:bevhost
ID: 21853190
Do you have a lot of emails queued in your outbound queue?
Go into Servers -> YOURSERVER -> Queues.
 
LVL 6

Accepted Solution

by:
ilantz earned 500 total points
ID: 21853233
Well, for a start make sure the whole LAN/server segment is not allowed to use port 25 to the world, except for your SBS server. That will rule out any client spamming...
You could try to track down some network activity too.

As for making sure that your server is configured correctly to not allow unauthenticated relay, follow this article:
http://support.microsoft.com/?kbid=324958

All the best.
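The second suggestion above, tracking down the network activity, is what tells you which box is doing the sending once the gateway blocks outbound port 25 for everything except the mail server: the firewall or NAT connection log shows who keeps trying. The following is an added example and not code from this thread or from anyone in it. It assumes a generic "timestamp action proto src -> dst" log layout, an internal mail server at 192.168.1.2, and uses constructed log lines with documentation address ranges.

```python
"""Added example, not code from this thread: pick out LAN hosts other than
the authorised mail server that open outbound TCP/25 connections, by
reading a firewall/NAT connection log. The log format, the addresses and
MAIL_SERVER are assumptions made for illustration; the log lines are
constructed."""
import re
from collections import Counter

# Assumed address of the SBS/Exchange box: the only host that should talk
# SMTP to the Internet once the gateway blocks port 25 for everyone else.
MAIL_SERVER = "192.168.1.2"

# Constructed sample in a generic "timestamp action proto src -> dst" layout.
SAMPLE_LOG = """\
2008-06-24 09:01:12 ACCEPT TCP 192.168.1.2:1044 -> 203.0.113.27:25
2008-06-24 09:01:13 ACCEPT TCP 192.168.1.57:3312 -> 198.51.100.27:25
2008-06-24 09:01:13 ACCEPT TCP 192.168.1.57:3313 -> 198.51.100.161:25
2008-06-24 09:01:14 ACCEPT TCP 192.168.1.57:3314 -> 203.0.113.72:25
2008-06-24 09:01:15 ACCEPT TCP 192.168.1.23:2201 -> 203.0.113.99:80
2008-06-24 09:01:16 ACCEPT TCP 192.168.1.2:1045 -> 198.51.100.15:25
2008-06-24 09:01:17 ACCEPT TCP 192.168.1.57:3315 -> 203.0.113.51:25
2008-06-24 09:01:18 ACCEPT TCP 192.168.1.23:2202 -> 192.168.1.2:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_private(ip):
    """RFC 1918 test, so clients submitting mail to the internal Exchange
    server on port 25 are not mistaken for spambots."""
    if ip.startswith("10.") or ip.startswith("192.168."):
        return True
    return ip.startswith("172.") and 16 <= int(ip.split(".")[1]) <= 31


def outbound_smtp(log_text):
    """Return {src_ip: (connection count, set of Internet hosts contacted on 25)}."""
    conns = Counter()
    targets = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") != "TCP" or m.group("dport") != "25":
            continue
        if is_private(m.group("dst")):
            continue
        conns[m.group("src")] += 1
        targets.setdefault(m.group("src"), set()).add(m.group("dst"))
    return {ip: (conns[ip], targets[ip]) for ip in conns}


def unauthorised_senders(log_text, mail_server=MAIL_SERVER):
    """Hosts other than the mail server that spoke SMTP to the Internet,
    busiest first. A spambot typically fans out to many distinct MX hosts."""
    stats = outbound_smtp(log_text)
    rows = [(ip, n, len(dsts)) for ip, (n, dsts) in stats.items() if ip != mail_server]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, n, distinct in unauthorised_senders(SAMPLE_LOG):
        print("%s: %d outbound SMTP connections to %d hosts - isolate and scan it"
              % (ip, n, distinct))
```

Run it over the real gateway log (after adjusting LINE_RE to that device's format) and any workstation that appears in the output is the one to pull off the network. If the log only shows the mail server's address, the NAT is hiding the true source and you need per-host logging on the inside interface.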
 

Author Comment

by:bowen2007
ID: 22064410
Hi guys - sincere apologies for leaving this open for so long - I've been reading up on the articles and having a play around but I'm not really making much headway. I've been stalling because I don't want to mess with the setup too much in case they lose their emails altogether. This is what I've ascertained so far:

* I've pretty much ruled out all the clients. All the antivirus was properly updated plus I've run virus / spyware tests on each of them independently and there does not seem to be anything of any note there. Also the IP address got relisted over the weekend when all the workstations were switched off.

* I've checked the queues and there were about 20 queues coming from the default smtp server and they did all look rather spurious (bonkers4bingo.com, brainyquote.com, blazingwheels.com to name a few). I've frozen them for now - was that the right thing to do?

* I've followed the instructions in the Microsoft document to test if the mail server is acting as an open relay. Unfortunately I only get as far as "set local_echo" and "open (external ip address) 25". At this point I get the error message "could not open connection to host on port 25. Connection failed." I don't know where to go from here as this message does not appear in either the webcast or the article.

What should I try next guys? I am a little bit edgy as I did not originally set up this installation and whilst I have set up Exchange Server a few times I am new to the inner workings and don't have that much experience troubleshooting it.

Any further feedback would be greatly appreciated.

Cheers.


 
LVL 6

Expert Comment

by:ilantz
ID: 22067973
Microsoft suggests that you try to emulate a session to your server to see if relay is allowed from your server..
There are some tools on the net you can try running..
http://www.abuse.net/relay.html
http://www.spamhelp.org/shopenrelay/
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

These are automatic, but using telnet will allow you to "figure" it out better :)
Anyway, you should make sure your connector is configured correctly to the Internet,
and that your SMTP virtual server is configured to allow relay "only to the list below",
and remove the "allow all users that are able to authenticate to relay"...

These are mostly the common ones.
Make sure that in your email recipient policy you check all the email domains you are receiving mail from.

And if all hope is lost... you should try to detect any rootkits on the server or so; if not :( format it ...
Fastest way to go actually.

Good luck
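The telnet session the KB article describes, written out as an added Python example (not code from this thread or from Microsoft) so the whole exchange is visible: greeting, HELO, MAIL FROM with an outside sender, then RCPT TO for a domain the server does not host. A locked-down Exchange answers the RCPT with a 5xx "Unable to relay"; an open relay answers 250. The host names and addresses are made up, and FakeSmtpServer is a constructed stand-in for a socket so the exchange can be exercised offline. One caveat that explains the "could not open connection" result reported above: run this from a host outside the LAN (the web tools do exactly that), because many NAT gateways will not loop a connection to their own public address back in from the inside.

```python
"""Added example, not code from this thread: the KB 324958 relay test driven
from Python instead of a telnet session. It sends HELO, MAIL FROM and RCPT TO
for a recipient domain the server is not responsible for; a locked-down server
rejects the RCPT with a 5xx ("Unable to relay"), an open relay answers 250.
Host names and addresses are made up; FakeSmtpServer is a constructed
stand-in for a socket so the exchange can be exercised offline."""
import socket


class SmtpSession:
    """Tiny SMTP client over anything exposing recv()/sendall()."""

    def __init__(self, conn):
        self.conn = conn
        self.buf = b""
        self.transcript = []          # "C: ..." / "S: ..." lines, like a telnet log

    def _readline(self):
        while b"\r\n" not in self.buf:
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection")
            self.buf += chunk
        line, self.buf = self.buf.split(b"\r\n", 1)
        return line.decode("ascii", "replace")

    def read_reply(self):
        """Read one reply, joining "250-..." continuation lines; return (code, lines)."""
        lines = []
        while True:
            line = self._readline()
            self.transcript.append("S: " + line)
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # "250 text" (or bare "250") ends the reply
                return int(line[:3]), lines

    def command(self, text):
        self.transcript.append("C: " + text)
        self.conn.sendall((text + "\r\n").encode("ascii"))
        return self.read_reply()


def relay_test(conn, helo_name="probe.example.net",
               mail_from="probe@example.net", rcpt_to="victim@example.org"):
    """Return (is_open_relay, transcript). Both mail_from and rcpt_to are
    outside the server's own domains, which is exactly what a spammer sends."""
    s = SmtpSession(conn)
    code, _ = s.read_reply()                       # 220 greeting
    if code != 220:
        raise RuntimeError("unexpected greeting code %d" % code)
    for cmd in ("HELO " + helo_name, "MAIL FROM:<%s>" % mail_from):
        code, lines = s.command(cmd)
        if code != 250:
            raise RuntimeError("%s refused: %s" % (cmd, lines[-1]))
    code, _ = s.command("RCPT TO:<%s>" % rcpt_to)
    try:
        s.command("QUIT")
    except (ConnectionError, ValueError):
        pass                                       # some servers just drop the line
    return code == 250, s.transcript


def probe_host(host, port=25, timeout=10):
    """Run the test against a real server; do this from OUTSIDE the LAN."""
    with socket.create_connection((host, port), timeout) as conn:
        return relay_test(conn)


class FakeSmtpServer:
    """Constructed socket stand-in with scripted replies; rcpt_reply decides
    whether it behaves as an open relay (250) or a locked-down one (550)."""

    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply
        self.pending = b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"

    def sendall(self, data):
        verb = data.decode("ascii").strip().split(":")[0].split(" ")[0].upper()
        replies = {
            "HELO": b"250 mail.example.com Hello [203.0.113.7]\r\n",
            "MAIL": b"250 2.1.0 probe@example.net....Sender OK\r\n",
            "RCPT": self.rcpt_reply,
            "QUIT": b"221 2.0.0 mail.example.com Service closing transmission channel\r\n",
        }
        self.pending += replies.get(verb, b"500 5.5.1 Command unrecognized\r\n")

    def recv(self, n):
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


if __name__ == "__main__":
    for label, reply in (("locked down", b"550 5.7.1 Unable to relay for victim@example.org\r\n"),
                         ("open relay", b"250 2.1.5 victim@example.org\r\n")):
        is_open, log = relay_test(FakeSmtpServer(reply))
        print("%s -> open relay: %s" % (label, is_open))
        print("\n".join(log))
```

Note that a 250 here proves the server is an open relay, but a 550 does not prove it is clean: it only shows anonymous relay is refused from this source address. Relay granted to authenticated users, or to the address ranges in the "only the list below" list, needs to be checked separately, which is why the configuration questions in the comments above matter even after this test passes.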
 

Author Comment

by:bowen2007
ID: 22125591
Hi ilantz,

Many thanks for the further feedback. Been onsite with the server today and I've examined the configuration in accordance with your most recent post and the Msoft article you recommended before.

* The SMTP virtual server IS configured to allow relay only to the list below.
* Allow all computers which successfully authenticate to relay, regardless of the list above IS selected (consistent with the Msoft article recommendations) - are you saying that I should definitely uncheck this?

* Under the SmallBusiness SMTP properties everything is in order apart from "allow messages to be relayed to these domains" is checked - contrary to the Msoft article. What would be the implications of unchecking this?

Once I've ironed out these configuration questions I'm going to run those utilites you've suggested.

What would you recommend to use to scan for rootkits - I've already used Spyware Doctor (I've found that very effective on workstations but I'm not sure how suited it is to this particular scenario).

Many thanks again for your continued interest...
 
LVL 6

Expert Comment

by:ilantz
ID: 22127301
* Under the SmallBusiness SMTP properties everything is in order apart from "allow messages to be relayed to these domains" is checked - contrary to the Msoft article. What would be the implications of unchecking this? <<< this is your issue.

* Allow all computers which successfully authenticate to relay, regardless of the list above IS selected (consistent with the Msoft article recommendations) - are you saying that I should definitely uncheck this? - This could be unchecked; I preferred it like that, so no one that is not explicitly allowed will be able to relay (even with auth).

Rootkits ;) best utility is format c: /q
if you have doubts ... but that's to be super safe.

I'd go with every util there is, but as you'd like :)

Good luck !
 

Author Comment

by:bowen2007
ID: 22127509
:) thanks for the feedback again mate,

Right so first off I'm going to uncheck "allow messages to be relayed to these domains". Then freeze all the dodgy queues, then remove myself from the spamhaus registers.

Should it need a reboot?

Cheers...
 
LVL 6

Expert Comment

by:ilantz
ID: 22158377
No, you didn't need a reboot..
Any luck ?

Queues looking normal ?
I'd advise you to set up some connection filtering using the IMF of Exchange.. (hope you're running SP2 of Exchange 2003), check out this great real-time block list & how-to-install info:

http://www.spamcop.net/fom-serve/cache/345.html (match the filter to apply only to 127.0.0.2)
Also block all who are not in the directory, etc...

Spam control can only be as good as you'd like to "handle" it btw :)
Just a perspective..

Good luck !
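What the IMF connection filter actually does with a block list is a DNS lookup: reverse the octets of the connecting IP, append the zone, and read the 127.x.x.x answer, matching only on the return code the list documents (hence "apply only to 127.0.0.2" for SpamCop). The code below is an added example, not from this thread or from Microsoft, and is also how you would check whether your own address is still on the XBL after cleaning up. The resolver is injectable so the logic runs offline against a constructed answer table; the code meanings are taken from the lists' published documentation and should be confirmed against the current docs before being relied on. The addresses used are documentation ranges, not real listings.

```python
"""Added example, not from the thread: query an IP against DNS blocklists the
way the IMF connection filter does (reverse the octets, append the zone, read
the 127.x answer). The resolver is injectable so the logic can be checked
offline with a constructed answer table; the code meanings come from the
lists' published documentation and should be confirmed against the current
docs. Addresses below are documentation ranges, not real listings."""
import socket

# Per-zone meaning of the A record returned for a listed IP.
ZONE_CODES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: direct spam source",
        "127.0.0.3": "SBL CSS: snowshoe/low-reputation sender",
        "127.0.0.4": "XBL: compromised host (CBL data)",
        "127.0.0.5": "XBL: compromised host",
        "127.0.0.6": "XBL: compromised host",
        "127.0.0.7": "XBL: compromised host",
        "127.0.0.9": "SBL: DROP/EDROP range",
        "127.0.0.10": "PBL: ISP dynamic/end-user range",
        "127.0.0.11": "PBL: Spamhaus-maintained range",
    },
    # SpamCop returns a single code; the advice above is to act only on it.
    "bl.spamcop.net": {"127.0.0.2": "SpamCop: reported spam source"},
}


def dnsbl_query_name(ip, zone):
    """203.0.113.5 in zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def live_resolver(name):
    """Real lookup: NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone, resolve=live_resolver):
    """Return None if unlisted, else a description of the listing."""
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        return None
    if answer.startswith("127.255."):
        # Spamhaus uses 127.255.255.x to signal errors such as queries via a
        # public resolver or over the free-usage limit: not a listing.
        raise RuntimeError("%s returned error code %s for %s" % (zone, answer, name))
    if not answer.startswith("127."):
        raise RuntimeError("unexpected non-loopback answer %s for %s" % (answer, name))
    return ZONE_CODES.get(zone, {}).get(answer, "listed, unknown code %s" % answer)


def check_all(ip, zones=tuple(ZONE_CODES), resolve=live_resolver):
    """{zone: description} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        result = check_dnsbl(ip, zone, resolve)
        if result is not None:
            hits[zone] = result
    return hits


# Constructed answer table standing in for DNS: 203.0.113.5 plays the
# "infected" address from the question, 198.51.100.9 is clean.
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
}.get

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9"):
        print(ip, check_all(ip, resolve=FAKE_DNS) or "not listed")
```

Two practical points when wiring this into a filter: treat an error code as "unknown", never as "listed", or a resolver problem will bounce all inbound mail; and run the lookup through the server's own DNS rather than a public resolver, since Spamhaus refuses queries arriving via large open resolvers.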
 

Author Comment

by:bowen2007
ID: 22176536
Hi there ilantz - thanks again for staying on board!

I did give it a quick reboot just to be on the safe side. Unfortunately it is not running SP2. I didn't do the original installation and there are a few issues with it - I'm not completely confident in the Trend Micro antivirus and there is very little space left on the system partition. Problem is they absolutely rely on their emails so if I update and the whole thing falls over it's going to come right back on me. It's a tricky situation, to be fair - deep down I know they need a rebuild but it's a case of convincing them that all the disruption is necessary.

I think I may have had a breakthrough - It seemed like the change you suggested had sorted it to begin with - I removed the IP address from the XBL blacklist, froze all the dodgy looking queues and we did not hear anything from the ISP for a day. The next thing I knew I got a panicked call from my customer saying the internet connection had been chopped by their ISP.

In desperation I removed the trend virus from the clients (even though it was all up to date) and tried AVG (which I believed to be more comprehensive - checking for rootkits etc too). It found a trojan.spambot on one of the workstations - I immediately isolated it from the network and got the ISP to restore the internet connection. It has been fine ever since and we have not been relisted on any of the spam registers. I was so convinced that it was something to do with the way the mail server had been originally configured that I underestimated the risks posed by the clients themselves.

With all this in mind, what server / client antivirus solution would you recommend?

Cheers again...
 
LVL 6

Expert Comment

by:ilantz
ID: 22185589
No problem. I'd still go with installing SP2..
If you need to resize partitions just use GParted and be happy :)

As for antivirus, Trend Micro or Forefront (Antigen for 2003)..

Good job!
 

Author Comment

by:bowen2007
ID: 22228533
Hi there,

I've left it a full week and there has been no recurrence since I isolated that one PC from the network. After all that it was a single client PC spamming (with a trojan.spambot).

Many thanks for all the great advice...
 

Author Closing Comment

by:bowen2007
ID: 31470056
Many thanks for your help ilantz,

You were right on the money with port 25 on the clients - I was convinced it was something wrong with the server because I hadn't originally set it up!

I'll know in future - you take care mate...
 
LVL 6

Expert Comment

by:ilantz
ID: 22229047
glad to assist !

I've opened my own blog now:
http://ilantz.wordpress.com

tune in ;)
