garethtnash asked:
Windows Server 2003 Sending Trojan or Proxy attempted to send mail

Morning Experts,

HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I've come into the office this morning only to receive an email from MXToolBox highlighting that our server has been added to a mail server blacklist. When I investigate this I find that the blacklist is SORBS and the reason is:
"Spam Sending Trojan or Proxy attempted to send mail from/to from=<infoffb03@hosanna.net> to=<matt@paticipating.domain> helo=<[111.111.111.11]>"

Our relay is closed, or Enabled (Authenticated only), so this shouldn't be happening.

How can I stop this?

Thanks
Kruger_monkey:

Does your firewall have a log you can monitor? I've had this in the past, spent ages verifying the server, relay settings etc. and it turned out to be a spam bot on another computer.

If you can monitor your traffic as it goes out, check for anything going to port 25 and track back the IP. Best practice is to restrict outbound port 25 access and allow it only for SMTP-based servers.

I would scan your server and network for potential malware/spyware/viruses etc.
garethtnash (asker):
Thanks Kruger,
Two questions:
How do I restrict outbound port 25 access and allow it only for SMTP-based servers?
Can you recommend any good (low cost) server malware/spyware/virus scanning programs please?

Thank you
Restricting access to port 25 will have to be done on your router/firewall.

You basically set up a port 25 access rule for a specific host (SMTP server) followed by
an outbound port 25 block for everyone. Can't say exactly how to do it as I don't know your setup, hardware etc.

I use Trend Micro SMB, which although not cheap is also not expensive. There are loads of server-based utils out there; low cost is not necessarily the best way to go as some functionality may be lacking.

http://uk.trendmicro.com/uk/products/sb/worry-free-business-security/index.html

NOD32 is another that is widely used
http://www.eset.co.uk/

http://www.kaspersky.co.uk/products
Not sure whether this will help, but this is the header of the spam emails that are being sent (I've changed our server IP address but not theirs),

whereby their IP address appears to be 122.224.72.11
and ours is listed as 111.111.111.11 etc. Is there any way of blocking that IP address from accessing our server?
Thanks

b******@hot*****.com
infoffb03@hosanna.net
0
Not Error Message
Received: From [122.224.72.11] by [111.111.111.11]
   (Matrix SMTP Mail Server v(1.4)) ID=E63E81E2-FE98-4AAD-A5CB-51B6B1B1552E ; Thu, 01 Apr 2010 13:27:41 +0100
Reply-To: <mgevisser1@axigenmail.com>
From: "Mr Mark Gevisser"<infoffb03@hosanna.net>
Subject: Rail Scrap For Sale
Date: Thu, 1 Apr 2010 04:27:35 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-RCPT-TO: <b*******@hot****.com>

Dear Sir/Madam,


Are you running Exchange? You can definitely block that IP, but does the IP stay constant?

You can block that IP on your firewall, just block all inbound activity from that IP address. Similarly, if you are using Exchange you can block that IP from accessing your server.
No, not using Exchange, just the ISP's default mail server...
How do I block the IP using Windows Firewall?

Thank you
You know you said earlier with the mail headers, your IP 111.11.11..... Is this a public external IP, i.e. your ISP's email server IP, or your location's public IP?

Can you give me a better idea of your setup.

You can't really block an IP with Windows Firewall; you would need to look at IPsec or similar.

Has your router not got a firewall? It's on the router's firewall that you will want to block it. What security apps/devices are you running?
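One way to do the IPsec-based block Kruger_monkey mentions on a Windows Server 2003 host, as an added example that is not from this thread. It assumes the netsh ipsec static context is available (it is built into Server 2003), uses the 122.224.72.11 address from the posted Received: header, and the policy, filter list, action and rule names are made up.

```batch
REM Added example (not from the thread): drop all traffic from the spam source
REM with a local IPsec blocking policy. Run in a command prompt on the server.

REM 1. A policy to hold the rule. Nothing is enforced until it is assigned.
netsh ipsec static add policy name="BlockSpamSource" description="Drop traffic from 122.224.72.11"

REM 2. A filter list with one filter: from 122.224.72.11 to this host ("Me"),
REM    any protocol. mirrored=yes also matches the reverse direction.
REM    Further addresses can be added to the same list with more "add filter" lines.
netsh ipsec static add filterlist name="SpamSourceList"
netsh ipsec static add filter filterlist="SpamSourceList" srcaddr=122.224.72.11 dstaddr=Me protocol=ANY mirrored=yes description="IP seen in Received: header"

REM 3. A filter action that blocks instead of negotiating security.
netsh ipsec static add filteraction name="BlockAction" action=block

REM 4. Tie the list and the action together under the policy, then assign it.
netsh ipsec static add rule name="BlockSpamSourceRule" policy="BlockSpamSource" filterlist="SpamSourceList" filteraction="BlockAction"
netsh ipsec static set policy name="BlockSpamSource" assign=y

REM 5. Confirm the policy shows as assigned and the filter is listed.
netsh ipsec static show all

REM To lift the block later:
REM netsh ipsec static set policy name="BlockSpamSource" assign=n
```

As Kruger_monkey points out, this only helps while the source IP stays constant; the posted header shows the spam entering through the server's own SMTP listener, so the relay and authentication configuration still need checking.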
Hi Kruger,
111.111.11.... is the remote IP of our server (which is hosted remotely by an ISP), so sadly I have no idea as to their configuration, but it is our rented dedicated server.
I'm connecting to it via Remote Desktop...
I've just installed the trial version of Kaspersky, which is doing a virus scan, however it looks to me as if 122.224.72.11 are somehow managing to bypass the fact that the relay is closed and periodically send large numbers of emails... 45,000 at a time..
I can't sadly give you much more information than that, unless you can guide me as to what you are looking for?
Thanks for your help so far..
Ah, in that case, based on your setup, I think you need to take this up with your ISP as the problem lies in their configuration somewhere; if you are using their email and services it is either their email or services that has a problem.

Also your ISP should be able to monitor this problem in much more detail than you can.
Would be nice, but their take is very much that it's a dedicated server which is self-managed and therefore not their problem...
Quote
"Due to the self managed nature of your dedicated server, the security and management of the server is your responsibility and as such it is up to you to rectify the issue if your server has indeed been compromised.

You can either rebuild your server, automatically fixing any software vulnerabilities present, or we can block port 25 on your server, which would effectively block all e-mail traffic leaving your server"
Really helpful.
Ah right. In that case what are you running on the box in terms of security-related software? Firewalls, AV, AS etc.?
Windows Firewall, and now Kaspersky Labs - no viruses found. It looks as if the attacks may be (from the little knowledge I have) HTTP tunneling??? Could that be the case...
Slowly pulling my hair out...
 
:-(
ASKER CERTIFIED SOLUTION by Kruger_monkey

Thanks Kruger