Windows Server 2003 Sending Trojan or Proxy attempted to send mail

Morning Experts,

HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I've come into the office this morning only to receive an email from MXToolBox highlighting that our server has been added to a mail server blacklist. When I investigate this I find that the blacklist is SORBS and the reason is:
"Spam Sending Trojan or Proxy attempted to send mail from/to from=<infoffb03@hosanna.net> to=<matt@paticipating.domain> helo=<[111.111.111.11]>"

Our relay is closed, or Enabled (Authenticated only), so this shouldn't be happening.

How can I stop this?

Thanks
garethtnashAsked:
Kruger_monkeyCommented:
I would definitely replace Windows Firewall with a commercial one. ZoneAlarm etc.

Here's a list of a few types:

http://www.all-internet-security.com/top_10_firewall_software.html

It will largely be down to the Windows firewall. You have very limited control over Windows Firewall. Get a commercial one and configure some rules that say only your host IP is allowed to use port 25, and block anything else from using port 25. Restrict the access to your box as far as possible.

Configure your firewall in roughly this manner. Deny ALL traffic in and out. Then start adding rules that permit only the traffic that you need to permit, and restrict them to IP addresses as far as possible.

Here are some best-practice articles.

http://www.symantec.com/connect/forums/sep-firewall-best-practice
http://www.google.co.uk/url?sa=t&source=web&ct=res&cd=3&ved=0CBYQFjAC&url=http%3A%2F%2Fwww.principlelogic.com%2Fdocs%2FFirewall_Best_Practices.pdf&rct=j&q=firewall+best+practices&ei=vge7S5iaF4nu0gTRoK37Bg&usg=AFQjCNH36b1P8uN3AO58t-LIDrQwEcT7wg
0
 
Kruger_monkeyCommented:
Does your firewall have a log you can monitor? I've had this in the past: spent ages verifying the server, relay settings etc. and it turned out to be a spam bot on another computer.

If you can monitor your traffic as it goes out, check for anything going to port 25 and track back the IP. Best practice is to restrict outbound port 25 access and allow it only for SMTP-based servers.

I would scan your server and network for potential malware/spyware/viruses etc.
0
 
garethtnashAuthor Commented:
Thanks Kruger,
Two questions:
How do I restrict outbound port 25 access and allow it only for SMTP-based servers?
Can you recommend any good (low cost) server malware/spyware/virus scanning programs please?
 
Thank you
0
 
Kruger_monkeyCommented:
Restricting access to port 25 will have to be done on your router/firewall.

You basically set up a port 25 access rule for a specific host (SMTP server) followed by
an outbound port 25 block for everyone. Can't say exactly how to do it as I don't know your setup, hardware etc.

I use Trend Micro SMB, which although not cheap is also not expensive. There are loads of server-based utilities out there; low cost is not necessarily the best way to go as some functionality may be lacking.

http://uk.trendmicro.com/uk/products/sb/worry-free-business-security/index.html

NOD32 is another that is widely used:
http://www.eset.co.uk/

http://www.kaspersky.co.uk/products
0
 
garethtnashAuthor Commented:
Not sure whether this will help, but this is the header of the spam emails that are being sent (I've changed our server IP address but not theirs):
 
Their IP address appears to be 122.224.72.11
and ours is listed as 111.111.111.11 etc. Is there any way of blocking that IP address from accessing our server?
Thanks

b******@hot*****.com
infoffb03@hosanna.net
0
Not Error Message
Received: From [122.224.72.11] by [111.111.111.11]
   (Matrix SMTP Mail Server v(1.4)) ID=E63E81E2-FE98-4AAD-A5CB-51B6B1B1552E ; Thu, 01 Apr 2010 13:27:41 +0100
Reply-To: <mgevisser1@axigenmail.com>
From: "Mr Mark Gevisser"<infoffb03@hosanna.net>
Subject: Rail Scrap For Sale
Date: Thu, 1 Apr 2010 04:27:35 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-RCPT-TO: <b*******@hot****.com>

Dear Sir/Madam,


0
 
Kruger_monkeyCommented:
Are you running Exchange? You can definitely block that IP, but does the IP stay constant?

You can block that IP on your firewall: just block all inbound activity from that IP address. Similarly, if you are using Exchange you can block that IP from accessing your server.
0
 
garethtnashAuthor Commented:
No, not using Exchange, just the ISP's default mail server...
How do I block the IP using Windows Firewall?
 
thank you
0
 
Kruger_monkeyCommented:
You know you said earlier, with the mail headers, your IP 111.11.11..... Is this a public external IP, i.e. your ISP's email server IP, or your location's public IP?

Can you give me a better idea of your setup.  

You can't really block an IP with Windows Firewall; you would need to look at IPsec or similar.

Has your router not got a firewall? It's on the router's firewall that you will want to block it. What security apps/devices are you running?
0
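As an added example (not code from the thread or from either poster), the script below does two things the discussion calls for: it counts, per client IP, the `Received: From [client] by [server]` lines the Matrix SMTP server writes (format taken from the header posted above, sample lines constructed here), and it emits the Windows Server 2003 `netsh ipsec static` commands that implement the IPsec block Kruger_monkey mentions. The policy and filter-list names are assumed; run the generated commands by hand after reviewing them.

```python
import re
from collections import Counter

# Constructed sample in the Received: format shown in the posted header.
# 122.224.72.11 / 111.111.111.11 are the addresses quoted in the thread;
# 192.0.2.10 is a documentation address standing in for a normal client.
SAMPLE_RECEIVED = """\
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=A1 ; Thu, 01 Apr 2010 13:27:41 +0100
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=A2 ; Thu, 01 Apr 2010 13:27:42 +0100
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=A3 ; Thu, 01 Apr 2010 13:27:42 +0100
Received: From [192.0.2.10] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=B1 ; Thu, 01 Apr 2010 13:30:00 +0100
"""

# Only the hop our own server recorded matters: the client that handed it the message.
RECEIVED_RE = re.compile(
    r"^Received: From \[(?P<src>[\d.]+)\] by \[(?P<dst>[\d.]+)\]", re.MULTILINE
)


def count_sources(text):
    """Messages accepted per client IP, from a dump of Received: lines."""
    return Counter(m.group("src") for m in RECEIVED_RE.finditer(text))


def abusive_sources(text, threshold=3):
    """Client IPs that handed us at least `threshold` messages (sorted for stable output)."""
    return sorted(ip for ip, n in count_sources(text).items() if n >= threshold)


def ipsec_block_commands(ip, policy="BlockSpamSource"):
    """netsh ipsec static commands (Windows Server 2003) that drop all traffic from `ip`.

    Names of the policy, filter list, filter action and rule are assumptions chosen here;
    'Me' is netsh's keyword for the local machine's addresses.
    """
    filters, action = f"{policy}-Filters", f"{policy}-Block"
    return [
        f"netsh ipsec static add policy name={policy}",
        f"netsh ipsec static add filterlist name={filters}",
        f"netsh ipsec static add filter filterlist={filters} srcaddr={ip} "
        f"dstaddr=Me protocol=ANY mirrored=yes",
        f"netsh ipsec static add filteraction name={action} action=block",
        f"netsh ipsec static add rule name={policy}-Rule policy={policy} "
        f"filterlist={filters} filteraction={action}",
        f"netsh ipsec static set policy name={policy} assign=y",
    ]


if __name__ == "__main__":
    for ip in abusive_sources(SAMPLE_RECEIVED):
        print(f"# {ip}: {count_sources(SAMPLE_RECEIVED)[ip]} messages accepted")
        print("\n".join(ipsec_block_commands(ip)))
```

Blocking one address only stops the current sender; the count of messages accepted from an unauthenticated client is the evidence that the relay is not as closed as the server's settings suggest.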
 
garethtnashAuthor Commented:
Hi Kruger,
111.111.11.... is the remote IP of our server (which is hosted remotely by an ISP), so sadly I have no idea as to their configuration, but it is our rented dedicated server.
I'm connecting to it via remote desktop...
I've just installed the trial version of Kaspersky, which is doing a virus scan; however, it looks to me as if 122.224.72.11 are somehow managing to bypass the fact that the relay is closed and periodically send large numbers of emails... 45,000 at a time.
I can't sadly give you much more information than that, unless you can guide me as to what you are looking for?
Thanks for your help so far..
0
 
Kruger_monkeyCommented:
Ah, in that case, based on your setup, I think you need to take this up with your ISP as the problem lies in their configuration somewhere. If you are using their email and services, it is either their email or services that has a problem.

Also, your ISP should be able to monitor this problem in much more detail than you can.
0
 
garethtnashAuthor Commented:
Would be nice, but their take is very much that it's a dedicated server which is self-managed and therefore not their problem...
Quote
"Due to the self-managed nature of your dedicated server, the security and management of the server is your responsibility, and as such it is up to you to rectify the issue if your server has indeed been compromised.

You can either rebuild your server, automatically fixing any software vulnerabilities present, or we can block port 25 on your server, which would effectively block all e-mail traffic leaving your server"
Really helpful
0
 
Kruger_monkeyCommented:
Ah right. In that case, what are you running on the box in terms of security-related software? Firewalls, AV, AS etc.?
0
 
garethtnashAuthor Commented:
Windows Firewall, and now Kaspersky Labs; no viruses found. It looks as if the attacks may be (from the little knowledge I have) HTTP tunneling??? Could that be the case?
Slowly pulling my hair out...
 
:-(
0
 
garethtnashAuthor Commented:
Thanks Kruger
0