garethtnash
asked on
Windows Server 2003 Sending Trojan or Proxy attempted to send mail
Morning Experts,
HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I've come into the office this morning only to receive an email from MXToolBox highlighting that our server has been added to a mail server blacklist. When I investigate this I find that the blacklist is SORBS and the reason is -
"Spam Sending Trojan or Proxy attempted to send mail from/to from=<infoffb03@hosanna.net> to=<matt@paticipating.domain> helo=<[111.111.111.11]>"
Our relay is closed or Enabled (Authenticated only), so this shouldn't be happening.
How can I stop this?
Thanks
ASKER
Thanks Kruger,
two questions .... -
How do I restrict outbound port 25 access and allow it only for SMTP-based servers?
Can you recommend any good (low cost) server malware/spyware/virus scanning programs please?
Thank you
Restricting access to port 25 will have to be done on your router/firewall.
You basically set up a port 25 access rule for a specific host (the SMTP server) followed by
an outbound port 25 block for everyone else. Can't say exactly how to do it as I don't know your setup, hardware etc.
I use Trend Micro SMB, which although not cheap is also not expensive. There are loads of server-based utils out there; low cost is not necessarily the best way to go as some functionality may be lacking.
http://uk.trendmicro.com/uk/products/sb/worry-free-business-security/index.html
NOD32 is another that is widely used
http://www.eset.co.uk/
http://www.kaspersky.co.uk/products
ASKER
Not sure whether this will help, but this is the header of the spam emails that are being sent (I've changed our server IP address but not theirs) -
whereby their IP address appears to be 122.224.72.11
and ours is listed as 111.111.111.11 etc. Is there any way of blocking that IP address from accessing our server?
Thanks
Received: From [122.224.72.11] by [111.111.111.11]
(Matrix SMTP Mail Server v(1.4)) ID=E63E81E2-FE98-4AAD-A5CB-51B6B1B1552E ; Thu, 01 Apr 2010 13:27:41 +0100
Reply-To: <mgevisser1@axigenmail.com>
From: "Mr Mark Gevisser"<infoffb03@hosanna.net>
Subject: Rail Scrap For Sale
Date: Thu, 1 Apr 2010 04:27:35 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-RCPT-TO: <b*******@hot****.com>
Dear Sir/Madam,
Are you running Exchange? You can definitely block that IP, but does the IP stay constant?
You can block that IP on your firewall: just block all inbound activity from that IP address. Similarly, if you are using Exchange you can block that IP from accessing your server.
ASKER
No, not using Exchange, just the ISP's default mail server...
How do I block the IP using Windows Firewall?
Thank you
You know you said earlier with the mail headers, your IP 111.11.11..... Is this a public external IP, i.e. your ISP's email server IP, or your location's public IP?
Can you give me a better idea of your setup?
You can't really block an IP with Windows Firewall; you would need to look at IPsec or similar.
Has your router not got a firewall? It's on the router's firewall that you will want to block it. What security apps/devices are you running?
ASKER
Hi Kruger,
111.111.11.... is the remote IP of our server (which is hosted remotely by an ISP), so sadly I have no idea as to their configuration, but it is our rented dedicated server.
I'm connecting to it via Remote Desktop...
I've just installed the trial version of Kaspersky, which is doing a virus scan; however, it looks to me as if 122.224.72.11 is somehow managing to bypass the fact that the relay is closed and periodically send large numbers of emails... 45,000 at a time.
I can't sadly give you much more information than that, unless you can guide me as to what you are looking for?
Thanks for your help so far..
Ah, in that case, based on your setup, I think you need to take this up with your ISP, as the problem lies in their configuration somewhere: if you are using their email and services, it is either their email or their services that has a problem.
Also, your ISP should be able to monitor this problem in much more detail than you can.
ASKER
Would be nice, but their take is very much that it's a dedicated server which is self-managed and therefore not their problem...
Quote
"Due to the self managed nature of your dedicated server, the security and management of the server is your responsibility and as such it is up to you to rectify the issue if your server has indeed been compromised.
You can either rebuild your server, automatically fixing any software vulnerabilities present, or we can block port 25 on your server, which would effectively block all e-mail traffic leaving your server"
Really helpful
Ah right. In that case, what are you running on the box in terms of security-related software? Firewalls, AV, AS etc.?
ASKER
Windows Firewall, and now Kaspersky Labs - no viruses found. It looks as if the attacks may be (from the little knowledge I have) HTTP tunnelling??? Could that be the case...
Slowly pulling my hair out...
:-(
ASKER CERTIFIED SOLUTION
ASKER
Thanks Kruger
If you can monitor your traffic as it goes out, check for anything going to port 25 and track back the IP. Best practice is to restrict outbound port 25 access and allow it only for SMTP-based servers.
I would scan your server and network for potential malware/spyware/viruses etc.
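One way to "track back the IP" from the server's own mail headers, as an added example that is not from this thread or any of its participants: it parses the "Received: From [client] by [server]" lines in the format quoted above, counts how many messages each client IP pushed through our server (ignoring hops recorded by other servers), and flags the busiest clients. The sample headers, the threshold, and the 192.0.2.x/198.51.100.x/203.0.113.x addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample headers in the format quoted in the thread; 192.0.2.10 is a
# documentation-range address standing in for a legitimate client, and the last
# line is a hop recorded by some other server, which must not be counted.
SAMPLE_HEADERS = """\
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=1 ; Thu, 01 Apr 2010 13:27:41 +0100
From: "Mr Mark Gevisser"<infoffb03@hosanna.net>
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=2 ; Thu, 01 Apr 2010 13:27:52 +0100
Received: From [192.0.2.10] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=3 ; Thu, 01 Apr 2010 13:28:05 +0100
Received: From [122.224.72.11] by [111.111.111.11] (Matrix SMTP Mail Server v(1.4)) ID=4 ; Thu, 01 Apr 2010 13:28:09 +0100
Received: From [198.51.100.7] by [203.0.113.5] (Other MTA) ID=5 ; Thu, 01 Apr 2010 13:28:30 +0100
"""

# Matches the "Received: From [client] by [server]" form this server writes.
RECEIVED_RE = re.compile(
    r"^Received:\s+From\s+\[(?P<client>\d{1,3}(?:\.\d{1,3}){3})\]"
    r"\s+by\s+\[(?P<server>\d{1,3}(?:\.\d{1,3}){3})\]",
    re.IGNORECASE,
)


def relay_clients(header_lines, our_ip):
    """Count, per client IP, the Received lines showing OUR server accepting a message.

    Hops where the "by" address is not ours are skipped so that forwarded or
    bounced mail from other servers does not inflate the counts.
    """
    counts = Counter()
    for line in header_lines:
        m = RECEIVED_RE.match(line.strip())
        if m and m.group("server") == our_ip:
            counts[m.group("client")] += 1
    return counts


def flag_abusers(counts, threshold):
    """Return (ip, count) pairs at or above threshold, busiest first."""
    return sorted(
        ((ip, n) for ip, n in counts.items() if n >= threshold),
        key=lambda pair: (-pair[1], pair[0]),
    )


if __name__ == "__main__":
    counts = relay_clients(SAMPLE_HEADERS.splitlines(), "111.111.111.11")
    for ip, n in flag_abusers(counts, threshold=2):
        print(f"{ip} submitted {n} messages through our server")
```

On a real box, feed it the headers of queued or logged outbound messages; a single client IP dominating the counts is the address to block at the firewall or via an IPsec policy, and its presence despite a closed relay is the signal that authentication or the server itself has been compromised.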