Windows Server 2003 Sending Trojan or Proxy attempted to send mail

Morning Experts,


I've come into the office this morning only to receive an email from MXToolBox highlighting that our server has been added to a mail server blacklist. When I investigate this I find that the blacklist is SORBS and the reason is:
"Spam Sending Trojan or Proxy attempted to send mail from/to from=<> to=<matt@paticipating.domain> helo=<[]>"

Our relay is closed, or enabled (authenticated only), so this shouldn't be happening.

How can I stop this?


Does your firewall have a log you can monitor?  I've had this in the past, spent ages verifying the server, relay settings etc. and it turned out to be a spam bot on another computer.

If you can monitor your traffic as it goes out, check for anything going to port 25 and track back the IP.  Best practice is to restrict outbound port 25 access and allow it only for SMTP-based servers.

I would scan your server and network for potential malware/spyware/virus etc.
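An added example (not code from the thread, and not a Microsoft script) of what "check for anything going to port 25 and track back the IP" looks like on the Windows side: a PowerShell script that reads the Windows Firewall log, keeps only the outbound TCP/25 records and groups them by originating address. The log path and the column layout are assumptions based on the firewall's default logging configuration; the sample lines at the bottom are constructed and use documentation addresses.

```powershell
# Added example, not from the thread: summarise outbound SMTP (TCP/25) connections
# recorded in the Windows Firewall log so the originating address can be traced back.
# Assumptions: the default log location and the "#Fields:" header line that Windows
# Firewall writes. The sample lines at the bottom are constructed.
$LogPath = 'C:\WINDOWS\pfirewall.log'

function Get-OutboundSmtp {
    param([string[]]$Lines)
    $fields = $null
    $hits   = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the log's own header, so a different column order still parses
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line.Trim() -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # Older logs have no "path" column; treat its absence as "direction unknown" rather than skipping
        $outbound = (-not $row.ContainsKey('path')) -or ($row['path'] -eq 'SEND')
        if ($row['protocol'] -eq 'TCP' -and $row['dst-port'] -eq '25' -and $outbound) {
            $hits += New-Object PSObject -Property @{
                Time        = "$($row['date']) $($row['time'])"
                Source      = $row['src-ip']
                Destination = $row['dst-ip']
                Action      = $row['action']
            }
        }
    }
    return $hits
}

# Constructed sample in the firewall log's format (RFC 5737 documentation addresses)
$Sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2010-04-01 13:27:41 OPEN TCP 192.0.2.10 198.51.100.25 1521 25 - - - - - - - - SEND',
    '2010-04-01 13:27:42 OPEN TCP 192.0.2.10 203.0.113.7 1522 25 - - - - - - - - SEND',
    '2010-04-01 13:27:43 OPEN TCP 192.0.2.44 198.51.100.80 1601 80 - - - - - - - - SEND',
    '2010-04-01 13:27:44 OPEN TCP 203.0.113.9 192.0.2.10 40112 25 - - - - - - - - RECEIVE'
)

$Lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $Sample }

# One row per source address, busiest first: an address here that is not your
# mail server is the machine to look at.
Get-OutboundSmtp $Lines |
    Group-Object Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Windows Firewall logging is off by default; it has to be switched on (with successful connections logged, not just drops) before the log contains the OPEN records this script looks for. On the sample data only 192.0.2.10 is reported, twice: the web connection and the inbound SMTP connection are filtered out.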
garethtnashAuthor Commented:
Thanks Krugar,
Two questions:
How do I restrict outbound port 25 access and allow it only for SMTP-based servers?
Can you recommend any good (low cost) server malware/spyware/virus scanning programs please?
Thank you
Restricting access to port 25 will have to be done on your router/firewall.

You basically set up a port 25 access rule for a specific host (SMTP server) followed by
an outbound port 25 block for everyone.  Can't say exactly how to do it as I don't know your setup, hardware etc.

I use Trend Micro SMB, which although not cheap is also not expensive.  There are loads of server-based utils out there; low cost is not necessarily the best way to go as some functionality may be lacking.

NOD32 is another that is widely used

garethtnashAuthor Commented:
Not sure whether this will help, but this is the header of the spam emails that are being sent (I've changed our server IP address but not theirs),
whereby their IP address appears to be
 and ours is listed as etc. Is there any way of blocking that IP address from accessing our server?

Received: From [] by []
   (Matrix SMTP Mail Server v(1.4)) ID=E63E81E2-FE98-4AAD-A5CB-51B6B1B1552E ; Thu, 01 Apr 2010 13:27:41 +0100
Reply-To: <>
From: "Mr Mark Gevisser"<>
Subject: Rail Scrap For Sale
Date: Thu, 1 Apr 2010 04:27:35 -0800
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-RCPT-TO: <b*******@hot****.com>

Dear Sir/Madam,


Are you running Exchange?  You can definitely block that IP, but does the IP stay constant?

You can block that IP on your firewall; just block all inbound activity from that IP address.  Similarly, if you are using Exchange you can block that IP from accessing your server.
garethtnashAuthor Commented:
No, not using Exchange, just the ISP's default mail server...
How do I block the IP using Windows Firewall?
Thank you
You know you said earlier with the mail headers, your IP 111.11.11.....  Is this a public external IP, i.e. your ISP's email server IP, or your location's public IP?

Can you give me a better idea of your setup.

You can't really block an IP with Windows Firewall; you would need to look at IPsec or similar.

Has your router not got a firewall?  It's on the router's firewall that you will want to block it.  What security apps/devices are you running?
garethtnashAuthor Commented:
Hi Kruger,
111.111.11.... is the remote IP of our server (which is hosted remotely by an ISP), so sadly I have no idea as to their configuration, but it is our rented dedicated server.
I'm connecting to it via Remote Desktop...
I've just installed the trial version of Kaspersky, which is doing a virus scan; however it looks to me as if they are somehow managing to bypass the fact that the relay is closed and periodically send large numbers of emails... 45,000 at a time.
I sadly can't give you much more information than that, unless you can guide me as to what you are looking for?
Thanks for your help so far.
Ah, in that case, based on your setup, I think you need to take this up with your ISP, as the problem lies in their configuration somewhere; if you are using their email and services, it is either their email or services that has a problem.

Also, your ISP should be able to monitor this problem in much more detail than you can.
garethtnashAuthor Commented:
Would be nice, but their take is very much that it's a dedicated server which is self-managed and therefore not their problem...
"Due to the self managed nature of your dedicated server, the security and management of the server is your responsibility and as such it is up to you to rectify the issue if your server has indeed been compromised.

You can either rebuild your server, automatically fixing any software vulnerabilities present, or we can block port 25 on your server, which would effectively block all e-mail traffic leaving your server"
Really helpful
Ah right. In that case, what are you running on the box in terms of security-related software?  Firewalls, AV, AS etc.?
garethtnashAuthor Commented:
Windows Firewall, and now Kaspersky Labs - no viruses found. It looks as if the attacks may be (from the little knowledge I have) HTTP tunnelling??? Could that be the case...
Slowly pulling my hair out...
I would definitely replace Windows Firewall with a commercial one.  ZoneAlarm etc.

Here's a list of a few types

It will largely be down to Windows Firewall.  You have very limited control over Windows Firewall.  Get a commercial one and configure some rules that say only your host IP is allowed to use port 25, and block anything else from using port 25.  Restrict the access to your box as far as possible.

Configure your firewall in roughly this manner.  Deny ALL traffic in and out.  Then start adding rules that permit only the traffic that you need to permit, and restrict them to IP addresses as far as possible.

Here are some best practices articles.
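The "deny ALL traffic in and out, then permit only what you need, restricted to IP addresses" approach from the answer above, as an added example that is not from the thread. Windows Firewall on Server 2003 cannot filter outbound traffic, so this uses the IPsec policy engine through netsh ipsec static, which is the route an earlier reply points to. The policy name, the administration address and the resolver address are placeholders; the set of permitted services (inbound and outbound SMTP, RDP from one address, DNS to one resolver) is an assumption about what a self-hosted mail server needs and should be adjusted to the box.

```powershell
# Added example, not from the thread: an IPsec "default deny, explicit permit" policy
# for Windows Server 2003 built with netsh ipsec static. Addresses are placeholders.
$Policy  = 'Locked-Down-Mail-Host'
$AdminIp = '203.0.113.5'    # placeholder: the address you run Remote Desktop from
$DnsIp   = '198.51.100.53'  # placeholder: the resolver the server is configured to use

netsh ipsec static add policy name=$Policy activatedefaultrule=no
netsh ipsec static add filteraction name=Block  action=block
netsh ipsec static add filteraction name=Permit action=permit

# 1. Catch-all: any address <-> this host, all protocols. "mirrored=yes" makes the
#    filter match both directions, so this is the "deny ALL in and out" rule.
netsh ipsec static add filterlist name=All-Traffic
netsh ipsec static add filter filterlist=All-Traffic srcaddr=any dstaddr=me protocol=any mirrored=yes
netsh ipsec static add rule name=Deny-All policy=$Policy filterlist=All-Traffic filteraction=Block

# 2. Explicit permits. IPsec applies the most specific matching filter, so these win
#    over the catch-all block regardless of the order the rules were added in.
#    Mirroring is needed on each permit because IPsec filtering is stateless:
#    the reply packets must match a permit too.
netsh ipsec static add filterlist name=Permitted
# Mail arriving at this host's SMTP service
netsh ipsec static add filter filterlist=Permitted srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=25 mirrored=yes
# Mail this host's SMTP service delivers to other servers
netsh ipsec static add filter filterlist=Permitted srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=yes
# Remote Desktop, only from the administration address
netsh ipsec static add filter filterlist=Permitted srcaddr=$AdminIp dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
# DNS lookups, only to the configured resolver
netsh ipsec static add filter filterlist=Permitted srcaddr=me dstaddr=$DnsIp protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add rule name=Permit-Required policy=$Policy filterlist=Permitted filteraction=Permit

# 3. Assign (activate) the policy. Nothing is enforced until this line runs.
netsh ipsec static set policy name=$Policy assign=yes

# Review what is now in force
netsh ipsec static show policy name=$Policy level=verbose
```

Get the RDP permit right before the last assign command runs: once the policy is active, a Remote Desktop session from any other address is cut off, and the only way back in is through the ISP's console. To back the change out, run netsh ipsec static set policy name=$Policy assign=no. This bounds which addresses can reach the box and what the box can reach, but it does not by itself stop mail that the SMTP service accepts for relay; the relay setting on the mail software still has to be checked.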

garethtnashAuthor Commented:
Thanks Kruger