Spyware VS Spambots

Hi All,

Our company's network seems to have been hit by a spambot; in other words, something is using our mail server as an SMTP relay and spoofing mail, which is clogging our mail server.

We are able to resolve the issue but it seems to reoccur.

We run ESET NOD32 Antivirus 4 and it has not been able to pick up the offending PC/server (yes, it has the latest definitions). In the user manual, it says it detects and treats viruses and spyware... are spambots spyware or viruses, or are they classified as their own threat? In other words, do I need software that specialises in spambots?

I called Eset tech support and the guy was clueless, so I am hoping someone here can lend some assistance.

Regards
Network_Padawan asked:

AmbientIT commented:
Like SSharma said, have you verified that you are an open relay, using:
MXToolbox
http://mxtoolbox.com/diagnostic.aspx

Manually with some instructions on how to deal with it if you are:
http://www.amset.info/exchange/smtp-openrelay.asp

Here are instructions how to set your server up to relay, this might help you understand the process a little better and verify what settings ALLOW relaying.
http://www.petri.co.il/authenticated-or-anonymous-smtp-relay-with-exchange-2007.htm
dauman commented:
I hope you have a small network rather than a large one.
Either your problem is coming from 1 or 2 computers inside your network (probably), or it is someone from the outside using your SMTP server as a relay.

Step 1) On your (I'm assuming Exchange) Exchange server, enable logging.
http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html
Keep in mind, logging can take up some space, so make sure you have 10-20 GB available for that.

Step 2) Disable SMTP relay.
http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm


Step 3) Examine the logs to find out what IP/computer is doing the spamming (unless you already know).

Once you identify the problem computer or computers, I would run ComboFix and TDSSKiller on them until they read clean.
I would also run SUPERAntiSpyware on them, just to be on the safe side.

Network_Padawan (author) commented:
hi dauman,

Do you have the Exchange 2007 version of this?

Also, do I really want to stop relaying? Don't I want the local LAN and 127.0.0.1 to be able to relay mail?
Network_Padawan (author) commented:
Also, in the receive connector, which is (from what I've read) where the relay happens...

This is the configuration....

Use these local IP to receive mail

All available IPV4 address 587

Receive mail from remote servers that have these IP addressess

0.0.0.0 - 255.255.255.255

Should I lock this down to the local LAN only and 127.0.0.1?
Network_Padawan (author) commented:
Also, I've enabled verbose logging for both send and receive connectors... will this show me from which IP SMTP mail is being routed? I would like to see the source IPs of who is connecting, to see which has the most connections (in this way, during attacks I can see which IP is doing this).
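The kind of analysis the question above is asking for, as an added example that is not part of the original thread: a Python script that walks per-message SMTP log entries, counts connections per source IP (busiest first), and separates three cases that the thread later turns on. Mail accepted for an outside recipient from an outside IP with no authentication would be open-relay evidence; the same thing after a successful AUTH points at a stolen password; 550s show the relay rules working. The log format, domain, LAN ranges and account names are all constructed for the example; MDaemon's and Exchange's real log layouts differ and the regular expression would need adjusting to them.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in a simplified per-message format (not MDaemon's or
# Exchange's real log layout): source IP, the account that authenticated ("-"
# if none), envelope sender/recipient and the SMTP status the server returned.
SAMPLE_LOG = """\
2011-02-15 01:02:11 ip=192.168.1.20 auth=- from=alice@example.com to=bob@example.com status=250
2011-02-15 01:05:30 ip=203.0.113.45 auth=- from=x@foo.invalid to=test@example.org status=550
2011-02-15 01:06:02 ip=203.0.113.45 auth=bob from=promo@bank.invalid to=v1@example.org status=250
2011-02-15 01:06:03 ip=203.0.113.45 auth=bob from=promo@bank.invalid to=v2@example.org status=250
2011-02-15 01:06:04 ip=203.0.113.45 auth=bob from=promo@bank.invalid to=v3@example.org status=250
2011-02-15 01:40:19 ip=198.51.100.7 auth=bob from=promo@bank.invalid to=v4@example.org status=250
2011-02-15 01:40:20 ip=198.51.100.7 auth=bob from=promo@bank.invalid to=v5@example.org status=250
2011-02-15 02:10:00 ip=192.168.1.31 auth=carol from=carol@example.com to=partner@example.org status=250
2011-02-15 02:11:09 ip=198.51.100.200 auth=- from=spam@foo.invalid to=someone@example.org status=550
2011-02-15 03:00:00 ip=198.51.100.7 auth=- from=nobody@other.invalid to=alice@example.com status=250
"""

LOCAL_DOMAIN = "example.com"   # hypothetical local domain
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(r"ip=(\S+) auth=(\S+) from=(\S+) to=(\S+) status=(\d+)")


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def analyse(log_text, local_domain=LOCAL_DOMAIN):
    per_ip = Counter()                  # connections per source IP
    denied = Counter()                  # 550s per IP: the relay rules working
    open_relay_evidence = []            # anonymous, outside IP, outside recipient, accepted
    auth_relays = defaultdict(Counter)  # user -> {outside IP: accepted outbound messages}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user, sender, rcpt, status = m.groups()
        per_ip[ip] += 1
        outbound = rcpt.split("@")[-1].lower() != local_domain
        if status != "250":
            denied[ip] += 1
            continue
        if not outbound or is_lan(ip):
            continue                    # inbound mail, or a LAN host the config allows
        if user == "-":
            open_relay_evidence.append(line)
        else:
            auth_relays[user][ip] += 1
    return {"top_ips": per_ip.most_common(), "denied": denied,
            "open_relay_evidence": open_relay_evidence, "auth_relays": auth_relays}


def compromised_accounts(report, min_ips=2, min_msgs=3):
    """Accounts relaying outbound mail from outside the LAN: flag any that do so
    from several addresses or in volume. A real user on the road can trip
    min_ips=2 by itself, so the volume threshold is the stronger signal."""
    flagged = {}
    for user, ips in report["auth_relays"].items():
        total = sum(ips.values())
        if len(ips) >= min_ips or total >= min_msgs:
            flagged[user] = {"ips": sorted(ips), "messages": total}
    return flagged


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("busiest sources:", report["top_ips"][:3])
    print("open relay evidence:", len(report["open_relay_evidence"]))
    print("accounts to reset:", compromised_accounts(report))
```

On the constructed sample the busiest source is 203.0.113.45, there is no open-relay evidence (every anonymous outbound attempt got a 550), and the account "bob" is flagged because it relayed five outbound messages from two outside addresses; resetting that password is the fix, whereas blocking the two IPs only moves the spambot to its next address.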
AmbientIT commented:
Depending on your network and what firewall you have, I like to disable outbound port 25 for all IPs except for the mail server and any other servers/devices that are supposed to send mail outside the network. Your firewall logs may help as well.
Sudeep Sharma (Technical Designer) commented:
Check if the IP of your exchange server is open relay

http://www.checkor.com/

Sudeep
Network_Padawan (author) commented:
Hi Ambient, but what if some spambot is using the mail server as a relay to send mail... surely that means the rule you just suggested on the firewall would be void?
AmbientIT commented:
Correct. It would only help if another server/computer was being used as the relay or spambot.
Network_Padawan (author) commented:
Well, I'm really stuck... I've checked the firewall logs and I see outside IPs connecting to our mail server, obviously using it as a relay.

The SMTP server is configured to only allow the local LAN and 127.0.0.1 to relay mail... so how are these people able to route mail?

I'm confused...
Sudeep Sharma (Technical Designer) commented:
So did you check for the open relay?

Sudeep
Network_Padawan (author) commented:
Hi Ssharma,

Did you read my post above yours? We use Mail Daemon, not Exchange. On Mail Daemon, we only allow local LAN IPs and 127.0.0.1 to relay. That's it.
Network_Padawan (author) commented:
These are the results:

smtp:mail.nepeangroup.com     smtp
220 nepeaneng.com.au ESMTP MDaemon 7.1.2; Tue, 15 Feb 2011 12:32:30 +1100

 OK - 165.228.143.254 resolves to nepean19.lnk.telstra.net
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
Not an open relay.
1.154 seconds - Good on Transaction time

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 nepeaneng.com.au Hello please-read-policy.mxtoolbox.com, pleased to meet you [187 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 <supertool@mxtoolbox.com>, Sender ok [187 ms]
RCPT TO: <test@example.com>
550 <test@example.com>, Recipient unknown [203 ms]

See it says NOT an open relay....
Network_Padawan (author) commented:
Any update guys?
AmbientIT commented:
"We are able to resolve the issue but it seems to reoccur." Tell me what you do to stop it, at least temporarily?

Are you using Exchange 2007 in conjunction with MDaemon?

I don't have a clear picture of what server software you are using and how you have come to the conclusion that your server is indeed being used to send out spam.
Network_Padawan (author) commented:
Hi Ambient,

OK, mail comes into Mail Daemon; that email is then forwarded to Exchange 2007. People connect via IMAP to Exchange for their mail.

This was a legacy setup. We are soon going to get rid of Mail Daemon, but for now I need to fix this.

What I am seeing is the following:

Spoofed email addresses clogging the mail queue in Mail Daemon, sending emails to external unknown email accounts. I see remote connections from foreign IPs; I go into the router and see that EXACT IP making connections to our mail server on port 25.

When I block these IPs in the Mail Daemon software, the problem goes away for a few hours, then we are attacked from different IPs. So I am constantly managing mail, and in the morning I find over 90,000 non-legitimate mails which I need to clean up, weeding out legit from non-legit mail.

I thought it might be an internal spambot on some device; however, seeing these external IPs tells me differently. This is the 7th day of this crap and I just want it to end. I have tried everything I know, even cleaning every PC on the domain.

Any advice on something I am missing would be appreciated.

Regards

Network_Padawan (author) commented:
I was able to stop the spamming by blocking over 50 specific IPs. I still don't understand how anyone was able to relay off the mail server, considering only internal IPs were allowed to use the server to send mail.

Either way I am allocating points, but if Ambient IT is able to comment one last time on my last post, I would be grateful.

Thanks
AmbientIT commented:
Sorry, my wife had a baby this week so things got a little hectic.

If you aren't an open relay, the only other option that I can think of is that they have a username and password that allows them to send mail. I am not sure what tools you have or log files you could look through to determine this. Not sure if all your users can authenticate to use the Mail Daemon in some way, but if they can, one of them might have a weak password that has been cracked, or possibly a system account?
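The distinction AmbientIT draws above, and the "Not an open relay" result earlier in the thread, side by side in working code. This is an added example, not part of the original thread and not MDaemon's code: a small Python SMTP probe that runs the same anonymous MAIL FROM / RCPT TO exchange the mxtoolbox test did, and then repeats it after an AUTH PLAIN with a password. To run offline it starts a constructed stand-in server on loopback that refuses relay to an outside domain unless the session authenticated; the domain, hostnames and the user "bob" with his weak password are all hypothetical, and the LAN allow-list from the original configuration is left out so the loopback probe is treated like an outside host.

```python
import base64
import socket
import socketserver
import threading

# Constructed stand-in for the relay policy in the thread (not the real MDaemon):
# a recipient at a non-local domain is refused unless the session authenticated.
LOCAL_DOMAIN = "example.com"          # hypothetical local domain
VALID_CREDS = {"bob": "Summer2011"}   # hypothetical account with a weak password


class FakeRelayServer(socketserver.StreamRequestHandler):
    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        authed = False
        self.reply("220 fake.example.com ESMTP constructed test server")
        for raw in self.rfile:
            line = raw.decode(errors="replace").strip()
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250-fake.example.com")
                self.reply("250 AUTH PLAIN")
            elif verb == "AUTH":   # AUTH PLAIN base64("\0user\0password")
                try:
                    _, user, pw = base64.b64decode(arg.split()[1]).decode().split("\0")
                    authed = VALID_CREDS.get(user) == pw
                except Exception:
                    authed = False
                self.reply("235 authentication successful" if authed else "535 authentication failed")
            elif verb == "MAIL":
                self.reply("250 sender ok")
            elif verb == "RCPT":
                domain = arg.split("@")[-1].rstrip(">").lower()
                if domain == LOCAL_DOMAIN or authed:
                    self.reply("250 recipient ok")
                else:
                    self.reply("550 relaying denied")   # what the open-relay test sees
            elif verb == "QUIT":
                self.reply("221 bye")
                return
            else:
                self.reply("500 command not understood")


def relay_probe(host, port, creds=None):
    """Speak just enough SMTP to learn whether the server accepts a recipient at
    an outside domain. With creds=(user, password) an AUTH PLAIN is sent first,
    which is what a spambot holding a stolen password does. Returns the reply
    line to RCPT TO."""
    sock = socket.create_connection((host, port), timeout=5)
    f = sock.makefile("rwb")

    def read_reply():                  # skip continuation lines such as "250-..."
        while True:
            line = f.readline().decode().strip()
            if len(line) < 4 or line[3] != "-":
                return line

    def cmd(line):
        f.write((line + "\r\n").encode())
        f.flush()
        return read_reply()

    read_reply()                       # banner
    cmd("EHLO probe.example.net")
    if creds:
        blob = base64.b64encode(("\0%s\0%s" % creds).encode()).decode()
        cmd("AUTH PLAIN " + blob)
    cmd("MAIL FROM:<probe@example.net>")
    verdict = cmd("RCPT TO:<victim@example.org>")   # outside sender, outside recipient
    cmd("QUIT")
    f.close()
    sock.close()
    return verdict


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeRelayServer)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """The anonymous probe (what the open-relay checker does) next to the same
    probe with a wrong and then a stolen password."""
    srv = start_fake_server()
    host, port = srv.server_address
    results = {
        "anonymous": relay_probe(host, port),
        "bad_password": relay_probe(host, port, ("bob", "wrong")),
        "stolen_password": relay_probe(host, port, ("bob", "Summer2011")),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for case, reply in run_demo().items():
        print("%-16s %s" % (case, reply))
```

The anonymous and wrong-password probes get "550 relaying denied", which is all a public open-relay test can report; the probe with the right password gets "250 recipient ok" from the very same server, so a "Not an open relay" verdict says nothing about relay through a cracked account. Against a real server, point relay_probe at it with the credentials of a suspect account, and treat a 250 as proof that the password, not the IP list, is what needs fixing.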
Network_Padawan (author) commented:
Congratulations! Sorry I didn't know.

Thanks anyway; it's working, that's the main thing.