Spyware vs Spambots

Network_Padawan asked:

Hi All,

Our company's network seems to have been hit by a spambot; in other words, something is using our mail server as an SMTP relay and spoofing mail, which is clogging our mail server.

We are able to resolve the issue but it seems to reoccur.

We run ESET NOD32 Antivirus 4 and it has not been able to pick up the offending PC/server (yes, it has the latest definitions). In the user manual, it says it detects and treats viruses and spyware... Are spambots spyware or viruses, or are they classified as their own threat? In other words, do I need software that specialises in spambots?

I called ESET tech support and the guy was clueless, so I am hoping someone here can lend some assistance.

Regards
SOLUTION
dauman

Network_Padawan (ASKER)

hi dauman,

Do you have the Exchange 2007 version of this?

Also, do I really want to stop relaying? Don't I want the local LAN and 127.0.0.1 to be able to relay mail?
Also, in the receive connector, which is (from what I've read) where the relay happens...

This is the configuration....

Use these local IP to receive mail

All available IPv4 addresses, port 587

Receive mail from remote servers that have these IP addresses

0.0.0.0 - 255.255.255.255

Should I lock this down to the local LAN only and 127.0.0.1?
Also, I've enabled verbose logging for both send and receive connectors... will this show me from which IP SMTP mail is being routed? I would like to see the source IPs of who's connecting, to see which has the most connections (that way, during attacks I can see which IP is doing this).
Depending on your network and what firewall you have, I like to disable outbound port 25 for all IPs except for the mail server and any other servers/devices that are supposed to send mail outside the network. Your firewall logs may help as well.
Sudeep Sharma
Check if the IP of your Exchange server is an open relay:

http://www.checkor.com/

Sudeep
Hi Ambient, but what if some spambot is using the mail server as a relay to send mail? Surely that means the rule you just suggested for the firewall would be void.
Correct. It would only help if another server/computer was being used as the relay or spambot.
Well, I'm really stuck... I've checked the firewall logs and I see outside IPs connecting to our mail server, obviously using it as a relay.

The SMTP server is configured to only allow the local LAN and 127.0.0.1 to relay mail... so how are these people able to route mail?

I'm confused...
So did you check for the open relay?

Sudeep
Hi Ssharma,

Did you read my post above yours? We use MDaemon, not Exchange. On MDaemon, we only allow local LAN IPs and 127.0.0.1 to relay. That's it.
ASKER CERTIFIED SOLUTION
These are the results:

smtp:mail.nepeangroup.com     smtp
220 nepeaneng.com.au ESMTP MDaemon 7.1.2; Tue, 15 Feb 2011 12:32:30 +1100

 OK - 165.228.143.254 resolves to nepean19.lnk.telstra.net
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
Not an open relay.
1.154 seconds - Good on Transaction time

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 nepeaneng.com.au Hello please-read-policy.mxtoolbox.com, pleased to meet you [187 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 <supertool@mxtoolbox.com>, Sender ok [187 ms]
RCPT TO: <test@example.com>
550 <test@example.com>, Recipient unknown [203 ms]

See, it says NOT an open relay...
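The MXToolbox transcript above is a three-step probe: HELO, MAIL FROM with an outside sender, then RCPT TO for a recipient the server is not responsible for. Only the last reply matters; the 550 is what "Not an open relay" means. The following is an added example, not part of the original thread and not MXToolbox's or MDaemon's code: it scripts that same probe with Python's smtplib against a small in-process fake SMTP server (a stand-in so it runs offline; the hostname, domain and recipient addresses are assumptions) so the difference between a relaying and a refusing server is visible.

```python
import smtplib
import socket
import threading

# Assumption: the domain the server accepts mail for. Anything else is a relay attempt.
LOCAL_DOMAIN = "example.com"


class FakeSmtpServer(threading.Thread):
    """Tiny in-process SMTP responder so the probe can be exercised offline.

    This is not MDaemon; it models only the behaviour the relay test cares
    about: RCPT TO for a foreign domain gets 250 (open relay) or 550 (refused).
    It serves a single connection and then exits.
    """

    def __init__(self, open_relay):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("EHLO", "HELO"):
            return "250 mail.example.com Hello " + arg
        if cmd == "MAIL":
            # Both open and closed relays accept an outside sender, which is
            # why MAIL FROM alone proves nothing.
            return "250 Sender ok"
        if cmd == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>").lower()
            domain = addr.rsplit("@", 1)[-1]
            if domain == LOCAL_DOMAIN or self.open_relay:
                return "250 Recipient ok"
            return "550 Relaying denied"
        if cmd == "RSET":
            return "250 OK"
        if cmd == "QUIT":
            return "221 Bye"
        return "500 Command not recognised"

    def run(self):
        conn, _ = self.sock.accept()
        self.sock.close()
        conn.sendall(b"220 mail.example.com ESMTP fake\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                reply = self.handle(line.decode("ascii", "replace"))
                conn.sendall(reply.encode("ascii") + b"\r\n")
                if reply.startswith("221"):
                    conn.close()
                    return
        conn.close()


def check_open_relay(host, port, sender="supertool@mxtoolbox.com",
                     recipient="test@example.net"):
    """Run the same HELO / MAIL FROM / RCPT TO probe as the transcript.

    Returns (is_open_relay, transcript). Only the RCPT TO reply matters: a
    2xx for a recipient outside LOCAL_DOMAIN means the server will relay;
    a 5xx ("Recipient unknown", "Relaying denied") means it will not.
    """
    transcript = []
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, msg = smtp.helo("please-read-policy.example.org")
        transcript.append(f"HELO -> {code} {msg.decode(errors='replace')}")
        code, msg = smtp.mail(sender)
        transcript.append(f"MAIL FROM -> {code} {msg.decode(errors='replace')}")
        code, msg = smtp.rcpt(recipient)
        transcript.append(f"RCPT TO -> {code} {msg.decode(errors='replace')}")
    return 200 <= code < 300, transcript


if __name__ == "__main__":
    for mode in (False, True):
        server = FakeSmtpServer(open_relay=mode)
        server.start()
        is_open, lines = check_open_relay("127.0.0.1", server.port)
        print("open relay:", is_open)
        print("\n".join(lines))
```

Point the function at a real host and port 25 to reproduce the MXToolbox check by hand. Note what a negative result does and does not tell you: it only shows that an unauthenticated stranger cannot relay. A client that logs in with a valid username and password is a different path entirely and is not exercised by this probe.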
Any update guys?
"We are able to resolve the issue but it seems to reoccur." Tell me what you do to stop it, at least temporarily?

Are you using Exchange 2007 in conjunction with MDaemon?

I don't have a clear picture of what server software you are using and how you have come to the conclusion that your server is indeed being used to send out spam.
Hi Ambient,

OK, mail comes into MDaemon; from there it is forwarded to Exchange 2007. People connect via IMAP to Exchange for their mail.

This was a legacy setup. We are soon going to get rid of MDaemon, but for now I need to fix this.

What I am seeing is the following:

Spoofed email addresses clogging the mail queue in MDaemon, sending emails to external unknown email accounts. I see remote connections from foreign IPs; I go into the router and see that EXACT IP making connections to our mail server on port 25.

When I block these IPs in the MDaemon software, the problem goes away for a few hours, then we are attacked from different IPs. So I am constantly managing mail, and in the morning I find over 90,000 non-legitimate emails which I need to clean up, weeding out legit from non-legit mail.

I thought it might be an internal spambot on some device, however seeing this external IP tells me differently. This is the 7th day of this crap and I just want it to end, I have tried everything I know, even cleaning every pc on the domain.

Any advice on something I am missing would be appreciated.

Regards

I was able to stop the spamming by blocking over 50 specific IPs. Still don't understand how anyone was able to relay off the mail server considering only internal IPs were allowed to use the server to send mail.

Either way I am allocating points, but if Ambient IT is able to comment one last time on my last post, I would be grateful.

Thanks
Sorry, my wife had a baby this week so things got a little hectic.

If you aren't an open relay, the only other option that I can think of is that they have a username and password that allows them to send mail. I am not sure what tools you have or log files you could look through to determine this. Not sure if all your users can authenticate to use MDaemon in some way, but if they can, one of them might have a weak password that has been cracked, or possibly a system account?
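Two questions in this thread (the asker's wish to see which source IPs make the most connections, and the suggestion just above that a cracked account may be the relay path) are answered by the same kind of log pass. The following is an added example, not code from the thread or from MDaemon: it runs over a constructed, generic connection log (the line format, the account name and the IP addresses are made up; MDaemon's real log lines differ, so the two regular expressions are the part to adapt) and ranks source IPs by connection count, then lists every account that authenticated from outside the LAN ranges that are assumed to be the only ones allowed to relay.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log, not real MDaemon or firewall output. The two regexes
# below are the only format-specific part: they assume a connection line
# carries "from <ipv4>:<port>" and a successful login is logged as
# "AUTH LOGIN <user> from <ipv4>:<port> OK".
SAMPLE_LOG = """\
2011-02-15 03:12:44 Accepted connection from 203.0.113.7:51234 on port 25
2011-02-15 03:12:45 AUTH LOGIN sales@example.com from 203.0.113.7:51234 OK
2011-02-15 03:12:46 MAIL FROM:<ceo@bank.example> from 203.0.113.7:51234
2011-02-15 03:13:01 Accepted connection from 198.51.100.22:40001 on port 25
2011-02-15 03:13:02 AUTH LOGIN sales@example.com from 198.51.100.22:40001 OK
2011-02-15 03:13:10 Accepted connection from 192.168.1.15:3120 on port 25
2011-02-15 03:13:11 MAIL FROM:<alice@example.com> from 192.168.1.15:3120
2011-02-15 03:14:00 Accepted connection from 203.0.113.7:51290 on port 25
2011-02-15 03:14:01 AUTH LOGIN sales@example.com from 203.0.113.7:51290 OK
2011-02-15 03:14:30 Accepted connection from 192.168.1.15:3121 on port 25
2011-02-15 03:14:40 Accepted connection from 203.0.113.7:51300 on port 25
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONN_RE = re.compile(r"Accepted connection from " + IPV4 + r":\d+")
AUTH_RE = re.compile(r"AUTH LOGIN (\S+) from " + IPV4 + r":\d+ OK")

# Assumption: the ranges the server trusts for relaying (the "local LAN and
# 127.0.0.1" from the thread). Adjust to the real LAN.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "10.0.0.0/8", "127.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the trusted relay ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_talkers(log, n=5):
    """Source IPs ranked by number of inbound SMTP connections."""
    return Counter(CONN_RE.findall(log)).most_common(n)


def external_auth_sessions(log):
    """Map each account that logged in from outside the LAN to the external
    IPs it was used from. A LAN-only relay rule does not stop this path: the
    login itself grants relay rights, so a cracked password shows up here
    rather than in an open-relay test."""
    hits = {}
    for user, ip in AUTH_RE.findall(log):
        if not is_internal(ip):
            hits.setdefault(user, set()).add(ip)
    return {user: sorted(ips) for user, ips in hits.items()}


if __name__ == "__main__":
    for ip, count in top_talkers(SAMPLE_LOG):
        flag = "" if is_internal(ip) else "  <- external"
        print(f"{ip:16} {count}{flag}")
    for user, ips in external_auth_sessions(SAMPLE_LOG).items():
        print(f"{user} authenticated from outside the LAN: {', '.join(ips)}")
```

On the constructed sample, one outside address tops the connection list and a single account is seen logging in from two different outside addresses in the same minute; that second signal is the one to act on (reset the password, then check whether the queue stops filling), because blocking the IPs alone just moves the attacker to the next address, as the thread describes.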
Congratulations! Sorry I didn't know.

Thanks anyway, it's working, that's the main thing.