Spyware VS Spambots

Hi All,

Our company's network seems to have been hit by a spambot; in other words, something is using our mail server as an SMTP relay and spoofing mail, which is clogging our mail server.

We are able to resolve the issue but it seems to reoccur.

We run Eset Nod32 Antivirus 4 and it has not been able to pick up the offending PC/server (yes, it has the latest definitions). In the user manual, it says it detects and treats viruses and spyware... are spambots spyware or viruses, or are they classified as their own threat? In other words, do I need software that specialises in spybots?

I called Eset tech support and the guy was clueless, so I am hoping someone here can lend some assistance.

Hi dauman,

Do you have the Exchange 2007 version of this?

Also, do I really want to stop relaying? Don't I want the local LAN and to be able to relay mail?
Also, in the receive connector, which is (from what I've read) where the relay happens...

This is the configuration....

Use these local IP addresses to receive mail:

All available IPv4 addresses, port 587

Receive mail from remote servers that have these IP addresses:

Should I lock this down to the local LAN only? And
also, I've enabled verbose logging for both send and receive connectors... will this show me from which IP SMTP mail is being routed? I would like to see the source IPs of who's connecting, to see which has the most connections (in this way, during attacks I can see which IP is doing this).
Depending on your network and what firewall you have, I like to disable outbound port 25 for all IPs except for the mail server and any other servers/devices that are supposed to send mail outside the network. Your firewall logs may help as well.
Check if the IP of your Exchange server is an open relay.

Hi Ambient, but what if some spambot is using the mail server as a relay to send mail... surely that means the rule you just suggested on the firewall would be void.
Correct. It would only help if another server/computer was being used as the relay or spambot.
Well, I'm really stuck... I've checked the firewall logs and I see outside IPs connecting into our mail server, obviously using it as a relay.

The SMTP server is configured to only allow the LOCAL LAN and to relay; how are these people able to route mail?

I'm confused...
So did you check for the open relay?

Hi Ssharma,

Did you read my post above yours? We use MDaemon, not Exchange. On MDaemon, we only allow local LAN IPs and to relay. That's it.
These are the results:

smtp
220 ESMTP MDaemon 7.1.2; Tue, 15 Feb 2011 12:32:30 +1100

OK - resolves to
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
1.154 seconds - Good on Transaction time

Session Transcript:
250 Hello, pleased to meet you [187 ms]
250 <>, Sender ok [187 ms]
550 <>, Recipient unknown [203 ms]

See, it says NOT an open relay...
Any update, guys?
"We are able to resolve the issue but it seems to reoccur." Tell me what you do to stop it, at least temporarily?

Are you using Exchange 2007 in conjunction with MDaemon?

I don't have a clear picture of what server software you are using and how you have come to the conclusion that your server is indeed being used to send out spam.
Hi Ambient,

OK, mail comes into MDaemon, and that email is then forwarded to Exchange 2007. People connect via IMAP to Exchange for their mail.

This was a legacy setup. We are soon going to get rid of MDaemon, but for now I need to fix this.

What I am seeing is the following:

Spoofed email addresses clogging the mail queue in MDaemon, sending emails to external unknown email accounts. I see remote connections from foreign IPs; I go into the router and see that EXACT IP making connections to our mail server on port 25.

When I block these IPs in the MDaemon software, the problem goes away for a few hours, then we are attacked from different IPs. So I am constantly managing mail, and in the morning I find over 90,000 non-legitimate mails which I need to clean up, weeding out legit from non-legit mail.

I thought it might be an internal spambot on some device; however, seeing these external IPs tells me differently. This is the 7th day of this crap and I just want it to end. I have tried everything I know, even cleaning every PC on the domain.

Any advice on something I am missing would be appreciated.


I was able to stop the spamming by blocking over 50 specific IPs. I still don't understand how anyone was able to relay off the mail server, considering only internal IPs were allowed to use the server to send mail.

Either way I am allocating points, but if Ambient IT is able to comment one last time on my last post, I would be grateful.

Sorry, my wife had a baby this week so things got a little hectic.

If you aren't an open relay, the only other option that I can think of is that they have a username and password that allows them to send mail. I am not sure what tools you have or log files you could look through to determine this. Not sure if all your users can authenticate to use MDaemon in some way, but if they do, one of them might have a weak password that has been cracked, or possibly a system account?
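Two questions in this thread can be answered from the SMTP log alone: the asker wanted to see which source IPs make the most connections, and Ambient IT's last answer points at a cracked account being used for authenticated relay. The script below is an added example, written for this page and not code from any of the participants or from MDaemon. It parses a constructed log in a simplified "date time remote_ip EVENT key=value ..." layout (an assumption for the example; MDaemon's real log format differs), counts connections and failed logins per IP, lists which accounts were authenticated from outside the LAN, and attributes messages with a foreign envelope sender to the account that relayed them. The sample IPs and accounts are invented.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample SMTP log. The "date time remote_ip EVENT key=value ..."
# layout is an assumption made for this example, not MDaemon's real format;
# the addresses come from documentation ranges and the accounts are invented.
SAMPLE_LOG = """
2011-02-15 02:05:01 192.168.1.50 CONNECT
2011-02-15 02:05:02 192.168.1.50 AUTH account=alice@example.com result=OK
2011-02-15 02:05:03 192.168.1.50 MAIL from=alice@example.com rcpt=bob@partner.example
2011-02-15 02:10:05 203.0.113.7 CONNECT
2011-02-15 02:10:06 203.0.113.7 AUTH account=sales@example.com result=OK
2011-02-15 02:10:07 203.0.113.7 MAIL from=ceo@bank.example rcpt=victim1@external.example
2011-02-15 02:10:08 203.0.113.7 MAIL from=ceo@bank.example rcpt=victim2@external.example
2011-02-15 02:10:09 203.0.113.7 CONNECT
2011-02-15 02:10:10 203.0.113.7 AUTH account=sales@example.com result=OK
2011-02-15 02:10:11 203.0.113.7 MAIL from=lottery@prize.example rcpt=victim3@external.example
2011-02-15 02:11:00 198.51.100.9 CONNECT
2011-02-15 02:11:01 198.51.100.9 AUTH account=sales@example.com result=OK
2011-02-15 02:11:02 198.51.100.9 MAIL from=ceo@bank.example rcpt=victim4@external.example
2011-02-15 02:12:00 198.51.100.9 CONNECT
2011-02-15 02:12:01 198.51.100.9 AUTH account=sales@example.com result=FAIL
2011-02-15 02:12:02 198.51.100.9 CONNECT
2011-02-15 02:12:03 198.51.100.9 AUTH account=sales@example.com result=OK
2011-02-15 02:12:04 198.51.100.9 MAIL from=ceo@bank.example rcpt=victim5@external.example
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<event>[A-Z]+)(?: (?P<detail>.*))?$")


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in (m.group("detail") or "").split() if "=" in kv)
        events.append({"ts": m.group("ts"), "ip": m.group("ip"), "event": m.group("event"), **fields})
    return events


def connections_by_ip(events):
    """Connections per source IP, i.e. which IP is hammering the server."""
    return Counter(e["ip"] for e in events if e["event"] == "CONNECT")


def failed_auth_by_ip(events):
    """Failed logins per source IP; repeated failures suggest password guessing."""
    return Counter(e["ip"] for e in events if e["event"] == "AUTH" and e.get("result") != "OK")


def external_auth_sources(events, lan_cidr):
    """Map each account to the set of non-LAN IPs that successfully logged in as it.
    A LAN-only relay policy means any entry here is a credential being used from outside."""
    lan = ipaddress.ip_network(lan_cidr)
    sources = defaultdict(set)
    for e in events:
        if e["event"] == "AUTH" and e.get("result") == "OK" and ipaddress.ip_address(e["ip"]) not in lan:
            sources[e["account"]].add(e["ip"])
    return dict(sources)


def spoofed_mail_by_account(events, local_domain):
    """Count messages per authenticated account whose envelope sender is outside
    local_domain. Session state is kept per IP: CONNECT clears the current account,
    a successful AUTH sets it, and each MAIL is charged to that account."""
    current = {}
    counts = Counter()
    for e in events:
        if e["event"] == "CONNECT":
            current[e["ip"]] = None
        elif e["event"] == "AUTH" and e.get("result") == "OK":
            current[e["ip"]] = e["account"]
        elif e["event"] == "MAIL":
            account = current.get(e["ip"])
            sender_domain = e.get("from", "").rpartition("@")[2].lower()
            if account and sender_domain != local_domain.lower():
                counts[account] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("connections per IP:", connections_by_ip(evs).most_common())
    print("failed logins per IP:", dict(failed_auth_by_ip(evs)))
    print("accounts used from outside the LAN:", external_auth_sources(evs, "192.168.1.0/24"))
    print("spoofed-sender mail per account:", spoofed_mail_by_account(evs, "example.com"))
```

On the sample data the account sales@example.com is authenticated from two non-LAN addresses and relays five messages with a forged sender, which is the pattern Ambient IT describes: the relay restriction is intact, but a password has leaked. Resetting that account's password (and checking for more failed logins against it) addresses the cause, whereas blocking the source IPs only moves the attacker.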
Congratulations! Sorry I didn't know.

Thanks anyway, it's working, that's the main thing.