Solved

SBS 2008 sending tremendous SMTP

Posted on 2011-02-15
20
1,003 Views
Last Modified: 2012-05-11
In our office we have about 12 computers and a SBS 2008 box that is our mail, DNS, DHCP etc… In the past few days we noticed our internet slowed dramatically, so I installed Wireshark on the SBS 2008 box. I’m seeing a TREMENDOUS amount of SMTP traffic going out to just a few IPs (this traffic is going nonstop). I have a feeling we must have picked up a virus or botnet or something. Is there something obvious that I can do to kill this SMTP traffic while keeping my server up? Is there an obvious place I can look to get rid of whatever we may have picked up?
0
Question by:flyinace2
20 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34901378
If you have picked up a nasty - check you are not blacklisted on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org

If listed - find out why you are listed and then based on that info - the next step can be determined.
0
 

Author Comment

by:flyinace2
ID: 34901419
My server is blocked only on the APEWS.ORG Databasetest. The reason is: CASE: C-813
Spambots, zombies, contaminated CIDR, bad reputation provider. Entry created 2011-01-29

What does that tell you?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34901468
Entry created 2011-01-29!  2 weeks old - which could mean you had a problem and it has been dealt with or you had a problem begin on the 29th and it is still a problem, but if it were still a problem, you would be listed on more than just APEWS.

Anything showing up on mxtoolbox?
0
 

Author Comment

by:flyinace2
ID: 34901491
Nope. A few timed out... but otherwise, all clear.
0
 
LVL 13

Expert Comment

by:connectex
ID: 34901505
Have you confirmed the server is not an open relay yet? You can use: http://mxtoolbox.com/diagnostic.aspx. Have you created any Exchange send connectors? What connectors do you have? They are in your Exchange Management Console->Server Configuration->Hub Transport and on the Receive connectors tab.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 450 total points
ID: 34901546
If you are not on any other lists - you should not be sending out spam.

Check your queues on the server using Exchange Management Console> Toolbox> Queue Viewer> Open Tool.

Do you have a busy queue?
0
 

Author Comment

by:flyinace2
ID: 34901555
Results of open relay test:
HELO please-read-policy.mxtoolbox.com
250 remote.XXXXXX.com Hello [64.20.227.133] [78 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [250 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay [5382 ms]
QUIT
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34901588
If you were an open relay - you would be blacklisted all over the place.
0
 
LVL 13

Expert Comment

by:connectex
ID: 34901599
Just wanted to rule open relay out. It's a basic test anyways.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34901614
Sure - I understand - but the evidence is already there to rule that one out.
0
 
LVL 7

Assisted Solution

by:jrwarren
jrwarren earned 50 total points
ID: 34901683
Hello.

Start ---> All Programs ---> Microsoft Exchange ---> Server Management Console
    Select Toolbox
    In the right hand pane select Queue Viewer
Let us know what you have in there and the dates of the messages.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34901716
@jrwarren - See comment http:#a34901546 posted 15 minutes ago!  Please read the entire thread before posting.

Thanks

Alan
0
 

Author Comment

by:flyinace2
ID: 34901835
I have 1 send connector which is used to send mail from our server to the rest of the world.
The queue does not contain any messages....
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34902048
Okay - if the server is not sending the mail, then what is?

Do you have your firewall locked down so that only the SBS 2008 server can send out SMTP traffic (TCP Port 25) and all other internal IP addresses are blocked?
0
 

Author Comment

by:flyinace2
ID: 34902055
I am now using my firewall to block all outbound traffic to 66.94.237.64, which seems to have helped a lot (perhaps solved the problem). Can anyone see a downside to this?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34902084
IP Information - 66.94.237.64

IP address:                     66.94.237.64
Reverse DNS:                    mta-v3.mail.vip.mud.yahoo.com.
Reverse DNS authenticity:       [Verified]
ASN:                            14780
ASN Name:                       INKTOMI-LAWSON
IP range connectivity:          2
Registrar (per ASN):            ARIN
Country (per IP registrar):     US [United States]
Country Currency:               USD [United States Dollars]
Country IP Range:               66.88.0.0 to 66.95.255.255
Country fraud profile:          Normal
City (per outside source):      Sunnyvale, California
Country (per outside source):   US [United States]
Private (internal) IP?          No
IP address registrar:           whois.arin.net
Known Proxy?                    No
Link for WHOIS:                 66.94.237.64

Might be a problem - it is a yahoo / inktomi IP address.

Better to block ALL internal IP's for port 25 outbound except the SBS 2008 server.
0
 

Author Comment

by:flyinace2
ID: 34902105
Ok, but Wireshark showed that the traffic was originating from my server and going to 66.94.237.64. Doesn't that mean that the traffic was coming from the server and not other computers?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34902263
Okay - so if the server is sending SMTP traffic to Yahoo and you are not blacklisted - it suggests that the traffic might be genuine.

Have any of your users been sending large messages to friends on yahoo with big attachments in them (read pictures)?
0
 

Author Comment

by:flyinace2
ID: 34902362
OK, the problem is solved!!!!!
There actually was a message in the queue, it just took a minute to load (that is why I said there were none)... And guess what domain the message was addressed to? Yahoo! I pulled that message out of the queue and now everything seems to be fine again... THANKS EVERYONE!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34902402
: ) - Go find your user who sent it and beat them around the head with a large chair-leg.  Or alternatively, remind them not to send massive emails out and possibly cap the server.

Glad it is resolved.
0
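Added example, not code from the thread or from Microsoft: the queue check from comment #a34901546 done in the Exchange Management Shell on SBS 2008 (Exchange 2007) instead of the slow-loading Queue Viewer, followed by the size cap Alan suggests in the last comment. The message identity, connector name and 10 MB limit are placeholders/assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the SBS 2008 box.

# 1. Which queues actually hold mail? Queue Viewer can take a while to load; this returns at once
#    and shows the next hop (in the thread: a yahoo.com MX) and the last delivery error.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, NextHopDomain, LastError -AutoSize

# 2. The messages behind that traffic, largest first. One oversized message that the remote
#    side keeps refusing is retried over and over, which is what saturates the uplink.
Get-Message -Server $env:COMPUTERNAME |
    Sort-Object Size -Descending |
    Select-Object -First 10 Identity, FromAddress, Subject, Size, Status, Queue, DateReceived, LastError |
    Format-List

# 3. Stop retrying the offender, then remove it. "<message-identity>" is a placeholder copied
#    from the Identity column above (Server\QueueID\MessageID). -WithNDR $true tells the sender
#    the message was dropped so the user knows to resend it a sane way.
Suspend-Message -Identity "<message-identity>"
Remove-Message -Identity "<message-identity>" -WithNDR $true

# 4. Cap outbound message size so the next huge attachment is rejected at submission instead of
#    sitting in the queue. 10 MB is an assumed value; "<send-connector-name>" is a placeholder
#    (Get-SendConnector lists the real name of the single send connector mentioned in the thread).
Set-TransportConfig -MaxSendSize 10MB
Set-SendConnector -Identity "<send-connector-name>" -MaxMessageSize 10MB
```

Step 1 and 2 are read-only and safe to run while the server is live; confirm the queue is empty afterwards with Get-Queue again.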