• Status: Solved

Abnormal traffic on port 25

Hi All.

We are running the following:

Microsoft Small Business Server Premium 2003
SonicWall TZ170 Router
Workstations are all Windows XP SP3

Over the past few weeks we've noticed our internet connection has been pokey from time-to-time. I checked out the hardware, but everything appears to be good. Spoke with my ISP and tested stuff with them and no issues there.

So, I enabled traffic logging on the router and noticed a lot of bandwidth going out over port 25. In a few days, 2GB and we don't e-mail that much. We have 4 active workstations that maybe send 3 to 10 e-mails a day, but nothing to add up to 2GB. So I reset the log and in a matter of minutes over 30MB was transferred over port 25. The log shows it originating from the server's IP address.

I checked the message tracking centre in Exchange and I only see e-mails we've sent, no e-mails are showing up in there that are not recognized. There is nothing in our queues either. So perhaps, it may not be the server itself? I am running Microsoft's Malicious Software Removal Tool on our server right now.

We use DHCP and all our workstations point to the server's IP for DNS, DHCP and WINS. The default gateway is the router's IP.

I've previously run scans on the workstations and so far they've come up clean. I'm running them again now.

I could really use some assistance here to track down what is happening. I certainly don't want our system firing out spam or otherwise. I'm not an expert, I know my way around but don't worry about insulting me by explaining in detail any steps I should take to help find the source of the problem.

Thank you all.
Asked by: emgee11
Ernie Beek (Expert) commented:
You first might want to check if your server isn't relaying: http://www.mxtoolbox.com/diagnostic.aspx
emgee11 (Author) commented:
@erniebeek:

Thanks for the suggestion. I've tried that too and just tried it again, but only get the following message:

Timeout occurred due to inactivity.
2/24/2011 10:12:38 AM Connection attempt #1 - Timeout occurred due to inactivity. [16.21 sec]

I entered the external IP address assigned to the router. Not entirely clear if that means we're good to go or not. I assume it does since it couldn't connect?
emgee11 (Author) commented:
I also ran the port scan at mxtoolbox.com and it showed the following ports as being closed:

21, 22, 23, 25, 53, 80, 110, 143, 139, 389, 443, 587, 1352, 1433, 3306, 3389, 8080
Ernie Beek (Expert) commented:
Well, it depends on how things are set up. Mail for your domain should be delivered at your mailserver. So on the internet when I want to send a mail to you@yourdomain.com, my mailserver looks up the MX record for yourdomain.com. DNS should then return something like mail.yourdomain.com which points to the IP address of your server. That doesn't necessarily have to be the public IP address of your router.

To make sure, do an MX lookup at http://www.mxtoolbox.com/ and just put in your domain there (that's everything behind the '@').
Amick commented:
You're having trouble because the qwinsta command is a server command, and not part of the Windows 7 distribution.  It did get shipped as part of a patch, so you may find it in  C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529, but it is not a completely operable version.
emgee11 (Author) commented:
@erniebeek:

Ok, we have a 'weird' setup. We use Exchange to send e-mails out, but use a POP3 connector (iGetMail) to pull down our e-mail from our ISP's mail server. So when people reply to us our ISP's servers receive the e-mail and our connector polls every 5 minutes to pull them down to Exchange (and leaves it on the ISP as well).

It works very well for us, we have backup access to e-mail should anything happen to our Exchange/SBS box and have easy remote access. We have internal e-mail and common e-mail folders for shared e-mail accounts such as "info", "support", etc.

If I put in our domain it will resolve to our ISP's mail servers. Our external IP address is set up for reverse DNS so that mails sent from our Exchange box don't have issues being received. I have set up SPF records for our IP address too. I hope that makes some sense.

emgee11 (Author) commented:
@amitkulshrestha

I will install it and check it out. Any information from it I can post to help?
Amit (IT Architect) commented:
You need to follow this http://support.microsoft.com/kb/148942
Amick commented:
*** I misposted the response regarding qwinsta to this question. My apologies to all. ***

Moderator: please remove my comments on this question.
arnold commented:
Here is what you can try.
Presumably your internal systems are configured to send emails through your local exchange server.

You can configure your outgoing rules on the sonicwall to limit which systems can send out emails.
i.e. limit outgoing port 25 connections to the exchange server.
Log the denies for outgoing port 25 and see whether that counter increments.  The other possibility is that you are getting spammed.  When you pop the messages and the server sees email messages for recipients that do not exist, it generates a non-delivery response message to the sender of the message.
Enable exchange logging and see what is going on if the port 25 restriction did not reveal a culprit i.e. a system that may have been compromised by a virus/bot, etc. that is being used to send out spam.
emgee11 (Author) commented:
@arnold:

Ok, I created two rules. One that says our server's internal LAN IP can send to any IP on the WAN on SMTP (25). And a second rule that denies LAN IPs from x.x.x.3 thru x.x.x.255 from transmitting on port 25 to the WAN.

I have "Subject Logging and Display" enabled, as well as "Message Tracking" enabled. Is that what needs to be enabled?
Amit (IT Architect) commented:
Subject logging will help to trace down from where the emails are coming.
dexIT commented:
emgee11 (Author) commented:
@dexIT:

Yep I just did. Our local SBS box did have an open relay. I just closed that up in case we do have some internal malware that was exploiting that.

I do not see anything in the logs indicating that an authenticated user is relaying.

I followed the instructions here:
http://www.amset.info/exchange/spam-cleanup.asp

I assume the open relay would only be an issue for us if it is malware internal on our LAN because port 25 is closed on our router.
emgee11 (Author) commented:
We've had message logging on our Exchange server. If I go to the Message Tracking Centre I do not see any messages in there that look suspect. Everything I can account for.

However, my Sonicwall TZ170 shows that we've sent 400MB of data via port 25 originating from our SBS box in the last 3 hours. There is no way we've sent that much in e-mail.
emgee11 (Author) commented:
@amitkulshrestha:

I'm running the Microsoft Network Monitor. To be honest I'm not entirely certain what I should be looking for. However, I do not see any conversations??? on port 25.

I have it installed on my workstation and am looking at its conversations as well as under "Other Traffic".
dexIT commented:
Do you have any network devices, such as a printer which could email PDFs, etc?
emgee11 (Author) commented:
@dexIT:

Yes we do, but those have all been disabled at the device level and WAN access for those IPs blocked on the router as well.
emgee11 (Author) commented:
An update: The Microsoft Malicious Software Tool completed without finding any infected files.
Amit (IT Architect) commented:
Hi emgee11,

In Exchange 2003 mail flow happens like this. A size conversion also happens. It is normal that a 10 MB attachment can become 12 MB during conversion, thanks to the MIME part. I really do see 400MB is very huge traffic.

1 MAPI client sends a message to a remote recipient
2 Information Store (Store.exe) receives the message
3 The created MailMsg object is forwarded to the Advanced Queue Engine (AQE)
4 The Message Categorizer from the AQE processes the MailMsg object and splits it into MIME or RTF as necessary
5 The Message Categorizer expands groups and checks defined Message limits on Exchange
6 The MailMsg object is then transferred to the Remote Destination Domain within the AQE
7 The AQE passes the destination address to the Exchange Routing Engine. SMTP initiates an SMTP session with the remote SMTP host
8 After the SMTP session with the remote host has been established, the information store retrieves the body of the message and converts the message as necessary
9 SMTP sends the Message from the Queue to the Remote Host
emgee11 (Author) commented:
Update: one thing I'm seeing on my router is my server is sending out on port 43137 to port 25 at another IP address. It sends about 6MB or so, then the listing disappears and another connection starts up. So far, all the destination IP addresses resolve to yahoo.com (doing lookups I see mta-v2.mail.vip.mud.yahoo.com, mta-v1.mail.vip.ac4.yahoo.com, etc.).

Perhaps I have a hung-up outbound message that keeps trying to deliver itself???
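The two checks this thread turns on, arnold's "only the Exchange server may talk to port 25" rule and the repeated same-size connections to one remote MX seen on the router above, written up as an added example (not code from the thread or from SonicWall). It parses constructed firewall-style log lines in a made-up layout (not the TZ170's real format), lists hosts other than the assumed mail server 192.168.1.2 that open port-25 sessions, and flags source/destination pairs whose port-25 sessions keep repeating at nearly the same byte count, which is what one stuck 6MB message being redelivered looks like.

```python
from collections import defaultdict, namedtuple

# Constructed sample in a simple "time src:port dst:port bytes" layout (not the
# TZ170's real log format); RFC 5737 addresses stand in for the remote MX hosts.
SAMPLE_LOG = """\
10:01:02 192.168.1.2:43137 203.0.113.25:25 6291456
10:01:45 192.168.1.2:43140 203.0.113.25:25 6300112
10:02:30 192.168.1.2:43151 203.0.113.25:25 6295001
10:02:44 192.168.1.2:43160 198.51.100.44:25 18240
10:03:10 192.168.1.2:43162 203.0.113.25:25 6288003
10:03:12 192.168.1.57:51200 198.51.100.9:25 22031
"""

Conn = namedtuple("Conn", "ts src dst dport nbytes")

def parse_log(text):
    """Parse the constructed log lines into Conn records; skip malformed lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, _ = parts[1].rsplit(":", 1)
        dst, dport = parts[2].rsplit(":", 1)
        conns.append(Conn(parts[0], src, dst, int(dport), int(parts[3])))
    return conns

def policy_violations(conns, mail_server):
    """Hosts other than the mail server opening port-25 sessions: anything here
    is what the SonicWall deny rule should be blocking and logging."""
    return sorted({c.src for c in conns if c.dport == 25 and c.src != mail_server})

def retry_loops(conns, min_repeats=3, tolerance=0.05):
    """(src, dst) pairs with >= min_repeats port-25 sessions of near-identical
    size: the signature of one message being redelivered again and again."""
    by_pair = defaultdict(list)
    for c in conns:
        if c.dport == 25:
            by_pair[(c.src, c.dst)].append(c.nbytes)
    loops = {}
    for pair, sizes in by_pair.items():
        if len(sizes) < min_repeats:
            continue
        median = sorted(sizes)[len(sizes) // 2]
        close = [s for s in sizes if abs(s - median) <= tolerance * median]
        if len(close) >= min_repeats:
            loops[pair] = (len(close), median, sum(close))
    return loops
```

On the sample, the only policy violation is the workstation 192.168.1.57, and the only retry loop is the four ~6MB sessions from the server to 203.0.113.25; a real run would feed the router's exported log through `parse_log` after adapting the field layout.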
Amit (IT Architect) commented:
If possible, stop and start the SMTP from ESM.
Amit (IT Architect) commented:
Or keep it stopped and see if you still see the traffic.
emgee11 (Author) commented:
In the queue there is an SMTP connector for Yahoo.ca; I've frozen it for now.

I no longer see the connections opening on the router to the yahoo IPs. It was continuous while I was refreshing. It sent about 6MB, then a new connection would open and start sending another 6MB. This is an e-mail we did send with around 6MB in attachments.

How can I go about stopping this e-mail from retrying?

Thanks all so far, been learning a lot again!
Ernie Beek (Expert) commented:
Just checking in, but it looks like you're getting there :)

For your last question, perhaps this might help: http://support.microsoft.com/kb/822944

Good luck.
emgee11 (Author) commented:
@all:

Looks like the problem has been resolved!

It was an e-mail that wasn't being accepted by a Yahoo.ca account but Exchange kept trying and retrying. It was 6MB in size and would easily account for all that data seen over port 25. Since freezing the queue and deleting the message (with NDR) our internet connection has been smooth and I've only seen 47KB in data transfer over port 25, which is normal for us.

Phew! Still not fun but better than it being malware and relaying spam and ticking off many people.

Thank you everyone who contributed, I learnt a lot today. I'm going to distribute the points across those who helped.
emgee11 (Author) commented:
Awarding points for all the instructional information, tips and pointers to tools and articles that helped me in tracking down the problem.
Ernie Beek (Expert) commented:
Good job!

And thx for your points, glad it's resolved.