Solved

Abnormal traffic on port 25

Posted on 2011-02-24
792 Views
Last Modified: 2012-08-14
Hi All.

We are running the following:

Microsoft Small Business Server Premium 2003
Sonicwall TZ170 Router
Workstations are all Windows XP SP3

Over the past few weeks we've noticed our internet connection has been pokey from time-to-time. I checked out the hardware, but everything appears to be good. Spoke with my ISP and tested stuff with them and no issues there.

So, I enabled traffic logging on the router and noticed a lot of bandwidth going out over port 25. In a few days, 2GB and we don't e-mail that much. We have 4 active workstations that maybe send 3 to 10 e-mails a day, but nothing to add up to 2GB. So I reset the log and in a matter of minutes over 30MB was transferred over port 25. The log shows it originating from the server's IP address.

I checked the message tracking centre in Exchange and I only see e-mails we've sent, no e-mails are showing up in there that are not recognized. There is nothing in our queues either. So perhaps, it may not be the server itself? I am running Microsoft's Malicious Software Removal Tool on our server right now.

We use DHCP and all our workstations point to the server's IP for DNS, DHCP and WINS. The default gateway is the router's IP.

I've previously run scans on the workstations and so far they've come up clean. I'm running them again now.

I could really use some assistance here to track down what is happening. I certainly don't want our system firing out spam or otherwise. I'm not an expert, I know my way around but don't worry about insulting me by explaining in detail any steps I should take to help find the source of the problem.

Thank you all.
Question by:emgee11
29 Comments
LVL 35

Expert Comment

by:Ernie Beek
ID: 34971235
You first might want to check if your server isn't relaying: http://www.mxtoolbox.com/diagnostic.aspx

Author Comment

by:emgee11
ID: 34971304
@erniebeek:

Thanks for the suggestion. I've tried that too and just tried it again, but only get the following message:

Timeout occurred due to inactivity.
2/24/2011 10:12:38 AM Connection attempt #1 - Timeout occurred due to inactivity. [16.21 sec]

I entered the external IP address assigned to the router. Not entirely clear if that means we're good to go or not. I assume it does since it couldn't connect?

Author Comment

by:emgee11
ID: 34971328
I also ran the port scan at mxtoolbox.com and it showed the following ports as being closed:

21, 22, 23, 25, 53, 80, 110, 143, 139, 389, 443, 587, 1352, 1433, 3306, 3389, 8080
LVL 35

Expert Comment

by:Ernie Beek
ID: 34971474
Well, it depends on how things are set up. Mail for your domain should be delivered to your mail server. So when I, somewhere on the internet, want to send a mail to you@yourdomain.com, my mail server looks up the MX record for yourdomain.com. DNS should then return something like mail.yourdomain.com, which points to the IP address of your server. That doesn't necessarily have to be the public IP address of your router.

To make sure, do an MX lookup at http://www.mxtoolbox.com/ and just put in your domain there (that's everything behind the '@').
LVL 12

Expert Comment

by:Amick
ID: 34971488
You're having trouble because the qwinsta command is a server command, and not part of the Windows 7 distribution.  It did get shipped as part of a patch, so you may find it in  C:\Windows\winsxs\amd64_microsoft-windows-t..commandlinetoolsmqq_31bf3856ad364e35_6.1.7600.16385_none_851e6308c5b62529, but it is not a completely operable version.
LVL 41

Expert Comment

by:Amit
ID: 34971562

Author Comment

by:emgee11
ID: 34971611
@erniebeek:

Ok, we have a 'weird' setup. We use Exchange to send e-mails out, but use a POP3 connector (iGetMail) to pull down our e-mail from our ISP's mail server. So when people reply to us, our ISP's servers receive the e-mail and our connector polls every 5 minutes to pull them down to Exchange (and leaves it on the ISP as well).

It works very well for us, we have backup access to e-mail should anything happen to our Exchange/SBS box and have easy remote access. We have internal e-mail and common e-mail folders for shared e-mail accounts such as "info", "support", etc.

If I put in our domain it will resolve to our ISP's mail servers. Our external IP address is set up for reverse DNS so that mails sent from our Exchange box don't have issues being received. I have set up SPF records for our IP address too. I hope that makes some sense.


Author Comment

by:emgee11
ID: 34971655
@amitkulshrestha

I will install it and check it out. Any information from it I can post to help?
LVL 41

Expert Comment

by:Amit
ID: 34971684
You need to follow this http://support.microsoft.com/kb/148942
LVL 12

Expert Comment

by:Amick
ID: 34971828
*** I misposted the response regarding qwinsta to this question. My apologies to all. ***

Moderator: please remove my comments on this question.
LVL 76

Assisted Solution

by:arnold
arnold earned 75 total points
ID: 34972054
Here is what you can try.
Presumably your internal systems are configured to send emails through your local exchange server.

You can configure your outgoing rules on the Sonicwall to limit which systems can send out emails, i.e. limit outgoing port 25 connections to the Exchange server.
Log the denies for outgoing port 25 and see whether that counter increments. The other possibility is that you are getting spammed. When you pop the messages and the server sees email messages for recipients that do not exist, it generates a non-delivery response message to the sender of the message.
Enable Exchange logging and see what is going on if the port 25 restriction did not reveal a culprit, i.e. a system that may have been compromised by a virus/bot, etc. that is being used to send out spam.

Author Comment

by:emgee11
ID: 34972334
@arnold:

Ok, I created two rules. One that says our server's internal LAN IP can send to any IP on the WAN on SMTP (25). And a second rule that denies LAN IPs from x.x.x.3 thru x.x.x.255 from transmitting on port 25 to the WAN.

I have "Subject Logging and Display" enabled, as well as "Message Tracking" enabled. Is that what needs to be enabled?
LVL 41

Expert Comment

by:Amit
ID: 34972426
Subject logging will help to trace down from where the emails are coming.
LVL 9

Assisted Solution

by:dexIT
dexIT earned 75 total points
ID: 34972633

Author Comment

by:emgee11
ID: 34972977
@dexIT:

Yep, I just did. Our local SBS box did have an open relay. I just closed that up in case we do have some internal malware that was exploiting that.

I do not see anything in the logs indicating that an authenticated user is relaying.

I followed the instructions here:
http://www.amset.info/exchange/spam-cleanup.asp

I assume the open relay would only be an issue for us if it is malware internal on our LAN because port 25 is closed on our router.

Author Comment

by:emgee11
ID: 34973005
We've had message logging on our Exchange server. If I go to the Message Tracking Centre I do not see any messages in there that look suspect. Everything I can account for.

However, my Sonicwall TZ170 shows that we've sent 400MB of data via port 25 originating from our SBS box in the last 3 hours. There is no way we've sent that much in e-mail.

Author Comment

by:emgee11
ID: 34973180
@amitkulshrestha:

I'm running the Microsoft Network Monitor. To be honest I'm not entirely certain what I should be looking for. However, I do not see any conversations??? on port 25.

I have it installed on my workstation and am looking at its conversations as well as under "Other Traffic".
LVL 9

Expert Comment

by:dexIT
ID: 34973267
Do you have any network devices, such as a printer which could email PDFs, etc?

Author Comment

by:emgee11
ID: 34973320
@dexIT:

Yes we do, but those have all been disabled at the device level and WAN access for those IPs blocked on the router as well.

Author Comment

by:emgee11
ID: 34973329
An update: The Microsoft Malicious Software Tool completed without finding any infected files.
LVL 41

Expert Comment

by:Amit
ID: 34973566
Hi emgee11,

In Exchange 2003 mail flow happens like this. A size conversion also happens. It is normal that a 10 MB attachment can become 12 MB during conversion, thanks to the MIME part. I really do see that 400 MB is very huge traffic.

1 MAPI client sends a message to a remote recipient
2 Information Store (Store.exe) receives the message
3 The created MailMsg object is forwarded to the Advanced Queue Engine (AQE)
4 The Message Categorizer from the AQE processes the MailMsg object and splits it into MIME or RTF as necessary
5 The Message Categorizer expands groups and checks defined Message limits on Exchange
6 The MailMsg object is then transferred to the Remote Destination Domain within the AQE
7 The AQE passes the destination address to the Exchange Routing Engine
SMTP initiates an SMTP session with the remote SMTP host
8 After the SMTP session with the remote host has been established, the information store retrieves the body of the message and converts the message as necessary
9 SMTP sends the Message from the Queue to the Remote Host

Author Comment

by:emgee11
ID: 34973634
Update: one thing I'm seeing on my router is my server is sending out on port 43137 to port 25 at another IP address. It sends about 6MB or so, then the listing disappears and another connection starts up. So far, all the destination IP addresses resolve to yahoo.com (doing lookups I see mta-v2.mail.vip.mud.yahoo.com, mta-v1.mail.vip.ac4.yahoo.com, etc.).

Perhaps I have a hung-up outbound message that keeps trying to deliver itself???
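The two checks suggested in this thread (arnold's "log the denies for outgoing port 25" and the author's spotting of one source re-opening ~6MB connections to the same MX) can be automated over a firewall traffic log. The following is an added example, not code from the thread or from SonicWall; it assumes a hypothetical `key=value` log format rather than the TZ170's own, a made-up mail server address, and constructed sample lines.

```python
# Added example (not from the thread): triage outbound port-25 flows from a
# firewall log. Uses a hypothetical "key=value" line format, NOT the TZ170's
# own log format, and constructed sample lines. It flags the two patterns the
# thread describes: denied direct-to-Internet SMTP from non-mail-server hosts
# (bot indicator) and one source repeatedly pushing a large, same-size payload
# to the same destination (a stuck message retrying delivery).
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.2"             # assumed LAN address of the SBS/Exchange box
BYTES_PER_CONN_ALERT = 5 * 1024 * 1024  # ~5 MB per connection, as seen in the thread
REPEAT_ALERT = 3                        # connections to one destination before alerting

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
                     r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)")

SAMPLE_LOG = """\
action=allow src=192.168.1.2:43137 dst=203.0.113.10:25 bytes=6291456
action=allow src=192.168.1.2:43138 dst=203.0.113.10:25 bytes=6291456
action=allow src=192.168.1.2:43139 dst=203.0.113.10:25 bytes=6291456
action=allow src=192.168.1.2:43140 dst=203.0.113.20:25 bytes=48000
action=deny src=192.168.1.37:51022 dst=198.51.100.5:25 bytes=0
action=deny src=192.168.1.37:51023 dst=198.51.100.6:25 bytes=0
action=allow src=192.168.1.2:43141 dst=203.0.113.30:443 bytes=900000
"""  # constructed sample, not real traffic

def parse_smtp(log_text):
    """Yield parsed records for port-25 lines; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("dport") == "25":
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec

def triage(log_text):
    """Return (denied_sources, stuck_flows).
    denied_sources: {src: count} of denied port-25 attempts from hosts other
    than MAIL_SERVER. stuck_flows: [(src, dst, connections, total_bytes)] where
    one source opened >= REPEAT_ALERT connections to the same MX, each moving
    >= BYTES_PER_CONN_ALERT bytes, the signature of a message being retried."""
    denied = defaultdict(int)
    flows = defaultdict(list)          # (src, dst) -> bytes per connection
    for rec in parse_smtp(log_text):
        if rec["action"] == "deny" and rec["src"] != MAIL_SERVER:
            denied[rec["src"]] += 1
        elif rec["action"] == "allow":
            flows[(rec["src"], rec["dst"])].append(rec["bytes"])
    stuck = [(s, d, len(b), sum(b)) for (s, d), b in flows.items()
             if len(b) >= REPEAT_ALERT and min(b) >= BYTES_PER_CONN_ALERT]
    return dict(denied), stuck
```

A denied entry points at a workstation that should be scanned; a stuck flow points at the Exchange queue for that destination domain, which is where the thread's culprit turned up.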
LVL 41

Accepted Solution

by:
Amit earned 200 total points
ID: 34973653
If possible, stop and start the SMTP from ESM.
LVL 41

Expert Comment

by:Amit
ID: 34973660
Or keep it STOPPED and see if you still see the traffic.

Author Comment

by:emgee11
ID: 34973829
In the queue there is an SMTP connector for Yahoo.ca; I've frozen it for now.

I no longer see the connections opening on the router to the Yahoo IPs. It was continuous while I was refreshing. It sent about 6MB, then a new connection would open and start sending another 6MB. This is an e-mail we did send with around 6MB in attachments.

How can I go about stopping this e-mail from retrying?

Thanks all so far, been learning a lot again!
LVL 35

Assisted Solution

by:Ernie Beek
Ernie Beek earned 150 total points
ID: 34974364
Just checking in, but it looks like you're getting there :)

For your last question, perhaps this might help: http://support.microsoft.com/kb/822944

Good luck.

Author Comment

by:emgee11
ID: 34974667
@all:

Looks like the problem has been resolved!

It was an e-mail that wasn't being accepted by a Yahoo.ca account but Exchange kept trying and retrying. It was 6MB in size and would easily account for all that data seen over port 25. Since freezing the queue and deleting the message (with NDR) our internet connection has been smooth and I've only seen 47KB in data transfer over port 25, which is normal for us.

Phew! Still not fun but better than it being malware and relaying spam and ticking off many people.

Thank you everyone who contributed, I learnt a lot today. I'm going to distribute the points across those who helped.

Author Closing Comment

by:emgee11
ID: 34974708
Awarding points for all the instructional information, tips and pointers to tools and articles that helped me in tracking down the problem.
LVL 35

Expert Comment

by:Ernie Beek
ID: 34974732
Good job!

And thx for your points, glad it's resolved.