asked on
possible infected spam server? trying to track down what is sending out spam
I am running exchange 2003 sp2 and have barracuda spam filter filtering inbound and outbound.
pop3
imap
rpc/http is enabled
i have a situation where spam is being sent by my servers. The ip in the headers are from a foregin country. They are somehow connecting to my email server and sending out spam.
could it be possible that one of my pop/imap users is infected with a virus and authenticating and then seding out spam?
how can i find the offending users.
I turned up loggin on pop3 and imap but do not see the offending ip anywhere.
need help in tracking down the offending user. or can it be my server has a security hole?
i am blocking the spam going outbound from the spam filter but need to get to the bottom
why its sending out.
Thanks in advance
X-ASG-Debug-ID: 1299760893-00f14f5fb10f8d0
X-Barracuda-Envelope-From:
Received: from User ([207.194.87.105]) by server1.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 10 Mar 2011 07:41:33 -0500
Reply-To: dtglvl@tvdirectsat.tv
X-Barracuda-Apparent-Sourc
X-Barracuda-BBL-IP: 207.194.87.105
X-Barracuda-RBL-IP: 207.194.87.105
From: Online TV Software<dtglvl@tvdirectsa
Subject: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Date: Thu, 10 Mar 2011 14:41:27 +0200
X-ASG-Orig-Subj: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
pop3
imap
rpc/http is enabled
i have a situation where spam is being sent by my servers. The ip in the headers are from a foregin country. They are somehow connecting to my email server and sending out spam.
could it be possible that one of my pop/imap users is infected with a virus and authenticating and then seding out spam?
how can i find the offending users.
I turned up loggin on pop3 and imap but do not see the offending ip anywhere.
need help in tracking down the offending user. or can it be my server has a security hole?
i am blocking the spam going outbound from the spam filter but need to get to the bottom
why its sending out.
Thanks in advance
X-ASG-Debug-ID: 1299760893-00f14f5fb10f8d0
X-Barracuda-Envelope-From:
Received: from User ([207.194.87.105]) by server1.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 10 Mar 2011 07:41:33 -0500
Reply-To: dtglvl@tvdirectsat.tv
X-Barracuda-Apparent-Sourc
X-Barracuda-BBL-IP: 207.194.87.105
X-Barracuda-RBL-IP: 207.194.87.105
From: Online TV Software<dtglvl@tvdirectsa
Subject: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Date: Thu, 10 Mar 2011 14:41:27 +0200
X-ASG-Orig-Subj: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Email ProtocolsExchangeIT Administration
Last Comment
Alan Hardisty
ASKER CERTIFIED SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Yes - once all has died down - return the logging back to normal otherwise your logs will fill up with not very useful info.
You can have it on all the time if you like, but you may then miss useful log info as they drop off the end of the logs so I would turn it off and only turn it on again if you need to.
You might want to have a read of my two blog entries for some more useful info:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
You can have it on all the time if you like, but you may then miss useful log info as they drop off the end of the logs so I would turn it off and only turn it on again if you need to.
You might want to have a read of my two blog entries for some more useful info:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
ASKER
Thanks for you expertise.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
You are welcome - glad I was able to help and sort your problem out.
Thanks for the points.
Alan
Thanks for the points.
Alan
Do you normally turn off logging after? isnt this something that should be on all the time to send to a log server?