With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?
Solved
possible infected spam server? trying to track down what is sending out spam
Posted on 2011-03-10
I am running exchange 2003 sp2 and have barracuda spam filter filtering inbound and outbound.
pop3
imap
rpc/http is enabled
i have a situation where spam is being sent by my servers. The ip in the headers are from a foregin country. They are somehow connecting to my email server and sending out spam.
could it be possible that one of my pop/imap users is infected with a virus and authenticating and then seding out spam?
how can i find the offending users.
I turned up loggin on pop3 and imap but do not see the offending ip anywhere.
need help in tracking down the offending user. or can it be my server has a security hole?
i am blocking the spam going outbound from the spam filter but need to get to the bottom
why its sending out.
Thanks in advance
X-ASG-Debug-ID: 1299760893-00f14f5fb10f8d0
X-Barracuda-Envelope-From:
Received: from User ([207.194.87.105]) by server1.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 10 Mar 2011 07:41:33 -0500
Reply-To: dtglvl@tvdirectsat.tv
X-Barracuda-Apparent-Sourc
X-Barracuda-BBL-IP: 207.194.87.105
X-Barracuda-RBL-IP: 207.194.87.105
From: Online TV Software<dtglvl@tvdirectsa
Subject: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Date: Thu, 10 Mar 2011 14:41:27 +0200
X-ASG-Orig-Subj: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
pop3
imap
rpc/http is enabled
i have a situation where spam is being sent by my servers. The ip in the headers are from a foregin country. They are somehow connecting to my email server and sending out spam.
could it be possible that one of my pop/imap users is infected with a virus and authenticating and then seding out spam?
how can i find the offending users.
I turned up loggin on pop3 and imap but do not see the offending ip anywhere.
need help in tracking down the offending user. or can it be my server has a security hole?
i am blocking the spam going outbound from the spam filter but need to get to the bottom
why its sending out.
Thanks in advance
X-ASG-Debug-ID: 1299760893-00f14f5fb10f8d0
X-Barracuda-Envelope-From:
Received: from User ([207.194.87.105]) by server1.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 10 Mar 2011 07:41:33 -0500
Reply-To: dtglvl@tvdirectsat.tv
X-Barracuda-Apparent-Sourc
X-Barracuda-BBL-IP: 207.194.87.105
X-Barracuda-RBL-IP: 207.194.87.105
From: Online TV Software<dtglvl@tvdirectsa
Subject: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Date: Thu, 10 Mar 2011 14:41:27 +0200
X-ASG-Orig-Subj: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
3-
2
5 Comments
Active 1 day ago
You are more than likely an authenticated relay and thus this will be bypassing your Barracuda device as it is being allowed through because of authentication.
Please have a read of my article for details of what to do:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
Please have a read of my article for details of what to do:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
so far so good, i think i found the user account. I will give it a day and see if its the one.
Do you normally turn off logging after? isnt this something that should be on all the time to send to a log server?
Do you normally turn off logging after? isnt this something that should be on all the time to send to a log server?
Active 1 day ago
Yes - once all has died down - return the logging back to normal otherwise your logs will fill up with not very useful info.
You can have it on all the time if you like, but you may then miss useful log info as they drop off the end of the logs so I would turn it off and only turn it on again if you need to.
You might want to have a read of my two blog entries for some more useful info:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
You can have it on all the time if you like, but you may then miss useful log info as they drop off the end of the logs so I would turn it off and only turn it on again if you need to.
You might want to have a read of my two blog entries for some more useful info:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
- IT Administration
- Hardware Firewalls
- Cybersecurity
- Network Management
- Network Security
- WatchGuard, Security
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Recipients >> Contact ta…
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Servers >> Data…
Suggested Courses
Course of the Month14 days, 7 hours left to enroll
649 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.