Kerio Mail Server 7.1 sending vast quantities of spam
Posted on 2011-10-20
Good evening all,
I'm trying to discover what is making a Kerio Mail Server installation, running on a Windows 2008 R2 Standard Edition server, send out huge quantities of spam. Fortunately the ISP blocked this sudden flood before the mail server started appearing on RBLs, but it was probably a close thing.
I've temporarily blocked outgoing traffic on port 25 at the firewall and deleted over 80,000 messages from its message queue; as I reached the last couple of hundred I found that spam was being produced more quickly than I could delete it, at least from within Kerio Mail.
(A side question here - is it safe to delete the contents of the Queue folder in the Kerio installation using Windows Explorer? That would be much quicker than the miserable speed of Kerio's own web interface).
Also, while Kerio was running, the W2K8 server was generally very sluggish when opening other browser windows or Task Manager; however, when I turned off the Kerio server, performance returned to normal.
I've run a virus scan with ESET AV 4.2.71 and Malwarebytes, which came up clean. I've studied the processes tab in Task Manager until my eyes crossed, and done similar with Process Explorer from Sysinternals, without finding anything unusual. I've run open relay tests on the server that have been passed without problems. Netstat shows that the destination IP address that much of this spam appears to be directed towards is, according to RIPE, located in Baghdad!
How can I discover the hidden process that is causing this behaviour? The server itself is a basic HP pedestal server with a RAID array, so I can't just remove its storage and mount it in a USB enclosure to gain full access to all the files on it.
This is fairly urgent, as tomorrow will be the second day without email...
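Added example (not part of the original post, and not Kerio's own tooling): one way to answer the "which process is doing this?" question on a Windows Server 2008 R2 box is to join the per-connection PID that `netstat -ano` reports to the owning process's image path and command line via WMI. The script below assumes the remote port of interest is 25 (as in the post), that it runs in an elevated PowerShell 2.0 session, and uses only netstat.exe, Get-Process and Win32_Process, all of which ship with that OS. Any outbound SMTP connection whose owner is not the mail server's own binary in its install directory is the thing to look at first.

```powershell
# Added example: map outbound SMTP connections to their owning process.
# Assumes Windows Server 2008 R2, elevated PowerShell, remote port 25.
$targetPort = 25   # assumption: the post only mentions port 25

# Parse 'netstat -ano -p tcp'. Data lines look like:
#   TCP    10.0.0.5:49212    203.0.113.9:25    SYN_SENT    1234
$conns = netstat -ano -p tcp | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object {
    $f = ($_ -replace '^\s+', '') -split '\s+'
    $remote = $f[2]
    # Split on the LAST colon so bracketed IPv6 literals are handled too
    $idx = $remote.LastIndexOf(':')
    New-Object PSObject -Property @{
        LocalAddress = $f[1]
        RemoteHost   = $remote.Substring(0, $idx)
        RemotePort   = [int]$remote.Substring($idx + 1)
        State        = $f[3]
        OwnerPid     = [int]$f[4]
    }
}

# Keep only connections heading for the SMTP port; with outbound 25 blocked at
# the firewall these will mostly sit in SYN_SENT, which still carries the PID.
$smtp = $conns | Where-Object { $_.RemotePort -eq $targetPort }

# One row per owning process: image path, command line, connection count and
# the set of remote hosts it is trying to reach.
$report = $smtp | Group-Object OwnerPid | ForEach-Object {
    $procId = [int]$_.Name
    $proc   = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    New-Object PSObject -Property @{
        OwnerPid    = $procId
        Name        = $proc.Name
        Path        = $proc.ExecutablePath     # may be empty for protected/system processes
        CommandLine = $proc.CommandLine
        Connections = $_.Count
        RemoteHosts = ($_.Group | Select-Object -ExpandProperty RemoteHost | Sort-Object -Unique) -join ', '
    }
}

# Summary table first, then full detail (command line and remote hosts)
$report | Sort-Object Connections -Descending |
    Format-Table OwnerPid, Name, Connections, Path -AutoSize
$report | Format-List OwnerPid, Name, Path, CommandLine, RemoteHosts
```

Run it while the spam flood is in progress (or immediately after re-enabling outbound 25 for a few seconds) and compare each reported Path against the Kerio install directory; a mail-sending process living elsewhere, or a copy of a legitimate binary under a different path, is the lead to follow. Because this is a point-in-time snapshot, running it several times a minute apart catches short-lived senders that a single Task Manager view would miss.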