• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1886

Kerio Mail Server 7.1 sending vast quantities of spam

Good evening all

I'm trying to discover what is making a Kerio Mail Server installation, running on a Windows 2008 R2 Standard Edition server, send out huge quantities of spam. Fortunately the ISP blocked this sudden flood before the mail server started appearing on RBLs, but it was probably a close thing.
I've temporarily blocked outgoing traffic on port 25 at the firewall and deleted over 80,000 messages from its message queue; as I reached the last couple of hundred I found that spam was being produced more quickly than I could delete it, at least from within Kerio Mail.

(A side question here - is it safe to delete the contents of the Queue folder in the Kerio installation using Windows Explorer? That would be much quicker than the miserable speed of Kerio's own web interface).

Also, while Kerio was running, the W2K8 server was generally very sluggish when opening other browser windows or Task Manager; however, when I turned off the Kerio server, performance returned to normal.
I've run a virus scan with Eset AV 4.2.71 and Malwarebytes, which came up clean. I've studied the processes tab in Task Manager until my eyes crossed, and done similar with Process Explorer from Sysinternals, without finding anything unusual. I've run open relay tests on the server that have been passed without problems. Netstat shows that the destination IP address that much of this spam appears to be directed towards is, according to RIPE, located in Baghdad!

How can I discover the hidden process that is causing this behaviour? The server itself is a basic HP pedestal server with a RAID array, so I can't just remove its storage and mount it in a USB enclosure to gain full access to all the files on it.

This is fairly urgent, as tomorrow will be the second day without email...
Asked by: Perarduaadastra
1 Solution
 
BudDurland commented:
I would try the simple stuff first.  Make sure your server is not an open relay in the SMTP server settings.  In Kerio, you can turn on logging of all inbound and outbound SMTP traffic.  An examination of this should show where the traffic is coming from, whether the server itself, an errant workstation, or an outside user that has compromised one of your user mail accounts.
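The log examination BudDurland describes can be scripted once logging is on. The following is an added example and not Kerio's code or anything from the original thread: it assumes a simplified one-line-per-accepted-message format (client IP, authenticated user or "none", sender, recipient) that was made up for the example, so `LINE_RE` would need adapting to the real log. `SAMPLE_LOG` is a constructed sample, not a capture from the affected server. It separates the three cases in the answer above: an unauthenticated host pushing volume (infected machine or relay abuse) versus an authenticated account doing so (stolen credentials).

```python
"""Triage SMTP log lines to see where an outbound flood originates.

Added example, not Kerio's code. The log format below is a simplified one
assumed for the example (one line per accepted message carrying the client
IP, the authenticated user or 'none', sender and recipient); adapt LINE_RE to
the real log before use. SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Recv: from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
    r" client=(?P<client>[0-9A-Fa-f.:]+) auth=(?P<auth>\S+)$"
)

# Constructed sample: two normal users, one unauthenticated host hammering
# the server (10.20.30.40) and one account (bob) sending from outside.
SAMPLE_LOG = """\
[12/Jan/2011 19:02:11] Recv: from=<alice@example.com> to=<bob@partner.example> client=192.168.1.10 auth=alice
[12/Jan/2011 19:02:15] Recv: from=<sales@example.com> to=<x1@victim.example> client=10.20.30.40 auth=none
[12/Jan/2011 19:02:15] Recv: from=<sales@example.com> to=<x2@victim.example> client=10.20.30.40 auth=none
[12/Jan/2011 19:02:16] Recv: from=<info@example.com> to=<x3@victim.example> client=10.20.30.40 auth=none
[12/Jan/2011 19:02:16] Recv: from=<sales@example.com> to=<x4@victim.example> client=10.20.30.40 auth=none
[12/Jan/2011 19:02:17] Recv: from=<carol@example.com> to=<dave@example.com> client=192.168.1.22 auth=carol
[12/Jan/2011 19:02:17] Recv: from=<info@example.com> to=<x5@victim.example> client=10.20.30.40 auth=none
[12/Jan/2011 19:02:18] Recv: from=<bob@example.com> to=<y1@victim.example> client=203.0.113.7 auth=bob
[12/Jan/2011 19:02:18] Recv: from=<bob@example.com> to=<y2@victim.example> client=203.0.113.7 auth=bob
[12/Jan/2011 19:02:19] Recv: from=<bob@example.com> to=<y3@victim.example> client=203.0.113.7 auth=bob
[12/Jan/2011 19:02:19] Recv: from=<bob@example.com> to=<y4@victim.example> client=203.0.113.7 auth=bob
this line is not in the expected format and is skipped
"""


def parse_lines(text):
    """Return one dict per line that matches LINE_RE; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def triage(text, min_messages=3, share=0.25):
    """Flag clients that sent at least `min_messages` and at least `share`
    of all accepted messages, and say whether the traffic was authenticated.

    Unauthenticated volume points at a host (infected machine or relay abuse);
    authenticated volume points at the account, i.e. stolen credentials.
    """
    recs = parse_lines(text)
    total = len(recs)
    by_client = Counter(r["client"] for r in recs)
    auth_by_client = defaultdict(Counter)
    rcpts_by_client = defaultdict(set)
    for r in recs:
        auth_by_client[r["client"]][r["auth"]] += 1
        rcpts_by_client[r["client"]].add(r["rcpt"])

    findings = []
    for client, n in by_client.most_common():
        if n < min_messages or n / total < share:
            continue
        accounts = sorted(a for a in auth_by_client[client] if a != "none")
        if accounts:
            kind = "authenticated as " + ", ".join(accounts) + " (possible compromised account)"
        else:
            kind = "unauthenticated (infected host or relay abuse)"
        findings.append({
            "client": client,
            "messages": n,
            "distinct_recipients": len(rcpts_by_client[client]),
            "kind": kind,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['client']:>15}  {f['messages']:>4} msgs  "
              f"{f['distinct_recipients']:>4} rcpts  {f['kind']}")
```

On a real flood of tens of thousands of messages the offending client or account stands out immediately; the `share` threshold is there so that a busy but legitimate internal host is not flagged on a quiet day. Blocking the client IP or resetting the flagged account's password is the next step, whichever case applies.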
 
Davis McCarn (Owner) commented:
Get a copy of Nirsoft's Current Ports so you can inspect the active TCP/UDP port listing to see who is feeding you the spam: http://www.nirsoft.net/utils/cports.html  With it you can also kill the processes and identify the remote IP address.
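The same inspection can be done from the built-in `netstat -ano` output when no third-party tool can be installed on the server. The script below is an added example, not part of the original thread and not Nirsoft's CurrPorts: it maps outbound SMTP connections to the process that owns them, so that a process other than the mail server talking to port 25 stands out. `SAMPLE_NETSTAT` is a constructed sample in the Windows `netstat -ano` layout, and `MTA_PID` (1840) is an assumed value for the mail server's PID as read from Task Manager.

```python
"""Find which process owns outbound SMTP connections from 'netstat -ano' output.

Added example, not part of the original thread or of Nirsoft's CurrPorts; it
does by script what CurrPorts shows interactively. Run 'netstat -ano' on the
Windows server and feed the output to parse_netstat(). SAMPLE_NETSTAT is a
constructed sample, and MTA_PID (1840) is assumed to be the mail server's PID
as read from Task Manager.
"""
from collections import Counter, defaultdict

SMTP_PORTS = {25, 465, 587}
MTA_PID = 1840  # assumption: the mail server process, looked up in Task Manager

# Constructed sample in Windows 'netstat -ano' layout (IPv4 and IPv6 mixed).
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1840
  TCP    192.168.1.5:25         10.20.30.40:50123      ESTABLISHED     1840
  TCP    192.168.1.5:49200      198.51.100.9:25        ESTABLISHED     1840
  TCP    192.168.1.5:49201      198.51.100.9:25        ESTABLISHED     1840
  TCP    192.168.1.5:49202      203.0.113.55:25        SYN_SENT        1840
  TCP    192.168.1.5:49300      192.0.2.77:25          ESTABLISHED     3320
  TCP    192.168.1.5:49301      192.0.2.77:25          ESTABLISHED     3320
  TCP    192.168.1.5:3389       192.168.1.10:51000     ESTABLISHED     900
  TCP    [::]:25                [::]:0                 LISTENING       1840
  UDP    0.0.0.0:53             *:*                                    1100
"""


def split_endpoint(ep):
    """'192.0.2.1:25' -> ('192.0.2.1', 25); '[::]:25' -> ('::', 25); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse the TCP/UDP rows of Windows 'netstat -ano'; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return rows


def outbound_smtp_by_pid(rows):
    """{pid: Counter(remote host -> connection count)} for outbound SMTP sockets."""
    per_pid = defaultdict(Counter)
    for r in rows:
        if r["proto"] == "TCP" and r["rport"] in SMTP_PORTS and r["state"] != "LISTENING":
            per_pid[r["pid"]][r["rhost"]] += 1
    return dict(per_pid)


def inbound_smtp_clients(rows):
    """Counter of remote hosts currently connected to our own SMTP listener."""
    return Counter(r["rhost"] for r in rows
                   if r["proto"] == "TCP" and r["lport"] in SMTP_PORTS
                   and r["state"] == "ESTABLISHED")


def suspect_pids(rows, mta_pid=MTA_PID):
    """PIDs other than the mail server that hold outbound SMTP connections.

    The MTA is expected to talk to port 25; any other process doing so is a
    candidate for malware sending directly. If only the MTA appears, the spam
    is being injected through it, and inbound_smtp_clients() shows by whom.
    """
    return sorted(pid for pid in outbound_smtp_by_pid(rows) if pid != mta_pid)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, remotes in sorted(outbound_smtp_by_pid(rows).items()):
        tag = "mail server" if pid == MTA_PID else "SUSPECT"
        print(f"PID {pid} ({tag}): {dict(remotes)}")
    print("clients on our SMTP listener:", dict(inbound_smtp_clients(rows)))
```

Two outcomes are worth distinguishing. If a PID other than the mail server shows up with outbound port-25 sockets, that PID is the thing to look at in Process Explorer (image path, parent, signature). If only the mail server's PID appears, as in the case in this thread, the malware is not on the server at all; the spam is being submitted to it, and the hosts listed by `inbound_smtp_clients()` are where to look next.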
 
Perarduaadastra (Author) commented:
I will have to return to the site before I can check the logging on the Kerio server, which won't be until later this week. I'll report back then on what I find.

I'll run the cports utility at the same time and see what it comes up with.

Thanks for the input so far.
 
Sudeep Sharma (Technical Designer) commented:
First thing I would check is whether your email server is acting as an open relay or not. To do this, check with any of the following links:

http://www.checkor.com/

http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

If you find that your server's IP is an open relay, then you may need to fix that first.

Sudeep
 
Perarduaadastra (Author) commented:
Sorry for the delay in returning to this question.

Checking for open relay was the first thing I did, as it's simple and quick, and all was in order.

I didn't realise that logging in Kerio could show incoming connections; this enabled me to pinpoint an infected client computer that was actually on another site. This was dealt with, and the SMTP port was changed from 25 to 587 at the request of the ISP.

This seems to have fixed it, as there hasn't been a recurrence since these things were done.

Therefore it seems that BudDurland gets the points; DavisMcCarn's suggestion has given me another excellent tool to use, but I had discovered the cause of the problem before I actually used it.

If anyone disagrees with this summary please let me know in the next day or two, or I'll award the points and close the question.
Question has a verified solution.