Solved
Kerio Mail Server 7.1 sending vast quantities of spam

Posted on 2011-10-20
1,774 Views
Last Modified: 2012-05-12
Good evening all

I'm trying to discover what is making a Kerio Mail Server installation, running on a Windows 2008 R2 Standard Edition server, send out huge quantities of spam. Fortunately the ISP blocked this sudden flood before the mail server started appearing on RBLs, but it was probably a close thing.
I've temporarily blocked outgoing traffic on port 25 at the firewall and deleted over 80,000 messages from its message queue; as I reached the last couple of hundred I found that spam was being produced more quickly than I could delete it, at least from within Kerio Mail.

(A side question here - is it safe to delete the contents of the Queue folder in the Kerio installation using Windows Explorer? That would be much quicker than the miserable speed of Kerio's own web interface).

Also, while Kerio was running, the W2K8 server was generally very sluggish when opening other browser windows or Task Manager; however, when I turned off the Kerio server, performance returned to normal.
I've run a virus scan with Eset AV 4.2.71 and Malwarebytes, which came up clean. I've studied the processes tab in Task Manager until my eyes crossed, and done similar with Process Explorer from Sysinternals, without finding anything unusual. I've run open relay tests on the server that have been passed without problems. Netstat shows that the destination IP address that much of this spam appears to be directed towards is, according to RIPE, located in Baghdad!

How can I discover the hidden process that is causing this behaviour? The server itself is a basic HP pedestal server with a RAID array, so I can't just remove its storage and mount it in a USB enclosure to gain full access to all the files on it.

This is fairly urgent, as tomorrow will be the second day without email...
Question by:Perarduaadastra
5 Comments
 
LVL 17

Accepted Solution

by:
BudDurland earned 2000 total points
ID: 37005660
I would try the simple stuff first.  Make sure your server is not an open relay in the SMTP server settings.  In Kerio, you can turn on logging of all inbound and outbound SMTP traffic.  An examination of this should show where the traffic is coming from, whether the server itself, an errant workstation, or an outside user that has compromised one of your user mail accounts.
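The triage BudDurland describes (turn on SMTP logging, then work out whether the flood comes from the server itself, a single workstation, or an account being used from somewhere it never was before) can be done mechanically once the log is in hand. The following is an added example, not code from the thread or from Kerio; the log line layout, the address ranges and the threshold are all assumptions chosen for illustration, and a real run would swap the regex for whatever the mail server actually writes.

```python
import re
from collections import Counter, defaultdict

# Addresses that mean "the mail server itself injected the message".
# Assumed for the example; substitute the server's real interface addresses.
LOCAL_ADDRS = {"127.0.0.1", "::1"}

# Line layout is an assumption for illustration, not Kerio's real format:
# timestamp, envelope sender, submitting client IP, authenticated account
# ("-" when no SMTP AUTH was used) and recipient.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] SMTP out: from=(?P<sender>\S+) ip=(?P<ip>\S+) "
    r"auth=(?P<auth>\S+) to=(?P<rcpt>\S+)$"
)


def build_sample_log():
    """Constructed sample log: two normal users, one flood from a workstation
    that only ever used bob's credentials, one flood reusing alice's
    credentials from an address alice never used before, and two locally
    generated messages. Addresses are documentation ranges."""
    lines = []

    def add(ip, auth, n):
        for i in range(n):
            lines.append(f"[20/Oct/2011 22:01:{i % 60:02d}] SMTP out: "
                         f"from=u{i}@example.com ip={ip} auth={auth} "
                         f"to=r{i}@example.net")

    add("192.0.2.10", "alice", 3)       # alice's normal desktop
    add("192.0.2.11", "carol", 2)       # carol's normal desktop
    add("192.0.2.23", "bob", 40)        # bob's PC, suddenly very busy
    add("198.51.100.7", "alice", 50)    # alice's password used from outside
    add("127.0.0.1", "-", 2)            # server-generated notifications
    return "\n".join(lines)


def parse_smtp_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(records, threshold=20):
    """Return {ip: verdict} for every client IP that submitted at least
    `threshold` messages. The verdicts follow the three cases in the answer
    above: the server itself, an unauthenticated outside client relaying
    through us, credentials used from more than one address (compromised
    account), or a single busy workstation."""
    records = list(records)
    per_ip = Counter(r["ip"] for r in records)
    auths_by_ip = defaultdict(set)
    ips_by_auth = defaultdict(set)
    for r in records:
        auths_by_ip[r["ip"]].add(r["auth"])
        if r["auth"] != "-":
            ips_by_auth[r["auth"]].add(r["ip"])

    verdicts = {}
    for ip, n in per_ip.items():
        if n < threshold:
            continue
        auths = auths_by_ip[ip]
        if ip in LOCAL_ADDRS:
            verdicts[ip] = "local process on the server"
        elif auths == {"-"}:
            verdicts[ip] = "unauthenticated relay from outside"
        elif any(len(ips_by_auth[a]) > 1 for a in auths if a != "-"):
            verdicts[ip] = "compromised account"
        else:
            verdicts[ip] = "errant workstation"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(parse_smtp_log(build_sample_log())).items():
        print(f"{ip:16} {verdict}")
```

The two verdicts that matter most differ in the response they call for: an "errant workstation" is cleaned or unplugged, whereas a "compromised account" needs its password changed (and any stored credentials on other devices updated) before the flood stops, regardless of which machine is sending.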
 
LVL 44

Expert Comment

by:Davis McCarn
ID: 37005915
Get a copy of Nirsoft's CurrPorts so you can inspect the active TCP/UDP port listing to see who is feeding you the spam: http://www.nirsoft.net/utils/cports.html  With it you can also kill the processes and identify the remote IP address.
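The same check CurrPorts gives in a GUI can be scripted from a saved `netstat -ano` listing (the built-in Windows command, which prints the owning PID for each socket) joined against the process list. This is an added example, not from the thread or from NirSoft: the netstat text, the PID-to-image map and the "expected sender" set are constructed for illustration; on a real server you would redirect `netstat -ano` and `tasklist` to files and feed those in.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output in the layout Windows prints.
# Addresses are documentation ranges; PIDs and remote hosts are invented.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1120
  TCP    192.0.2.5:25           192.0.2.10:51022       ESTABLISHED     1120
  TCP    192.0.2.5:49201        203.0.113.9:25         ESTABLISHED     1120
  TCP    192.0.2.5:49310        203.0.113.44:25        SYN_SENT        3376
  TCP    192.0.2.5:49311        203.0.113.45:25        SYN_SENT        3376
  TCP    192.0.2.5:49312        203.0.113.46:25        ESTABLISHED     3376
  TCP    192.0.2.5:49313        203.0.113.47:25        SYN_SENT        3376
  TCP    192.0.2.5:3389         192.0.2.50:50233       ESTABLISHED     912
  UDP    0.0.0.0:123            *:*                                    884
"""

# Constructed PID -> image name map, as `tasklist` would report it.
# "suspect.exe" is a placeholder name, not a real binary.
SAMPLE_TASKLIST = {1120: "MailServer.exe", 3376: "suspect.exe",
                   912: "svchost.exe", 884: "svchost.exe"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Yield one dict per socket row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rhost, _, rport = foreign.rpartition(":")   # works for [::1]:25 too
        yield {"proto": proto, "local": local, "rhost": rhost,
               "rport": rport, "state": state or "", "pid": int(pid)}


def outbound_smtp_by_pid(text):
    """Group TCP connections whose *remote* port is 25 by owning PID.
    Inbound mail (local port 25) is deliberately excluded."""
    by_pid = defaultdict(lambda: {"remote": set(), "conns": 0, "syn_sent": 0})
    for c in parse_netstat(text):
        if c["proto"] != "TCP" or c["rport"] != "25":
            continue
        e = by_pid[c["pid"]]
        e["remote"].add(c["rhost"])
        e["conns"] += 1
        if c["state"] == "SYN_SENT":      # many half-open dials = spam bot
            e["syn_sent"] += 1
    return dict(by_pid)


def suspects(text, tasklist, expected_senders):
    """PIDs dialling port 25 whose image is not one we expect to send mail."""
    out = {}
    for pid, e in outbound_smtp_by_pid(text).items():
        name = tasklist.get(pid, "<unknown>")
        if name not in expected_senders:
            out[pid] = {"image": name, "remote_hosts": sorted(e["remote"]),
                        "connections": e["conns"], "syn_sent": e["syn_sent"]}
    return out


if __name__ == "__main__":
    for pid, info in suspects(SAMPLE_NETSTAT, SAMPLE_TASKLIST,
                              {"MailServer.exe"}).items():
        print(pid, info)
```

Two things make a process stand out here even before you know what it is: it is not the mail server yet holds outbound port-25 sockets, and most of those sockets sit in SYN_SENT, which is what a sender dialling hundreds of remote mail hosts at once looks like while the firewall is dropping the traffic.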
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 37020155
I will have to return to the site before I can check the logging on the Kerio server, which won't be until later this week. I'll report back then on what I find.

I'll run the cports utility at the same time and see what it comes up with.

Thanks for the input so far.
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 37063659
First thing I would check is whether your email server is acting as an open relay or not. To do this, check with any of the following links:

http://www.checkor.com/

http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

If you find your server IP is an open relay, then you may need to fix that first.

Sudeep
 
LVL 15

Author Comment

by:Perarduaadastra
ID: 37165240
Sorry for the delay in returning to this question.

Checking for open relay was the first thing I did, as it's simple and quick, and all was in order.

I didn't realise that logging in Kerio could show incoming connections; this enabled me to pinpoint an infected client computer that was actually on another site. This was dealt with, and the SMTP port was changed from 25 to 587 at the request of the ISP.

This seems to have fixed it, as there hasn't been a recurrence since these things were done.

Therefore it seems that BudDurland gets the points; DavisMcCarn's suggestion has given me another excellent tool to use, but I had discovered the cause of the problem before I actually used it.

If anyone disagrees with this summary please let me know in the next day or two, or I'll award the points and close the question.
