Kerio Mail Server 7.1 sending vast quantities of spam

Posted on 2011-10-20
Last Modified: 2012-05-12
Good evening all

I'm trying to discover what is making a Kerio Mail Server installation, running on a Windows 2008 R2 Standard Edition server, send out huge quantities of spam. Fortunately the ISP blocked this sudden flood before the mail server started appearing on RBLs, but it was probably a close thing.
I've temporarily blocked outgoing traffic on port 25 at the firewall and deleted over 80,000 messages from its message queue; as I reached the last couple of hundred I found that spam was being produced more quickly than I could delete it, at least from within Kerio Mail.

(A side question here - is it safe to delete the contents of the Queue folder in the Kerio installation using Windows Explorer? That would be much quicker than the miserable speed of Kerio's own web interface).

Also, while Kerio was running, the W2K8 server was generally very sluggish when opening other browser windows or Task Manager; however, when I turned off the Kerio server, performance returned to normal.
I've run a virus scan with Eset AV 4.2.71 and Malwarebytes, which came up clean. I've studied the processes tab in Task Manager until my eyes crossed, and done similar with Process Explorer from Sysinternals, without finding anything unusual. I've run open relay tests on the server that have been passed without problems. Netstat shows that the destination IP address that much of this spam appears to be directed towards is, according to RIPE, located in Baghdad!

How can I discover the hidden process that is causing this behaviour? The server itself is a basic HP pedestal server with a RAID array, so I can't just remove its storage and mount it in a USB enclosure to gain full access to all the files on it.

This is fairly urgent, as tomorrow will be the second day without email...
Question by:Perarduaadastra

    Accepted Solution

    I would try the simple stuff first.  Make sure your server is not an open relay in the SMTP server settings.  In Kerio, you can turn on logging of all inbound and outbound SMTP traffic.  An examination of this should show where the traffic is coming from, whether the server itself, an errant workstation, or an outside user that has compromised one of your user mail accounts.
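An added example of the triage the accepted answer describes, not code from the thread or from Kerio: aggregate SMTP log lines by connecting client IP and by authenticated account, so that a single client injecting thousands of messages, or one account suddenly used from an outside address, stands out. The log lines and their layout (timestamp, client IP, `user=` field, sender and recipient) are constructed for this example and are an assumed, simplified format; Kerio's real log format differs, so `LINE_RE` must be adapted to whatever fields the server actually writes.

```python
"""Added example: find the source of an outbound spam flood from SMTP logs.

The line format handled here is ASSUMED and constructed for the example;
adjust LINE_RE to the real server's log layout before using it.
"""
import re
from collections import Counter

# Assumed line shape (not Kerio's actual format):
#   <date> <time> SMTP <client-ip> user=<account-or-dash> <from> -> <rcpt>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"user=(?P<user>\S+) (?P<sender>\S+) -> (?P<rcpt>\S+)$"
)

# Constructed sample log: one LAN host (10.0.5.33) submitting unauthenticated
# bulk mail, and account "alice" used both from the LAN and from an outside IP.
SAMPLE_LOG = """\
2011-10-20 21:03:01 SMTP 192.168.1.20 user=alice alice@example.com -> bob@example.net
2011-10-20 21:03:02 SMTP 10.0.5.33 user=- noreply@example.com -> victim1@example.org
2011-10-20 21:03:02 SMTP 10.0.5.33 user=- noreply@example.com -> victim2@example.org
2011-10-20 21:03:03 SMTP 10.0.5.33 user=- noreply@example.com -> victim3@example.org
2011-10-20 21:03:04 SMTP 192.168.1.21 user=carol carol@example.com -> dave@example.net
2011-10-20 21:03:04 SMTP 10.0.5.33 user=- noreply@example.com -> victim4@example.org
2011-10-20 21:03:05 SMTP 10.0.5.33 user=- noreply@example.com -> victim5@example.org
2011-10-20 21:03:05 garbage line that should be skipped by the parser
2011-10-20 21:03:06 SMTP 203.0.113.9 user=alice alice@example.com -> victim6@example.org
2011-10-20 21:03:06 SMTP 203.0.113.9 user=alice alice@example.com -> victim7@example.org
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(log_text):
    """Count messages per client IP and per authenticated account, and record
    the set of IPs each account was used from."""
    by_ip, by_user, ips_per_user = Counter(), Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole run
        by_ip[rec["ip"]] += 1
        if rec["user"] != "-":
            by_user[rec["user"]] += 1
            ips_per_user.setdefault(rec["user"], set()).add(rec["ip"])
    return by_ip, by_user, ips_per_user


def suspects(log_text, per_source_threshold=3):
    """Return (noisy client IPs, accounts used from more than one IP).

    A client sending >= per_source_threshold messages in the window points at an
    infected or misconfigured host; an account seen from several IPs (especially
    an outside one) points at stolen credentials being used for relaying.
    """
    by_ip, _by_user, ips_per_user = aggregate(log_text)
    noisy_ips = [ip for ip, n in by_ip.most_common() if n >= per_source_threshold]
    multi_ip_accounts = sorted(u for u, ips in ips_per_user.items() if len(ips) > 1)
    return noisy_ips, multi_ip_accounts


if __name__ == "__main__":
    noisy, shared = suspects(SAMPLE_LOG)
    print("clients sending in bulk :", noisy)
    print("accounts used from >1 IP:", shared)
```

On a real incident the window matters: pick the threshold from the volume seen in the log over a few minutes, not from this toy sample, and run the same aggregation over the authenticated-submission log separately from the unauthenticated one, since a compromised account relaying through port 25 or 587 looks legitimate to an open-relay test.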
    Expert Comment

    by:Davis McCarn
    Get a copy of Nirsoft's CurrPorts so you can inspect the active TCP/UDP port listing to see who is feeding you the spam. With it you can also kill the processes and identify the remote IP address.
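An added example of the same check done with the built-in tool the asker already used, not code from the thread or from NirSoft: parse the output of `netstat -ano` (the Windows layout with a trailing PID column) and group every connection whose remote port is 25 by owning process and remote host. That gives the PID to look up in Task Manager or Process Explorer and the list of destinations, which is what CurrPorts shows interactively. The netstat text below is constructed for this example using documentation addresses; a real run would pipe the live output in instead.

```python
"""Added example: attribute outbound SMTP connections to a process from
`netstat -ano` output (Windows column layout). Sample output is constructed."""
from collections import Counter

# Constructed sample of `netstat -ano`, not captured from the server in the
# thread. PID 1840 stands in for whatever process owns the SMTP connections.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49321      203.0.113.7:25         SYN_SENT        1840
  TCP    192.168.1.5:49322      203.0.113.7:25         ESTABLISHED     1840
  TCP    192.168.1.5:49323      198.51.100.12:25       ESTABLISHED     1840
  TCP    192.168.1.5:25         192.168.1.44:52110     ESTABLISHED     1840
  TCP    192.168.1.5:3389       192.168.1.50:51022     ESTABLISHED     4
  TCP    [::1]:49400            [::1]:25               ESTABLISHED     1840
  UDP    0.0.0.0:161            *:*                                    1212
"""


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, bracketed IPv6 or '*:*') into (host, port|None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = None  # UDP rows carry no state column
        else:
            continue
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state,
                     "pid": int(pid)})
    return rows


def outbound_by_pid(text, port=25):
    """Count TCP connections whose REMOTE port is `port`, keyed by (pid, remote host).

    Only the remote port is tested, so inbound deliveries to our own port 25
    (local port 25, random remote port) are not counted as outbound spam.
    """
    counts = Counter()
    for row in parse_netstat(text):
        if row["proto"] == "TCP" and row["fport"] == port:
            counts[(row["pid"], row["fhost"])] += 1
    return counts


def pids_with_outbound(text, port=25):
    """Sorted list of PIDs that own at least one outbound connection to `port`."""
    return sorted({pid for (pid, _host) in outbound_by_pid(text, port)})


if __name__ == "__main__":
    # On the affected server, replace NETSTAT_SAMPLE with the live output, e.g.
    #   netstat -ano > netstat.txt   and   open("netstat.txt").read()
    for (pid, host), n in outbound_by_pid(NETSTAT_SAMPLE).most_common():
        print(f"PID {pid:>6}  -> {host:<20} {n} connection(s)")
    print("PIDs to inspect:", pids_with_outbound(NETSTAT_SAMPLE))
```

The PID is the pivot: `tasklist /FI "PID eq 1840"` names the image, and if it is the mail server's own process rather than an unknown binary, the spam is being submitted to the server legitimately (an infected client or a compromised account), which is the case the accepted answer's SMTP logging then resolves.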
    Author Comment

    I will have to return to the site before I can check the logging on the Kerio server, which won't be until later this week. I'll report back then on what I find.

    I'll run the cports utility at the same time and see what it comes up with.

    Thanks for the input so far.
    Expert Comment

    by:Sudeep Sharma
    First thing I would check is whether your email server is acting as an open relay or not. To do this, check with any of the following links:

    If you find your server IP is an open relay then you may need to fix that first.

    Author Comment

    Sorry for the delay in returning to this question.

    Checking for open relay was the first thing I did, as it's simple and quick, and all was in order.

    I didn't realise that logging in Kerio could show incoming connections; this enabled me to pinpoint an infected client computer that was actually on another site. This was dealt with, and the SMTP port was changed from 25 to 587 at the request of the ISP.

    This seems to have fixed it, as there hasn't been a recurrence since these things were done.

    Therefore it seems that BudDurland gets the points; DavisMcCarn's suggestion has given me another excellent tool to use, but I had discovered the cause of the problem before I actually used it.

    If anyone disagrees with this summary please let me know in the next day or two, or I'll award the points and close the question.
