petekni
asked on
Inbound port 25 SMTP exchange 2010 suddenly rendering internet unusable - HELP!
Hi experts
I really hope someone can help me! We run an SBS2011 server behind a Draytek 2800 router / firewall.
In the last week the internet connection in the office and VPN users have found the system unusable. We thought it was our telecoms provider, but last night after about 8 hours of diagnosis I've concluded that it's some kind of traffic on port 25, inbound to our mail server... As soon as I remove the port 25 forwarding to the SBS server the system livens up and becomes usable again.
We have a rule on the firewall explicitly allowing external SMTP only from the SBS2011 server.
I've considered DDoS, or someone hacking us... however I have managed to track it down to 2 IP address ranges by reading the firewall logs... I've created 2 rules on the firewall to explicitly block inbound traffic from these ranges on port 25... this worked and I thought I'd solved it until I checked our MX records and discovered that these 2 exact ranges are those of my MX records, which go via "SMTP Routes" (which I believe is GFI).
These are the ranges:
5.10.67.X
94.186.192.X
Our MX records are as follows:
10 killoughery.eu.pri-mx.uk0107.smtproutes.com 94.186.192.101
90 killoughery.eu.bak-mx.uk0107.smtpbak.com 5.10.67.124
Surely if we were being hacked it wouldn't be from our mail filtering company?
Nothing changed on our server over the last few days; I've done an up-to-date virus scan and patched the server all up to date but am now honestly at a loss...
Mail trickles through when it's enabled and a message I sent last night arrived about 13 hours later. If you switch the inbound off, outbound mail sends almost immediately; otherwise it gets stuck.
I've tried everything I can think of! I have thought of restricting sessions on the receive connector... but it was all fine before. Something is happening and I think it's strange that the second you disable inbound SMTP traffic it's like day and night.
Everything in the server's event logs looks normal... A lot of sessions are created on the router / firewall once you enable port 25...
Before I contact GFI / SMTProutes to see if they're spamming our IP, is there anything else I can check on our side, on the firewall or on our Exchange server?
Any help would be massively appreciated; I'm a relatively advanced technician but am out of ideas!
Some files attached
1.PNG
2.PNG
ASKER CERTIFIED SOLUTION
I just looked at your attached images and noticed that you have both IP addresses set up with a 24-bit subnet rather than 32-bit. Not sure if this is the proper way to set up a firewall rule for your device. I use a Cisco ASA firewall and I have to make my rule for NAT use a 32-bit subnet.
Not sure if this is opening your firewall up, but it might be worth a try to set this up as 255.255.255.255 rather than 255.255.255.0.
If you are being targeted they may be using other IPs if they are yours.
ASKER
Hi Yo Bee
Yes, I did this intentionally. I wanted to block anything from that range; each time it was retrying it was using a different IP at the end,
i.e.
94.186.192.101 then 94.186.192.220
So I wanted to block any IP on the 94.186.192.X range. This bit "94.186.192" was the same each time.
Hope that makes sense
Anyway regardless if it's the rules or I just shut off port 25, still has the same effect.
Still stuck!
It does.
Do your event logs on the SBS have any events that are related to mail flow?
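The check the asker did by hand on the firewall logs (find the source ranges behind the flood of port-25 sessions, then compare them with the MX hosts) and the /24-versus-/32 netmask point raised in the two replies above can be scripted. The following Python is an added example, not code from the thread, from Draytek or from GFI: the log line layout, the sample lines and the helper names are constructed assumptions; only the two expected host addresses come from the MX records in the question. It parses inbound sessions to TCP/25, counts them per source /24, separates networks that contain an expected MX/filter host from unknown ones, and shows which addresses a rule written as address plus netmask actually covers.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (assumed generic NAT log layout, not Draytek's real format).
SAMPLE_LOG = """\
2013-04-12 08:01:02 NAT-IN src=94.186.192.101:40210 dst=192.168.1.10:25
2013-04-12 08:01:03 NAT-IN src=94.186.192.220:40211 dst=192.168.1.10:25
2013-04-12 08:01:05 NAT-IN src=94.186.192.101:40212 dst=192.168.1.10:25
2013-04-12 08:01:06 NAT-IN src=5.10.67.124:51000 dst=192.168.1.10:25
2013-04-12 08:01:07 NAT-IN src=203.0.113.45:33001 dst=192.168.1.10:25
2013-04-12 08:01:08 NAT-IN src=203.0.113.45:33002 dst=192.168.1.10:25
2013-04-12 08:01:09 NAT-IN src=203.0.113.45:33003 dst=192.168.1.10:25
2013-04-12 08:01:10 NAT-IN src=198.51.100.7:44444 dst=192.168.1.10:443
"""

# Addresses the thread's MX records point at. In a real deployment use the
# filtering provider's published relay list instead of two hand-copied hosts.
EXPECTED_MX_HOSTS = ["94.186.192.101", "5.10.67.124"]

LINE_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_smtp_sessions(log_text):
    """Return the source address of every inbound session to TCP/25 in log_text."""
    sources = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == "25":
            sources.append(ipaddress.ip_address(m.group("src")))
    return sources


def sessions_by_prefix(sources, prefixlen=24):
    """Count port-25 sessions per source network at the given prefix length."""
    counts = Counter()
    for ip in sources:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def classify_prefixes(counts, expected_hosts, prefixlen=24):
    """Split source networks into those containing an expected MX host and unknown ones."""
    expected_nets = {
        str(ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)) for h in expected_hosts
    }
    known = {net: n for net, n in counts.items() if net in expected_nets}
    unknown = {net: n for net, n in counts.items() if net not in expected_nets}
    return known, unknown


def rule_matches(rule_ip, rule_mask, candidate_ip):
    """Does a firewall rule written as address + dotted netmask cover candidate_ip?

    A 255.255.255.0 mask turns 94.186.192.101 into the whole 94.186.192.0/24,
    which is why a /24 rule also caught the retry from 94.186.192.220.
    """
    net = ipaddress.ip_network(f"{rule_ip}/{rule_mask}", strict=False)
    return ipaddress.ip_address(candidate_ip) in net


if __name__ == "__main__":
    counts = sessions_by_prefix(parse_smtp_sessions(SAMPLE_LOG))
    known, unknown = classify_prefixes(counts, EXPECTED_MX_HOSTS)
    print("port-25 sessions from expected MX/filter ranges:", known)
    print("port-25 sessions from unknown ranges (investigate):", unknown)
    print("/24 rule covers .220:", rule_matches("94.186.192.101", "255.255.255.0", "94.186.192.220"))
    print("/32 rule covers .220:", rule_matches("94.186.192.101", "255.255.255.255", "94.186.192.220"))
```

Sessions from ranges that hold an expected MX host are the filtering provider doing its job (retries included); a high count from an unknown range is what would justify a block rule or a provider ticket. Note that the script only tells you where the sessions come from, not whether the link can carry them, which is what the thread eventually turned out to be about.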
ASKER
No, nothing! All looks normal...
Also it's only inbound SMTP causing the issue... as soon as I shut the port down for incoming traffic the network speed increases significantly and I am still able to send mail externally from within the organisation.
Also both of those IP ranges as mentioned are our SPAM filtering provider... at a total loss :(
Left the port open all day hoping it would die down after some time but it's still unusable...
Are you routing mail out to your spam filter provider ?
If not I would suspect that they are the root to the issue.
I use a provider and they had a DoS attack that brought mail to a crawl.
Have you spoken to them as of yet?
ASKER
Hi there
Yes in and out goes via a filter
Inbound is via MX record
Outbound is via an SMTP connector configured in exchange.
You think they may have been hacked then? I can't get hold of them as it's the weekend but I have emailed
If you stop routing the mail via your filter you said mail flows. If so I would suspect they are the root.
ASKER
No, if I disable INBOUND mail, then mail flows out; otherwise it gets stuck.
Do you recommend bypassing the smart host on the SMTP Connector then and using DNS?
ASKER
Tried routing mail via MX record rather than the smart host on the SMTP connector; it has gone really laggy again. I'll leave it for a few hours and see if it clears anything... I'm not full of hope though, as it's the inbound SMTP that seems to be causing the issue :(
ASKER
That didn't work... set it back to the smart host.
So if I send mail from within the organisation to my Gmail account, it won't get there
The second I block port 25 to the SMTP server the message arrives in my inbox, as soon as I turn it back on and reply from my gmail, it takes hours (like 13) to get to my mailbox
Also the connections to the mail server increase significantly (see screenshot)
The exchange remote connectivity analyser produces the following (attached) too when port 25 IS enabled
But some messages are getting in... I'm getting lost in it all :( Hope someone can throw me a bone!?
3.PNG
4.PNG
What if you do not route out via a smart host at all?
Just send direct to the recipient address.
This sounds like an issue with your host.
ASKER
Very good, spot on Sudeep
I contacted our SPAM filtering company, who advised me that someone is spamming our domain using different variations of firstname@domain.com, sending large attachments.
I had to create a white list for our genuine email users, our domain was getting hammered.
Thanks for your help!
Glad it was pinpointed.
Good luck.
ASKER
Turns out someone had plugged the router into a different internet line that was only 0.5mb down and 0.7mb up... the SMTP traffic was normal! Red herring!
Wowsers but thanks for all of your comments and help
Do you know who?
ASKER
Yes someone who was in there putting in a CCTV system! an internal person who knows a little bit about IT!
ASKER
Thanks for the reply... so do I just leave port 25 open and wait? Is there anything I can do to help the situation whilst it dies down?