Spam being sent using SMTP server

Asked by Mike_Stevens (United States of America):

I am having a problem with someone sending spam using our SMTP mail server that is part of our website hosting account. It has happened several times over the past few weeks, and when the web host sees it they go in and change our mail server passwords to stop it, which it does.

On several occasions I have changed the mail server passwords and control panel passwords to a strong password of at least 30 characters or more, but it seems like it is just a matter of time before they are back.

I have run spyware detectors and anti-virus software on all computers on the network to make sure it is not internal. I know I will probably never know who is doing this, but what can I do to stop it for good?
SOLUTION by Jan Bacher (United States of America): members-only content, not shown.

SOLUTION: members-only content, not shown.
btan:

Maybe some considerations
There is a trick that allows you to remove authenticated submission and relaying, and yet still allow Exchange servers to communicate with each other. To do this, remove the default Authenticated Users group from the Permissions for Submit and Relay dialog box, leaving the Group or user names box empty (see Figure 4), and then click OK. Now Integrated Authentication access is allowed on the SMTP Virtual Server, but no user or group can actually use it. Only Exchange servers within the same organization can use it to communicate with each other.
https://technet.microsoft.com/en-us/magazine/2006.01.stopspam.aspx

Some good guidance
If a remote user is authenticating against the Small Business Server computer as part of an operation to relay SMTP e-mail, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was company\username.

In this case, if the relaying appears to come from a hacked account password, go to the Active Directory Users and Computers snap-in and delete the account, disable the account, or change the password on the account.


If a remote user is authenticating against the Small Business Server as part of an operation to relay SMTP e-mail using the guest account, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was COMPANY\Guest.

In this case, the remote user is exploiting the guest account. Use the Active Directory Users and Computers snap-in to disable the guest account. Note: It is not sufficient to change the password on the guest account. You must disable the guest account.
https://support.microsoft.com/en-us/kb/324958
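As an added example (not code from the page, the TechNet article or the KB article above), the following Python script takes the Event ID 1708 description text quoted above, aggregates successful SMTP AUTH events per account and remote client, and flags the two patterns the KB article calls out: any use of the Guest account (disable it, do not just change its password) and an account authenticating from more distinct clients than a normal mailbox user would. The log lines, IP addresses and account names are constructed for illustration, and the baseline of two distinct clients per account is an assumption to tune for your own users; on a real server you would feed it the Description field exported from the Application log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Matches the Description text of MSExchangeTransport Event ID 1708 as quoted
# in the KB article. Captures the remote client, the AUTH method and the account.
EVENT_1708_RE = re.compile(
    r"SMTP Authentication was performed successfully with client (?P<client>\S+)\. "
    r"The authentication method was (?P<method>\w+) and the username was (?P<user>\S+)\."
)

# Constructed sample events (not real log data). Each string is one Description
# field. 'sales' authenticates from three unrelated addresses; Guest is used once.
SAMPLE_EVENTS: List[str] = [
    "SMTP Authentication was performed successfully with client 192.0.2.10. "
    "The authentication method was LOGIN and the username was COMPANY\\jsmith.",
    "SMTP Authentication was performed successfully with client 192.0.2.10. "
    "The authentication method was LOGIN and the username was COMPANY\\jsmith.",
    "SMTP Authentication was performed successfully with client 198.51.100.7. "
    "The authentication method was LOGIN and the username was COMPANY\\sales.",
    "SMTP Authentication was performed successfully with client 203.0.113.44. "
    "The authentication method was LOGIN and the username was COMPANY\\sales.",
    "SMTP Authentication was performed successfully with client 203.0.113.91. "
    "The authentication method was LOGIN and the username was COMPANY\\sales.",
    "SMTP Authentication was performed successfully with client 198.51.100.200. "
    "The authentication method was LOGIN and the username was COMPANY\\Guest.",
]


@dataclass
class AccountActivity:
    """Successful SMTP AUTH sessions seen for one account."""
    count: int = 0
    clients: Set[str] = field(default_factory=set)
    methods: Set[str] = field(default_factory=set)


def parse_event(description: str) -> Optional[Dict[str, str]]:
    """Return {client, method, user} from one Event 1708 description, or None."""
    m = EVENT_1708_RE.search(description)
    return m.groupdict() if m else None


def summarize(descriptions: List[str]) -> Dict[str, AccountActivity]:
    """Aggregate successful SMTP AUTH events per account; non-1708 lines are ignored."""
    summary: Dict[str, AccountActivity] = {}
    for line in descriptions:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = summary.setdefault(ev["user"], AccountActivity())
        entry.count += 1
        entry.clients.add(ev["client"])
        entry.methods.add(ev["method"])
    return summary


def is_guest_account(user: str) -> bool:
    """True for DOMAIN\\Guest in any letter case (the account KB 324958 says to disable)."""
    return user.rsplit("\\", 1)[-1].lower() == "guest"


def flag_suspicious(summary: Dict[str, AccountActivity],
                    max_clients: int = 2) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs for accounts that need action.

    max_clients is an assumed baseline: a mailbox user submits from one or two
    devices, while a harvested password tends to be used from many unrelated hosts.
    """
    flags: List[Tuple[str, str]] = []
    for user, entry in sorted(summary.items()):
        if is_guest_account(user):
            flags.append((user, "Guest account used for SMTP AUTH: disable the account "
                                "(changing its password is not sufficient)"))
        elif len(entry.clients) > max_clients:
            flags.append((user, f"authenticated from {len(entry.clients)} distinct clients "
                                f"in {entry.count} sessions: reset the password and review"))
    return flags


if __name__ == "__main__":
    report = summarize(SAMPLE_EVENTS)
    for user, entry in sorted(report.items()):
        print(f"{user}: {entry.count} sessions from {sorted(entry.clients)}")
    for user, reason in flag_suspicious(report):
        print(f"FLAG {user}: {reason}")
```

The same per-account aggregation applies to any SMTP server that logs successful AUTH with the account name and client address; only the regular expression changes. The distinct-client count is a better signal than raw volume, because a spammer with one stolen password typically submits from many compromised hosts, while the legitimate user keeps submitting from the same one or two.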
SOLUTION: members-only content, not shown.
Mike_Stevens (asker):

We are not using Exchange. It is a POP3 mail server that checks a catchall mailbox configured as part of the web hosting account. I am reviewing the SMTP logs for the mail server but don't see anything that is not normal.
ASKER CERTIFIED SOLUTION: members-only content, not shown.

SOLUTION: members-only content, not shown.
A POP3 server is rarely an SMTP server unless it's pop auth before smtp.
The operating system of the machine running the mail server software is Windows 10. The server software is https://www.icewarp.com. We have been running this configuration for 15 years without issue.

In the web hosting account is one catchall mailbox. The POP3 mail server checks that mailbox every minute for mail, then downloads it, and the mail server software takes care of distributing the mail to the user mailboxes. When a user sends an email, the mail server software uses the SMTP server information for the SMTP server that is part of our hosting account.