
Windows 2000 Advanced Server, SMTP exploited?

seriously need help, spammer has taken over smtp...


macrost

2:39 pm on Nov 21, 2003 (gmt 0)

Everyone,
Ok, here's the situation... we have relaying turned off, and still the spammer is able to access our SMTP once we turn the service back on. We are using Merak software as our email... So far we have the firewall turned on for it, which is successful in blocking it. Now in the bounce-backs, every IP and email addy is spoofed, so how can we track this down? Our server is fully patched, and there are no viruses on the system.

Quick history: We are using our webserver as our company mail server also. When we turn the firewall on, we can receive but not send, and this is hampering our corporate communications. Does anyone have any thoughts or ideas on how to track this, and stop?

Thanks,
Mac

powerstar

2:45 pm on Nov 21, 2003 (gmt 0)

Did you try POP before SMTP on Merak? They will need to log in to POP, so they must have an account before they are allowed to send. You can also set it up to only allow sending email from your local IPs.

macrost

2:52 pm on Nov 21, 2003 (gmt 0)

Ok, I have found an IP that is throughout all the logs, and it points to a domain in China. Now could this be the real thing, or could it be spoofed/proxied through them? What would be the best way to track that down?

Mac
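One way to pull a recurring relay source out of the logs, as an added example that is not from this thread or from Merak: a Python script that parses constructed sample SMTP log lines (the line format, IPs, domains and local network are all assumed for illustration, not Merak's real log format) and counts, per client IP, the recipients that an outside client tried to send to an outside domain, which is exactly the relay pattern a spammer relies on.

```python
import re
from collections import Counter

# Constructed sample log (NOT a real Merak log; format assumed):
# timestamp, session id, client IP, then the SMTP command seen.
SAMPLE_LOG = """\
2003-11-21 02:31:04 S1 203.0.113.7 MAIL FROM:<joe@example.net>
2003-11-21 02:31:04 S1 203.0.113.7 RCPT TO:<victim1@yahoo.com>
2003-11-21 02:31:05 S1 203.0.113.7 RCPT TO:<victim2@hotmail.com>
2003-11-21 02:31:06 S2 198.51.100.9 MAIL FROM:<partner@example.org>
2003-11-21 02:31:06 S2 198.51.100.9 RCPT TO:<mac@ourcompany.example>
2003-11-21 02:31:07 S3 203.0.113.7 MAIL FROM:<x@example.net>
2003-11-21 02:31:07 S3 203.0.113.7 RCPT TO:<victim3@yahoo.com>
2003-11-21 02:31:08 S4 192.168.1.20 MAIL FROM:<mac@ourcompany.example>
2003-11-21 02:31:08 S4 192.168.1.20 RCPT TO:<friend@yahoo.com>
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<sid>\S+) (?P<ip>\S+) (?P<cmd>MAIL FROM|RCPT TO):<(?P<addr>[^>]*)>"
)

# Assumed values: the domains this server is authoritative for and the LAN
# prefix that legitimate users send from (powerstar's "local IPs").
LOCAL_DOMAINS = {"ourcompany.example"}
LOCAL_NETS = ("192.168.",)


def find_relay_attempts(log_text, local_domains=LOCAL_DOMAINS, local_nets=LOCAL_NETS):
    """Return Counter of client IP -> number of relayed recipients.

    A recipient counts as a relay attempt when the sender domain is not ours,
    the recipient domain is not ours, and the client IP is not on our LAN.
    """
    sender_domain = {}  # session id -> domain of MAIL FROM
    relays = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not MAIL FROM / RCPT TO
        sid, ip, cmd, addr = m.group("sid", "ip", "cmd", "addr")
        domain = addr.rsplit("@", 1)[-1].lower()
        if cmd == "MAIL FROM":
            sender_domain[sid] = domain
            continue
        external_sender = sender_domain.get(sid) not in local_domains
        external_rcpt = domain not in local_domains
        external_client = not ip.startswith(local_nets)
        if external_sender and external_rcpt and external_client:
            relays[ip] += 1
    return relays


if __name__ == "__main__":
    for ip, n in find_relay_attempts(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} relayed recipients")
```

Run it against real logs by feeding the file contents to `find_relay_attempts` after adjusting `LINE_RE`; the IP at the top of the list is the one to block at the firewall, and if it is itself an open relay or proxy the count tells you how much traffic it was pushing through you.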

musicales

4:36 pm on Nov 21, 2003 (gmt 0)

I had the same problem with someone spoofing the email address - we also have Merak, but I wasn't aware they needed to actually use our server to be able to spoof. Do keep us posted if you find out more.

macrost

4:47 pm on Nov 21, 2003 (gmt 0)

Ok, the Chinese IP address is listed in 3 of the 4 open relay databases. So that means that martians could possibly use them as an anon proxy! Well, good news is the spam hasn't started today yet.

Mac

musicales

5:24 pm on Nov 21, 2003 (gmt 0)

Can you confirm this is the same problem I have - the only way I'm aware people are using my address for spam is I get bounced emails flooding my email address from almost_anything@my_domain.com to half the Yahoo addresses in Christendom.

richlowe

5:53 pm on Nov 21, 2003 (gmt 0)

I use this to validate whether my server is an open relay or not.

[abuse.net...]

Richard

dcheney

5:59 pm on Nov 21, 2003 (gmt 0)

I read an article (sorry, don't recall where) about a week ago mentioning this sort of problem. The easy fix was to disable the guest account on the machine - you might try that.

richlowe

8:47 pm on Nov 21, 2003 (gmt 0)

This document:

[nsa.gov...]

On this site:

[nsa.gov...]

contains information about how to secure SMTP on Windows IIS 5.0.

Richard