Email Panic

  1. #1
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834

    Email Panic

    Hey all, forgive me - I only searched for a moment for info but I am in a bit of a panic. My mail server, which was relocated to a backup while my cluster was rebuilt, failed today. I looked at the BAD message folders and outgoing queues to find them full; the server drive had 8 KB. Well, I then said F. Me and noticed they were spam messages from postmaster@mydomain.com. I deleted all bad messages and deleted the postmaster account. The outgoing bad messages pretty much stopped. I looked at the open relay database and didn't find myself there, but spamcop says I have been spamming for 9 days. F. Me again. Now I am trying to determine the cause: server break or some client on my network that is either intentionally spamming or got a bug. I know I can run Spybot on every machine but I was hoping for some insight since I am panicking, and perhaps we could learn from my mistakes? Thanks all, peace.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Road old chap..... The customary OS, mailserver etc. etc. would help an awful lot....

    Oh.... and how's your logging????
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member linuxcomando
    Join Date
    Sep 2001
    Posts
    432
    perhaps relaying is enabled?
    I toor'd YOU!

  4. #4
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    LOL sorry, Exchange 2000 on Windows Server 2K. All security patches, antivirus, firewall, router safeguards in place and patched. The server isn't relaying in the normal sense; still trying to determine the cause, but every time I enable SMTP the thing chugs away. Logs don't show any 1706, 1707 or 1708 type entries that would indicate a user account that has been compromised. If I watch the connections, no one connects for very long. The email leaving was significantly reduced when I removed the option to allow authenticated relays, but like I said this thing starts burping out viagra ads when SMTP is on. Still working it and less panic now. POS.

  5. #5
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    I agree with the others, in that you shouldn't be looking at the client-side (aka spambot and the like), but rather the server side.

    Your server shouldn't be allowing this type of activity, regardless of what client-end apps are trying to get it to do.

    Make sure that you have relaying turned off. Also, most mail server applications can also be configured to limit the total number of inbound/outbound e-mails sent/received by any individual account. This way, even if the client is using authentication to send outbound e-mails in gross excess, your server will eventually stop the problem and flag you before it gets out of hand.

    More specifics on your architecture would be helpful if you're interested in more specific answers.

  6. #6
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    softcomplex.com IP 216.117.134.103 connected for 256 seconds now? Ring a bell with anyone? The web page says IT consulting firm.

  7. #7
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    Thanks for the info JP, I am trying to work on it and juggle a few things at the same time. I "think" someone busted an Exchange user account. I have Active Directory, so the Windows user account authentication is the same for Exchange. At least that's my working theory after examining everything. I have advanced my logging to determine who it is. Sorry if I am not pasting much. I am working with a friend on the phone.

  8. #8
    Senior Member RoadClosed
    Join Date
    Jun 2003
    Posts
    3,834
    I am burnt, fixed and cleaned. I had an authenticated relay, so I got had by some poor password maintenance. It looks like the spammer authenticated my local box admin account with a bot. How, you ask? Got me, didn't know that could be possible through telnet? I now see some lacking in Exchange knowledge that I must fix. I had log entries of //MachineName/Administrator popping up the 1708 id. The cleanup was ugly, I am tired, so I'll talk more on it tomorrow if anyone wants to. You can all beat me with the AO stick of justice.
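The per-account sending limit suggested in #5 and the authenticated-relay abuse RoadClosed describes in #8 (an admin account brute-forced by a bot, then used to pump out mail) can both be spotted from SMTP protocol logs. The following is an added example, not code from the thread or from Exchange; it assumes a W3C-style column layout and uses constructed log lines, with the account name, IPs and thresholds made up for illustration.

```python
from collections import defaultdict

# Constructed sample log (not from the thread); W3C-style column layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-03-01 02:10:01 203.0.113.7 - AUTH LOGIN 334
2004-03-01 02:10:01 203.0.113.7 - AUTH - 535
2004-03-01 02:10:02 203.0.113.7 - AUTH - 535
2004-03-01 02:10:03 203.0.113.7 - AUTH - 535
2004-03-01 02:10:04 203.0.113.7 MACHINENAME/Administrator AUTH - 235
2004-03-01 02:10:05 203.0.113.7 MACHINENAME/Administrator MAIL +FROM:<postmaster@mydomain.com> 250
2004-03-01 02:10:05 203.0.113.7 MACHINENAME/Administrator RCPT +TO:<a@example.net> 250
2004-03-01 02:10:05 203.0.113.7 MACHINENAME/Administrator RCPT +TO:<b@example.net> 250
2004-03-01 02:10:05 203.0.113.7 MACHINENAME/Administrator RCPT +TO:<c@example.net> 250
2004-03-01 02:10:06 203.0.113.7 MACHINENAME/Administrator RCPT +TO:<d@example.net> 250
2004-03-01 02:15:00 192.0.2.20 MACHINENAME/alice AUTH - 235
2004-03-01 02:15:01 192.0.2.20 MACHINENAME/alice MAIL +FROM:<alice@mydomain.com> 250
2004-03-01 02:15:01 192.0.2.20 MACHINENAME/alice RCPT +TO:<bob@example.org> 250
"""

def parse_log(text):
    """Turn W3C-style lines into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def summarize(records):
    """Count failed AUTH per client IP and accepted RCPT per authenticated account."""
    auth_failures = defaultdict(int)   # 535 = authentication failed
    recipients = defaultdict(int)      # 250 on RCPT = recipient accepted for relay
    for r in records:
        if r["cs-method"] == "AUTH" and r["sc-status"] == "535":
            auth_failures[r["c-ip"]] += 1
        elif r["cs-method"] == "RCPT" and r["sc-status"] == "250" and r["cs-username"] != "-":
            recipients[r["cs-username"]] += 1
    return dict(auth_failures), dict(recipients)

def flag(records, max_auth_failures=2, max_recipients=3):
    """Findings: password-guessing bursts per IP, and accounts relaying beyond their quota."""
    auth_failures, recipients = summarize(records)
    findings = [("auth-guessing", ip, n) for ip, n in auth_failures.items() if n > max_auth_failures]
    findings += [("relay-volume", user, n) for user, n in recipients.items() if n > max_recipients]
    return sorted(findings)
```

Real thresholds would be far higher and measured per hour or day; the point is that a burst of 535s followed by a 235 on a privileged account, and then a recipient count no human sends, is the pattern the thread describes.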

  9. #9
    rebmeM roineS enilnOitnA steve.milner
    Join Date
    Jul 2003
    Posts
    1,018
    Road Closed - Glad you sorted it - Do you know who the spammer was?

    Note to less experienced members:

    This just goes to demonstrate that even the senior members who have more knowledge than most don't know everything!

    Keep learning folks

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  10. #10
    "This just goes to demonstrate that even the senior members who have more knowledge than most don't know everything!"
    Thank you Dr Zoidberg! *eats some trash* AO is nice for that because when someone writes a tutorial, it can't just be **** or nobody will read it. It gets looked over and reviewed by other people who know their stuff.

    -Cheers-
