
Thread: SMTP analysis...

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    Question: SMTP analysis...

    Hi all, does anyone know good software to inspect the SMTP logs (W3C format) of an Exchange SMTP server? I opened one a week ago on a server that still doesn't have an MX record, and the logs are huge! I would like to know what's going on...

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sanitize a portion of it and post it here 'cos I think you have been hijacked if you don't have an MX record yet.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Ok, I'm sending you a portion in a private message... I have a lot of messages with no IP and no user, but I do not allow relaying if the session isn't authenticated... How can they send messages then?
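
    One way to answer the question in posts #1 and #3 without buying log software: the Python script below (an added example, not code posted in this thread) reads a W3C extended-format SMTP log using the log's own #Fields directive, counts commands per client IP, counts records with no IP or no user, and lists every RCPT command the server accepted from an unauthenticated session for a recipient outside your own domains, which is exactly the "how can they send messages" case. The log lines are constructed for illustration; the field roles assumed (cs-method is the SMTP verb, cs-uri-query its argument, sc-status the reply code, "-" means empty) follow the IIS SMTP service's logging and should be checked against the #Fields line of a real log.

```python
"""Summarise an IIS/Exchange SMTP protocol log written in W3C extended format.

Added example for this thread, not code posted in it. SAMPLE_LOG is
constructed; the field roles assumed below (cs-method = SMTP verb,
cs-uri-query = the verb's argument, sc-status = the server's reply code,
"-" = empty) should be checked against the #Fields line of a real log.
"""
import re
from collections import Counter

# Constructed sample: one anonymous inbound session, one authenticated user,
# one anonymous session whose external RCPT was accepted, one record with no IP.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-08-20 03:12:44
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-08-20 03:12:44 203.0.113.5 - SMTPSVC1 MAILSRV 192.0.2.10 25 EHLO - +mail.example.net 250 0 0 0 0 SMTP - - - -
2004-08-20 03:12:45 203.0.113.5 - SMTPSVC1 MAILSRV 192.0.2.10 25 MAIL - +FROM:<news@example.net> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:12:45 203.0.113.5 - SMTPSVC1 MAILSRV 192.0.2.10 25 RCPT - +TO:<victim@example.org> 550 0 0 0 0 SMTP - - - -
2004-08-20 03:12:46 203.0.113.5 - SMTPSVC1 MAILSRV 192.0.2.10 25 RCPT - +TO:<sales@example.com> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:12:47 203.0.113.5 - SMTPSVC1 MAILSRV 192.0.2.10 25 QUIT - example.net 221 0 0 0 0 SMTP - - - -
2004-08-20 03:13:01 198.51.100.7 jsmith SMTPSVC1 MAILSRV 192.0.2.10 25 EHLO - +laptop 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:01 198.51.100.7 jsmith SMTPSVC1 MAILSRV 192.0.2.10 25 MAIL - +FROM:<jsmith@example.com> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:02 198.51.100.7 jsmith SMTPSVC1 MAILSRV 192.0.2.10 25 RCPT - +TO:<partner@example.org> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:09 192.0.2.77 - SMTPSVC1 MAILSRV 192.0.2.10 25 EHLO - +bulk 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:09 192.0.2.77 - SMTPSVC1 MAILSRV 192.0.2.10 25 MAIL - +FROM:<promo@example.net> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:10 192.0.2.77 - SMTPSVC1 MAILSRV 192.0.2.10 25 RCPT - +TO:<target@example.net> 250 0 0 0 0 SMTP - - - -
2004-08-20 03:13:11 - - SMTPSVC1 MAILSRV 192.0.2.10 25 QUIT - - 221 0 0 0 0 SMTP - - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def recipient_domain(argument):
    """Domain of the <addr> inside an RCPT argument such as '+TO:<user@host>', or None."""
    m = ADDR_RE.search(argument)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1].lower()


def summarise(text, local_domains):
    """Count activity and flag accepted RCPTs from anonymous sessions to foreign domains."""
    local = {d.lower() for d in local_domains}
    s = {"commands_by_ip": Counter(), "rcpt_by_status": Counter(),
         "authenticated_users": Counter(), "no_ip_records": 0,
         "no_user_records": 0, "relays_accepted_unauthenticated": []}
    for rec in parse_w3c(text):
        ip, user, verb = rec["c-ip"], rec["cs-username"], rec["cs-method"].upper()
        s["commands_by_ip"][ip] += 1
        s["no_ip_records"] += ip == "-"
        if user == "-":
            s["no_user_records"] += 1
        else:
            s["authenticated_users"][user] += 1
        if verb == "RCPT":
            status = rec["sc-status"]
            s["rcpt_by_status"][status] += 1
            dom = recipient_domain(rec["cs-uri-query"])
            # A 2xx to an anonymous RCPT for a domain we don't host is a relay.
            if status.startswith("2") and user == "-" and dom and dom not in local:
                s["relays_accepted_unauthenticated"].append((rec["date"], rec["time"], ip, dom))
    return s


def summarise_sample():
    return summarise(SAMPLE_LOG, ["example.com"])  # example.com: assumed local domain


if __name__ == "__main__":
    r = summarise_sample()
    print("commands per client IP:", r["commands_by_ip"].most_common())
    print("RCPT replies by status:", dict(r["rcpt_by_status"]))
    print("records with no IP / no user:", r["no_ip_records"], "/", r["no_user_records"])
    print("authenticated users:", dict(r["authenticated_users"]))
    for date, time, ip, dom in r["relays_accepted_unauthenticated"]:
        print(f"RELAY ACCEPTED from anonymous {ip} to {dom} at {date} {time}")
```

    Run it against a real log with `summarise(open(path).read(), ["yourdomain.example"])`; an empty `relays_accepted_unauthenticated` list with many 550s means the relay restriction held and the noise is just probes, while any entry in it is a session that got mail out without a login.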


  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I have got your PM and tested your server for a relay......

    I have some bad news...... You are compromised in some way because your server denied me relay.

    You say that a session must be authenticated before it will allow relay. Change the authentication key and see if the activity stops. If it does then you need to keep changing it regularly and make it extremely complex. If it doesn't stop it then you are going to have to begin an investigation as to how they got on the box. Start with Virus and Trojan scanning and do complete scans of the entire machine. Use The Cleaner to scan for trojans and make sure that all definitions are updated before you do.

    Since you say there is no MX record set up yet I assume this is not a production server. That being the case I would block outbound SMTP from it at the firewall.... You do have a firewall, don't you?

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Ok, I'll explain the situation to you. We used to receive email through an ISP that owns the MX. Now we are preparing to take over the MX. This server has IMAP over SSL and SMTP over SSL with authentication open, to allow corporate users to send and receive mail from the internet. A few days ago I opened SMTP with anonymous authentication (but only relaying WITH authentication) to begin testing the redirection of the MX to it. I left this open and today, when I looked, I found these huge logs... Now I have configured the server to allow only encrypted authentication (no anonymous sessions) and it stopped... So, if it is compromised, it would be the same even if only authenticated sessions are allowed to send mail, wouldn't it?

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Then you are fixed..... I didn't try authing to the server, just a simple relay check. Leaving the anon auth on wasn't a good idea. Once you had checked functionality with anon I would have gone back to SSL-encrypted auth and tested further from there, because at that point I already know anon works, thus the server is working. Any problems from that point on would be at the SSL level.

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Thank you very much, but anon without relaying doesn't allow them to send email; maybe they got a user and password and used basic auth without SSL (I disabled this one too, now).

    When I have the MX... can I only filter by IP?

    I found this, which is interesting...

    http://www.winnetmag.com/Article/Art...406/42406.html

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Just a thought. Why don't you use OWA over SSL? Then you can limit the allowed relay to the local subnet only; it will give your users some more functionality, and you already seem to have the hard part set up anyway (SSL).

  9. #9
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    I have OWA with SSL on this server too. The config I have now is:

    OWA
    IMAP
    POP3
    SMTP

    all with SSL and authentication.

    I changed SMTP to anonymous because we are going to move the MX to this server....

    I don't think that the bad thing was enabling anonymous access (that was enabled without relay); I think that the bad idea was enabling basic auth without SSL... Next week I will test anon and auth with SSL only.
