Re: SPAMBOT Symptoms?
- From: "Michael Jenkin [SBS-MVP]" <michael.jenkin@xxxxxxxx>
- Date: Thu, 23 Oct 2008 13:52:45 +1000
Hello,
You need to confirm this is internal or external and also how your
protection is working at present.
I would run a relay test against your server www.abuse.net/relay.html
I would also start Exchange logging on the SMTP and see if the email is
coming from internal or if it is bounce backs generated from your
server, to emails that originally originated externally.
If you suspect it is internal, if you are using ISA, you can track port
25 or deny port 25 from internal workstations. You can also lock
Exchange to not accept smtp from workstations.
As you have a two nic server, I deduce the workstations do not have a
direct route to the internet and must go through the SBS box.
If you still can't find anything internally you can use a packet
sniffing tool like wireshark to see where the SMTP connections are
coming from or from a command prompt on the server, monitor smtp
traffic using "netstat -an" and looking for port 25 traffic.
You can also use nirsoft's cports to check port 25 port activity on
various workstations. It is unlikely they will have anything as they are
more likely connecting via random ports to port 25 on your server but a
lot of the bots are also email servers.
Good luck
Bilbo fakerubbish.domain.org> wrote:
A 2-NIC SBS2003 (SP2), (3GB), has over 80 SMTP Queue entries and
I'm getting email alerts from SBS/Exchange.
Most of these entries seem to be from the same sender.
One queued message in one Queue had a TO:/CC: list of 174 entries --
seems extremely improbable.
I found 3 SMTP Virtual Server Sessions that were Swedish (.SE)
domains. Again, extremely improbable for this company unless this is
where the SPAM senders appear.
This server has been getting hit by significant amounts (~31%) of SPAM
on a daily basis.
This seems to me like a case of a client workstation with a SPAMBOT
running but I'm no expert. Does anyone see it differently?
We're having foul weather here in Houston so I won't be able to be on
site for another 12 hours or so.
The LAN is protected (if that's the word) by Trend Micro CSM 3.6 and I
was planning to evaluate their new product before upgrading this
server and its clients.
Advice gratefully accepted,
-Bilbo
--
Michael J. Jenkin MVP - SBS, MCP, Small Business Specialist, Senior
Systems Engineer
Visit http://www.mickyj.com
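
One way to triage the "netstat -an" output mentioned in the reply above, as an added example that is not part of the original thread: it tallies TCP connections involving port 25 per remote host and marks each host as internal or external. The sample output, all addresses, and the use of RFC 1918 ranges to mean "internal" are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -an` output; every address is made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.16.2:25        192.168.16.31:1742     ESTABLISHED
  TCP    192.168.16.2:25        192.168.16.31:1743     ESTABLISHED
  TCP    192.168.16.2:25        192.168.16.31:1744     TIME_WAIT
  TCP    203.0.113.10:25        198.51.100.7:40112     ESTABLISHED
  TCP    203.0.113.10:3051      198.51.100.99:25       SYN_SENT
  TCP    192.168.16.2:445       192.168.16.40:1101     ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# RFC 1918 ranges, assumed here to be what "internal" means on this LAN.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL)

def split_endpoint(endpoint):
    # "192.168.16.2:25" or "[::1]:25" -> (host, port)
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def smtp_peers(netstat_text):
    """Count TCP peers talking to local port 25 (inbound) and local
    connections going out to a remote port 25 (outbound)."""
    inbound, outbound = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        (_, lport), (rhost, rport) = split_endpoint(fields[1]), split_endpoint(fields[2])
        if lport == "25":
            inbound[rhost] += 1
        elif rport == "25":
            outbound[rhost] += 1
    return inbound, outbound

if __name__ == "__main__":
    inbound, outbound = smtp_peers(SAMPLE)
    for label, counts in (("inbound", inbound), ("outbound", outbound)):
        for host, n in counts.most_common():
            print(label, host, n, "internal" if is_internal(host) else "external")
```

An internal workstation with many inbound entries is the one to look at first; outbound entries are the server's own deliveries from its queues.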