Re: SPAMBOT Symptoms?



Hello,

There is a tool called Malwarebytes that I would run on that machine
for the specific user. I would also run Process Explorer (Sysinternals)
and cports (NirSoft) to look at what is running. I think from this that
you might have internal malware causing this.

Thanks

Bilbo <fakerubbish.domain.org> wrote:

Hi,

The relay test was good until Test 6; the server seemed to accept that but
the relay has not apparently happened. FWIW, I used Microsoft's test
for open relay and it passed. I also ran mxtoolbox.org diagnostics
and that pronounces that the server is not an open relay. (I'd not seen
the abuse.net/relay.html test before.)

I'm not running ISA. I never really felt competent to install and
configure it and didn't want to so afflict a customer.

The server does all routing for the workstations. They don't have a
direct path to the internet. I don't know how to lock port 25 from
the workstations in Exchange. Is there a doc I can read on the
subject?

There are ActiveSync users on this domain with WinMob5/6 devices.
Does that raise any red flags for you? (I just thought of this)

The sender of messages in almost every SMTP queue entry was a single
user who uses only her PC. Nearly all those entries are in RETRY
status. Of roughly 85 queue entries, I'd say 82-83 are in RETRY
status. It's really tedious examining the messages, but it looks as if
most of them have really large distribution lists (>100). I suppose
that may itself be a cause for a server to reject an SMTP connection,
but I truly don't know.

I sent a remote order to Trend to launch antivirus/spyware scans on
all machines including the server. So far, the only reports are for
cookies. It's still in progress though. I'll get hands on her
machine tomorrow and see if there's a rootkit at work.

Thanks for the ideas.

-Bilbo

On Thu, 23 Oct 2008 13:52:45 +1000, "Michael Jenkin [SBS-MVP]"
<michael.jenkin@xxxxxxxx> wrote:

Hello,

You need to confirm whether this is internal or external, and also how your
protection is working at present.

I would run a relay test against your server: www.abuse.net/relay.html
I would also start Exchange logging on the SMTP virtual server and see if the email is
coming from internal, or if it is bounce-backs generated from your
server to emails that originated externally.

If you suspect it is internal and you are using ISA, you can track port
25 or deny port 25 from internal workstations. You can also lock
Exchange down so it does not accept SMTP from workstations.

As you have a two-NIC server, I deduce the workstations do not have a
direct route to the internet and must go through the SBS box.

If you still can't find anything internally, you can use a packet
sniffing tool like Wireshark to see where the SMTP connections are
coming from, or, from a command prompt on the server, monitor SMTP
traffic using "netstat -an" and look for port 25 traffic.

You can also use NirSoft's cports to check port 25 activity on
various workstations. It is unlikely they will show anything, as they are
more likely connecting via random ports to port 25 on your server, but a
lot of the bots are also email servers.

Good luck




Bilbo <fakerubbish.domain.org> wrote:

A 2-NIC SBS 2003 (SP2) server (3 GB) has over 80 SMTP queue entries and
I'm getting email alerts from SBS/Exchange.

Most of these entries seem to be from the same sender.

One queued message in one Queue had a TO:/CC: list of 174 entries --
seems extremely improbable.

I found 3 SMTP Virtual Server sessions that were from Swedish (.SE)
domains. Again, extremely improbable for this company, unless this is
where the SPAM senders appear.

This server has been getting hit by significant amounts (~31%) of SPAM
on a daily basis.

This seems to me like a case of a client workstation with a SPAMBOT
running but I'm no expert. Does anyone see it differently?

We're having foul weather here in Houston so I won't be able to be on
site for another 12 hours or so.

The LAN is protected (if that's the word) by Trend Micro CSM 3.6 and I
was planning to evaluate their new product before upgrading this
server and its clients.

Advice gratefully accepted,

-Bilbo




--
Michael J. Jenkin MVP - SBS, MCP, Small Business Specialist, Senior
Systems Engineer
Visit http://www.mickyj.com
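The two checks suggested in the thread (turn on SMTP protocol logging to see whether submissions come from the LAN, from the internet, or are bounce-backs; and scan "netstat -an" for port 25 sessions) can be scripted. The block below is an added example and is not code from the thread or from Microsoft; it parses a constructed Exchange 2003 style W3C-extended SMTP log (field set trimmed to the columns the triage needs, which is an assumption about the log layout) and a constructed Windows "netstat -an" capture. The host names, IP addresses and the 192.168.16.0/24 LAN are made up. The one rule it leans on that is not an assumption is that a `MAIL FROM:<>` (null reverse path) is a bounce/NDR, never a user's own submission, which is how backscatter shows up in the log.

```python
# Added triage helpers for an Exchange 2003 SMTP protocol log and "netstat -an".
# All sample data below is constructed; addresses, hosts and the LAN range are made up.
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 1918 ranges stand in for "internal"; narrow this to the site's own LAN in practice.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR_RE = re.compile(r"<([^>]*)>")   # pulls the address out of FROM:<...> / TO:<...>

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def triage_smtp_log(text):
    """Classify every MAIL command and count RCPTs per envelope.
    summary: Counters 'internal' (by sender), 'external' (by client IP), 'bounce' (null sender).
    rcpts: (client IP, sender) -> recipient count of each completed envelope."""
    summary = {"internal": Counter(), "external": Counter(), "bounce": Counter()}
    rcpts = defaultdict(list)
    in_flight = {}   # client IP -> [sender, recipients so far] for the open envelope
    for rec in parse_w3c(text):
        ip, verb, arg = rec["c-ip"], rec["cs-method"], rec["cs-uri-query"].lstrip("+")
        if verb == "MAIL":
            m = ADDR_RE.search(arg)
            sender = m.group(1) if m else ""
            in_flight[ip] = [sender, 0]
            if sender == "":           # MAIL FROM:<> is an NDR/bounce, not a user submission
                summary["bounce"][ip] += 1
            elif is_internal(ip):      # a LAN host handing mail to the server
                summary["internal"][sender] += 1
            else:                      # inbound from the internet
                summary["external"][ip] += 1
        elif verb == "RCPT" and ip in in_flight:
            in_flight[ip][1] += 1
        elif verb == "DATA" and ip in in_flight:   # envelope complete
            sender, n = in_flight.pop(ip)
            rcpts[(ip, sender)].append(n)
    return summary, rcpts

def large_lists(rcpts, threshold=100):
    """Envelopes carrying at least `threshold` recipients, as (client IP, sender, count)."""
    return sorted((ip, s, n) for (ip, s), ns in rcpts.items() for n in ns if n >= threshold)

def smtp_peers(netstat_text):
    """Hosts connected to local port 25 ('inbound') and remote :25 the host itself is
    talking to ('outbound'); outbound port 25 from a workstation is the bot signature."""
    inbound, outbound = set(), set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] == "LISTENING":
            continue
        _, _, local_port = parts[1].rpartition(":")
        remote_ip, _, remote_port = parts[2].rpartition(":")
        if local_port == "25":
            inbound.add(remote_ip)
        if remote_port == "25":
            outbound.add(remote_ip)
    return {"inbound": sorted(inbound), "outbound": sorted(outbound)}

SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2008-10-23 03:00:01 192.168.16.57 - SBS EHLO +wks57 250
2008-10-23 03:00:01 192.168.16.57 - SBS MAIL +FROM:<alice@example.org> 250
2008-10-23 03:00:01 192.168.16.57 - SBS RCPT +TO:<r1@example.se> 250
2008-10-23 03:00:01 192.168.16.57 - SBS RCPT +TO:<r2@example.se> 250
2008-10-23 03:00:02 192.168.16.57 - SBS RCPT +TO:<r3@example.se> 250
2008-10-23 03:00:02 192.168.16.57 - SBS DATA - 250
2008-10-23 03:00:03 192.168.16.57 - SBS MAIL +FROM:<alice@example.org> 250
2008-10-23 03:00:03 192.168.16.57 - SBS RCPT +TO:<r4@example.net> 250
2008-10-23 03:00:03 192.168.16.57 - SBS DATA - 250
2008-10-23 03:01:10 203.0.113.9 - SBS EHLO +mail.example.se 250
2008-10-23 03:01:10 203.0.113.9 - SBS MAIL +FROM:<> 250
2008-10-23 03:01:10 203.0.113.9 - SBS RCPT +TO:<alice@example.org> 250
2008-10-23 03:01:11 203.0.113.9 - SBS DATA - 250
2008-10-23 03:02:40 198.51.100.77 - SBS MAIL +FROM:<bob@example.com> 250
2008-10-23 03:02:40 198.51.100.77 - SBS RCPT +TO:<alice@example.org> 250
2008-10-23 03:02:41 198.51.100.77 - SBS DATA - 250
"""

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.16.2:25        192.168.16.57:1043     ESTABLISHED
  TCP    192.168.16.2:25        203.0.113.9:52110      ESTABLISHED
  TCP    192.168.16.2:3412      198.51.100.20:25       SYN_SENT
  TCP    192.168.16.2:3389      192.168.16.40:1100     ESTABLISHED
"""

if __name__ == "__main__":
    summary, rcpts = triage_smtp_log(SAMPLE_LOG)
    print("internal senders:", dict(summary["internal"]))
    print("external clients:", dict(summary["external"]), "bounces:", dict(summary["bounce"]))
    print("big lists (>=3 here, use 100 on real data):", large_lists(rcpts, threshold=3))
    print("port 25 peers:", smtp_peers(SAMPLE_NETSTAT))
```

On the real log, run `large_lists` with the default threshold of 100 and look at which `(client IP, sender)` pairs dominate `summary["internal"]`: a single LAN address submitting hundreds of envelopes to foreign domains is the workstation to pull off the network, while a large `bounce` count with no matching internal submissions points at backscatter from forged external mail rather than a bot.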


