I received an email from my ISP saying the below. The server has Windows Server 2008 installed. An anti-virus program runs once per day on the server. I'm the only one who has access to the computer.
"We have received reports of excessive UCE (Spam) originating from your IP address. The content of the complaint contains the information about sending off the emails of threatening and offensive character to the third party representatives."
Checked the time and date the spam was sent in the MailEnable SMTP log and found the below details. There are only 3 listed below but there are a lot more of them. I'm not sure this will solve the issue. Would banning the email RealEstate[AT]Remax.com work?
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [D8FD63F22A254F7089ACE33CE1A6E84D.MAI] to the target domain [mrrubbishman.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [9D45BDD90CEF4709A5C28B43B415E5F4.MAI] to the target domain [thyssenkruppelevator.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [14FF5DC10A0544159B2861F1F0F762D5.MAI] to the target domain [thrivent.com]
Any help is appreciated.
UCE spam on mail server
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: UCE spam on mail server
Hi,
You will need to determine if your server is:
1. Open relay where spammers can relay spam through your server. Please review the following:
http://www.mailenable.com/kb/viewarticl ... 020339.htm
2. If the spammer has guessed one of your mailbox passwords and is successfully being granted relay rights through successful authentication:
http://www.mailenable.com/kb/Content/Ar ... D=me020280
Is the RealEstate@Remax.com a valid mailbox/address on your server?
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: UCE spam on mail server
Tested using an Open Relay Test and the results were "No relays accepted by remote host" and "This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your adminator to verify that the domain or address is defined for this server."
RealEstate@Remax.com is not an email on the server.
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: UCE spam on mail server
I've noticed the SMTP logs are 1000 times bigger than they were last week. Is there a way to disable the SMTP service without affecting the POP3 accounts?
-
- Site Admin
- Posts: 9738
- Joined: Mon Mar 22, 2004 4:44 am
- Location: Melbourne, Victoria, Australia
Re: UCE spam on mail server
Hi,
Open up the SMTP activity log file in respect to the SMTP debug log snippets you provided earlier, i.e.:
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [D8FD63F22A254F7089ACE33CE1A6E84D.MAI] to the target domain [mrrubbishman.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [9D45BDD90CEF4709A5C28B43B415E5F4.MAI] to the target domain [thyssenkruppelevator.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [14FF5DC10A0544159B2861F1F0F762D5.MAI] to the target domain [thrivent.com]
Search within the activity log file for the same message IDs within the activity log file. Once you have located the message ID, locate the following lines:
Example:
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 EHLO EHLO 250-mailenable.com.au [192.168.2.48], this server offers 5 extensions 148 6
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 AUTH {blank} 334 UGFzc3dvcmQ6 18 26 test@mailenable
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 AUTH cGFzcw== 235 Authenticated 19 10 test@mailenable
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 MAIL MAIL FROM:<test2@mailenable.com.au> 250 Requested mail action okay, completed 43 37 test2@mailenable
07/26/11 11:31:26 SMTP-IN E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI 1504 192.168.2.48 RCPT RCPT TO:<test2@mailenable.com.au> 250 Requested mail action okay, completed 43 35 test2@mailenable
The above example is just to get an idea of what you are looking for. You can see that the AUTH command was issued and indicates which mailbox was used to authenticate "test@mailenable". You need to locate and determine which mailbox is being used to authenticate and relay the messages. Once you have determined which mailbox the spammer is using to authenticate, change the password for the mailbox to something that is more complex.
Also another SMTP security option that you should enable is located under the SMTP "Security" properties page named "authenticated senders must use a valid email address". This will stop spammers that have guessed a mailbox password from being able to relay messages from addresses that do not exist on your server.
Regards,
Ian Margarone
MailEnable Support
-
- Posts: 25
- Joined: Fri Jul 08, 2011 5:48 pm
Re: UCE spam on mail server
The problem has been resolved. There was a firewall issue. How can I tell how many emails had been sent on the activity log file?
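The activity-log search described in the support reply above can be scripted, and the same pass answers the question of how many messages each mailbox sent. This is an added example, not part of the original thread and not MailEnable code: the function names are hypothetical, the field layout is assumed from the sample lines quoted in the thread, and every address, IP and message ID in the sample is constructed.

```python
import re
from collections import defaultdict
# Constructed sample, laid out like the activity-log lines quoted in the thread.
SAMPLE_LOG = """\
07/26/11 11:31:26 SMTP-IN AAAA0001.MAI 1504 192.0.2.10 AUTH Y29uc3RydWN0ZWQ= 235 Authenticated 19 10 sales@example
07/26/11 11:31:27 SMTP-IN AAAA0001.MAI 1504 192.0.2.10 MAIL MAIL FROM:<RealEstate@spoofed.example> 250 Requested mail action okay, completed 43 37 sales@example
07/26/11 11:31:27 SMTP-IN AAAA0001.MAI 1504 192.0.2.10 RCPT RCPT TO:<a@dest1.example> 250 Requested mail action okay, completed 43 35 sales@example
07/26/11 11:31:27 SMTP-IN AAAA0001.MAI 1504 192.0.2.10 RCPT RCPT TO:<b@dest2.example> 250 Requested mail action okay, completed 43 35 sales@example
07/26/11 11:32:02 SMTP-IN AAAA0002.MAI 1720 198.51.100.7 AUTH Y29uc3RydWN0ZWQ= 235 Authenticated 19 10 sales@example
07/26/11 11:32:02 SMTP-IN AAAA0002.MAI 1720 198.51.100.7 MAIL MAIL FROM:<RealEstate@spoofed.example> 250 Requested mail action okay, completed 43 37 sales@example
07/26/11 11:32:02 SMTP-IN AAAA0002.MAI 1720 198.51.100.7 RCPT RCPT TO:<c@dest3.example> 250 Requested mail action okay, completed 43 35 sales@example
07/26/11 11:40:00 SMTP-IN BBBB0001.MAI 1800 203.0.113.5 MAIL MAIL FROM:<friend@remote.example> 250 Requested mail action okay, completed 43 37
07/26/11 11:40:00 SMTP-IN BBBB0001.MAI 1800 203.0.113.5 RCPT RCPT TO:<info@local.example> 250 Requested mail action okay, completed 43 35
07/26/11 11:45:00 SMTP-IN CCCC0001.MAI 1900 203.0.113.9 AUTH Y29uc3RydWN0ZWQ= 535 Invalid Username or Password 34 10
"""
AUTH_OK = re.compile(r"\s235\s+Authenticated\b")
ACCEPTED = re.compile(r"(?:FROM|TO):<([^>]*)>(?:\s+\S+=\S+)*\s+250\s", re.I)

def summarize(log_text):
    """Group lines by message ID, then total accepted MAIL/RCPT per authenticated mailbox."""
    sessions = defaultdict(lambda: {"account": None, "ip": None, "senders": [], "rcpts": 0})
    for line in log_text.splitlines():
        f = line.split()                 # works for space- or tab-separated fields
        if len(f) < 8 or f[2] != "SMTP-IN":
            continue
        s = sessions[f[3]]               # f[3] is the message ID (assumed layout)
        s["ip"], cmd = f[5], f[6]
        if cmd == "AUTH" and AUTH_OK.search(line) and not f[-1].isdigit():
            s["account"] = f[-1]         # trailing field names the mailbox that logged in
        elif cmd == "MAIL" and (m := ACCEPTED.search(line)):
            s["senders"].append(m.group(1).lower())
        elif cmd == "RCPT" and ACCEPTED.search(line):
            s["rcpts"] += 1
    report = defaultdict(lambda: {"messages": 0, "recipients": 0, "senders": set(), "ips": set()})
    for s in sessions.values():
        if not s["senders"]:
            continue                     # e.g. a failed login with no accepted message
        r = report[s["account"] or "(unauthenticated)"]
        r["messages"] += len(s["senders"])
        r["recipients"] += s["rcpts"]
        r["senders"].update(s["senders"])
        r["ips"].add(s["ip"])
    return dict(report)

def accounts_for_sender(report, sender):
    """Mailboxes that authenticated before sending with the given envelope sender."""
    return sorted(a for a, r in report.items() if sender.lower() in r["senders"])

if __name__ == "__main__":
    print({a: (r["messages"], r["recipients"]) for a, r in summarize(SAMPLE_LOG).items()})
```

A mailbox whose message count is far above its normal volume, or whose sessions come from unfamiliar client IPs with sender addresses that do not exist on the server, is the one whose password needs changing.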