UCE spam on mail server

[frasersales-ltd]

I received a email from my ISP saying the below. The server has Windows Server 2008 installed. An anti-virus program runs once per day on the server. I'm the only one who has access to the computer.

"We have received reports of excessive UCE (Spam) originating from your IP address. The content of the complaint contains the information about sending off the emails of threatening and offensive character to the third party representatives."


Checked the time and date the spam was send on mailenable SMPT log and found the below details. There's only 3 listed below but there is a lot more of them. I'm not sure this will solve the issue. Would banning the email RealEstate[AT]Remax.com work?

Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [D8FD63F22A254F7089ACE33CE1A6E84D.MAI] to the target domain [mrrubbishman.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [9D45BDD90CEF4709A5C28B43B415E5F4.MAI] to the target domain [thyssenkruppelevator.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [14FF5DC10A0544159B2861F1F0F762D5.MAI] to the target domain [thrivent.com]


Any help is appreciated

[MailEnable-Ian]

Hi,

You will need to determine if your server is:

1. Open relay where spammers can relay spam through you server. Please review the following:
http://www.mailenable.com/kb/viewarticl ... 020339.htm

2. If the spammer has guessed one of your mailbox passwords and is successfully being granted relay rights through successful authentication:
http://www.mailenable.com/kb/Content/Ar ... D=me020280

Is the RealEstate@Remax.com a valid mailbox/address on your server?

[frasersales-ltd]

Tested using a Open Relay Test and the results were "No relays accepted by remote host" and "This mail server requires authentication when attempting to send to a non-local e-mail address. Please check your mail client settings or contact your adminator to verify that the domain or address is defined for this server."

RealEstate@Remax.com is not a email on the server.

[frasersales-ltd]

I've noticed the SMTP logs are a 1000 times bigger than they were last week. Is there a way to disable the SMTP service without affecting the POP3 accounts?

[MailEnable-Ian]

Hi,

Open up the the SMTP activity log file in respect to the SMTP debug log snippets you provided earlier. I.e:

Code: Select all

Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [D8FD63F22A254F7089ACE33CE1A6E84D.MAI] to the target domain [mrrubbishman.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [9D45BDD90CEF4709A5C28B43B415E5F4.MAI] to the target domain [thyssenkruppelevator.com]
Outbound message from ([SMTP:RealEstate[AT]Remax.com]) requeued as [14FF5DC10A0544159B2861F1F0F762D5.MAI] to the target domain [thrivent.com]

Search within the activity log file for the same message ID's within the activity log file. Once you have located the message ID locate the following lines:

Code: Select all

Example:

07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	EHLO	EHLO	250-mailenable.com.au [192.168.2.48], this server offers 5 extensions	148	6		
07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	AUTH	AUTH LOGIN	334 VXNlcm5hbWU6	18	12		
07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	AUTH	{blank}	334 UGFzc3dvcmQ6	18	26	test@mailenable	
07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	AUTH	cGFzcw==	235 Authenticated	19	10	test@mailenable	
07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	MAIL	MAIL FROM:<test2@mailenable.com.au>	250 Requested mail action okay, completed	43	37	test2@mailenable	
07/26/11 11:31:26	SMTP-IN	E8DE0ADE4B7D4D43B3B7C14C41ABE6C4.MAI	1504	192.168.2.48	RCPT	RCPT TO:<test2@mailenable.com.au>	250 Requested mail action okay, completed	43	35	test2@mailenable

The above example is just to get an idea of what you are looking for. You can see that the AUTH command was issued and indicates which mailbox was used to authenticate "test@mailenable". You need to locate and determine which mailbox is being used to authenticate and relay the messages. Once you have determined which mailbox the spammer is using to authenticate change the password for the mailbox to something that is more complex.

Also another SMTP security option that you should enable is located under the SMTP "Security" properties page named "authenticated senders must use a valid email address". This will stop spammers that have guessed a mailbox password from being able to relay messages from addresses that do not exist on your server.

[frasersales-ltd]

The problem has been resolved. There was a firewall issue. How can I tell how many emails had been sent on the activity log file?