ISP Spam Complaints

Discussion regarding the Standard version.
antioch
Posts: 29
Joined: Tue Mar 29, 2005 5:13 pm

ISP Spam Complaints

Post by antioch »

ME v1.986 Std
Win2k3 Std SP2

My host's ISP is complaining that their spam traps are picking up mail from my server.

It is configured for relaying only by authenticated users and two specific IPs (localhost and a remote machine). I've removed the IPs from the list one at a time and still the spam allegedly continues. So does this mean that one of the accounts on my server has been compromised?

dreniarb
Posts: 319
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

Post by dreniarb »

Could be a virus anywhere on your network. Doesn't mean it's necessarily your mail server.

Two things I'd do:

1. Check your SMTP activity logs and see if there's any irregular activity. Perhaps one of your legitimate users has a virus on their PC and it's using their credentials to authenticate against your server.

2. Block outgoing port 25 at your router to all PCs except your mail server. Not all routers can do this. This will stop any viruses on a PC on your network from sending out spam directly from the infected PC.

Most likely though, I'll bet you'll find something in your log files showing the spam going out.

Had this happen to me once. Got a call from our ISP about the spam coming from us; I checked the logs and saw which user was sending it out, but it wasn't coming from their usual IP address. Checked their settings, and they had changed their password to "password". Going back through the logs I was able to track it back a few days and saw where the spammer guessed the password in 2 tries, and thereby was able to relay through me.

Needless to say I've increased the complexity of passwords on my server.

antioch
Posts: 29
Joined: Tue Mar 29, 2005 5:13 pm

Post by antioch »

My mail server just changed IPs. Afterwards, I noticed my SMTP log files are approximately half the size they were before the switch.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

Check the large log files from before the change and see who was spamming through your server. It usually stands out, as the same IP is sending or the same email addresses are being used continuously. This way you can act on the spammer.

If you changed the local IP of the server, then it would mean that you had allowed relay for an IP in the SMTP relay options and a virus or Trojan was using this to spam.

If you changed an external IP address, then this may only mean that you are receiving fewer spam connections to the server.
Regards,

Product Services
MailEnable Pty Ltd

To keep track of all ME company updates and version releases you should subscribe to the MailEnable list at http://www.mailenable.com or the RSS feed http://www.mailenable.com/rss.

antioch
Posts: 29
Joined: Tue Mar 29, 2005 5:13 pm

Post by antioch »

MailEnable-Ben wrote: Check the large log files from before the change and see who was spamming through your server. It usually stands out, as the same IP is sending or the same email addresses are being used continuously.

Ahh, this is the info I need. I've looked through the log files before but had no idea what to look for until now.

And it was the external IP that changed.

MailEnable-Ben
Posts: 5858
Joined: Fri Jan 16, 2004 6:49 am
Location: Melbourne

Post by MailEnable-Ben »

The best logs to start with are the activity logs. It is a good idea to look only for SMTP-OU lines, as these relate to message transactions that are outbound from the server. Once you find the culprit, look for how the inbound SMTP-IN connection(s) occurred; this is where, especially in the case of a relay, the debug log helps.
Regards,

Product Services
MailEnable Pty Ltd


antioch
Posts: 29
Joined: Tue Mar 29, 2005 5:13 pm

Post by antioch »

I've found something suspicious. The activity log is stuffed with occurrences originating from the University of Cincinnati (129.137.0.0). They're not all from the exact same IP, just several from the aforementioned network.

MailEnable-Ben wrote: Once you find the culprit, look for how the inbound SMTP-IN connection(s) occurred; this is where, especially in the case of a relay, the debug log helps.

OK, but how do I connect the dots? BTW, feel free to send me to any applicable KB articles. I'm not afraid to read. :)

dreniarb
Posts: 319
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

Post by dreniarb »

Are the emails going to domains that you host? If so, then this probably isn't the problem. Your mail server wouldn't then be relaying them out, and your ISP probably isn't going to complain about spam coming IN to you; that's not your fault and there's not much you can do about it.

If they're not going to domains you host, is your server accepting the message?

If it is accepting the message even though you don't host the domains, perhaps you don't have your relay settings set correctly.

If your relay settings are set correctly, take a look at the end of each line in the log file; it should display the email address of the account used to authenticate against your server. That will tell you which account you probably need to change the password on. Probably not complex enough and was easily guessed.

If you go back in your logs, you can probably see when it first tried to guess some passwords and got them wrong quite a bit, but then finally got one right.
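As an added illustration of the triage dreniarb and MailEnable-Ben describe (filter the activity log to outbound SMTP-OU lines, attribute them to the authenticating account at the end of the line, then look back for failed logins from the same IP that precede a success), here is a small Python script that is not part of this thread or of MailEnable. The log layout, field order and sample lines are constructed for the example and do not match MailEnable's real activity-log format; adapt parse() to the real fields before using it on your logs.

```python
from collections import Counter

# Constructed sample, not MailEnable's real log layout: each line is
# "<date> <time> <direction> <client-ip> <command> <result> <account>".
SAMPLE_LOG = """\
2005-05-01 09:00:01 SMTP-IN 10.0.0.5 AUTH OK bob@example.net
2005-05-01 09:00:09 SMTP-OU 10.0.0.5 MAIL OK bob@example.net
2005-05-01 11:12:40 SMTP-IN 198.51.100.7 AUTH FAIL alice@example.net
2005-05-01 11:12:41 SMTP-IN 198.51.100.7 AUTH FAIL alice@example.net
2005-05-01 11:12:42 SMTP-IN 198.51.100.7 AUTH OK alice@example.net
2005-05-01 11:13:00 SMTP-OU 198.51.100.7 MAIL OK alice@example.net
2005-05-01 11:13:01 SMTP-OU 198.51.100.7 MAIL OK alice@example.net
2005-05-01 11:13:02 SMTP-OU 198.51.100.9 MAIL OK alice@example.net
"""

def parse(line):
    """Return the fields of one constructed log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, direction, ip, command, result, account = parts
    return {"ts": date + " " + time, "dir": direction, "ip": ip,
            "cmd": command, "result": result, "account": account}

def records(log):
    return [r for r in map(parse, log.splitlines()) if r]

def outbound_by_account(log):
    """Outbound (SMTP-OU) messages per authenticated account, with the IPs used.
    One account dominating, or sending from an unfamiliar IP, is the usual tell."""
    counts, ips = Counter(), {}
    for r in records(log):
        if r["dir"] == "SMTP-OU" and r["cmd"] == "MAIL" and r["result"] == "OK":
            counts[r["account"]] += 1
            ips.setdefault(r["account"], set()).add(r["ip"])
    return {a: (n, sorted(ips[a])) for a, n in counts.most_common()}

def guessed_logins(log, min_failures=2):
    """(account, ip, failures, time) where an IP failed AUTH at least
    min_failures times against an account and then succeeded: a guessed password."""
    failures, hits = Counter(), []
    for r in records(log):
        if r["dir"] != "SMTP-IN" or r["cmd"] != "AUTH":
            continue
        key = (r["account"], r["ip"])
        if r["result"] == "FAIL":
            failures[key] += 1
        elif r["result"] == "OK" and failures[key] >= min_failures:
            hits.append((r["account"], r["ip"], failures[key], r["ts"]))
    return hits
```

On the constructed sample, outbound_by_account() puts alice first with three messages from two IPs, and guessed_logins() reports the two failed AUTH attempts from 198.51.100.7 that immediately preceded her successful login, which is the account to reset.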

antioch
Posts: 29
Joined: Tue Mar 29, 2005 5:13 pm

Post by antioch »

dreniarb wrote: Are the emails going to domains that you host? If so, then this probably isn't the problem. Your mail server wouldn't then be relaying them out, and your ISP probably isn't going to complain about spam coming IN to you; that's not your fault and there's not much you can do about it.

I don't know. Despite several complaints from my host's ISP, I have yet to see one of the messages in question. The most concrete indication I have of there being a problem is the halving of my SMTP activity log files after the IP switch.

dreniarb wrote: If your relay settings are set correctly...

They are - no open relay. Diagnostics confirm.

dreniarb wrote: ...take a look at the end of each line in the log file, it should display the email address of the account used to authenticate against your server.

Which log file? Activity?
