
Exchange sending constant partial SMTP traffic 1

Status
Not open for further replies.

FireMike84 (Technical User), Feb 5, 2004
I am running MS Server 2000 SP4 and MS Exchange Server 2000. I have Norton AntiVirus Business Pack v9.0 and Symantec Mail Security for Exchange. I recently noticed that our ZyXEL DSL router, which is only used by our Exchange server and two other workstations in my office, was getting pounded with traffic to where I couldn't even get to the internet from the other 2 workstations. I have had a few users complain that their email is taking a long time to get to its destination and a long time to receive email; I am assuming this is due to the same problem with the DSL router being pounded with traffic. I placed a sniffer on the same switch as the DSL router and found that a lot of the traffic was coming from the Exchange server. I placed the sniffer on the same switch as the Exchange server and monitored all traffic coming in and leaving the Exchange server. What I found was a lot of SMTP traffic leaving the mail server and going to different public addresses depending upon the day; it is never the same between 2 separate days. This traffic is also incomplete SMTP traffic. I believe I have some sort of virus, but all my virus scans and everything are up to date and I am still having this problem. Any suggestions about this problem would be greatly appreciated, and if this kind of traffic is normal please let me know so I know to head in a different direction with this problem. Thanks

-Mike
 
What happens if you disable Exchange so SMTP is inactive?

A virus-infected machine is more than capable of sending SMTP traffic (and doesn't need an Exchange server to run).

Have you checked this problem with the two workstations disconnected?

When you stated that you noticed that SMTP was going to two different public IP addresses, what happens if you do a reverse lookup on them? Do they resolve to your ISP's relay mail servers? If YES, then it is possible that Exchange is configured to use these as smarthosts.

Rgds

Phil B
 
F1lby,

I have run an IRIS trace while SMTP was turned off and I got constant traffic on the Exchange server. It was not nearly as much as there was before I stopped the SMTP service. But with the SMTP service turned off I got traffic that seemed to be a legitimate exchange between Exchange and some other servers. While the SMTP is turned on I am getting constant traffic out of my Exchange server with no evidence of a reply back from the servers I appear to be sending to. The 2 workstations don't seem to make a difference whether they are on or off. I did a reverse lookup on a couple of addresses and they almost always seem to go to a remote mail server somewhere else that in my opinion looks suspicious (mail1.saveinternet.com). I have noticed that most of these addresses go through the same server or router of a company before they reach their destination; I have had the same company web address pop up multiple times when I trace a couple of these public addresses back using trace route. The other really weird item is the other day I was actually catching traffic from my Exchange server that was trying to communicate with a 10.4.20.131 address, which is a private address, so obviously it can't communicate with it.

I just updated the virus scan and I am continually finding it picking up NetSky and Erkez.B within the Symantec\SMSMSE\temp folder. I am running a full virus scan as I type this, excluding the folders and drives that are not supposed to be included in a virus scan on Exchange. So far it has found nothing, but from the looks of it, it still has about 30 minutes to go.

Any more suggestions would be great.

Thanks,

-Mike
 
Hi FireMike84.

It is possible that your mail server is infected with a bot / spyware / malware.

Download a free copy of LavaSoft AdAware from [link missing]. It would be worth running this, as this product often finds rogue malware that can be reporting usage and other information etc. to outside servers.

saveinternet.com are known spammers according to my lists.
To prevent any further contact with them from your mail server I would add the following to your hosts file:

127.0.0.1 mail1.saveinternet.com
127.0.0.1 mail2.saveinternet.com
127.0.0.1 mail3.saveinternet.com
127.0.0.1 mail4.saveinternet.com
127.0.0.1 saveinternet.com

In fact they have a wildcard cname that cnames ANYTHING.saveinternet.com to saveinternet.com - very devious.

Or you could open DNS manager and create a new zone for saveinternet.com - that would prevent anything for that domain being resolved.

Regards

Phil Blythe

You may require your DNS cache to be flushed ( IPCONFIG /FLUSHDNS ) afterwards and SMTP to be restarted too.

This will ensure that all future communications with this host will not be possible.
 
F1lby,

I have run AdAware with the most up-to-date definitions. All it found were 130-some tracking cookies (AdAware has never been run on this server before) and 1 registry entry with the name "Alxeia" (I think my spelling is off, but I always find that entry when running AdAware). I also tried entering the entries in the hosts file like you suggested, but I am still seeing traffic to that IP in the sniffer traces. I thought I saw the light this morning when I tried running the sniffer trace, because as soon as I started it, it was fairly slow, but after letting it run for only a few seconds it picked up in speed. I have also recently seen constant LDAP traffic between my Exchange server and another server on my network. I don't know if this really has anything to do with one another. I am going to try and take that server down one night and see if that makes a difference, and see if the fact that it is night and no one else will be on the system like they are during the day makes any difference.

Thanks,

-Mike
 
They are reverse NDR emails going back to those spammer domains. When spammers send to a bogus name on your server, they are being reverse NDR'd because those bogus names don't exist. Try to patch your server so that it will not send NDRs to external senders, but will still send NDR reports to your users.

Good luck.
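The reverse NDR pattern described above (spam to bogus local names, each answered by an outbound bounce to yet another external host), plus the fix of refusing unknown recipients at the SMTP door instead of bouncing them later, as an added Python example that is not part of this thread; the log format, domains and user list are constructed for illustration and are not Exchange 2000's own.

```python
"""Detect backscatter (reverse NDR) in a mail log and answer RCPT TO so unknown
users are rejected in-session. Added example; log format constructed, not Exchange's."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>$")

# Constructed sample: spam to bogus local names, each bounced (from=<>) elsewhere.
SAMPLE_LOG = """\
2004-02-05 09:00:01 IN from=<a1@spam-a.example> to=<qz7x@corp.example>
2004-02-05 09:00:02 OUT from=<> to=<a1@spam-a.example>
2004-02-05 09:00:03 IN from=<b2@spam-b.example> to=<hh41@corp.example>
2004-02-05 09:00:04 OUT from=<> to=<b2@spam-b.example>
2004-02-05 09:00:05 OUT from=<> to=<c3@spam-c.example>
2004-02-05 09:00:06 OUT from=<> to=<d4@spam-d.example>
2004-02-05 09:01:00 IN from=<partner@vendor.example> to=<mike@corp.example>
2004-02-05 09:01:05 OUT from=<mike@corp.example> to=<partner@vendor.example>
"""

def analyze(log_text):
    """Count inbound vs outbound messages and outbound bounces per target host."""
    in_count = out_count = null_out = 0
    bounce_hosts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        if m["dir"] == "IN":
            in_count += 1
            continue
        out_count += 1
        if m["sender"] == "":  # null reverse-path: this is a bounce (NDR)
            null_out += 1
            bounce_hosts[m["rcpt"].rpartition("@")[2]] += 1
    return {
        "in": in_count, "out": out_count, "bounces_out": null_out,
        "distinct_bounce_hosts": len(bounce_hosts),
        "out_share": round(out_count / max(in_count + out_count, 1), 2),
        "backscatter": null_out >= 3 and len(bounce_hosts) >= 3 and out_count > in_count,
    }

def rcpt_response(rcpt, valid_users, local_domain="corp.example"):
    """Reject unknown local users at RCPT TO (so no NDR is ever generated); refuse relaying."""
    local, _, domain = rcpt.partition("@")
    if domain.lower() != local_domain:
        return "554 5.7.1 Relaying denied"
    if local.lower() not in valid_users:
        return "550 5.1.1 User unknown"
    return "250 2.1.5 Recipient OK"
```

The "backscatter" verdict is a heuristic on the sample's ratios; on a real server the same signal is outbound null-sender mail dominating the log and fanning out to many unrelated hosts.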
 
I don't believe it is reverse NDR emails, because I would assume that I would be seeing just as much traffic coming in as going out if this was the case. But I am seeing 75% of my traffic leaving the server. I will check, though, just to make sure that we will not send NDRs to external senders.
 
dennisdbbb,

I stand corrected.

After doing a little research on the NDR attack you spoke about, the symptoms were the exact same thing. I disabled it and problem solved.
Thanks a million for both of your help.

-Mike
 