Outsiders Using SMTP to send SPAM.

Status
Not open for further replies.

webmastadj84

IS-IT--Management
Aug 23, 2006
86
US
I have a problem. I have a Windows 2003 server running Exchange Server 2003. Users are connecting via IMAP4 and are using it for SMTP. Somehow, people are using the SMTP server to send spam. It is not our local users. I have password protected the SMTP where only authenticated users can access it, but somehow spam is still going out. If someone could point me in the right direction on how to stop people from using my server to send out spam, that would be great. Thanks.
 
It sounds like your server is being used as an open relay, as Spirit said.

I had the same problem some time ago: the problem was the relay restrictions and firewall rules. Check the relay restrictions on SMTP Properties (follow Spirit's link). If you permit relay for your whole LAN subnet, be sure that the NAT rule on port 25 of your firewall leaves the original IP as the source of the connection request.

After this, if you still have the problem, maybe you have one or more clients infected with some spyware/worm/malware, as markdmac said. Check it out.

Italian are WORLD CHAMPION :)
 
OK, makes sense. I don't think there is anyone internally. The server is being used as a web server, so the only people connecting to it are from remote companies. I reconfigured the SMTP server to accept "only the list below" and then checked "Allow all computers that authenticate to relay." I am testing it now and seeing if the emails go through.
 
btw....I don't have a firewall as of yet, all I have is a basic linksys router.
 
You can also check the SMTP log file to be sure that it is not an internal IP that is sending the spam.

I prefer not to check "Allow all computers that authenticate to relay." but to restrict permission by IP address, but it's a personal preference.

If I'm not mistaken, the Linksys router has basic firewall functions like SPI and DoS... it certainly has a NAT function.

Mauro

Italian are WORLD CHAMPION :)
 
I am already using PAT on the router to have port 25 open. But, the problem is, there are no internal users, like I said before. All the users are remote and I don't know their IP addresses.

Update:
I was successful sending an email from the server to my email at AOL with the current configuration (the updated relay settings) but have yet to receive an email that was sent from my AOL account to the other email account.
 
In the SMTP connection log you can see the source IP of each connection request.

Italian are WORLD CHAMPION :)
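
The log check suggested in the replies above, as an added example that is not part of the original thread: it reads an SMTP service log in W3C extended format, keeps only RCPT commands addressed to non-local domains, and counts the accepted ones per source /16, split into internal and external clients. The local domain `example.com`, the LAN subnet `192.168.1.0/24` and every log line are constructed assumptions; a real log's own `#Fields:` line decides the column order.

```python
import ipaddress
import re
from collections import Counter

LOCAL_DOMAINS = {"example.com"}                  # assumption: domains this server hosts
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumption: internal subnet

# Constructed sample in W3C extended format; real logs carry their own #Fields line.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2006-08-23 14:02:10 60.180.12.7 mx.invalid MAIL +FROM:<a@spam.invalid> 250
2006-08-23 14:02:11 60.180.12.7 mx.invalid RCPT +TO:<x@victim.invalid> 250
2006-08-23 14:02:12 60.180.44.9 mx.invalid RCPT +TO:<y@victim.invalid> 250
2006-08-23 14:02:13 60.180.44.9 mx.invalid RCPT +TO:<z@other.invalid> 550
2006-08-23 14:03:00 203.0.113.5 mail.partner.invalid RCPT +TO:<bob@example.com> 250
2006-08-23 14:04:00 192.168.1.20 pc20 RCPT +TO:<c@customer.invalid> 250
"""

RCPT_RE = re.compile(r"TO:<[^>@]*@([^>]+)>", re.IGNORECASE)

def relayed_recipients(log_text):
    """Yield (client_ip, status) for each RCPT to a non-local domain."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        m = RCPT_RE.search(row.get("cs-uri-query", ""))
        if m and m.group(1).lower() not in LOCAL_DOMAINS:
            yield ipaddress.ip_address(row["c-ip"]), row.get("sc-status", "")

def summarize(log_text):
    """Count accepted (250) relay recipients per source /16, split internal/external."""
    accepted = Counter()
    for ip, status in relayed_recipients(log_text):
        if status != "250":
            continue                             # refused attempts are not relayed mail
        origin = "internal" if ip in LAN else "external"
        block = ipaddress.ip_network(f"{ip}/16", strict=False)
        accepted[(origin, str(block))] += 1
    return accepted

if __name__ == "__main__":
    for (origin, block), n in summarize(SAMPLE_LOG).most_common():
        print(f"{origin:8} {block:18} accepted relay recipients: {n}")
```

If every `c-ip` in a real log turns out to be the router's own address, the port 25 NAT rule is rewriting the source, which is the situation the earlier reply warns about when relay is permitted for the LAN subnet.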
 
OK, new update... I found the IP addresses that are using the server. They look to be 60.180.*.* IP addresses. How can I block all those IP addresses that start with 60.180 from using any email services whatsoever? I am looking in the current connections under the SMTP service.
 
I have found that the IP address range belongs to Asia (China, Japan, etc.). [60.0.0.0 - 60.255.255.255]. I need to find something, either at the WAN connection (or in the router) or in Windows 2003, that will block the IP address range of [60.180.255.255 - 60.180.255.255] on all inbound connections. Please help with this, thanks.
 
No, and I thought Windows 2003 came with one but can't find it.
 
I don't know how big your network is but you should consider getting yourself some kind of a hardware firewall.

A Cisco Pix would be an inexpensive solution or for bargain basement a LinkSys solution.

Windows Server does ship with one. You will find an icon for it in control panel, however it is not going to be a very useful solution to your problem. You need to lock down your network.

You should only allow the following ports

123 (for Windows time service)
80 for HTTP and OWA
443 for HTTPS and OWA
25 for SMTP email

Additionally, if you do RDP from the outside you can enable 3389; however, you should consider using the web interface instead to keep that port locked down too.

Finally you will want to block all access from the IP range you are seeing. Your ISP may be able to help you in this regard too if you talk to them. What kind of Internet connection do you have?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
 
The server is already behind a basic linksys router (does not let me block incoming ip ranges). We are currently using DSL from Sprint/Embark. Those are the only ports on the router that are forwarding to the server. I do have two static IPs and two servers. Here is the set-up:

Modem->Switch->LinksysRouter->Main Server (Server 2003 Small Business)
->(rest of computers on network)
->Server (Server 2003 Web)

The server that is running Exchange, DNS, and IIS is the one behind the router. I looked at the Cisco Pix 501 but it still is a little pricey for us at this time. If I do replace the switch with a firewall, will I need any additional IP addresses? I did take your advice and I am looking at the RV082 from Linksys. It seems it would do the job.
 