SMTP Hole / Open relay?
Hi there,
this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.
About 2 weeks ago we had a similar issue (other customer). By the time I saw it my colleagues had already been changing settings and I blamed not finding the issue on them already flipping switches like relay. However, everybody here knows not to touch the settings unless they understand them (it concerns SBS 2003, which by default closes relay).
Now we have a new case, thus. Been going through the Exchange log; below there's a sample. As far as I can tell from the (huge) log, it seems to come in through SMTP, without authentication, from an external IP. I checked the relay settings, they're closed. Inbound NAT for port 25 is off (source NAT; destination NAT (port forwarding) must be active, otherwise the port forward doesn't work :); I've seen that as an issue before when a colleague had switched the NAT check on in the firewall, but it should have logged the router's internal IP then ...).
Anyways, quite afraid there's a hole in the SMTP. On the previous customer we saw 2-3 lines from one IP (like some sort of test); about 2 hours later many IPs (probably a botnet) started spamming it like crazy.
Here's the piece of log:
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1019 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1025 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1024 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1033 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1034 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com - FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1020 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 yeh51688585@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 miho569@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 candy740706@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 q5557777@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 winer12342001@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 boyking12000@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 ping760811@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 view5200@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 tonyj0958@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
2010-7-23 13:53:56 GMT 217.125.12.27 hudstrc.com <reverse DNS smarthost> FS-2003-01 192.168.121.1 jeyann920@yahoo.com.tw 1031 2f96c2645c7f4b5cb722f6f6ce600525@1a7be47f01624c24b7d18846050b8c35 3 0 2980 10 2010-7-23 13:53:54 GMT 0 Version: 6.0.3790.4675 - - ywpdu@yahoo.com.tw -
July 26th, 2010 5:06pm
Btw, I tried several online relay tests against the server. All fail. Should have mentioned this in the main post.
The router is a Fortigate 80C, the server also runs Trend Micro Worry-Free 6.0 with the messaging agent.
July 26th, 2010 5:09pm
>this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.
Does the box host some "web" service/site? See, it may be possible that the emails you see are coming from some webpage or forum or the like; also notice that if the SMTP is using the "pickup" folder, something may be dropping messages in there and the SMTP will dutifully pick them up and route to destination (or at least, try to); also, it may be due to some badly configured blog/wiki sending comment replies through an AUTH connection to your server or, it may be due to stolen email credentials; you aren't giving enough details to be able to track your issue (and no, the logs didn't really help so much).
I'd start by forcing a password change for your clients and ensuring the passwords aren't weak (enforce complexity rules) or empty; done that, ensure that there aren't IP based exceptions and that any host willing to relay through your server will have to authenticate first.
Then, to ensure you don't have some "clandestine" you may also try setting up a box connecting it to your network so that it will see ALL the traffic (a "mirror port" on the main switch may help) and install this critter http://www.bothunter.net/ on it; let it run for a while and then check the reports to see if there's any "strange traffic" taking place on your network.
HTH
July 26th, 2010 5:32pm
Hello,
Looking at the logs, it seems like they are from yahoo.com, or rather pretending to be coming from yahoo. Who is 192.168.121.1? Is this your firewall?
I would like you to check the following information:
How can I configure Exchange Server 2003 to block spam?
http://www.petri.co.il/block_spam_with_exchange_2003.htm
How to prevent unsolicited commercial e-mail in Exchange 2003
http://support.microsoft.com/kb/821746
Arun Kumar | MCSE - 2K3 + Messaging | ITIL-F V3
July 26th, 2010 6:29pm
There is nothing running besides the default SBS websites, of which only OWA is allowed (incl. mobile sync etc.) by the SBS wizard (which then sets rules on the sites in IIS).
If they came from the pickup folder, would it log IPs? Seeing the event IDs it logs, it really seems to come in through SMTP, but I've never been a big fan of the way Exchange logs... For example, the above lines repeat 10 times for every event, due to there being 10 recipients in 1 e-mail. It is just one e-mail however.
If it was IIS pushing the e-mail into the queue I would expect to see a localhost host or the internal IP of the server. Is this incorrect?
1019 - SMTP submit message to AQ: A new message is submitted to Advanced Queuing.
1025 - SMTP begin submit message: A new message was submitted to Advanced Queuing.
1024 - SMTP submit message to cat: Advanced Queuing submitted a message to the categorizer.
1033 - SMTP message categorized and queued for routing
1034 - SMTP message routed and queued for remote delivery
1020 - SMTP begin outbound transfer: A message is about to be sent over the wire by SMTP.
1031 - SMTP end outbound transfer: The outgoing message was successfully transferred.
Q1: When a message is generated in the system for the first time, what event is associated with that message in the tracking log?
A1: There are different events for different message submission paths to Exchange Server 2003. For example, for messages that are submitted through the SMTP component, the first event ID in the tracking log is 1019. For messages that are submitted through the Store component, the first event ID in the tracking log is 1027.
From: http://support.microsoft.com/kb/821905
Thanks for the re'.
July 26th, 2010 6:32pm
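The event chain and the KB 821905 rule quoted above (first event 1019 means the message came in through the SMTP component) can be turned into a triage script that groups tracking log records per message and flags the pattern seen in this thread: accepted over SMTP from a host that is not allowed to relay, addressed to domains the server does not host, and still sent onward. This is an added example, not code from the thread, from Microsoft or from any tool mentioned here; it assumes the on-disk log is tab-delimited in the 21-field Exchange 2003 layout, takes the local domains and relay-permitted networks as parameters, and uses constructed sample records with documentation addresses.

```python
"""Triage Exchange 2003 message tracking log records: how each message entered the
server (first event ID, per KB 821905), from which client, and whether the server
then delivered it onward to domains it does not host."""
import ipaddress
from collections import defaultdict

# Field order of a tracking log record. Assumption (not from the thread): the
# on-disk log is tab-delimited; the copy in the thread was flattened to spaces.
FIELDS = ("date", "time", "client_ip", "client_host", "partner", "server_host",
          "server_ip", "recipient", "event_id", "msgid", "priority",
          "report_status", "total_bytes", "num_recipients", "orig_time",
          "encryption", "version", "linked_msgid", "subject", "sender", "expiration")
FIRST_EVENT = {"1019": "SMTP", "1027": "Store"}  # KB 821905, quoted above
OUTBOUND_DONE = "1031"                           # SMTP end outbound transfer

def parse_records(text: str) -> list:
    """One dict per well-formed record; '#' header lines are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) == len(FIELDS):      # ignore truncated lines, don't guess
            out.append(dict(zip(FIELDS, parts)))
    return out

def _trusted(ip_text: str, nets) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                     # '-' or a hostname: not trusted
        return False
    return any(ip in n for n in nets)

def triage(records, local_domains, trusted_relays) -> dict:
    """Per message id: submission path, client, and a 'relayed' flag meaning:
    arrived over SMTP from a host not allowed to relay, addressed to domains
    this server does not host, and still sent onward (event 1031 seen)."""
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    by_msg = defaultdict(list)
    for rec in records:                    # file order is event order
        by_msg[rec["msgid"]].append(rec)
    report = {}
    for msgid, evs in by_msg.items():
        first = evs[0]
        path = FIRST_EVENT.get(first["event_id"], "other")
        trusted = _trusted(first["client_ip"], nets)
        foreign = sorted({e["recipient"].rpartition("@")[2].lower()
                          for e in evs} - set(local_domains))
        sent_out = any(e["event_id"] == OUTBOUND_DONE for e in evs)
        report[msgid] = {
            "path": path, "client_ip": first["client_ip"],
            "from_trusted": trusted, "foreign_domains": foreign,
            "recipients": len({e["recipient"] for e in evs}),
            "relayed": path == "SMTP" and not trusted and bool(foreign) and sent_out,
        }
    return report

def _rec(ip, host, rcpt, event, msgid, nrcpt, sender):
    # One constructed tab-delimited record in the FIELDS layout.
    return "\t".join(["2010-7-23", "13:53:56 GMT", ip, host, "-", "MAILSRV",
                      "10.0.0.5", rcpt, event, msgid, "3", "0", "2980",
                      str(nrcpt), "2010-7-23 13:53:54 GMT", "0",
                      "Version: 6.0.3790.4675", "-", "-", sender, "-"])

CHAIN = ("1019", "1025", "1024", "1033", "1034", "1020", "1031")
# Constructed sample: A = outside host, foreign recipients, sent onward (the
# thread's pattern); B = ordinary inbound mail to a local user; C = LAN client.
SAMPLE_LOG = "\n".join(
    [_rec("203.0.113.7", "outside.invalid", r, ev, "MSG-A@MAILSRV", 2, "bogus@example.net")
     for ev in CHAIN for r in ("a@example.org", "b@example.org")]
    + [_rec("198.51.100.9", "mx.partner.invalid", "user@example.com", ev,
            "MSG-B@MAILSRV", 1, "pal@partner.invalid") for ev in CHAIN[:4]]
    + [_rec("192.168.1.50", "PC42", "c@example.org", ev, "MSG-C@MAILSRV", 1,
            "user@example.com") for ev in CHAIN])

def run_sample() -> dict:
    return triage(parse_records(SAMPLE_LOG), {"example.com"}, ["192.168.0.0/16"])
```

`run_sample()` returns the per-message report; only MSG-A carries `relayed: True`. The tracking log does not record whether the client authenticated, so a flagged message still needs the SMTP protocol log to tell an open relay from stolen credentials.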
>event IDs it logs, it really seems to come in through SMTP, but I've never been a big fan of the way Exchange logs... For example, the
>[...]
>tracking log is 1019. For messages that are submitted through the Store component, the first event ID in the tracking log is 1027.
>[...]
Try using this tool http://www.lizard-labs.net/PageHtml.aspx?lng=2&PageId=18&PageListItemId=17 to parse the SMTP logs to try finding out WHERE those emails do really come from; at any rate, if there's no website running on the box (with some mailform or the like) then it may either be an issue related to stolen credentials or to an infected box spitting out spam through an authenticated connection or through an IP allowed to relay.
July 26th, 2010 6:53pm
On Mon, 26 Jul 2010 14:06:24 +0000, FreakyNL wrote:
>Hi there,
>this is a pretty serious issue for us. There's a customer with around 21.000 e-mails in the queue, all spam, none of which seem to be coming from a host that is allowed to relay.
>About 2 weeks ago we had a similar issue (other customer). By the time I saw it my colleagues had already been changing settings and I blamed not finding the issue on them already flipping switches like relay. However, everybody here knows not to touch the settings unless they understand them (it concerns SBS 2003, which by default closes relay).
>Now we have a new case, thus. Been going through the Exchange log; below there's a sample. As far as I can tell from the (huge) log, it seems to come in through SMTP, without authentication, from an external IP. I checked the relay settings, they're closed. Inbound NAT for port 25 is off (source NAT; destination NAT (port forwarding) must be active, otherwise the port forward doesn't work :); I've seen that as an issue before when a colleague had switched the NAT check on in the firewall, but it should have logged the router's internal IP then ...).
>Anyways, quite afraid there's a hole in the SMTP. On the previous customer we saw 2-3 lines from one IP (like some sort of test); about 2 hours later many IPs (probably a botnet) started spamming it like crazy.
>Here's the piece of log:
I think you're looking at the wrong log file. You want to use the SMTP protocol log (as poor as they are in Exchange 2003). In those log files you see the SMTP conversation (all of it), which will be a big help in understanding what's happening.
There's no "hole in the SMTP". There may be a hole in the way you've secured it, though.
If you allow authenticated connections to relay, turn it off. If you allow IP addresses to relay, turn it off. If the "Guest" account is enabled, disable it. On the "Access" tab of the SMTP Virtual Server, is anything except "Anonymous access" checked under the "Authentication" button? Turn off everything except "Anonymous access". Does the problem go away?
http://technet.microsoft.com/en-us/magazine/2006.01.stopspam.aspx
---
Rich Matheisen
MCSE+I, Exchange MVP
July 27th, 2010 3:02am