Actually at first Arin.net showed that it was registered in Uruguay, but
then LACNIC.net showed that it was in Brazil.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fyodorov,
Andrey FTL
Sent: Tuesday, April 20, 2004 4:08 PM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam


Most likely someone from Uruguay cracked one of your users' passwords and is
now exploiting your server. Consider changing everyone's password. Start
with most obvious ones, like WebMaster, Administrator, Admin - do you have
any of those? What about Guest?

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of April
Fleming
Sent: Tuesday, April 20, 2004 3:56 PM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam


I'm still new at all of this, but if the ip 200.185.86.250 is not in your
domain, but it was received by your server, and is going out to a different
domain, doesn't that mean that your server is in fact relaying?

April Fleming

Information Services

Dixon Ticonderoga Company

407-829-9000 ext. 153


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henry,
Christopher M.
Sent: Monday, April 19, 2004 11:38 AM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam

The only server that I control is exchange.rcoa.com and I have 35,000 of
these messages in my outbound queue 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chris
Scharff
Sent: Monday, April 19, 2004 11:30 AM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam

Do you control 200.185.86.250? Cause that's where the message originated.
The To line is likely forged, the actual recipient was a bcc on the message.
What about this message leads you to believe your server is behaving
incorrectly?

-----Original Message-----
From: Henry, Christopher M. [mailto:[EMAIL PROTECTED]
Posted At: Monday, April 19, 2004 10:07 AM
Posted To: swynk
Conversation: Exchange server used to relay spam
Subject: RE: Exchange server used to relay spam

This is what one of the headers looks like:



Received: from antoinette ([200.185.86.250]) by exchange.rcoa.com with
         Microsoft SMTPSVC(5.0.2195.6713);
         Sun, 18 Apr 2004 16:59:12 -0400
From: "Jocelyn Dolan-Tarver"<[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CIA_L1S & LEV_ITRA is taken about half an hOur before any s~exua1l
         activity begins !
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Return-Path: [EMAIL PROTECTED]
Message-ID: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 18 Apr 2004 20:59:13.0906 (UTC)
         FILETIME=[01322520:01C42588]
Date: 18 Apr 2004 16:59:13 -0400


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob Ellis
@ Hook
Sent: Monday, April 19, 2004 10:11 AM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam

Where are they connecting to?  Various places, one would assume.

Virus on the exchange server?

Virus on a client? 



Regards,


Rob Ellis
User Support Manager
ntl Group IT
Ext: (711) 4245
DDI: 01256 754245
Mob: 07974 403273
email: [EMAIL PROTECTED] 


-----Original Message-----
From: Henry, Christopher M. [mailto:[EMAIL PROTECTED]
Sent: 19 April 2004 15:04
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam

I have verified that it is not an open relay. My log files are averaging
between 2-300 megs daily. And I am pretty sure it is spam based on the
subjects in the logs.  I have excessive amounts of outbound smtp connections
from my exchange server (when the office is empty). 




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony
Hlabse
Sent: Monday, April 19, 2004 9:52 AM
To: Exchange Discussions
Subject: RE: Exchange server used to relay spam

Have you used any utilities to verify that you are not an open relay? Such as
http://www.ordb.org/submit/

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Henry,
Christopher M.
Sent: Monday, April 19, 2004 9:42 AM
To: Exchange Discussions
Subject: Exchange server used to relay spam

Once again I am completely screwed.

My exchange server is being used to relay spam; however, it is not an open
relay.  My guess is that there is some Trojan loaded on there somewhere.
Does anyone have any ideas on where I might start to even attempt to figure
out what is going on?


Chris

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at: Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016

Please include the email address which you have been contacted with.
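
Added example, not part of the original thread or any poster's code: the test discussed above (an outside IP handed the message to the server, and it is queued for an outside domain) applied to a whole queue, counting relayed messages per connecting IP. LOCAL_NETS, LOCAL_DOMAINS, the function names and the sample recipients are assumptions; the envelope recipient is passed in separately because the To: header may be forged.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string

# Assumptions (not from the thread): the site's client range and mail domain.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"rcoa.com"}

# Client address as recorded in: Received: from <helo> ([a.b.c.d]) by <server> ...
CLIENT_IP = re.compile(r"from\s+\S+\s+\(\[([0-9.]+)\]\)\s+by\s+\S+", re.I)

def connecting_ip(raw_headers):
    """Client IP from the topmost Received header, or None if absent/unparsable."""
    received = message_from_string(raw_headers).get_all("Received") or []
    match = CLIENT_IP.search(" ".join(received[0].split())) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def is_external_relay(envelope_rcpt, raw_headers):
    """True when a host outside LOCAL_NETS handed us mail for an outside domain."""
    ip = connecting_ip(raw_headers)
    if ip is None:
        return False
    rcpt_domain = envelope_rcpt.rsplit("@", 1)[-1].lower()
    return not any(ip in net for net in LOCAL_NETS) and rcpt_domain not in LOCAL_DOMAINS

def relay_sources(queue):
    """Relayed-message count per connecting IP for (envelope_rcpt, headers) pairs."""
    hits = Counter()
    for rcpt, headers in queue:
        if is_external_relay(rcpt, headers):
            hits[str(connecting_ip(headers))] += 1
    return hits.most_common()

# Constructed queue. The header layout and 200.185.86.250 come from the thread;
# recipients and the other addresses are made up for the example.
HDR = ("Received: from {helo} ([{ip}]) by exchange.rcoa.com with\n"
       " Microsoft SMTPSVC(5.0.2195.6713);\n"
       "\t Sun, 18 Apr 2004 16:59:12 -0400\n\n")
SAMPLE_QUEUE = [
    ("someone@example.net", HDR.format(helo="antoinette", ip="200.185.86.250")),
    ("other@example.org", HDR.format(helo="antoinette", ip="200.185.86.250")),
    ("partner@example.com", HDR.format(helo="desk12", ip="192.0.2.40")),
    ("staff@rcoa.com", HDR.format(helo="mx", ip="198.51.100.7")),
]

print(relay_sources(SAMPLE_QUEUE))
```

A hit only shows that the server accepted and queued the message for relay; the header shown in the thread does not say whether the sending session authenticated, so that has to be checked in the SMTP service log.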




