Is a highly SPAM-reported site.

GuidoElia HELPPC

_____

From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Thursday, 9 April 2009 15:41
To: MS-Exchange Admin Issues
Subject: RE: Unreal...Mail Queue is filling up!

I am getting a lot of these events in my app log from this IP address:

This is an SMTP protocol warning log for virtual server ID 1, connection #18754. The remote host "209.97.234.254", responded to the SMTP command "mail" with "421 4.5.1 sender mx in an unallocated or reserved network ! ". The full command sent was "MAIL FROM:<rolanderic...@fed.gov> ". This may cause the connection to fail.

_____

From: Sherry Abercrombie [mailto:saber...@gmail.com]
Sent: Thursday, April 09, 2009 9:26 AM
To: MS-Exchange Admin Issues
Subject: Re: Unreal...Mail Queue is filling up!

Oh, another thing: on your firewall, don't allow port 25 access or SMTP, POP3, etc. protocols from any addresses except for those that are allowed to send email.

On Thu, Apr 9, 2009 at 8:24 AM, Chyka, Robert <bch...@medaille.edu> wrote:

About 1000 routed VLANs....

_____

From: HELP_PC [mailto:g...@enter.it]
Sent: Thursday, April 09, 2009 9:22 AM
To: MS-Exchange Admin Issues
Subject: R: Unreal...Mail Queue is filling up!

How many clients?

GuidoElia HELPPC

_____

From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Thursday, 9 April 2009 15:16
To: MS-Exchange Admin Issues
Subject: Unreal...Mail Queue is filling up!

Hello,

I've been working on this issue since 2:00 yesterday. We have some machines on our network that are compromised and sending or trying to send hundreds of thousands of e-mails to domains overseas. I verified that we are not an open relay and that all of our authentication methods are set right. We are running Exchange 2003 Enterprise on a single server. Here is what I did so far:

- Disabled port 25 on the firewall for our mail server to start queue cleanup.
- Stopped SMTP on the mail server.
- Set up a new connector called SPAM Cleanup and forwarded all mail going through this SMTP connector to a fake IP address.
- Bound the connector to the SMTP virtual server.
- Restarted SMTP.
- Cleaned the queue (almost 350,000 messages).
- Turned logging on for SMTP at the highest level.
- Found a machine that was compromised by looking at the application log of the mail server.
- Turned it off.
- Had to re-enable our mail server for people to work who are coming in.
- Queues refilled back up.

Is there an easier way to find the compromised hosts on our internal network so I don't have to take e-mail down? I know taking the server down and doing it that way is the right way, but I will get my butt kicked today. We are currently on 3 blacklists now.

Any suggestions are greatly appreciated.

-BC

--
Sherry Abercrombie
"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke
Sent from Haslet, TX, United States
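The original poster already turned SMTP logging up to the highest level and found one bot by reading the mail server's log by hand. The script below, added here as an example and not part of the thread, does that triage automatically: it reads an Exchange 2003 SMTP virtual-server log in W3C extended format, counts MAIL FROM and RCPT TO commands per connecting client, and flags internal clients that either send more than a threshold of messages or use a sender domain the organisation does not own (the forged "fed.gov" sender in the thread is exactly that signature). The sample log lines are constructed for this example; the field layout, the host names, the accepted domain `example.edu`, the internal address ranges and the threshold are all assumptions to be replaced with your own. Because it keys off the `#Fields:` header rather than fixed column positions, it tolerates a different field selection in the real log.

```python
"""Rank SMTP clients in an Exchange 2003 SMTP virtual-server log (W3C
extended format) to find internal hosts behaving like spam bots.

Example code written for this page, not from the mailing-list thread.
Field layout, addresses, domains and thresholds below are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Domains your Exchange organisation legitimately sends as (assumed).
LOCAL_DOMAINS = {"example.edu"}
# Address ranges that are "inside" for the purpose of hunting bots
# (assumed RFC 1918; add your routed VLAN ranges here).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. 10.1.4.23 behaves like a bot (forged external
# senders, many recipients); 10.1.2.10 is a copier sending one notice;
# 203.0.113.7 is an outside sender and therefore out of scope here.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 1.0
#Date: 2009-04-09 13:41:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-04-09 13:41:02 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 EHLO - +pc4-23 250
2009-04-09 13:41:02 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 MAIL - +FROM:<rolanderic@fed.gov> 250
2009-04-09 13:41:02 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<a@example.net> 250
2009-04-09 13:41:02 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<b@example.net> 250
2009-04-09 13:41:03 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 MAIL - +FROM:<sales@example.org> 250
2009-04-09 13:41:03 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<c@example.net> 250
2009-04-09 13:41:04 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 MAIL - +FROM:<info@example.org> 250
2009-04-09 13:41:04 10.1.4.23 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<d@example.net> 250
2009-04-09 13:41:05 10.1.2.10 - SMTPSVC1 MAIL01 10.1.0.5 25 EHLO - +copier-2 250
2009-04-09 13:41:05 10.1.2.10 - SMTPSVC1 MAIL01 10.1.0.5 25 MAIL - +FROM:<copier@example.edu> 250
2009-04-09 13:41:05 10.1.2.10 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<staff@example.edu> 250
2009-04-09 13:41:06 203.0.113.7 - SMTPSVC1 MAIL01 10.1.0.5 25 MAIL - +FROM:<news@example.com> 250
2009-04-09 13:41:06 203.0.113.7 - SMTPSVC1 MAIL01 10.1.0.5 25 RCPT - +TO:<user@example.edu> 250
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def sender_domain(query):
    """Domain part of a cs-uri-query such as '+FROM:<user@example.org>'."""
    if "<" in query:
        addr = query.split("<", 1)[1].split(">", 1)[0]
    else:
        addr = query.split(":", 1)[-1].strip("+ ")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def profile_clients(text):
    """Per client IP: number of MAIL and RCPT commands and the sender domains used."""
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "domains": set()})
    for rec in parse_w3c(text):
        verb = rec["cs-method"].upper()
        if verb == "MAIL":
            stats[rec["c-ip"]]["mail"] += 1
            stats[rec["c-ip"]]["domains"].add(sender_domain(rec["cs-uri-query"]))
        elif verb == "RCPT":
            stats[rec["c-ip"]]["rcpt"] += 1
    return stats


def find_suspects(text, local_domains=LOCAL_DOMAINS, mail_threshold=3):
    """Internal clients that send >= mail_threshold messages or forge foreign senders,
    as (ip, mail_count, rcpt_count, sorted foreign sender domains), busiest first."""
    suspects = []
    for ip, s in profile_clients(text).items():
        if not is_internal(ip):
            continue  # Internet senders are a separate problem (relay/auth checks)
        foreign = s["domains"] - set(local_domains) - {""}
        if s["mail"] >= mail_threshold or foreign:
            suspects.append((ip, s["mail"], s["rcpt"], sorted(foreign)))
    suspects.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return suspects


if __name__ == "__main__":
    for ip, mails, rcpts, foreign in find_suspects(SAMPLE_LOG):
        print(f"{ip}: {mails} MAIL, {rcpts} RCPT, foreign senders: {foreign}")
```

Point it at the real log directory the SMTP virtual server writes to (Exchange 2003 uses the W3C format when that option is selected in the virtual server's logging properties) by replacing `SAMPLE_LOG` with the file contents; the suspects list is the shutdown list, in order. The threshold is deliberately low here because the sample is tiny; on a live log that has accumulated 350,000 queued messages, a per-hour count in the thousands from a single desktop is the expected signature, and a workstation that ever issues MAIL FROM with a sender domain you do not own is worth isolating regardless of volume. This complements the firewall advice in the thread: once only the mail server may reach TCP/25 externally, the bots can only reach your own SMTP virtual server, which is exactly where this log is written.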