My server seems to have been hacked into... I have relaying set up only for my Network addresses, but my processor is pegging out.

What process(es) are using the CPU (click on the "CPU" button in the Task Manager "Processes" tab to find out)?


There are smtp services running that I can't trace down, coming from multiple internal IPs.

Huh?


Do you mean SMTP (or SMTP32) processes in the Task Manager (which indicates E-mail being delivered, but you can't see what IPs are associated with them), or just log file entries?

Here are some of the things I am seeing...

03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221

These are normal, and just indicate your server talking to itself (most likely the IMail Monitor checking to make sure that the SMTP service is still up).


This is the IP of the mail server... connecting to itself? Port scanning I would assume.

No. If it was port scanning, you'd see someone else's IP. If it is port scanning, you've got serious problems, as someone already has access to your server. Remember, too, that IMail only listens on port 25, so you would never see any port scanning attempts.


It did that throughout the night... then today...

03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<[EMAIL PROTECTED]>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR stmarieschamber.org invalid user <[EMAIL PROTECTED]>

That just indicates a spammer trying to relay mail through your server (unsuccessfully).


These look like the bounces from the hacker's spam.

Not bounces, they are just invalid relay attempts. This is likely where the 100% CPU usage is coming from.


What do I look for in the log to find out exactly where this person is coming from? I can't seem to find any reference to an external IP so I can block it.

If 66.112.62.162 is your IP, that means you are running another mailserver -- you would have to check its logs to find out the IP sending the spam.


-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches both viruses and vulnerabilities in E-mail, with no annual licensing fees.
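An added example, not from the thread or from IMail/Declude: a small Python parser for the SMTPD log format quoted above that sets aside the monitor's self-connects and ranks the remaining client IPs by rejected relay attempts ("invalid user"), which is the information needed to decide what to block. The sample log is constructed (the 192.0.2.x client is a hypothetical address), and the set of the server's own addresses is an assumption taken from the thread.

```python
import re
from collections import Counter, defaultdict

# One IMail SMTPD log line: "MM:DD HH:MM SMTPD(session) [client-ip] message"
LINE_RE = re.compile(
    r"^(?P<date>\d\d:\d\d) (?P<time>\d\d:\d\d) SMTPD\((?P<session>[0-9A-Fa-f]+)\) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] (?P<msg>.*)$"
)

# Constructed sample log; 192.0.2.10 is a hypothetical (TEST-NET) client address.
SAMPLE_LOG = """\
03:25 00:05 SMTPD(010601AE) [66.239.112.100] connect 66.239.112.100 port 2217
03:25 00:06 SMTPD(010801AE) [66.239.112.100] connect 66.239.112.100 port 2221
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] RCPT To:<user@example.org>
03:25 04:31 SMTPD(01EF0204) [66.112.62.162] ERR example.org invalid user <user@example.org>
03:25 04:32 SMTPD(01EF0211) [192.0.2.10] connect 192.0.2.10 port 3341
03:25 04:32 SMTPD(01EF0211) [192.0.2.10] RCPT To:<a@example.net>
03:25 04:32 SMTPD(01EF0211) [192.0.2.10] ERR example.org invalid user <a@example.net>
03:25 04:33 SMTPD(01EF0211) [192.0.2.10] RCPT To:<b@example.net>
03:25 04:33 SMTPD(01EF0211) [192.0.2.10] ERR example.org invalid user <b@example.net>
"""

def parse_line(line):
    """Split one log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec, own_ips):
    """Label an entry: the monitor's self-connect, a connect, a rejected relay, RCPT, other."""
    msg = rec["msg"]
    if msg.startswith("connect ") and rec["ip"] in own_ips and msg.split()[1] in own_ips:
        return "self_connect"
    if msg.startswith("connect "):
        return "connect"
    if " invalid user " in msg:
        return "invalid_user"
    if msg.startswith("RCPT To:"):
        return "rcpt"
    return "other"

def summarize(lines, own_ips):
    """Per-client-IP counts of each entry kind, leaving out the monitor's self-connects."""
    per_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, own_ips)
        if kind != "self_connect":   # normal: the server checking that SMTP is still up
            per_ip[rec["ip"]][kind] += 1
    return dict(per_ip)

def rank_rejected(lines, own_ips):
    """Client IPs ordered by rejected relay attempts, most first; own IPs need their own logs checked."""
    per_ip = summarize(lines, own_ips)
    ranked = [(ip, c["invalid_user"]) for ip, c in per_ip.items() if c["invalid_user"]]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))
```

Run it over the real SMTP log with `rank_rejected(open(path).readlines(), {"66.239.112.100"})`; an own address at the top of the list means the rejected traffic is arriving through another mail server of yours, as the reply above describes.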

