TMG

Members

Content Count: 9
Community Reputation: 0 Neutral

About TMG

Rank: Newbie

  1. Well actually, the 'bin' isn't entirely correct! These are workstations that aren't up to the task of running our current applications anymore. Some of them get used for 'test' machines (we calibrate scientific equipment and can use some of the older PCs as GPIB interfaces to the equipment), some of them with problems are kept for spare parts to maintain other older machines, and usually the only ones that actually get thrown in the bin (unless any of the staff want them) are those that have been cannibalised to fix other machines and are no longer worth the space they take up! We're a small family-owned business so the IT budget isn't big! But we did just upgrade a bunch of PCs not long ago, and the offending PC in this case was one they stole to use as a GPIB interface, but the software hadn't been updated since it was removed from the network about 12 months ago.
  2. Yep, I believe the problem is resolved. It appeared to be a hijacked client machine on the LAN which was generating the spam mail. The machine was actually not even supposed to be on the network; it was sitting in a pile of decommissioned workstations ready for the bin. A couple of our employees decided they still had a use for it so plugged it back in, even though the software was outdated and unpatched, and it did not show on my anti-virus network administration tool, so I was unaware for a while that it was even on the network with outdated anti-virus software. :angry: A scan on the troublesome PC revealed it was riddled with virus infections. I removed this workstation and blocked all outgoing port 25 traffic at the firewall except for the mail server address. I also tightened our mail server security a little, but this was more of a preventative measure as the spam mail from this scenario was not using our network mail server (I could not find any reference to the mail in the mail server logs). Thanks for the help in tracking the problem down, everyone.
  3. Ok, this morning Senderbase is reporting traffic is back down to 115% for the last 24 hrs and so far we haven't reappeared on the list. I'll keep an eye on it over the next few days to make sure I've fixed the problem.
  4. ...actually I just had a thought: seeing that the traffic was down -100% yesterday after the weekend, could the 1435% increase shown by Senderbase be normal for us, moving from Sunday with no one on the system to Monday when everyone is back at work sending email?
  5. Yes, that is correct. One public IP, and I use port mapping from the firewall to direct mail etc. to the correct internal addresses. We only have approx. 25 users on the network. Yes, but we have been on and off the list about 4 or 5 times in the last week. So as soon as we are removed we are back on again within 12-24 hrs? Yep, that is correct, we reject anything that does not match a valid address on our system. We get a lot of spam attempting to be delivered to invalid usernames on our system. I just got in this morning and checked Senderbase again and our volume change is back up at 1435%!? I was hoping I had fixed the problem yesterday?
  6. We do have remote mail access enabled, but AFAIK Notes uses its own routing protocol from the Notes client to the server. I will investigate if SMTP remote access is enabled as well, but I don't think it is. Our users log into our mail server remotely but via their own ISP connections and only using the Notes client. If someone managed to hack a user's login to our mail server, wouldn't the extra email traffic show in the email server logs? Senderbase showed a -100% traffic decrease in the last 24 hours (it's Monday here). The mail server is on 24/7 but our network client PCs are all switched off over the weekend, so is this another clue pointing towards a hijacked LAN client machine causing the problem? I have removed a suspect client machine from the LAN and, to the best of my knowledge, have restricted outgoing port 25 traffic to just the 2 Linux servers, so we will see what happens in the next couple of days.
  7. Ok, sorry I haven't been back to check this forum for a few days, but we are listed again now. So it appears it could be a virus-infected machine on the network which could be causing this? Our mail server is Linux running Notes/Domino 6, so I would be extremely surprised if it was infected by a virus. I have had issues with one machine on our network being infected the last week or so. I thought I had fixed it though; I will take it off the network and see if it resolves the problem. All our internal IPs are in the 10.0.0 range though and we use NAT on our firewall, so I don't know where that 192.168.217.38 address came from? I will check out port 25 on our firewall and see if I can restrict internal usage to just our mail server. I'm the only network admin here and we aren't a large organisation. My main job is application development so I'm no mail server/network admin guru, but I know enough to get myself into trouble! Thanks very much for the help so far guys, I will check out the suggestions here and reply back if it doesn't resolve the problem.
  8. ...yeah, I did see that, which made me wonder if one of our network client PCs may have been infected by a virus which is sending out these emails? The mail server logs show no sign of the increased email traffic?
  9. I discovered we had been listed on SpamCop's DNS blacklist when some of our emails were returned with a message stating so. We run our own mail server. We did not receive any notification emails from SpamCop as I believe they were sent to an address for our ISP, who owns our IP address: 202.130.197.246. We were first listed a couple of days ago; when I checked it out the report said we would be removed in 24 hours. We did get removed but within 12 hours were back on again? I am trying to find out why we are being listed. We only send out one bulk email list but I don't believe this has been sent in the last 2 days, so I can't see how this could be the cause if we have been listed again in the last few hours? Is it possible that a virus-infected PC on our LAN could be the culprit? Can we get the original SpamCop notification emails resent to myself so I have a little info to go with? cheers...
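Posts 2, 6 and 9 above describe the diagnosis (the mail server logs show nothing, so the spam must be leaving from some other LAN host) and the fix (block outbound port 25 at the firewall for everything except the mail server). The example below is added here and is not code from the thread or from TMG. It shows how a firewall's own logs can confirm which LAN host is the culprit: it parses iptables-style LOG lines (constructed sample data), counts egress TCP/25 connection attempts per internal source, and reports any host other than the approved mail servers. The 10.0.0.0/24 LAN, the hypothetical mail-server addresses 10.0.0.5 and 10.0.0.6 and the log prefix EGRESS-SMTP are assumptions; the thread only says the LAN is in the "10.0.0 range" and that two Linux servers are allowed out on port 25.

```python
"""Spot LAN hosts sending SMTP directly to the Internet instead of via the mail server.

Added example: parses iptables LOG lines and tallies egress TCP/25 attempts per
internal source address, flagging anything not on the approved list.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed network layout (not stated in the thread beyond "10.0.0 range").
LAN = ip_network("10.0.0.0/24")
# Hypothetical addresses of the two Linux servers allowed to send on port 25.
ALLOWED_SMTP_SOURCES = {ip_address("10.0.0.5"), ip_address("10.0.0.6")}

# iptables LOG lines carry SRC= DST= ... PROTO= ... DPT= in this order;
# only the fields needed for the check are captured.
_LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?"
    r"PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields relevant to egress filtering, or None for non-packet lines."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]),
    }


def find_rogue_smtp_senders(lines):
    """Map each unapproved LAN source to the number of outbound TCP/25 attempts it made.

    Only LAN-originated traffic leaving the LAN is counted; a client talking to
    the internal mail server on port 25 is normal and is ignored.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        if rec["src"] not in LAN or rec["dst"] in LAN:
            continue  # not LAN egress
        if rec["src"] in ALLOWED_SMTP_SOURCES:
            continue  # the mail servers are supposed to do this
        counts[str(rec["src"])] += 1
    return dict(counts)


# Constructed sample log, in the iptables LOG format with a hypothetical
# "EGRESS-SMTP" prefix; destination addresses are documentation ranges.
SAMPLE_LOG = [
    "Mar 10 08:01:12 fw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 LEN=60 TTL=63 ID=1001 DF PROTO=TCP SPT=40212 DPT=25 WINDOW=5840 SYN URGP=0",
    "Mar 10 08:01:15 fw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=203.0.113.7 LEN=60 TTL=127 ID=1002 DF PROTO=TCP SPT=1043 DPT=25 WINDOW=65535 SYN URGP=0",
    "Mar 10 08:01:15 fw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=203.0.113.8 LEN=60 TTL=127 ID=1003 DF PROTO=TCP SPT=1044 DPT=25 WINDOW=65535 SYN URGP=0",
    "Mar 10 08:01:20 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=203.0.113.9 LEN=60 TTL=63 ID=1004 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 SYN URGP=0",
    "Mar 10 08:01:22 fw kernel: EGRESS-SMTP IN=eth1 OUT=eth0 SRC=10.0.0.37 DST=198.51.100.21 LEN=60 TTL=127 ID=1005 DF PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 SYN URGP=0",
    "Mar 10 08:01:30 fw kernel: LAN-SMTP IN=eth1 OUT=eth1 SRC=10.0.0.37 DST=10.0.0.5 LEN=60 TTL=127 ID=1006 DF PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 SYN URGP=0",
    "Mar 10 08:02:00 fw kernel: DNS-OUT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.53 LEN=64 TTL=63 ID=1007 PROTO=UDP SPT=5353 DPT=53 LEN=44",
    "Mar 10 08:05:00 fw sshd[123]: Accepted publickey for admin from 10.0.0.2 port 50211 ssh2",
]

if __name__ == "__main__":
    for host, n in sorted(find_rogue_smtp_senders(SAMPLE_LOG).items()):
        print(f"{host}: {n} direct outbound SMTP attempt(s) bypassing the mail server")
```

Run against the sample data this reports 10.0.0.37 with three attempts; the mail server's own connection, the internal client-to-server connection and the non-SMTP lines are all ignored. Once the outbound TCP/25 rule is in place with logging enabled, the same tally turns the firewall into the network-wide view the thread's author lacked when the unpatched workstation was plugged back in without appearing in the anti-virus console.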