Jump to content


  • Content Count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About TomMynar

  • Rank
  1. TomMynar

    SBS 2003 Network Tool allows relaying

    Well, that *may* be true that we have weak passwords. But wouldn't the external SMTP server have to be permitted in the list of "only allow the following IP" ? Since I only have and <laniphere>, that external box *should* be coming in with the IP address of the router/firewall G/W number (NAT enabled), correct ? The Exchange server is having NO difficulty accepting and transmitting email, without those IPs in the list. POP protocol was enabled, I've disabled it (not needed anyways). But since I can't predict when this external source is attacking (I suspect all the time), I do *not* know I've stopped the problem. Thanks Sorry, that didn't help any. I've already gone through all of the things he has gone through on the firewall and the server. Thanks for searching. Tom
  2. When running the Connect to Network tool in SBS 2003, it creates 2 entries in the RELAY section of the SMTP Virtual Server. and the local machine's IP address. If I leave these in, someone is getting into the server and using it to relay messages-as if they were permitted. If I remove these entries, SBS can no longer send out its' statistical reports (all other mail is sent out fine ). What is it that is allowing these hackers to get THROUGH the Fortinet firewall and abUSE my server :angry: ? Or do I still have something (client) internal on the LAN that is doing this ? Yes, I have TrendMicro on all the clients and servers. My servers/clients are up to Microsoft patch levels. Anyone got an idea ? Tom
  3. The comment on the telnet was that "I am announcing my Exchange server". Well, if you telnet to port 25 on mail.blahblah.com, does the Exchange server not say (in not so many words): "Hi, I'm Exchange, what do you want today" to the EHLO command ? So WHO cares if some searching BOT looks for Exchange Servers and attempts to find unpatched machines. ARE THEY NOT DOING THAT ANYWAYS ? In regards to the comment of a security issue logging into the Exchange Server to get email. Ah hem, HOW exactly to you retrieve email from a SERVER that is NOT the EMAIL SERVER ? I guess this is a LINUX thing. I know that M/S changed things in Exchange/WindowServer 2008 that you have roles defined by different servers. Such that the server for communicating to phones and OWA and things like that can be separate from the server doing the actual storage of data. However, that requires investment in additional servers (hardware) for handling 11 mailboxes. Not exactly cost effective. Of course now that I've gotten ourselves removed from all the blacklists, our email addresses are now out there and the amount of spam attributed to us is multiplied. Several users (ex-infected machines) are now receiving "cannot be delivered" spoofed mails (I can see that some of the replies back contain the original email header with an IP address unknown to me). Man, 1 little problem... Thanks Tom Sorry to hear about your family illnesses. Try and take it easy.
  4. "which IP address are we talking about" "moving the IP address" I have a 5 block subnet from mpower. When .251 would get blocked, I would tell the router to output (from all internal sources) to .250. When that got blocked too, I moved it to .249, etc. Obvously NOT a solution So, I seperated the two email servers so one used the Fortinet router on .251 and the other used a cheapie router on .249. Then I watched for things to expire in the bl listings. .251 kept getting relisted, the .249 didn't. So, it made me think "what is different ?". On the .249 side (the clients are NOT local) I had what I knew to be infected machines (verified today when I went out there, that was the 80 mile away client). I wiped one machine and upgraded it from Win2K to WinXP Pro w/Trend. I scanned the other machine (XP Pro) and cleaned 1 trojan and several suspicions EXEs. I then checked the .251 lan and realized I had a Wireless router on the LAN side. I also noticed an employee with an unauthorized laptop sitting under his bench in the warehouse. I unplugged the wireless router (not really in use anyways) this morning. I have seen no more evidence of crap being sent out. I am going to leave it off to make sure the spyware is not just being stealth for a while (that is, not on the suspected laptop). I am working with Fortinet support to setup the firewall settings to ONLY allow the SERVER to send out port 25 and block all other clients from using 25. I will then "sniffer" the network and turn the wireless back on and see if the traffic comes in over the wireless IP (we are far enough away from other buildings that it is unlikely someone else is using it). I have to learn how to use the sniffer software though. Not a pleasant task I believe. Oh, Ellen did not give me any further detail of the emails found-just the generic header text which sending IP, domain name, time sent, etc.), so I couldn't find out any forwarding IP's that would be in the ethernet packets that would tell me where the router was to send the packet back to. Of course, my understanding of how a router compiles a packet is that it sends out its' own IP for the return packet trip and has a private area that the receiver is supposed to keep attached where my router embeded the internal LAN IP of the packet it is routing (that took a long breath to say). "https:..../exchange" Why is this alarming ? Doesn't a simple telnet to port 25 on a domain preceeded with "mail." tell them who they are talking to ? I'll have to go back and test that. I guess I could create some kind of Java applet to give the company employees an sneaker link to the server. Tom
  5. How do I tell which client is sending out crap ? I ran Trend and it discovered nothing. I have 26 client desktops, all running Windows XP SP2. I isolated the 2nd email server onto its' own router. So I have 1 router (Fortinet 100A) with 1 Exchange server and the clients. If I turn OFF outbound SMTP traffic from Exchange, the only traffic should be the infected client-correct ? So how do I identify that IP ? I installed Winshark on my desktop. "using other than port 25" How can a client using something other than port 25 communicate with a conversation through the firewall with another email server (or spambot listener) ? Shouldn't the email server ignore anything except port 25 ? Sorry if you feel offended if I call this forum a blog site, not sure what would be the P.C. name to use. The IP address was correctly identified in the 216 area. I've tried moving the outbound IP to get around being blocked, but obviously I need to find the offending client to fix the problem. The traffic on the router is very quiet today. But Ellen told me that sometimes the spyware/etc. programs get real smart and go quiet to avoid you finding them for a while. Feel free to change the thread title to "Confused admin-what is spamcopy telling me". Or something you think is more suitable (probably just the first part). Thanks Tom
  6. "I guess I am not understanding how spamcop works." Yes, you are correct. I don't understand how my Exchange 2003 server is being blamed for crapping. It is not sending crap, it is sending what the client is sending. JUST LIKE HOTMAIL, EARTHLINK, etc. The "server" or "operating system" is NOT infected. How do I prove that to parties that can't listen (servers I'm sending legitimate mail to) who use spamcop information to base traffic on ? For those of you who know (or care): I turned off all outbound SMTP traffic on the 2 servers. I monitored SMTP traffic on the router. It ALL stopped (or practically, there was some small noise-I think inbound requests to connect). That PROVES the server is NOT sending crap. It proves that MY inside network is NOT sending crap. Otherwise, the SMTP traffic on the router would have continued to flow. I turn outbound back on, hum-a couple hours later my IP is reported as a crapper. So WHY is the IP address blocked ? I still have not heard from the "users" why this needs to be done. What is it that spamcop is preventing ? It is NOT stopping the CAUSE of the problem (him), just affecting me (or, my servers). "other people use the information, it is not spamcop's fault". OK, I guess this goes with the flawed philosophy "people kill people, guns don't". If what I believe to be inaccurate information is being spread (let's say, weapons of mass destruction reports) and someone is using that information to base a decision on (I won't put the implied example here), then is it the fault of the person making the decision or the person collecting the information OR BOTH ? Now, here I am the 3rd party being affected by what spamcop is doing. SO WHO ELSE DO I TALK TO SINCE MY EMAILS TO DIGITALRIVER ARE BEING BLOCKED SUCH THAT I CAN'T COMPAIN THAT THEY ARE BEING BLOCKED. "there are other companies doing the same thing, eventually you will get into those lists also." OK, when ? I haven't for the last 2 weeks that I've been working on this issue with spamcop ? So, that sounds to me like spamcop is TOO sensitive to determining who is and who isn't an abuser. Otherwise, the "other guys" would have listed me LONG ago. So guess what guys/gals ? I'm listed again this morning. Everything was fine this weekend (I got delisted on Sunday), the "guy" gets into work today, starts up his Outlook-and boom. I'm listed. I change the outbound IP address of my router, an hour later-that IP is listed. I'm trying to get out to his site and work on his computer, but he lives 80 miles from me. Not an easy place to get to. PLEASE GIVE ME SOME ASSISTANCE IN MAKING THIS STOP. Just because I "fix" one computer, it only takes a busy little teenager to download something on a laptop and he'll be back in business spreading the crap. I need a LONG TERM solution. Spamcop is NOT that. Thanks for the discussion. Sorry I didn't quote the messages directly from the thread, I don't know how to do that with this blogging software. Tom
  7. Please understand my frustration. We (the industry) are using IP addresses in databases to stop CRAPemail (OK, I won't use the four letter word that is imbedded in your site name since you feel I am using it against some copyright laws of Hormel, not sure why it is OK for you to use it inside of your name...). I don't think that using that technique is working very well. When CRAPemail servers were located off-shore and would send bulk CRAP, they were easy to find, easy to block. But now, the FBI reported that last year over 15 MILLION home PCs are infected with BOTs. So, you (pluaralized definition: SPAMCOP type databases) use the IP addresses. So, the BOT writers have changed to now pretend to be someone else in their efforts to cause havic. Depending on the sophistication of organizations "like" SPAMCOP.NET, some valid IPs are being reported incorrectly. My question is, why do we use an unreliable method of tracking IP addresses (which can be spoofed) to stop spam ? In my particular instance, I have discovered a software package with an apparent bug (Argosoft MailPro) which is allowing a rough PC to send email CRAP. My complaint is that email servers (I have 3) that were NOT the one causing the problem were being wrongfully accused and subsiquently blocked. Since all 3 servers (the bad one plus the 2 good ones) run on the same router-they transmit on the same IP address ( Second complaint-Yahoo and Hotmail (who are listed as the top CRAPers in the SPAMCOP.NET statistics page) are NOT being blocked. Here I am, with 1 user with CRAP BOTs running on his PC is causing innocent servers to be blocked because I can't afford to take legal action against SPAMCOP.NET, where Yahoo and Hotmail or huge MAILhouses can. Because of the work of Ellen at SPAMCOP.NET (who instead of ignoring my requests like others in the organization), helped me figure out where the REAL trouble was coming from (not just a generic IP address number). Thanks for letting me vent on this. I've moved the user OFF of ArgoSoft MailPro and onto an Exchange 2003 server and the last 24 hours have seemed to stop the CRAP. Although, COX.NET is now telling HIM that HIS IP address is now being blocked, even from WebMail....but that's a project to fix next week. Thanks Tom
  8. OK, here's the scenario: A computer gets infected with a BOT, it reads the user's computer and sends out spam claiming to be from a 3rd party. This 3rd party is then reported to SPAMCOP as being a SPAMMER and inserted into the SPAMCOP database. When IN FACT, the 3rd party server is NOT a SPAMmer. So, how do we fix this ? Must I check (as the server admin) your database every 2 hours of the day to make sure someone hasn't submitted me (incorrectly) so that I can make a request to remove it in the next 2 hours ? Come on guys, I'm running a legitimate business here with THREE users and you are blocking ALL of his emails to Belgium. I would appreciate a response. Tom