jkee

Can't seem to find problem

thanks, i think bringing in the outside consultant is the way to go, we're spending more time (=money) researching this than it would probably take someone to come in and look at. thanks again to everyone, on the pros..


I keep missing any of the signs that show you look back at things, but ... data point for the day;

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.5 .... 240%

Last 30 days .. 3.5 .... 305%

Average ........ 2.9

On the downward slide

> I keep missing any of the signs that show you look back at things, but ... data point for the day;
>
> Volume Statistics for this IP
>
> Magnitude Vol Change vs. Average
>
> Last day ........ 3.5 .... 240%
>
> Last 30 days .. 3.5 .... 305%
>
> Average ........ 2.9
>
> On the downward slide

Remember that the smtp/auth spammer (and others I suppose) will back off of a listed server for 3 or 4 days waiting for a delist and then start back up again. We see this quite often, so looking at one day and seeing a magnitude decrease is not definitive.

Of course wandering into this thread in the middle I have probably missed the whole point of your post ...

> Remember that the smtp/auth spammer (and others I suppose) will back off of a listed server for 3 or 4 days waiting for a delist and then start back up again. We see this quite often, so looking at one day and seeing a magnitude decrease is not definitive.
>
> Of course wandering into this thread in the middle I have probably missed the whole point of your post ...

Yes. Please see my previous posts at http://forum.spamcop.net/forums/index.php?...indpost&p=19210 which set the first data point for the traffic flow from this IP ... then look at http://forum.spamcop.net/forums/index.php?...indpost&p=19223 which also included the scenario of the spammer letting the IP get delisted and then starting another spew run.

And by the way, current data is;

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.0 ... 23%

Last 30 days ... 3.5 .. 306%

Average ......... 2.9


Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to MAPS:

Microsoft Exchange Server

    Status:  Commercial (Microsoft Corp.)

    Systems: Win/NT

    Info:    http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.) In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine [which was formerly here]. If you're running an older version, it's time to upgrade.

Microsoft has an article on their TechNet site that discusses securing Exchange 2000 and 5.5.
