Everything seems secure but my server accepts spam

[2binteractive]

Hi, our server seems secure but my server accepts spam via SMTP.

I added a part of the log where a spam session starts. With AUTH LOGIN, someone accesses our SMTP server, how can I solve this or see who it is?

Our mail IP is: 62.58.193.247

Thanks,

Rob.

R PORT=4421 220 2bexc2.2bi 2B Interactive SMTP server Mon, 9 Aug 2004 14:37:46 +0200

C PORT=4421 EHLO archer

R PORT=4421 250-2bexc2.2bi Hello [211.158.105.85] 250-TURN 250-ATRN 250-SIZE 250-ETRN 250-PIPELINING 250-DSN 250-ENHANCEDSTATUSCODES 250-8bitmime 250-BINARYMIME 250-CHUNKING 250-VRFY 250-X-EXPS GSSAPI NTLM LOGIN 250-X-EXPS=LOGIN 250-AUTH GSS

C PORT=4421 AUTH LOGIN

R PORT=4421 334 VXNlcm5hbWU6

C PORT=4421 xxxxxxxx

R PORT=4421 334 UGFzc3dvcmQ6

C PORT=4421

R PORT=4421 235 2.7.0 Authentication successful.

C PORT=4421 MAIL FROM: <acrossicings[at]cablespeed.com>

R PORT=4421 250 2.1.0 acrossicings[at]cablespeed.com....Sender OK

C PORT=4421 RCPT TO:<a.braun[at]delphi.com>

R PORT=4421 250 2.1.5 a.braun[at]delphi.com

C PORT=4421 DATA

R PORT=4421 354 Start mail input

C PORT=4421 To: a.braun[at]delphi.com Subject: GlVE THE GREATEST GIFT Mime-Version: 1.0 Content-Type: text/html

Src= 25,Dst= 4421,.A....,S=3723050093,L= 0,A= 417739194,W=65420

C PORT=4421 From: "Rosemary Barber"<acrossicings[at]cablespeed.com> To: a.braun[at]delphi.com Subject: GlVE THE GREATEST GIFT Mime-Version: 1.0 Content-Type: text/html

R PORT=4421 250 2.6.0 <2BEXC28BcT2QYpR9vbw000007de[at]2bexc2.2bi> Queued mail for delivery

[StevenUnderwood]

Well, I would get this fixed soon as you are currently only on SpamCop's list (http://www.spamcop.net/w3m?action=checkblock&ip=62.58.193.247), but senderbase is already showing a 530% increase in traffic from that IP (http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=62.58.193.247), so it is only a matter of time.

You do not mention what server software you are using so these are general solutions.

First I would remove the server from the internet and change all passwords. It sounds like this is a smtp-auth exploit. Spamcop has a write up on this problem at: http://www.spamcop.net/fom-serve/cache/372.html

Other help can be found in the currently-in-progress FAQ+ (http://forum.spamcop.net/forums/index.php?showtopic=2238 ) in the "Assistance stopping spam:" section.

Good luck and let us know how things progress and if you have any specific questions, please post them back here.

[2binteractive]

Thanks Steven, I already switched to another internal SMTP server (with other outside IP address because outgoing traffic was allmost not possible anymore. But it will take not much time before that one is blocked by SpamCop also.

We are using Exchange 2000 SP3.

I will read the suggested topics leave the sniffer running tonight and let you know as soon as I know more about the problem.

Rob.

Well, I would get this fixed soon as you are currently only on SpamCop's list (http://www.spamcop.net/w3m?action=checkblock&ip=62.58.193.247), but senderbase is already showing a 530% increase in traffic from that IP (http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=62.58.193.247), so it is only a matter of time.

You do not mention what server software you are using so these are general solutions.

[Chris Parker]

Sounds like an SMTP AUTH Hack. The best thing to do is disable all unneeded accounts and change passwords for all existing accounts and assuring that they are non-trivial (not simple dictionary words, but should include letters, numbers, and other characters [,.;/_+=etc] if possible).

[Derek T]

We are using Exchange 2000 SP3.

Then the solution could lie in something called 'Mandrake 10.0'

[GraemeL]

Hi, our server seems secure but my server accepts spam via SMTP.

I added a part of the log where a spam session starts. With AUTH LOGIN, someone accesses our SMTP server, how can I solve this or see who it is?

Our mail IP is: 62.58.193.247

Hi there,

I sent you a reply by email rather than the forum as I found the exact cause of your problem. Please post here if you do not get that email.

[Merlyn]

You should turn all your servers off now untill someone can fix them for you. You are allowing spammers to use your network to send their spam. They are probably using a Guest Account or a System account to login so your servers are compromised.

If you keep changing IP's pretty soon your ISP WILL disconnect you.

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

Only an irresponsible person would allow their machines to be connected to the net knowing they are compromised.

As Ellen would say:

"This exploit allows spammers to relay thru your exchange server. This relaying does not show up using standard open relay tests as the spammer has gained 'legal' access to your server by hacking an account/password combination."

[2binteractive]

Problem is solved thanks to email from GraemeL.

One account had a blank password.

Thanks everybody for your support.

Rob.

[Derek T]

Problem is solved thanks to email from GraemeL.

One account had a blank password.

I am pleased to hear it, and don't wish to pour cold water but....

The senderbase data still shows an 8-fold increase in traffic over the last 24 hrs.

Could the spammers, having once taken over your machine, have created other accounts? installed malware? as others here will probably say, to be sure you need to disconnect from the internet and at least re-format then issue new accounts with strong passwords and, of course, disenable the default accounts that M$ so helpfully (to the spammers) enables as default.

My previous comment still stands - replace M$ with Linux for a more secure server. If you must keep Exchange then put a *nix server between it and the internet.