jkee Posted October 26, 2004

Thanks, I think bringing in the outside consultant is the way to go; we're spending more time (=money) researching this than it would probably take someone to come in and look at. Thanks again to everyone, on the pros..

Wazoo Posted October 26, 2004

I keep missing any of the signs that show you look back at things, but ... data point for the day;

Volume Statistics for this IP
                  Magnitude   Vol Change vs. Average
Last day ........ 3.5 ....... 240%
Last 30 days .... 3.5 ....... 305%
Average ......... 2.9

On the downward slide

Ellen Posted October 27, 2004

> I keep missing any of the signs that show you look back at things, but ... data point for the day;
>
> Volume Statistics for this IP
>                   Magnitude   Vol Change vs. Average
> Last day ........ 3.5 ....... 240%
> Last 30 days .... 3.5 ....... 305%
> Average ......... 2.9
>
> On the downward slide

Remember that the smtp/auth spammer (and others I suppose) will back off of a listed server for 3 or 4 days waiting for a delist and then start back up again. We see this quite often, so looking at one day and seeing a magnitude decrease is not definitive. Of course, wandering into this thread in the middle, I have probably missed the whole point of your post ...

Wazoo Posted October 27, 2004

> Remember that the smtp/auth spammer (and others I suppose) will back off of a listed server for 3 or 4 days waiting for a delist and then start back up again. We see this quite often, so looking at one day and seeing a magnitude decrease is not definitive. Of course, wandering into this thread in the middle, I have probably missed the whole point of your post ...

Yes. Please see my previous posts at http://forum.spamcop.net/forums/index.php?...indpost&p=19210 which set the first data point for the traffic flow from this IP ... then look at http://forum.spamcop.net/forums/index.php?...indpost&p=19223 which also included the scenario of the spammer letting the IP get delisted and then starting another spew run.

And by the way, current data is;

Volume Statistics for this IP
                  Magnitude   Vol Change vs. Average
Last day ........ 3.0 ....... 23%
Last 30 days .... 3.5 ....... 306%
Average ......... 2.9

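The exchange above (a one-day drop is not definitive because the sender may only be waiting out the listing), as an added example that is not from any poster or from SpamCop. The 100% "elevated" threshold, the state names and the sample series are assumptions; only the 240% and 23% readings come from the thread.

```python
from dataclasses import dataclass

BACKOFF_DAYS = 4      # thread: spammers pause "3 or 4 days" waiting for a delist
ELEVATED_PCT = 100.0  # assumed: daily "Vol Change vs. Average" that counts as a spew run


@dataclass
class Verdict:
    state: str        # no-run | active | resumed | quiet-unconfirmed | quiet-confirmed
    quiet_days: int   # consecutive non-elevated days at the end of the series


def assess(daily_change_pct):
    """Classify daily 'Vol Change vs. Average' readings, oldest first."""
    elevated = [pct >= ELEVATED_PCT for pct in daily_change_pct]

    # Count how many days in a row, ending today, were below the threshold.
    quiet_days = 0
    for flag in reversed(elevated):
        if flag:
            break
        quiet_days += 1

    if not any(elevated):
        return Verdict("no-run", quiet_days)

    if quiet_days == 0:
        # Today is elevated. More than one distinct run means the sender
        # paused and came back, the pattern described in the thread.
        runs = sum(1 for i, flag in enumerate(elevated)
                   if flag and (i == 0 or not elevated[i - 1]))
        return Verdict("resumed" if runs > 1 else "active", 0)

    # A drop only counts once it has outlasted the usual back-off window.
    state = "quiet-confirmed" if quiet_days > BACKOFF_DAYS else "quiet-unconfirmed"
    return Verdict(state, quiet_days)


if __name__ == "__main__":
    # 240 and 23 are the two "Last day" readings posted above; the rest is constructed.
    for series in ([240.0, 23.0],
                   [240.0, 23.0, 10.0, 5.0, 250.0],
                   [240.0, 23.0, 10.0, 5.0, 8.0, 12.0]):
        print(series, "->", assess(series))
```
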
Jeff G. Posted October 30, 2004

Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to MAPS:

Microsoft Exchange Server
Status: Commercial (Microsoft Corp.)
Systems: Win/NT
Info: http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.) In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine [which was formerly here]. If you're running an older version, it's time to upgrade.

Microsoft has an article on their TechNet site that discusses securing Exchange 2000 and 5.5.

Archived
This topic is now archived and is closed to further replies.