Can't seem to find problem


jkee

Thanks, I think bringing in the outside consultant is the way to go; we're spending more time (=money) researching this than it would probably take someone to come in and look at. Thanks again to everyone, on the pros..


I keep missing any of the signs that show you look back at things, but ... data point for the day;

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.5         240%
Last 30 days    3.5         305%
Average         2.9

On the downward slide

Remember that the smtp/auth spammer (and others I suppose) will back off of a listed server for 3 or 4 days waiting for a delist and then start back up again. We see this quite often, so looking at one day and seeing a magnitude decrease is not definitive.

Of course wandering into this thread in the middle I have probably missed the whole point of your post ...

Yes. Please see my previous posts at http://forum.spamcop.net/forums/index.php?...indpost&p=19210 which set the first data point for the traffic flow from this IP ... then look at http://forum.spamcop.net/forums/index.php?...indpost&p=19223 which also included the scenario of the spammer letting the IP get delisted and then starting another spew run.

And by the way, current data is;

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.0         23%
Last 30 days    3.5         306%
Average         2.9


Your mailserver appears to be running Microsoft Exchange Server 5.0 - according to MAPS:

Microsoft Exchange Server

    Status:  Commercial (Microsoft Corp.)

    Systems: Win/NT

    Info:    http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.) In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine [which was formerly here]. If you're running an older version, it's time to upgrade.

Microsoft has an article on their TechNet site that discusses securing Exchange 2000 and 5.5.
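
An added example, not part of the original thread or of the MAPS text: one way an administrator can check whether their own server accepts an external-to-external envelope, the relay behaviour described above for Exchange 5.0. It uses Python's standard smtplib; the addresses, function names and StubServer class are constructed for illustration, and the transaction is reset before DATA so nothing is queued.

```python
import smtplib

# Constructed placeholder addresses; neither domain is local to the server tested.
EXT_SENDER = "relaytest@sender.example"
EXT_RCPT = "relaytest@recipient.example"

def relay_verdict(smtp, sender=EXT_SENDER, rcpt=EXT_RCPT):
    """Classify a server by its reply to an external-to-external envelope."""
    # smtp is a connected smtplib.SMTP, or any object with the same methods.
    smtp.ehlo_or_helo_if_needed()
    code, _ = smtp.mail(sender)
    if code != 250:
        smtp.rset()
        return "sender-refused"      # server would not start the envelope
    code, _ = smtp.rcpt(rcpt)
    smtp.rset()                      # abandon the envelope; DATA is never sent
    if 200 <= code < 300:
        return "accepts-relay"       # external recipient accepted from external sender
    if 400 <= code < 500:
        return "deferred"            # temporary failure: retest later
    return "refuses-relay"           # 5xx reply, e.g. relaying denied

def check_host(host, port=25, timeout=10):
    """Run the check against a server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return relay_verdict(smtp)

class StubServer:
    """Constructed stand-in for a live connection, so the logic runs offline."""
    def __init__(self, rcpt_code):
        self.rcpt_code = rcpt_code
        self.sent = []
    def ehlo_or_helo_if_needed(self):
        self.sent.append("EHLO")
    def mail(self, sender):
        self.sent.append("MAIL")
        return 250, b"OK"
    def rcpt(self, rcpt):
        self.sent.append("RCPT")
        return self.rcpt_code, b""
    def rset(self):
        self.sent.append("RSET")
        return 250, b"OK"
```

An "accepts-relay" result only shows that the envelope was accepted; some servers accept the recipient and reject or discard later, so confirm against the server's own relay settings.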
