Wilders Security Forums  

#1 martindijk (Frequent Poster), October 23rd, 2003, 05:05 AM
Email server hacked??

Hi all,

Didn't know what hit me yesterday. As always I checked my email on my Win2000 server, and I received 2100 mails back from the Postmaster.

All addresses were sent to different names but always a "hotmail" domain.

Now it seems a Korean guy is using my mailserver to propagate spam, and every time I check my mail I get hundreds of returned mails from the postmaster, and our own internal mail cannot be received anymore as a result of all those "hotmail" returned messages.

For now I have reconfigured the email server, but I haven't got a clue what is generating all this mail.

Could this be the effect of a browser hack or something like that?

Please help me out here guys, any suggestion is welcome.

Thanks in advance,

cheers,
Martin
__________________
Thanks,
Martin

My software never has bugs ~ It just develops random features

#2 Pieter_Arntz (Spyware Veteran), October 23rd, 2003, 05:12 AM

Hi Martin,

Have you checked your list of processes for anything suspicious?
I have seen reports of trojan-like programs turning computers into spam relayers.

Regards,

Pieter
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.

It's human to make mistakes. It's even more so to blame the computer for it.

#3 martindijk (Frequent Poster), October 23rd, 2003, 05:19 AM

Hi Pieter,

Done that and at first glance it seems to be OK.

Is it worth running Hijack This on the server and having it checked out on this forum?

rgds,
Martin

#4 Pieter_Arntz (Spyware Veteran), October 23rd, 2003, 05:46 AM

Hi Martin,

I'd be happy to have a look if I can find something.

Regards,

Pieter

#5 DiGi (Regular Poster), October 23rd, 2003, 08:07 AM

Maybe it was only a wrongly configured SMTP server (open relay)...

Check http://www.ordb.org/
__________________
www.qr.cz - news 4 u

#6 martindijk (Frequent Poster), October 23rd, 2003, 08:14 AM

Hi DiGi,

Can you please tell me what that means to me: an open relay, and how this can solve my earlier mentioned problems??

cheers,
Martin

#7 JayK (Poster), October 23rd, 2003, 08:29 AM

Quote from Martin vDijk:
> Hi DiGi,
>
> Can you please tell me what that means to me: an open relay, and how this can solve my earlier mentioned problems??
>
> cheers,
> Martin

If your mailserver is an open relay, it means anyone can send email from your SMTP server.

Spammers love that of course.

Normally, you would have restrictions on who can use your SMTP server, either by limiting by IP, or by allowing mail after a POP authentication, etc.
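
The restriction described in the post above (relay only for known IP ranges or after a recent POP login), written out as a relay decision. This is an added example, not part of the thread; the local domain, trusted network and 15-minute window are assumed values:

```python
import ipaddress
import time

# Assumed policy values (hypothetical, not taken from the thread).
LOCAL_DOMAINS = {"example.nl"}                       # domains this server hosts
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # own office network
POP_WINDOW_SECONDS = 15 * 60                         # POP-before-SMTP validity


class RelayPolicy:
    def __init__(self):
        self._pop_logins = {}  # client IP -> time of last successful POP login

    def record_pop_login(self, client_ip, now=None):
        """Called by the POP service after a successful authentication."""
        self._pop_logins[client_ip] = time.time() if now is None else now

    def decide(self, client_ip, rcpt_to, now=None):
        """Return the SMTP server's verdict for one RCPT TO from one client."""
        now = time.time() if now is None else now
        domain = rcpt_to.rsplit("@", 1)[-1].lower()
        # Mail for our own users is delivery, not relaying: always accepted.
        if domain in LOCAL_DOMAINS:
            return "accept: local delivery"
        # Everything below is relaying to a foreign domain.
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in TRUSTED_NETS):
            return "accept: trusted network"
        last = self._pop_logins.get(client_ip)
        if last is not None and 0 <= now - last <= POP_WINDOW_SECONDS:
            return "accept: POP-before-SMTP"
        # An open relay is a server that never reaches this line.
        return "reject: relaying denied"
```
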


#8 JayK (Poster), October 23rd, 2003, 08:34 AM

Another possibility (depending on the type of messages you are getting): someone did a joe job on you.

I.e. someone spoofed your email addie by changing the "Reply To" address.

You can't do much in this case.
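
Whether the returned mail comes from relaying through your own server or from a forged sender address can be read from the original headers that most bounces include. An added example (not part of the thread) that classifies bounces by checking the Received hops; the host name, IP address and sample bounces are constructed assumptions:

```python
import email
import re

OUR_HOSTS = {"mail.example.nl", "192.0.2.25"}  # assumed names/IPs of our server

def original_message(bounce_raw):
    """Return the bounced message (or its headers) embedded in a DSN, else None."""
    for part in email.message_from_string(bounce_raw).walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None

def classify(bounce_raw):
    """'sent-through-us' if a Received hop names our server, else 'forged-sender'."""
    orig = original_message(bounce_raw)
    if orig is None:
        return "unknown"  # bounce carries no original headers to inspect
    tokens = set()
    for hop in orig.get_all("Received", []):
        tokens.update(t.strip(".-") for t in re.findall(r"[a-z0-9.-]+", hop.lower()))
    return "sent-through-us" if tokens & OUR_HOSTS else "forged-sender"

def make_bounce(received):
    """Build a constructed multipart/report bounce around the given Received hops."""
    orig = "".join("Received: %s\n" % r for r in received)
    orig += "From: martin@example.nl\nTo: nobody@example.com\nSubject: offer\n\nspam\n"
    return ("From: postmaster@example.com\nTo: martin@example.nl\n"
            "Subject: Undeliverable mail\nMIME-Version: 1.0\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
            "\n--b1\nContent-Type: text/plain\n\nUser unknown.\n"
            "--b1\nContent-Type: message/rfc822\n\n" + orig + "\n--b1--\n")

# Constructed hops: the first list passed through our server, the second never did.
RELAYED = ["from mail.example.nl ([192.0.2.25]) by mx.example.com; Thu, 23 Oct 2003 05:00:01 +0200",
           "from unknown ([203.0.113.50]) by mail.example.nl; Thu, 23 Oct 2003 05:00:00 +0200"]
SPOOFED = ["from unknown ([203.0.113.50]) by mx.example.com; Thu, 23 Oct 2003 05:00:00 +0200"]

if __name__ == "__main__":
    for name, hops in (("relayed", RELAYED), ("spoofed", SPOOFED)):
        print(name, "->", classify(make_bounce(hops)))
```

A Received line naming your host can itself be forged, so confirm a "sent-through-us" verdict against the mail server's own SMTP log before concluding that the server relayed the message.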

#9 martindijk (Frequent Poster), October 23rd, 2003, 09:15 AM

Thanks all for your replies,

Is there an easy way of closing this open relay??

cheers,
Martin

#10 JayK (Poster), October 23rd, 2003, 09:20 AM

Quote from Martin vDijk:
> Thanks all for your replies,
>
> Is there an easy way of closing this open relay??
>
> cheers,
> Martin

?? It depends on what mail server you are running. No offence, but if you don't know what an open relay is, you really shouldn't be running a mail server.

Lots of security issues....

#11 martindijk (Frequent Poster), October 23rd, 2003, 09:34 AM

I am running a Cobalt Cube 3, and as for the open relay aspect, it is just the English terms that confuse me, that's all.

cheers,
Martin

#12 JayK (Poster), October 23rd, 2003, 09:38 AM

Quote from Martin vDijk:
> I am running a Cobalt Cube 3, and as for the open relay aspect, it is just the English terms that confuse me, that's all.
>
> cheers,
> Martin

Sorry, never heard of it. Try checking your documentation. Also, are you certain yours is an open relay?

#13 4NodAu (Infrequent Poster), October 27th, 2003, 02:58 PM

Hi,
VIEW: Thank U Nod32 Staff x 2 4NodAu ( Posted Tuesday 28th October 2003 Australian Time )

************

VIEW : http://www.sacm.co.za/Feature.asp?NewsID=6828&Cont=News

THIS NASTY CAME BY WAY OF AN OFFICIAL LOOKIN' MICROSOFT EMAIL PATCH FOR IE V'S 4.01 - 6.xx and win 95 - win xp.

MAYBE these ISP'S have got umpteen WORMS - TROJANS - VIRUSES embedded and nasty TERRISTO'S are REMOTELY CONTROLLING THE SERVERS AND / OR DUMPING AND email ADDIES to these

BULK SENDERS OF EMAIL UNSOLICITED AND OR SPAMMERS !!!

USE ADAWARE AND ALWAYS QUARANTINE EVERYTHING CHECK IT IS ALWAYS ON. HEURISTIC AND DEEP SCAN ON.

CHOOSE TO LEAVE ON SERVER AND MOVE TO TRASH ON EXIT SOUNDS A GOOD IDEA.

PERHAPS THE HACKERS HAVE THE ISP SERVERS SETUP TO KEEP PILES OF EMAILS THAT SHOULD HAVE BEEN DELETED ... THEN DUMP THEM ON US.


********************************

WE RECEIVED 20 + OF EXACTLY THE SAME BLOODY EMAIL FROM EXACTLY THE SAME SOURCE.

********************************

regards
4NodAu

#14 4NodAu (Infrequent Poster), October 27th, 2003, 03:04 PM

Hi,
By the way ... MAYBE why you copped them back was that everyone's email server mail boxes were chockers like ours at telstra bigpond.com.au here in Aussie we were 101% FULL UP AND OVERFLOWING. WE WERE ADVISED BY EMAIL THAT THE BIGPOND SERVER WOULD REJECT ANY FURTHER EMAILS TO OUR ADDIE AND TO CLEAN OUT OUR EMAIL BOX.

BLOODY NETSCAPE GOES IN EVERY 10 MINUTES AND GETS OUR EMAILS !!

IT WAS JUST EMAIL KAYOS !!


regards
4NodAu.

#15 martindijk (Frequent Poster), October 29th, 2003, 12:17 PM

@Pieter, maybe you can find something, thanks in advance.

cheers,
Martin

#16 Pieter_Arntz (Spyware Veteran), October 29th, 2003, 02:03 PM

Hi Martin,

Perfectly normal log for a Compaq ProLiant server.

Regards,

Pieter

#17 martindijk (Frequent Poster), October 30th, 2003, 07:56 AM

Hi Pieter,

Thanks for letting me know, I appreciate it.

cheers,
Martin