Email server hacked??

Hi all,

Didn't know what hit me yesterday, as always i checked my email on my Win2000 server and i received 2100 mails back from the Postmaster.

All adresses were send to different names but always a "hotmail" domain.

Now it seems a korean guy is using my mailserver to propagate spam and everytime i check my mail i get hundreds of returned mail from the postmaster and our own internal mail can not be received anymore as a result of all those "hotmail" returned messages.

For now i have reconfigured the email server, but i haven't got a clue what is generating all this mail

Could this be the affect of a browser hack or something like that.

Please help me out here guys, any suggestion is welcome.

Thanks in advance,

cheers,
Martin

 

Hi Martin,

Have you checked your list of processes for anything suspicious?
I have seen reports of trojan-like programs turning computers into spam relayers.

Regards,

Pieter

 

Hi Pieter,

Done that and at first glance it seems to be oké.

Is it worth running Hijack This on the server and have it checked out on this forum

rgds,
Martin

 

Hi Martin,

I'd be happy to have a look if I can find something.

Regards,

Pieter

 

Maybe it was only wrong configured smtp server (open relay)...

Check http://www.ordb.org/

 

Hi DiGi,

Can you please tell me what that means to me : an open relay, and how this can solve my earlier mentioned problems??

cheers,
Martin

 

If your mailserver is a open relay, it means anyone can send email from your smtp server.

Spammers love that of course.

Normally, you would have restrictions on who can use your smtp server, either by limiting by ip , or by allowing mail after a pop authication etc

 

Another possibility (depending on the type of messages you are getting), some did a joe job on you.

IE someone spoofed your email addie by changing the
"Reply To" address .

You can't do much in this case.

 

Thanks all for your replies,

Is there an easy way of closing this open relay??

cheers,
Martin

 

?? It depends on what mail server you are running. No offence but if you don't know what an open relay is , you really shouldnt be running a mail server.

Lots of security issues....

 

Iam running a Cobalt Cube 3, and as for the open relay aspect, it is just the english terms that confuses me, that's all.

cheers,
Martin

 

Sorry. never heard of it. Try checking your documentation. Also are you certain yours is an open relay?

 

Hi,
VIEW: Thank U Nod32 Staff x 2 4NodAu ( Posted Tuesday 28th October 2003 Australian Time )

************

VIEW : http://www.sacm.co.za/Feature.asp?NewsID=6828&Cont=News

THIS NASTY CAME BY WAY OF AN OFFICIAL LOOKIN' MICROSOFT EMAIL PATCH FOR IE V'S 4.01 - 6.xx and win 95 - win xp.

MAYBE these ISP'S have got umpteen WORMS - TROJANS - VIRUSES imbedded and nasty TERRISTO'S are REMOTELY CONTROLLING THE SERVERS AND / OR DUMPING AND email ADDIES to these

BULK SENDERS OF EMAIL UNSOLICITED AND OR SPAMMMERS !!!

USE ADAWARE AND ALWAYS QUARANTIENE EVERYTHING CHECK IT IS ALWAYS ON. HURISTIC AND DEEP SCAN ON.

CHOOSE TO LEAVE ON SERVER AND MOVE TO TRASH ON EXIT SOUNDS A GOOD IDEA.

PERHAPS THE HACKERS HAVE THE ISP SERVERS SETUP TO KEEP PILES OF EMAILS THAT SHOULD HAVE BEEN DELETED ... THEN DUMP THEM ON US.


********************************

WE RECEIVED 20 + OF EXACTLY THE SAME BLOODY EMAIL FROM EXACTLY THE SAME SOURCE.

********************************

regards
4NodAu

 

Hi,
By the way ... MAYBE why you copped them back was that everyone's email server mail boxes were chockers like ours at telstra bigpond.com.au here in Aussie we were 101% FULL UP AND OVERFLOWING. WE WERE ADVISED BY EMAIL THAT THE BIGPOND SERVER WOULD REJECT ANY FURTHER EMAILS TO OUR ADDIE AND TO CLEAN OUT OR EMAIL BOX.

BLOODY NETSCAPE GOES IN EVER 10 MINUTES AND GETS OUR EMAILS !!

IT WAS JUST EMAIL KAYOS !!


regards
4NodAu.

 

@Pieter, maybe you can find something, thanks in advance.

cheers,
Martin

 

Hi Martin,

Perfectly normal log for a Compaq ProLiant server.

Regards,

Pieter

 

Hi Pieter,

Thanks for letting me know, i appreciate it.

cheers,
Martin