IIS and SMTP - Help, I've been hijacked! :-(


Bill Seymour

2004-09-22, 9:27 pm

I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
got it set up with about ten or twenty user accounts in three different
domains. Authentication is done with the encrypted password file method.
The SMTP server is configured to allow relay for authenticated users only.
I installed a server level virus package this weekend and noticed today that
the system was pulled to its knees by something (quad Xeon P3s with a bit
more than a gig of ram). On checking, I find that there are something like
26,000 messages queued up for transmit and my System logfile is full. I'm
thinking the bogged down portion of my problem is just the virus scanner
doing its job of checking all these messages for viruses. The fact that
there are so many messages to check, however, is a different problem.
Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
importantly, how to fix it? For now, I've just disconnected the router, but
that makes it a little tough for legitimate users to do their thing...
(When I just shut the SMTP and POP3 services down, I was still seeing way
too many incoming message requests on my sniffer.)

Bill


Ken Schaefer

2004-09-22, 9:27 pm

a) Allowing authenticated users to relay means that someone can attempt to
guess a password - are you sure all your users have "good" passwords?

b) Are you sure the spam is 3rd party spam (ie it's not spam addressed to
one of your users - I would doubt that if it was 28,000 messages...)

c) What do you mean "hijacked"? Do you mean that someone compromised your
server and changed the settings to allow 3rd party relay?

d) In IIS Manager, right-click on "default SMTP virtual server". On the
"Access" tab click the "Relay" button. What do you have listed in the
"computer" section? And is the radio button set to "Only the list below" or
"All except the list below"?

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server.
> I've got it set up with about ten or twenty user accounts in three
> different domains. Authentication is done with the encrypted password
> file method. The SMTP server is configured to allow relay for
> authenticated users only. I installed a server level virus package this
> weekend and noticed today that the system was pulled to its knees by
> something (quad Xeon P3s with a bit more than a gig of ram). On checking,
> I find that there are something like 26,000 messages queued up for
> transmit and my System logfile is full. I'm thinking the bogged down
> portion of my problem is just the virus scanner doing its job of checking
> all these messages for viruses. The fact that there are so many messages
> to check, however, is a different problem. Anyone have ideas on how I was
> hijacked to relay all this SPAM? And, more importantly, how to fix it?
> For now, I've just disconnected the router, but that makes it a little
> tough for legitimate users to do their thing... (When I just shut the SMTP
> and POP3 services down, I was still seeing way too many incoming message
> requests on my sniffer.)
>
> Bill
>



Peter Karsai

2004-09-22, 9:27 pm

Hello Bill,

Make sure that you do not have the Guest account enabled (see
www.vamsoft.com/orf/authattack.asp).

Peter

"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
> got it set up with about ten or twenty user accounts in three different
> domains. Authentication is done with the encrypted password file method.
> The SMTP server is configured to allow relay for authenticated users only.
> I installed a server level virus package this weekend and noticed today that
> the system was pulled to its knees by something (quad Xeon P3s with a bit
> more than a gig of ram). On checking, I find that there are something like
> 26,000 messages queued up for transmit and my System logfile is full. I'm
> thinking the bogged down portion of my problem is just the virus scanner
> doing its job of checking all these messages for viruses. The fact that
> there are so many messages to check, however, is a different problem.
> Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
> importantly, how to fix it? For now, I've just disconnected the router, but
> that makes it a little tough for legitimate users to do their thing...
> (When I just shut the SMTP and POP3 services down, I was still seeing way
> too many incoming message requests on my sniffer.)
>
> Bill



Bill Seymour

2004-09-22, 9:27 pm

Thanks for the response Ken.

a) All the users have reasonably good passwords, i.e., ones that won't be
found with a simple dictionary lookup scheme. I don't know that all users
are using unique passwords on my system though, and it'd be feasible for
someone to have been careless with their password elsewhere.

b) It's all (or at least the messages I went through) 3rd party SPAM. Sent
from some server in Korea, routed to email users who read one of the Asian
languages (I can't read it, and don't easily recognize the difference between
Chinese, Korean or Japanese text).

c) I don't know if someone has compromised my server, or if I missed a step
when setting it up originally... I'd guess the second choice is more
likely. :-(

d) Nothing is listed in the computer section. Radio button is set to 'All
except the list below'. 'Allow all computers which successfully
authenticate to relay' box is checked.

Here's an example header (filename is NTFS_ffdb994a01c49d4b0000942b.EML
(7.20 KB).msg.msg):
From: <aalou@°í°´´Ô>
To: <aalou@weppy.com>
Subject: aalou °í°´´Ô...Á¦24ȸ ±Ý»êÀλïÃàÁ¦±â³ä ¼³¹® À̺¥Æ®~~@
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary=
"----=_NextPart_000_00F6_CA6F584E.59CA2DE7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: bbbb@65.183.221.249
Message-ID: <SERVERNEVJpjc0D543T0000238a@server>
X-OriginalArrivalTime: 18 Sep 2004 06:52:01.0421 (UTC)
FILETIME=[FFE03BD0:01C49D4B]
Date: 17 Sep 2004 23:52:01 -0700

Is there a way I can check to see how the message got through to my system? I'm
assuming it was authenticated, and therefore there should be some way to
tell me which user's info was used...

Best regards,
Bill Seymour

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:%2389QiIrnEHA.324@TK2MSFTNGP11.phx.gbl...
> a) Allowing authenticated users to relay means that someone can attempt to
> guess a password - are you sure all your users have "good" passwords?
>
> b) Are you sure the spam is 3rd party spam (ie it's not spam addressed to
> one of your users - I would doubt that if it was 28,000 messages...)
>
> c) What do you mean "hijacked"? Do you mean that someone compromised your
> server and changed the settings to allow 3rd party relay?
>
> d) In IIS Manager, right-click on "default SMTP virtual server". On the
> "Access" tab click the "Relay" button. What do you have listed in the
> "computer" section? And is the radio button set to "Only the list below"
> or "All except the list below"?
>
> Cheers
> Ken
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
>
>



Bill Seymour

2004-09-22, 9:27 pm

Hi Peter, there is a Guest account (as expected) and it is disabled (also as
expected). Should I delete it entirely, or is having the guest account
disabled not enough by itself?

Bill

"Peter Karsai" <peter.karsai@enternet.hu> wrote in message
news:eMTpVm0nEHA.1160@tk2msftngp13.phx.gbl...
> Hello Bill,
>
> Make sure that you do not have the Guest account enabled (see
> www.vamsoft.com/orf/authattack.asp).
>
> Peter
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...



m.marien

2004-09-22, 9:27 pm


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OGQEVI1nEHA.2684@TK2MSFTNGP11.phx.gbl...
> Thanks for the response Ken.
>
> a) All the users have reasonably good passwords, i.e., ones that won't be
> found with a simple dictionary lookup scheme. I don't know that all users
> are using unique passwords on my system though, and it'd be feasible for
> someone to have been careless with their password elsewhere.
>
> b) It's all (or at least the messages I went through) 3rd party SPAM.
> Sent from some server in Korea, routed to email users who read one of the
> Asian languages (I can't read it, and don't easily recognize the difference
> between Chinese, Korean or Japanese text).
>
> c) I don't know if someone has compromised my server, or if I missed a
> step when setting it up originally... I'd guess the second choice is more
> likely. :-(
>
> d) Nothing is listed in the computer section. Radio button is set to
> 'All except the list below'. 'Allow all computers which successfully
> authenticate to relay' box is checked.
>


That lets everybody relay. It doesn't matter if they authenticate or not. I
think you want to change this to:

Only the list below

This will stop all relaying. The exception then is if they can authenticate,
then they can relay. You might also want to make sure the Anonymous access
is unchecked.

[snip the rest]


Bill Seymour

2004-09-22, 9:27 pm

OK, I changed that checkbox and I don't seem to be getting new messages into
the queue, but then they might have been coming in bursts, so I won't know
for sure for a day or so. The problem is that now the legitimate users also
can't send or receive email. Perhaps the authentication process is set
wrong...

Bill

"m.marien" <mm AT RiverCityCanada DOT com> wrote in message
news:10kuuomacsc9l44@corp.supernews.com...
>
> That lets everybody relay. It doesn't matter if they authenticate or not.
> I think you want to change this to:
>
> Only the list below
>
> This will stop all relaying. The exception then is if they can
> authenticate, then they can relay. You might also want to make sure the
> Anonymous access is unchecked.



Ken Schaefer

2004-09-22, 9:27 pm

The guest account should be disabled, and in any case it's not the source of
your spam.

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:u590T21nEHA.1712@tk2msftngp13.phx.gbl...
> Hi Peter, there is a Guest account (as expected) and it is disabled (also
> as expected). Should I delete it entirely, or is having the guest account
> disabled not enough by itself?
>
> Bill
>
> "Peter Karsai" <peter.karsai@enternet.hu> wrote in message
> news:eMTpVm0nEHA.1160@tk2msftngp13.phx.gbl...
>
>



Ken Schaefer

2004-09-22, 9:27 pm


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OGQEVI1nEHA.2684@TK2MSFTNGP11.phx.gbl...

> d) Nothing is listed in the computer section. Radio button is set to
> 'All except the list below'. 'Allow all computers which successfully
> authenticate to relay' box is checked.


This is the reason you are getting the spam. You are allowing anyone to
relay through your server.

Change the checkbox to "only the list below". Add any trusted IP addresses
(eg IP subnets on your internal LAN)

Cheers
Ken
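To make the dialog semantics Ken describes concrete, here is a small model of the relay-restriction decision, written as an added example for this thread; it is not Microsoft's code, and the LAN subnet 192.168.1.0/24 and the client addresses are constructed. It puts Bill's setting ("All except the list below" with nothing listed) beside the corrected one, and also shows why, once the radio button is on "Only the list below", a roaming user who has not authenticated to the SMTP service is refused relay.

```python
"""Model of the IIS 6 SMTP virtual server "Relay Restrictions" dialog as
described in this thread.  Added example, not Microsoft code: it reproduces
the decision logic of the two radio buttons, the computer list and the
"allow all computers which successfully authenticate" checkbox so the
misconfiguration and its fix can be compared side by side."""
import ipaddress
from dataclasses import dataclass, field

ONLY_LIST = "Only the list below"
ALL_EXCEPT_LIST = "All except the list below"


@dataclass
class RelayPolicy:
    mode: str                                      # one of the two radio buttons
    computers: list = field(default_factory=list)  # IPs / subnets in the list
    allow_authenticated: bool = False              # the checkbox under the list

    def _listed(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(c, strict=False) for c in self.computers)

    def may_relay(self, client_ip: str, authenticated: bool) -> bool:
        """Would the server accept RCPT TO for a non-local domain from this client?"""
        if authenticated and self.allow_authenticated:
            return True                 # the checkbox applies regardless of the list
        listed = self._listed(client_ip)
        if self.mode == ONLY_LIST:
            return listed               # default deny: the list is an allow-list
        return not listed               # default allow: the list is a block-list


# Bill's configuration from the thread: "All except the list below", nothing
# listed, checkbox ticked.  An empty block-list means *every* client may relay.
BILLS_CONFIG = RelayPolicy(ALL_EXCEPT_LIST, [], allow_authenticated=True)

# The fix from Ken and m.marien: "Only the list below", a trusted LAN subnet
# (constructed value), and authenticated clients may still relay.
FIXED_CONFIG = RelayPolicy(ONLY_LIST, ["192.168.1.0/24"], allow_authenticated=True)


def compare(policies, cases):
    """Return {(policy name, client ip, authenticated): decision} for every combination."""
    return {(name, ip, auth): p.may_relay(ip, auth)
            for name, p in policies.items() for ip, auth in cases}


if __name__ == "__main__":
    cases = [("203.0.113.9", False),   # unknown internet host, no AUTH (the spammer)
             ("203.0.113.9", True),    # roaming user who authenticated to SMTP
             ("192.168.1.20", False)]  # LAN workstation, no AUTH
    results = compare({"bill": BILLS_CONFIG, "fixed": FIXED_CONFIG}, cases)
    for (name, ip, auth), ok in results.items():
        print(f"{name:5} {ip:14} auth={auth!s:5} relay={'ALLOWED' if ok else 'denied'}")
```

The first case is the whole problem in one line: under Bill's configuration an arbitrary internet host relays without ever authenticating, under the fixed one it is denied. The second case is the roaming user, who relays only if the mail client actually authenticates to SMTP (not just to POP3), which is why legitimate users stopped being able to send once the radio button was changed.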


Ken Schaefer

2004-09-22, 9:27 pm

Hi,

a) Reading the documentation is a good start. It covers a lot of
information, and gives you a good background on what you need to do (eg what
clients you can use) for authentication purposes

b) Are your users on an internal trusted LAN? or are they roaming out on the
internet? If they are on the trusted LAN, add your LAN's IP
addresses/subnets to the "only the list below" in the dialogue. If they are
roaming out on the internet you will need to:
- select an authentication mechanism. IIS supports Basic and Integrated
Windows Authentication (this is actually NTLM v2 authentication)
- ensure that the users have a compatible email client. Only Microsoft
email clients (eg Outlook Express and Outlook), and maybe a handful of 3rd
party clients support NTLM v2 authentication. The rest only support Basic.
If you are using Basic auth, then the user's username/password is passed in
clear-text across the internet *unless* you enable TLS (Transport Layer
Security). TLS is basically the same as SSL (that websites use), and
encrypts the traffic between the server and client. If you already have a
certificate for your website, then you can reuse that for your SMTP server
(if the DNS names are the same).

c) <shameless plug> There's a whole chapter on securing MS SMTP server and
MS POP3 server in the IIS6 security book that I co-wrote:
http://www.amazon.com/exec/obidos/A...dopenstati0f-20 If you
want to get up-to-speed on IIS6 security quickly, then this might be a
worthwhile investment</shameless plug>

Cheers
Ken

"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:u3XJRa3nEHA.1712@tk2msftngp13.phx.gbl...
> OK, I changed that checkbox and I don't seem to be getting new messages
> into the queue, but then they might have been coming in bursts, so I won't
> know for sure for a day or so. The problem is that now the legitimate
> users also can't send or receive email. Perhaps the authentication
> process is set wrong...
>
> Bill
>
> "m.marien" <mm AT RiverCityCanada DOT com> wrote in message
> news:10kuuomacsc9l44@corp.supernews.com...
>
>



Bill Seymour

2004-09-22, 9:27 pm

Thanks again Ken.

a) I've been working my way through the documentation for a long time now,
but I'm sorry to say that I'm still too much in the dark. :-(

b) The users are all out there on the internet. I'm not able to use IP
addresses, since most have dynamic addresses, and they often connect through
different computers (i.e., from work and from home). I'm set up for encrypted
password file authentication, since I understand that using Windows
authentication requires that I set up a Windows account for each user, rather
than just an account for the POP3/SMTP server. I haven't enabled TLS, I'd
like to get things at least working again before I complicate things. Right
now, no one is able to authenticate, so no one can send or receive email...
Does the encrypted password file stuff work?

C) Thanks, I placed an order. It's liable to be a week or so before it
arrives though...

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:eQasbN4nEHA.2340@TK2MSFTNGP11.phx.gbl...
> Hi,
>
> a) Reading the documentation is a good start. It covers a lot of
> information, and gives you a good background on what you need to do (eg
> what clients you can use) for authentication purposes
>
> b) Are your users on an internal trusted LAN? or are they roaming out on
> the internet? If they are on the trusted LAN, add your LAN's IP
> addresses/subnets to the "only the list below" in the dialogue. If they
> are roaming out on the internet you will need to:
> - select an authentication mechanism. IIS supports Basic and Integrated
> Windows Authentication (this is actually NTLM v2 authentication)
> - ensure that the users have a compatible email client. Only Microsoft
> email clients (eg Outlook Express and Outlook), and maybe a handful of 3rd
> party clients support NTLM v2 authentication. The rest only support Basic.
> If you are using Basic auth, then the user's username/password is passed
> in clear-text across the internet *unless* you enable TLS (Transport Layer
> Security). TLS is basically the same as SSL (that websites use), and
> encrypts the traffic between the server and client. If you already have a
> certificate for your website, then you can reuse that for your SMTP server
> (if the DNS names are the same).
>
> c) <shameless plug> There's a whole chapter on securing MS SMTP server and
> MS POP3 server in the IIS6 security book that I co-wrote:
> http://www.amazon.com/exec/obidos/A...dopenstati0f-20 If you
> want to get up-to-speed on IIS6 security quickly, then this might be a
> worthwhile investment</shameless plug>
>
> Cheers
> Ken



Ken Schaefer

2004-09-22, 9:27 pm


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:u3aR$m4nEHA.4032@TK2MSFTNGP15.phx.gbl...
> Thanks again Ken.
>
> a) I've been working my way through the documentation for a long time now,
> but I'm sorry to say that I'm still too much in the dark. :-(


That's OK - it'll start to make sense over time as you actually play with
stuff. Too many people don't even have an idea of what they're doing at all
because they don't read the instructions

> b) I'm set up for encrypted password file authentication, since I
> understand that using Windows authentication requires that I set up a
> Windows account for each user, rather than just an account for the
> POP3/SMTP server. I haven't enabled TLS, I'd like to get things at least
> working again before I complicate things. Right now, no one is able to
> authenticate, so no one can send or receive email... Does the encrypted
> password file stuff work?


OK, the "encrypted file" thing - that's for the POP3 server *only* (as far
as I remember - I'll look into this for you). It's not something that users
can use to authenticate to the SMTP service to relay mail. To use the "allow
computers who authenticate to relay" option (again, as far as I can
remember - I could be wrong here), the user will need a Windows account, and
use that username/password to authenticate to the SMTP server. If you enable
Basic Auth here, then you should consider using TLS to ensure that the
credentials are encrypted between user and server.

Cheers
Ken



> C) Thanks, I placed an order. It's liable to be a week or so before it
> arrives though...
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:eQasbN4nEHA.2340@TK2MSFTNGP11.phx.gbl...
>
>



Peter Karsai

2004-09-22, 9:27 pm

Hi Bill,

It is enough to disable the Guest account, but you should also check other
accounts with common names. In one particular case the hijacked user name
was "test" (no password configured), it took maybe 15 minutes for the
spammers to discover the account and start relaying spam via the server.

If you suspect that there is authenticated relaying, you may want to monitor
the authenticated session usage. You can do that easily with ORF
(http://www.vamsoft.com/orf -- yes, it's a shameless self-plug), because
it logs the authenticated user by default (the 30-day trial will also log
that, no need to buy if you don't want).

Peter

"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:u590T21nEHA.1712@tk2msftngp13.phx.gbl...
> Hi Peter, there is a Guest account (as expected) and it is disabled (also as
> expected). Should I delete it entirely, or is having the guest account
> disabled not enough by itself?
>
> Bill
>
> "Peter Karsai" <peter.karsai@enternet.hu> wrote in message
> news:eMTpVm0nEHA.1160@tk2msftngp13.phx.gbl...
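Bill asked earlier how to tell which user's credentials were used, and Peter suggests watching authenticated session usage. The script below is an added example (not from the thread, and not part of IIS or ORF) that answers both from the SMTP virtual server's own W3C extended log, without extra software: it takes the column names from the log's `#Fields:` line, so it follows whatever columns are enabled on the real server. The sample log lines, the reduced field set, the "+"-prefixed command arguments, and the list of locally hosted domains are all constructed for the example.

```python
"""Who relayed through the SMTP virtual server, and were they authenticated?
Added example, not part of the thread or of IIS.  The log text below is
constructed; the parser reads the #Fields: header so the column order of a
real W3C extended log is honoured."""
from collections import defaultdict

LOCAL_DOMAINS = {"domain1.com", "domain2.com"}   # Bill's hosted domains (constructed)

# Constructed sample: one unauthenticated relay session (the spammer), the
# account "alice" used from two different addresses, and a local delivery.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-09-18 06:51:02 203.0.113.9 - EHLO +spamhost.example 250
2004-09-18 06:51:02 203.0.113.9 - MAIL +FROM:<bbbb@203.0.113.9> 250
2004-09-18 06:51:02 203.0.113.9 - RCPT +TO:<aalou@weppy.com> 250
2004-09-18 06:51:03 203.0.113.9 - RCPT +TO:<someone@example.org> 250
2004-09-18 06:51:03 203.0.113.9 - QUIT - 240
2004-09-18 07:10:11 198.51.100.7 - EHLO +home-pc.example 250
2004-09-18 07:10:12 198.51.100.7 alice AUTH +alice 235
2004-09-18 07:10:12 198.51.100.7 alice MAIL +FROM:<alice@domain1.com> 250
2004-09-18 07:10:12 198.51.100.7 alice RCPT +TO:<friend@example.org> 250
2004-09-18 07:10:13 198.51.100.7 alice QUIT - 240
2004-09-18 07:30:00 192.0.2.44 - EHLO +other-pc.example 250
2004-09-18 07:30:01 192.0.2.44 alice AUTH +alice 235
2004-09-18 07:30:01 192.0.2.44 alice RCPT +TO:<x@example.org> 250
2004-09-18 07:30:01 192.0.2.44 alice RCPT +TO:<y@example.org> 250
2004-09-18 07:45:09 198.51.100.7 - EHLO +home-pc.example 250
2004-09-18 07:45:09 198.51.100.7 - RCPT +TO:<bob@domain2.com> 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def sessions(records):
    """Group records into SMTP sessions: a new EHLO/HELO from an IP starts one."""
    current = {}
    for r in records:
        ip = r["c-ip"]
        if r["cs-method"] in ("EHLO", "HELO") or ip not in current:
            if ip in current:
                yield current.pop(ip)
            current[ip] = {"ip": ip, "user": None, "rcpt": 0, "relayed": 0}
        s = current[ip]
        if r["cs-username"] != "-":          # IIS fills this in once AUTH succeeds
            s["user"] = r["cs-username"]
        if r["cs-method"] == "RCPT" and r["sc-status"] == "250":   # accepted only
            s["rcpt"] += 1
            domain = r["cs-uri-query"].rsplit("@", 1)[-1].rstrip(">").lower()
            if domain not in LOCAL_DOMAINS:  # not ours, so this is a relay
                s["relayed"] += 1
    yield from current.values()


def audit(text, max_ips_per_user=2):
    """Summarise relaying: unauthenticated relay sessions (open-relay evidence)
    and accounts seen from more than max_ips_per_user source addresses."""
    user_ips = defaultdict(set)
    open_relay = []
    for s in sessions(parse_w3c(text)):
        if s["user"]:
            user_ips[s["user"]].add(s["ip"])
        elif s["relayed"]:
            open_relay.append((s["ip"], s["relayed"]))
    shared = {u: sorted(ips) for u, ips in user_ips.items() if len(ips) > max_ips_per_user}
    return {"unauthenticated_relays": open_relay,
            "users_from_many_ips": shared,
            "authenticated_users": {u: sorted(ips) for u, ips in user_ips.items()}}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG, max_ips_per_user=1).items():
        print(f"{key}: {value}")
```

Two readings matter here. A non-empty `unauthenticated_relays` list is the open-relay symptom from the thread: once the relay restriction is corrected, an outside client's RCPT to a foreign domain gets a 5xx status instead of 250 and no longer counts, so this list going empty confirms the change took effect. An account in `users_from_many_ips` is the signal for Ken's point (a), a guessed or leaked password: one mailbox name relaying from an unexpected number of addresses.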



Bill Seymour

2004-09-22, 9:27 pm

But if I have two users ('user@domain1.com' & 'user@domain2.com') who have
the same username, how can I set up Windows accounts for them? I'm running
three different domains right now, and anticipate wanting to support email
for more in the future. I've never tried to create a Windows account for a
fully qualified name, I just assumed that wasn't possible...

Bill

"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:e46EVk6nEHA.3460@tk2msftngp13.phx.gbl...
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:u3aR$m4nEHA.4032@TK2MSFTNGP15.phx.gbl...
>
> OK, the "encrypted file" thing - that's for the POP3 server *only* (as far
> as I remember - I'll look into this for you). It's not something that
> users can use to authenticate to the SMTP service to relay mail. To use
> the "allow computers who authenticate to relay" option (again, as far as I
> can remember - I could be wrong here), the user will need a Windows
> account, and use that username/password to authenticate to the SMTP
> server. If you enable Basic Auth here, then you should consider using TLS
> to ensure that the credentials are encrypted between user and server.
>
> Cheers
> Ken



Ken Schaefer

2004-09-22, 9:27 pm

Hi,

Personally I would recommend using a 3rd party mail server :-)
www.mailenable.com is pretty well featured (even the free version), and I've
found it rock solid.

However, if you want to continue using the Windows 2003 SMTP/POP3 server
then:

a) you can (usually) create any arbitrary Windows account you want. However,
as you point out, you can't create them both as "user".

b) In the user's email client there are usually places to enter both a
username/password to collect mail (POP3) -and- a separate place to specify
user account settings to authenticate to send mail (SMTP).

My ISP has a single username/password that all users use to send mail, but
we each have a separate username/password to collect our individual mail (I
don't know if that's the most secure way to set things up though!). So,
usernames to send mail are not tied to the user's mailbox name per se.

To see this, have a look in Outlook Express. Go to the properties of your
mail account. On the "servers" tab, there is an option to enter your mailbox
name + password. There is also a checkbox for "my outgoing mailserver
requires authentication". You can select that, and enter alternate
credentials to be used for sending mail.

Cheers
Ken


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:%235eM0v$nEHA.324@TK2MSFTNGP11.phx.gbl...
> But if I have two users ('user@domain1.com' & 'user@domain2.com') who have
> the same username, how can I set up Windows accounts for them? I'm running
> three different domains right now, and anticipate wanting to support email
> for more in the future. I've never tried to create a Windows account for
> a fully qualified name, I just assumed that wasn't possible...
>
> Bill
>
> "Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
> news:e46EVk6nEHA.3460@tk2msftngp13.phx.gbl...
>
>



Frank Hellmann

2004-09-23, 5:54 pm

You need a decent AntiSPAM Solution which is able

- to reject SPAM
- to reject everything with non existing recipients
- check SPF
- reject NDR's (not RFC compliant - but helps a lot)

You could check www.aloaha.com or www.vamsoft.org

FH


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...
> I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
> got it set up with about ten or twenty user accounts in three different
> domains. Authentication is done with the encrypted password file method.
> The SMTP server is configured to allow relay for authenticated users only.
> I installed a server level virus package this weekend and noticed today that
> the system was pulled to its knees by something (quad Xeon P3s with a bit
> more than a gig of ram). On checking, I find that there are something like
> 26,000 messages queued up for transmit and my System logfile is full. I'm
> thinking the bogged down portion of my problem is just the virus scanner
> doing its job of checking all these messages for viruses. The fact that
> there are so many messages to check, however, is a different problem.
> Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
> importantly, how to fix it? For now, I've just disconnected the router, but
> that makes it a little tough for legitimate users to do their thing...
> (When I just shut the SMTP and POP3 services down, I was still seeing way
> too many incoming message requests on my sniffer.)
>
> Bill
>
>



Ken Schaefer

2004-09-23, 5:54 pm

Uh, do you even read the thread? He's being used as a 3rd party relay (ie an
open relay)...

Cheers
Ken


"Frank Hellmann" <frank.hellmann@aloaha.com> wrote in message
news:OhvkDyboEHA.648@tk2msftngp13.phx.gbl...
> You need a decent AntiSPAM Solution which is able
>
> - to reject SPAM
> - to reject everything with non existing recipients
> - check SPF
> - reject NDR's (not RFC compliant - but helps a lot)
>
> You could check www.aloaha.com or www.vamsoft.org
>
> FH
>
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...



Peter Karsai

2004-09-24, 2:50 am

Hi Frank,

Just a little fix, our site URL is http://www.vamsoft.com/orf. BTW, I agree
with Ken, the relaying issue should be fixed in the server/domain
configuration.

Peter

"Frank Hellmann" <frank.hellmann@aloaha.com> wrote in message
news:OhvkDyboEHA.648@tk2msftngp13.phx.gbl...
> You need a decent AntiSPAM Solution which is able
>
> - to reject SPAM
> - to reject everything with non existing recipients
> - check SPF
> - reject NDR's (not RFC compliant - but helps a lot)
>
> You could check www.aloaha.com or www.vamsoft.org
>
> FH
>
>
> "Bill Seymour" <billsey@dsl-only.net> wrote in message
> news:OQxoX9qnEHA.3564@tk2msftngp13.phx.gbl...



Travis Lingenfelder

2004-10-02, 9:07 pm

I found a similar problem, not quite 26,000 messages though. I found a very
good solution. Instead of my server checking every message for viruses and
spam (yes, I still have an anti-virus solution running on my server), I
outsourced it to emailsifter (www.emailsifter.com) a service of ipop.com.
You route all of your mail through emailsifter's servers so that they do all of
the virus checking and spam filtering before a message ever hits your
network. After checking the messages, clean mail is then routed to your
in-house mail server and distributed to the appropriate mailboxes.

What I found was that a lot of spammers were not using the DNS MX records
to send mail to my users. They were sending mail directly to my users through
my mail server, no matter what the MX records were. If the user did not
exist, it was just filling up the badmail queue and the drop queue to send a
bounce message back to the non-existent spammer.

I then set up an IPsec policy that only allowed incoming mail connections
from the subnets of the 3 emailsifter data centers. This guarantees that all
incoming email is filtered using the emailsifter servers (which all genuine
mail should be coming through) since my MX records point to emailsifter's
data centers and not my in-house server.

Travis Lingenfelder

"Bill Seymour" wrote:

> I'm running the POP3/SMTP package that comes with Windows 2003 Server. I've
> got it set up with about ten or twenty user accounts in three different
> domains. Authentication is done with the encrypted password file method.
> The SMTP server is configured to allow relay for authenticated users only.
> I installed a server level virus package this weekend and noticed today that
> the system was pulled to its knees by something (quad Xeon P3s with a bit
> more than a gig of ram). On checking, I find that there are something like
> 26,000 messages queued up for transmit and my System logfile is full. I'm
> thinking the bogged down portion of my problem is just the virus scanner
> doing its job of checking all these messages for viruses. The fact that
> there are so many messages to check, however, is a different problem.
> Anyone have ideas on how I was hijacked to relay all this SPAM? And, more
> importantly, how to fix it? For now, I've just disconnected the router, but
> that makes it a little tough for legitimate users to do their thing...
> (When I just shut the SMTP and POP3 services down, I was still seeing way
> too many incoming message requests on my sniffer.)
>
> Bill
>
>
>

zevia

2004-10-04, 6:01 pm

Hello, I've been following this thread since the beginning, I found it very
helpful, thanks everyone.

I found a very interesting post from Ken (9/22/04):
"Personally I would recommend using a 3rd party mail server :-)
www.mailenable.com is pretty well featured (even the free version), and I've
found it rock solid."

I have a computer running three different servers: web (Fastream NFServer),
mail (MDaemon), and FTP (Serv-U). They all run without any problem. A few days
ago I installed Win2k3 enterprise edition (trial) because the current webserver
from Fastream does not support .asp. I wanted to use .asp ONLY for a simple
"mail form", nothing fancy. In the first few hours of playing around, I managed to
run the IIS web server without any problem. The POP3/SMTP server is
different. I decided to keep my current mailserver and use only the IIS
webserver.

After playing around a little, I still could not send the mail form, perhaps I
need to tweak the .asp file or something. I did disable my current mailserver
and enable IIS SMTP virtual server.

Anyway, now the question: Is it possible to run both IIS webserver and 3rd
party mail server together, and still use the .asp for sending "mail form"?
How do I set them up? I understand that the SMTP virtual server is needed to
send the asp script form, so I should not disable it, right? But the problem
is, my current mailserver already occupied port 25. Will it work if I change
the SMTP virtual server to a different port, say 26? Or is there any way that
the ASP mail form can be sent through the 3rd party mail server instead of IIS?

Second question: I have a linksys router, do I need also to open port 26 in
my router setup? I wanted to minimize open ports.

Thanks in advance for any response.

Ken Schaefer

2004-10-10, 8:48 pm

Hi,

I have used IIS Webserver (and ASP) with 3rd party mailserver.

HOWEVER

You will see a lot of CDONTS code on the web. CDONTS doesn't use TCP sockets
to send mail. Instead it creates a text file and drops it into the "drop"
folder of the MS SMTP server. So, to use CDONTS code you must be running MS
SMTP server (you can run this on port 26 if you want).

Otherwise, if you use any component that does sockets based sending (eg
JMail from www.dimac.net) or CDOSYS (you should also have that on your IIS
box), then you can have the server set to "localhost" and port 25, and you
can use any 3rd party mailserver. Just make sure the relay settings are set
correctly so that localhost can relay.

Cheers
Ken

"zevia" <zevia@discussions.microsoft.com> wrote in message
news:6371F638-87FF-4626-B089-F39CC2C1821C@microsoft.com...
> Hello, I've been following this thread since the beginning, I found it
> very
> helpful, thanks everyone.
>
> I found a very interesting post from Ken (9/22/04):
> "Personally I would recommend using a 3rd party mail server :-)
> www.mailenable.com is pretty well featured (even the free version), and
> I've
> found it rock solid."
>
> I have a computer running three different servers: web (Fastream
> NFServer),
> mail (MDaemon), and FTP (Serv-U). They all run without any problem. A few
> days ago I installed Win2k3 enterprise edition (trial) because the current
> webserver from Fastream does not support .asp. I wanted to use .asp ONLY for
> a simple "mail form", nothing fancy. In the first few hours of playing
> around, I managed to run the IIS web server without any problem. The
> POP3/SMTP server is different. I decided to keep my current mailserver and
> use only the IIS
> webserver.
>
> After playing around a little, I still could not send the mail form, perhaps
> I
> need to tweak the .asp file or something. I did disable my current
> mailserver
> and enable IIS SMTP virtual server.
>
> Anyway, now the question: Is it possible to run both IIS webserver and 3rd
> party mail server together, and still use the .asp for sending "mail
> form"?
> How do I set them up? I understand that the SMTP virtual server is needed
> to
> send the asp script form, so I should not disable it, right? But the
> problem
> is, my current mailserver already occupied port 25. Will it work if I
> change
> the SMTP virtual server to a different port, say 26? Or is there any way that
> the ASP mail form can be sent through the 3rd party mail server instead of
> IIS?
>
> Second question: I have a linksys router, do I need also to open port 26
> in
> my router setup? I wanted to minimize open ports.
>
> Thanks in advance for any response.
>



danowoz

2004-11-13, 7:46 am

This thread has been a huge help to me, setting up SMTP relay. I have found
that when using "Secure Password file Integration" for POP3, the easiest way
to allow users to relay through SMTP is to set up a Windows account that is
used solely for this purpose; this seems to work fine.. but I was wondering
how the 3rd party mail server from www.mailenable.com solves the problem of
SMTP relay while using Secure Password file Authentication?

Copyright 2003 - 2008 webservertalk.com