We have a Windows 2003 Server using IIS6 for SMTP and Websites. A couple of weeks ago the server started to send out SPAM emails.

I'm trying to figure out how to identify where the SPAM is coming from and, of course, a way of stopping it, but I'm not so sure how to troubleshoot.

Any ideas will help me a lot.

Would changing SMTP ports help? I was thinking of blocking inbound SMTP so it only works locally, but of course if the problem is a website sending, that won't stop it.

Thanks.

I enabled the Firewall log and this is what I'm getting:

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.104 4970 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.54.188.126 4972 25 - - - - - - - - -
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.54.188.94 4958 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4975 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.88 77.68.46.186 25 4959 40 AR 1939623047 2961615394 0 - - - RECEIVE
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.55.37.120 4960 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.120 77.68.46.186 25 4960 40 AR 1382203938 774213447 0 - - - RECEIVE
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4977 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.88 4978 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.37.104 4982 25 - - - - - - - - -
2011-07-13 17:03:01 CLOSE TCP 77.68.46.186 65.55.92.152 4966 25 - - - - - - - - -
2011-07-13 17:03:01 DROP TCP 65.55.37.72 77.68.46.186 25 4961 40 AR 3341861931 1204012885 0 - - - RECEIVE
2011-07-13 17:03:01 DROP TCP 65.54.188.94 77.68.46.186 25 4962 40 AR 1697379010 1155997716 0 - - - RECEIVE
2011-07-13 17:03:01 CLOSE TCP 77.68.46.186 65.54.188.72 4964 25 - - - - - - - - -
2011-07-13 17:03:01 DROP TCP 65.54.188.72 77.68.46.186 25 4964 40 AR 2752442853 4065488804 0 - - - RECEIVE
2011-07-13 17:03:01 DROP TCP 65.55.37.72 77.68.46.186 25 4968 40 AR 1360755958 4219846967 0 - - - RECEIVE
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.136 4985 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.152 4986 25 - - - - - - - - -

But I can't find a way to get the PID of each of them. I added the PID column to Task Manager, but I can't find the PID in the logs.

George
  • You say you're using SMTP as Websites. Could you be more specific as to which SMTP server you're running, as that would determine how to troubleshoot it and stop it? I'm guessing it's not Exchange, or you would have mentioned that. – Nixphoe Jul 13 '11 at 13:23
  • I would also check for weak service account passwords. That'll get you in trouble every time. – Nixphoe Jul 13 '11 at 13:26
  • We use SMTP from IIS; it is not Exchange, it's the Default SMTP Virtual Server. I meant to say SMTP AND Websites, my mistake :) – George Jul 13 '11 at 13:33

2 Answers

Is the spam coming from an internal host or an external host?

Have you enabled logging on IIS for SMTP? http://support.microsoft.com/kb/303738

1) Check the log.

2) Make sure that you are not an open relay: http://support.microsoft.com/kb/324281

How were you alerted to the spam that was coming from your server?

Consider: set up Wireshark (no affiliation) on the server, watch port 25 and catch some spammers in the act!

G Koe
  • Not sure how it is being generated. I just suspect it can be some forum being hosted on there, or something like that; we have many websites online and many of them with forums like SMF. The log was enabled but I can't see much there; I just added extra fields to the log as well. I was alerted because the server company sent us an email complaining, and telling us they may even shut us down if we don't fix it. IIS logs are like: Fields: time c-ip cs-method cs-uri-stem sc-status | Data: 09:09:33 209.85.227.27 MAIL - 0 – George Jul 15 '11 at 15:58

Turn on the Windows firewall. Block outbound SMTP traffic. Check the log as described below:

http://technet.microsoft.com/en-us/library/cc736373%28WS.10%29.aspx

to tie the traffic to a PID (process identifier). Check the program running as that PID as described here:

http://www.mydigitallife.info/how-to-get-and-view-process-identifier-process-id-or-pid-on-windows/

Find that program and kill it.

Dave P
  • OK, just did that – George Jul 13 '11 at 16:14
  • #Version: 1.5 #Software: Microsoft Windows Firewall #Time Format: Local #Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path 2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.104 4970 25 - - - - - - - - - 2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.54.188.126 4972 25 - - - - - - - - - 2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.54.188.94 4958 25 - - - - - - - - - 2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4975 25 - - - - - - - - - – George Jul 13 '11 at 16:15
  • Hmmm, it doesn't look good as a comment; I will add it to the main text, please check there... – George Jul 13 '11 at 16:15
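Added example, not part of the thread: the Windows Firewall log George posted has no PID column, which is what the second answer's approach needs. On Windows 2003 the usual bridge is a `netstat -ano` snapshot taken while the connections are live, joined on local IP and local port. The script below parses the W3C firewall log format shown in the question, keeps outbound OPEN events to TCP/25 and joins them with a netstat snapshot; the netstat lines and the PIDs 1604 and 2288 are constructed sample data, not values from the thread.

```python
from collections import Counter

# First lines of the firewall log from the question (verbatim format, truncated).
FIREWALL_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.104 4970 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.54.188.126 4972 25 - - - - - - - - -
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.54.188.94 4958 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.88 77.68.46.186 25 4959 40 AR 1939623047 2961615394 0 - - - RECEIVE
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.88 4978 25 - - - - - - - - -
"""

# Constructed `netstat -ano` snapshot (hypothetical PIDs), taken while the log was written.
NETSTAT = """  TCP    77.68.46.186:4970      65.55.37.104:25        SYN_SENT        1604
  TCP    77.68.46.186:4972      65.54.188.126:25       ESTABLISHED     1604
  TCP    77.68.46.186:4978      65.55.37.88:25         ESTABLISHED     2288
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1604
"""

def parse_firewall_log(text):
    """Yield one dict per entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def outbound_smtp(entries, local_ip):
    """Outbound SMTP: our address is the source and 25 is the destination port.
    DROP/RECEIVE lines are replies to those connections, not separate senders."""
    return [e for e in entries
            if e["action"] == "OPEN" and e["protocol"] == "TCP"
            and e["src-ip"] == local_ip and e["dst-port"] == "25"]

def netstat_pids(text):
    """Map (local ip, local port) -> owning PID from `netstat -ano` output."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            ip, port = parts[1].rsplit(":", 1)
            pids[(ip, port)] = int(parts[4])
    return pids

def smtp_pid_counts(log_text, netstat_text, local_ip):
    """Count outbound SMTP connections per PID; None means the socket was
    already closed when netstat ran, so take several snapshots in practice."""
    pids = netstat_pids(netstat_text)
    return Counter(pids.get((e["src-ip"], e["src-port"]))
                   for e in outbound_smtp(parse_firewall_log(log_text), local_ip))
```

The PID with the most connections is the one to look up with `tasklist /svc` (or the Task Manager PID column); if it is the IIS SMTP service itself, the question becomes which site or relay rule is feeding it, so the IIS SMTP log and the open-relay check from the first answer are the next stop.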