Rogue Spammer on my network

  • Rogue Spammer on my network

    I am trying to find a rogue spammer on my network. I have a Cisco PIX 506e, a Windows 2003 SBS w/ SP2 installed and running Symantec Corp 10.1.7. We don't have a wireless network. I have run network-wide virus scans. I wanted to log the PIX but I am not sure if they are sending out via my mail server or a Trojan.

    Previously the mail server was configured as an open relay (with a Barracuda in front of it), but I have since closed that. We switched them from a Barracuda to MX Logic filtering service. Once I added the outbound smart host we were banned for outgoing mail. I found like 500k messages in the server queue. I deleted all messages and closed the open relay. I took away the smart host since we were banned so we could still send outgoing email. Once I was able to prove to MX Logic that our server was configured as an open relay (which we resolved) they reinstated the outbound service. Within hours of this they blocked us once again for spam. The odd thing is, we never re-added the smart host back into Exchange. MX Logic suggests a host may have cached this.

    I am truly stumped. I have to prove to them I found a source before reinstatement. Any suggestions?
    Be easy on me, I'm here to learn

  • #2
    Re: Rogue Spammer on my network

    Can you not look at the open connections on the PIX firewall for port 25???

    Sending mail should go out via this port.

    How many clients do you have???

    Is your Exchange server still an open relay??? I would stop this ASAP if I were you.

    Try reading through this from our MOD Sembee http://www.amset.info/exchange/spam-cleanup.asp

    • #3
      Re: Rogue Spammer on my network

      What rules do you have set up on the PIX for SMTP?
      cheers
      Andy

      Please read this before you post:


      Quis custodiet ipsos custodes?

      • #4
        Re: Rogue Spammer on my network

        Your Exchange server should be the only host allowed to use port 25 incoming and outgoing on your PIX. That should eliminate quite a few problems.
        MCITP:SA, MCSA 2003, MCP, CCNA, A+, Net+, Security+

        • #5
          Re: Rogue Spammer on my network

          Agreed. brcmadmin, can you post the config as we can help you alter it. Make sure you change any identifiable entries though.
          cheers
          Andy

          Please read this before you post:


          Quis custodiet ipsos custodes?
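
Added example, not part of any post in this thread: posts #2 and #4 point at outbound port 25 on the PIX, so one way to find the source is to tally which inside hosts open outbound SMTP connections in the PIX syslog and flag any that are not the mail server. The mail server address, the interface name `inside`, the assumed layout of the 302013 "Built outbound TCP connection" message and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter

MAIL_SERVER = "192.168.1.10"  # assumption: address of the Exchange server

# Assumed layout of the PIX "Built outbound TCP connection" message (302013):
#   ... for <if>:<ip>/<port> (<mapped>) to <if>:<ip>/<port> (<mapped>)
BUILT = re.compile(
    r"%PIX-6-302013: Built outbound TCP connection \d+ for "
    r"(?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<p1>\d+) \([^)]*\) to "
    r"(?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<p2>\d+)"
)

# Constructed sample log lines (documentation address ranges).
PFX = "Mar 03 10:01:02 pix %PIX-6-302013: Built "
NAT = "198.51.100.2"
SAMPLE = [
    PFX + f"outbound TCP connection 4101 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.10/3312 ({NAT}/3312)",
    PFX + f"outbound TCP connection 4102 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:192.168.1.57/1188 ({NAT}/1188)",
    PFX + f"outbound TCP connection 4103 for outside:203.0.113.44/25 (203.0.113.44/25) to inside:192.168.1.57/1190 ({NAT}/1190)",
    PFX + f"outbound TCP connection 4104 for outside:203.0.113.45/25 (203.0.113.45/25) to inside:192.168.1.57/1191 ({NAT}/1191)",
    PFX + f"outbound TCP connection 4105 for outside:203.0.113.46/25 (203.0.113.46/25) to inside:192.168.1.57/1192 ({NAT}/1192)",
    PFX + f"inbound TCP connection 4106 for outside:203.0.113.9/4410 (203.0.113.9/4410) to inside:192.168.1.10/25 ({NAT}/25)",
]

def smtp_sources(lines, inside_if="inside"):
    """Count outbound connections to remote port 25 per inside host."""
    counts = Counter()
    for line in lines:
        m = BUILT.search(line)
        if not m:
            continue  # inbound connections and other message types
        ends = [(m["if1"], m["ip1"], int(m["p1"])),
                (m["if2"], m["ip2"], int(m["p2"]))]
        inside = [e for e in ends if e[0] == inside_if]
        remote = [e for e in ends if e[0] != inside_if]
        if len(inside) == 1 and len(remote) == 1 and remote[0][2] == 25:
            counts[inside[0][1]] += 1
    return counts

def rogue_senders(lines, mail_server=MAIL_SERVER):
    """Inside hosts other than the mail server that spoke SMTP outbound."""
    return {ip: n for ip, n in smtp_sources(lines).items() if ip != mail_server}

if __name__ == "__main__":
    for ip, n in sorted(rogue_senders(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{ip} opened {n} outbound SMTP connections")
```

If the only address reported is the mail server itself, the spam is leaving through Exchange and the search moves to its queues and SMTP logs rather than to a workstation.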
