Security Basics mailing list archives

Need your help!!!


From: chang zhu <cyz2000 () yahoo com>
Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)

Hi, all

Some people connect to my Exchange 2000 server every
day and send all their spam out.  When I go to Current
Sessions under SMTP protocols and Default SMTP Virtual
Server in Exchange System Manager, I can see these
people's connections and IP addresses (no domain name
shows up, only a fake name and IP).  I do not
know how to block them.  This is an Exchange 2000 server
with SP3 behind a PIX firewall.  We only open ports
25, 443 and 80 for this Exchange 2000 server on the PIX.  The MX
record points to this server.  If I use NMAP
to scan this box internally, here are the open ports:

25/tcp     open        smtp                    
80/tcp     open        http                    
110/tcp    open        pop-3                   
119/tcp    open        nntp                    
135/tcp    open        loc-srv                 
139/tcp    open        netbios-ssn             
143/tcp    open        imap2                   
443/tcp    open        https                   
445/tcp    open        microsoft-ds            
563/tcp    open        snews                   
593/tcp    open        http-rpc-epmap          
691/tcp    open        resvc                   
993/tcp    open        imaps                   
995/tcp    open        pop3s                   
3372/tcp   open        msdtc                   
3389/tcp   open        ms-term-serv            
6000/tcp   open        X11                     
6001/tcp   open        X11:1    
6003/tcp   open        X11:3                   
6005/tcp   open        X11:5                   
7001/tcp   open        afs3-callback           
8081/tcp   open        blackice-icecap 

x11?

When I do netstat -na, the following is shown in
part of the result:

TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT

This server is not an open relay server, so how
can spammers connect to this server to send all their spam out
from different domain addresses?

Due to limited experience, I am not able to tackle
it.  Many anti-spam companies have put our server on their
lists.  I asked them to send me reports, which indicated
from the mail header info that all the spam truly went out
through my server.

I need to resolve this ASAP and any suggestion or
solutions will be greatly appreciated.


Thanks for all your attention and help,

Chang
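A defender-side triage of the two listings quoted in the post, added here as an example and not part of the original message or its thread: it flags open ports that fall outside an assumed Exchange 2000 baseline (the `EXPECTED_PORTS` set is my assumption, not something the post states) and splits connections to local port 25 into loopback peers (processes on the box itself) and remote peers. The sample strings are constructed from a subset of the nmap and netstat output above.

```python
import re
from collections import Counter

# Constructed sample input: a subset of the nmap and netstat output quoted in the post.
NMAP_SAMPLE = """\
25/tcp     open        smtp
443/tcp    open        https
3389/tcp   open        ms-term-serv
6000/tcp   open        X11
6001/tcp   open        X11:1
8081/tcp   open        blackice-icecap
"""
NETSTAT_SAMPLE = """\
TCP    127.0.0.1:25           127.0.0.1:54441       TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54433       TIME_WAIT
TCP    127.0.0.2:25           127.0.0.2:54434       TIME_WAIT
TCP    127.0.0.100:25         127.0.0.100:54905     TIME_WAIT
"""

# Assumed baseline (not from the post): TCP ports an Exchange 2000 / Windows 2000
# mail host normally listens on; anything else needs an owner and a justification.
EXPECTED_PORTS = {25, 80, 110, 119, 135, 139, 143, 443, 445, 563, 593, 691,
                  993, 995, 3372, 3389}

NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)")

def unexpected_listeners(nmap_text):
    """Return {port: service} for open TCP ports outside the expected baseline."""
    found = {}
    for line in nmap_text.splitlines():
        m = NMAP_RE.match(line)
        if m and int(m.group(1)) not in EXPECTED_PORTS:
            found[int(m.group(1))] = m.group(2)
    return found

def smtp_peers(netstat_text):
    """Count connections to local port 25 per peer, split loopback vs remote."""
    loopback, remote = Counter(), Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(2) == "25":
            peer = m.group(3)
            (loopback if peer.startswith("127.") else remote)[peer] += 1
    return loopback, remote

if __name__ == "__main__":
    print("unexpected listeners:", unexpected_listeners(NMAP_SAMPLE))
    print("SMTP peers (loopback, remote):", smtp_peers(NETSTAT_SAMPLE))
```

On the quoted netstat fragment every peer is a loopback address, so those port-25 connections come from processes on the server itself, not from the outside hosts seen in Exchange System Manager; the external sessions would have to be correlated separately.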

