Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: wingman on September 08, 2005, 06:32:18 PM
-
One of my clients is running an SME 6.0.1-01 box in server-only mode behind a hardware firewall. It is set up to scan all incoming email for viruses and spam, and uses the rbl contrib as well as the mailfront blocking contrib. After scanning, email is then passed on to an internal Exchange server. All clients use that Exchange server for receiving and sending email. The SME box is not involved in the sending of email, with the exception of passing all approved email on to Exchange.
All of a sudden, mail stopped flowing through SME. The logs showed that it was arriving but never moving through. Further investigation reveals that SME is evidently overloaded by trying to SEND huge amounts of email to a large variety of account names at a domain named "sayclub.com" which appears to be a Korean domain.
I can't determine where this email is coming from other than from the SME server itself.
Has this server been compromised? How do I find and correct the problem?
Please be gentle.... I can follow instructions but sure am no expert.
Thanks,
Joe
-
You should check your internal computers for viruses. I had the same thing happen and it turned out to be an internal computer infected with the Sober bug.
Run a check using Panda's online scanner (www.pandasoftware.com). Don't rely on your computers' virus scanners; they are easily compromised.
-
If it was an internal computer that was sending the huge volume of email, I would think that the Exchange server would be the one with the problems, since it is sending the email out. The SME box only brings mail in; I didn't think that the SMTP logs would show sending activity on it. Am I wrong?
-
Well, I would still check the internal computers for viruses and trojans. Look at one of the outgoing emails and see if you can track the originating computer through the IP address in the header. If it shows a local address, then you have found your culprit.
I suppose someone could have access to the box. If they do, it is most likely through a guessed password. You might also want to check to be sure your server isn't acting as a relay.
-
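An added example for the header check described in the reply above (this is not code from any poster in this thread or from SME Server itself): it takes a few constructed raw messages, reads each one's Received chain oldest-first, the order in which MTAs such as qmail stack them, and reports whether the first hop was an RFC 1918 LAN address, a message injected on the server itself, or an outside host, then tallies recipient domains. The hostnames, IPs and mailbox names in the samples are made up; only the sayclub.com recipient domain comes from the thread.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example (not from the thread or the
# server in question). Hostnames, IPs and mailbox names are made up;
# "sayclub.com" is the recipient domain the original post names.
SAMPLE_QUEUE = [
    # Relayed through the SME box from an internal workstation
    "Received: from unknown (HELO ws-finance) (192.168.1.57)\n"
    "  by smeserver.example.local with SMTP; 8 Sep 2005 10:00:58 -0000\n"
    "From: user123@example.com\n"
    "To: someone1@sayclub.com\n"
    "Subject: hi\n\nconstructed body 1\n",
    # Same workstation, another recipient at the same domain
    "Received: from unknown (HELO ws-finance) (192.168.1.57)\n"
    "  by smeserver.example.local with SMTP; 8 Sep 2005 10:01:02 -0000\n"
    "From: user456@example.com\n"
    "To: someone2@sayclub.com\n"
    "Subject: hi\n\nconstructed body 2\n",
    # Handed to qmail on the server itself (no remote hop at all)
    "Received: (qmail 4242 invoked by uid 0); 8 Sep 2005 10:01:05 -0000\n"
    "From: root@smeserver.example.local\n"
    "To: someone3@sayclub.com\n"
    "Subject: hi\n\nconstructed body 3\n",
    # Ordinary inbound mail from an outside host to a local user
    "Received: from unknown (HELO mx.partner.example) (203.0.113.9)\n"
    "  by smeserver.example.local with SMTP; 8 Sep 2005 10:02:00 -0000\n"
    "From: partner@partner.example\n"
    "To: joe@example.com\n"
    "Subject: invoice\n\nconstructed body 4\n",
]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 ranges are what "a local address" in the reply means; checked
# explicitly because ipaddress.is_private also covers documentation ranges.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_chain(raw):
    """Received headers oldest-first: each MTA prepends its own, so the
    bottom header describes the hop closest to the true origin."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received") or []))


def originating_ip(raw):
    """IPv4 address in the oldest Received header, or None when that header
    records a local injection (qmail's 'invoked by uid' form) or is absent."""
    chain = received_chain(raw)
    if not chain:
        return None
    for candidate in IPV4_RE.findall(chain[0]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return None


def classify_origin(raw):
    """'internal' for an RFC 1918 first hop, 'local-submission' when the mail
    was injected on the server itself (no remote hop, or loopback), else
    'external'."""
    ip = originating_ip(raw)
    if ip is None or ip.is_loopback:
        return "local-submission"
    if any(ip in net for net in LAN_NETWORKS):
        return "internal"
    return "external"


def recipient_domain(raw):
    """Domain part of the first To: address, lower-cased."""
    _, addr = parseaddr(message_from_string(raw).get("To", ""))
    return addr.rpartition("@")[2].lower()


def triage(messages):
    """Tally recipient domains and origin classes, and list the LAN hosts
    that fed mail into the server: those are the machines to scan first."""
    return {
        "recipient_domains": Counter(recipient_domain(m) for m in messages),
        "origins": Counter(classify_origin(m) for m in messages),
        "internal_sources": sorted({str(originating_ip(m)) for m in messages
                                    if classify_origin(m) == "internal"}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_QUEUE).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Point it at the messages sitting in the server's mail queue instead of the embedded samples. A LAN workstation address at the bottom of the Received chain is the infected client the reply above describes, while messages that carry no remote hop at all were handed to the MTA on the server itself, which points at the box rather than at a client and is the case where a compromised account or relay misconfiguration becomes the more likely explanation.
-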
Similar things happened with one of my Linux boxes a while ago. It was a Fedora box and not an SME, with a Postfix MTA and not qmail. This was on a server farm with no Windows LAN clients, so sometimes it can have other reasons than the internal Windows clients. I suspected a misconfigured Postfix MTA, but I never really found out what had happened, as all the software was reinstalled.
-
Arne,
Looks like that will end up being my solution too. I am planning on doing a total reinstall, but am not looking forward to having to reconfigure and set up users and groups again, ibays, mailrules, etc.
Wish there was a better way....
-
Wingman,
I would agree with thedude: check for viruses on local machines. Many viruses have their own SMTP capability, so they would not need to bother the Exchange server; however, the transparent email proxy of SME could be trapping the messages on the way out. Are you using ClamAV, and do you scan outgoing messages on the SME server? Just because your users are not using it for outgoing mail doesn't mean a virus can't.
Regards
Jackl