possible exploit or bad configuration
Problem reported by Jason Zornek - August 9, 2014 at 10:17 AM
Submitted
For several months now I have been getting listed on the Spamhaus CBL. http://cbl.abuseat.org/lookup.cgi?ip=192.95.21.100
They have been of zero help in identifying the problem. No replies, no public info, nada. All I could find is that they will often list someone in the CBL if the spam matches a pattern; they do not "test" that it really is a bot infection.
 
Now I am very careful with my mail server. I always patch, the firewall has only the necessary exceptions, and I use no pirated software. I am running Server 2008 R2.
 
I tried every AV possible and eventually came to the conclusion that it's some kind of crazy rootkit. I did a new OS load from a real, retail store copy of Server 2008 R2. I did full updates, firewall config, everything before even putting it on a public IP. I let it sit for a few days and ran TCPView and had no problems. So next I installed SmarterMail and copied over my domains and configs.
 
In less than an hour I was listed on the CBL again.
 
I figured that it must be something with my ISP, or (God forbid) something with my (yes, store-bought) copy of Windows Server. So I tried another copy of Windows, different IPs, even a different data center. Same thing. Within a few hours of copying over my domains I get listed in the CBL.
 
Finally, I did yet another clean install and this time used a new domain that had very little public exposure. 3 days and nothing. Now I added my other domains and, yep, I get listed again.
 
All this time I am thoroughly checking my SM logs and never see anything suspicious. The domains are all for businesses that I work for and the employees are not spammers. There is zero chance anyone is a junk mailer and, again, I was watching the logs closely.
 
At this point I'm starting to think that it is a flaw in SM or my config, but still, wouldn't this show in the logs if it was relaying mail?
Now I start to use TCPView and Process Explorer. I start tracking down anything suspicious and I am seeing connections from China to the web server but not the mail server. So, I delist from the CBL, turn off IIS and wait. Yep, I don't get listed. Turn it back on, I'm listed again in hours.
Next I again delist and I use the SM built-in mail server. So far it's been a day and I'm not listed.
 
So, is it possible something in the IIS pages is vulnerable and relaying mail? Is some kind of resident-only worm/bot/whatever executing from something inside IIS and relaying spam? Or have I just been royally screwing up the IIS config each time? Running the SM web server is not a long-term solution as the response time is pretty bad.
 
Please help!
 
-Jason
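The manual TCPView check described in the post (which process is opening outbound SMTP connections) can be scripted. The following is an added example, not code from the original post or from SmarterMail: it parses `netstat -ano` (Server 2008 R2 has no `Get-NetTCPConnection`), keeps established connections to remote port 25, maps each to its owning process, and flags any sender other than the expected mail service. The process names `MailService` (assumed to be SmarterMail's service) and `w3wp` (the IIS worker) are assumptions; adjust them for the host.

```powershell
# Added example (not from the original post): find which local processes hold
# established connections to remote TCP port 25, i.e. are sending outbound SMTP.
# If the IIS worker (w3wp) shows up here while the mail service does not, the
# spam is leaving through the web tier, not the mail server.
# Uses netstat -ano and New-Object so it runs on the PowerShell 2.0 that
# ships with Server 2008 R2.

# Assumption: SmarterMail's service process is named MailService. Edit as needed.
$expectedSenders = @('MailService')

function Get-OutboundSmtpConnections {
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($line in $lines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        $f = ($line -split '\s+') | Where-Object { $_ -ne '' }
        if ($f.Count -lt 5) { continue }
        $remote = $f[2]
        $state  = $f[3]
        $procId = [int]$f[4]
        if ($state -ne 'ESTABLISHED') { continue }
        # Remote port 25 means we are the SMTP client; works for IPv4 and [IPv6]:25
        if ($remote -notmatch ':25$') { continue }
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        New-Object PSObject -Property @{
            Local      = $f[1]
            Remote     = $remote
            PID        = $procId
            Process    = $name
            Suspicious = ($expectedSenders -notcontains $name)
        }
    }
}

# Suspicious senders (e.g. w3wp from IIS) sort to the top; run this while the
# CBL listing is fresh so the connections are still open.
Get-OutboundSmtpConnections |
    Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Process, PID, Local, Remote -AutoSize
```

Run it from an elevated prompt so `Get-Process` can resolve service PIDs; an entry owned by `w3wp` is the thing to investigate further (which site/application pool, and what that code is doing).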
