Possible exploit or bad configuration
Problem reported by Jason Zornek - August 9, 2014 at 10:17 AM
For several months now I have been getting listed on the Spamhaus CBL. http://cbl.abuseat.org/lookup.cgi?ip=192.95.21.100
They have been zero helpful in identifying the problem. No replies, no public info, nada. All I could find is that they will often list someone in the CBL if the spam matches a pattern; they do not "test" that it really is a bot infection.
 
Now I am very careful with my mail server. I always patch, the firewall has only the necessary exceptions, and I use no pirated software. I am running Server 2008 R2.
 
I tried every AV possible and eventually came to the conclusion that it's some kind of crazy rootkit. I did a new OS load from a real, retail store copy of Server 2008 R2. I did full updates, firewall config, everything before even putting it on a public IP. I let it sit for a few days and ran TCPView and had no problems. So next I installed SmarterMail and copied over my domains and configs.
 
In less than an hour I was listed on the CBL again.
 
I figured that it must be something with my ISP, or (God forbid) something with my (yes, store-bought) copy of Windows Server. So I tried another copy of Windows, different IPs, even a different data center. Same thing. Within a few hours of copying over my domains I get listed in the CBL.
 
Finally, I did yet another clean install and this time used a new domain that had very little public exposure. 3 days and nothing. Now, I added my other domains and yep, I get listed again.
 
All this time I am thoroughly checking my SM logs and never see anything suspicious. The domains are all for businesses that I work for and the employees are not spammers. There is zero chance anyone is a junk mailer and again, I was watching the logs closely.
 
At this point I'm starting to think that it is a flaw in SM or my config, but still, wouldn't this show in the logs if it was relaying mail?
Now I start to use TCPView and Process Explorer. I start tracking down anything suspicious and I am seeing connections from China to the web server but not the mail server. So, I delist from the CBL, turn off IIS and wait. Yep, I don't get listed. Turn it back on, I'm listed again in hours.
Next I again delist and I use the SM built-in web server. So far it's been a day and I'm not listed.
 
So, is it possible something in the IIS pages is vulnerable and relaying mail? Is some kind of resident-only worm/bot/whatever executing from something inside IIS and relaying spam? Or have I just been royally screwing up the IIS config each time? Running the SM web server is not a long-term solution as the response time is pretty bad.
 
Please help!
 
-Jason

Steve Reid Replied
I think you would need to check the IIS logs to see what is going on.

If you are being listed then your server must be sending out emails. Have you watched your spool folder when you add those domains with IIS enabled?

Also ensure your logs are set to detailed.
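Both the original post (connections to the web server stop the listings when IIS is off) and the reply above (check the IIS logs) point at the same first step: reading the IIS W3C logs for clients that hammer a page with POST requests, since a web form that hands its input to a mailer is the usual way an IIS site ends up relaying mail without the SMTP logs showing an authenticated sender. The script below is an added example written for this thread, not code from SmarterMail, IIS or either poster. It parses the standard IIS 7.5 W3C log format (field order taken from the `#Fields:` header, so it works whatever fields are enabled), summarises requests per client IP, and flags client/URI pairs that received a burst of POSTs inside a short window. The log lines embedded in it are constructed (documentation IP ranges), and the threshold values are assumptions to tune against your own traffic.

```python
"""Summarise IIS W3C logs and flag POST bursts per client IP (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in IIS 7.5 W3C format; not real traffic from the thread.
# 198.51.100.7 fires six POSTs at /contact.asp in 15 seconds, 203.0.113.44 posts
# three times over three hours, 203.0.113.10 only browses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-08-09 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-08-09 00:00:01 10.0.0.5 GET /index.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 15
2014-08-09 00:00:05 10.0.0.5 GET /about.html - 80 - 203.0.113.10 Mozilla/5.0 200 0 0 12
2014-08-09 00:01:00 10.0.0.5 POST /contact.asp - 80 - 203.0.113.44 Mozilla/5.0 200 0 0 40
2014-08-09 00:02:10 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 31
2014-08-09 00:02:13 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 29
2014-08-09 00:02:16 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 30
2014-08-09 00:02:19 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 28
2014-08-09 00:02:22 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 33
2014-08-09 00:02:25 10.0.0.5 POST /contact.asp - 80 - 198.51.100.7 - 200 0 0 30
2014-08-09 01:30:00 10.0.0.5 POST /contact.asp - 80 - 203.0.113.44 Mozilla/5.0 200 0 0 41
2014-08-09 03:00:00 10.0.0.5 POST /contact.asp - 80 - 203.0.113.44 Mozilla/5.0 200 0 0 39
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # IIS re-emits this header whenever the logged fields change, so
            # always take the column layout from the most recent one.
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # #Software / #Version / #Date directives
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line (log still being written); skip, never misalign
        rec = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def summarise_clients(records):
    """Per client IP: total requests, POST count and which URIs were POSTed to."""
    summary = defaultdict(lambda: {"requests": 0, "posts": 0, "post_uris": Counter()})
    for r in records:
        s = summary[r["c-ip"]]
        s["requests"] += 1
        if r["cs-method"] == "POST":
            s["posts"] += 1
            s["post_uris"][r["cs-uri-stem"]] += 1
    return dict(summary)


def flag_post_bursts(records, min_posts=5, window_seconds=60):
    """Return sorted (c-ip, uri, total_posts) for each client/URI pair that saw at
    least min_posts POSTs inside any window_seconds span. Thresholds are assumed
    starting points; a real site's form traffic sets the right values."""
    times = defaultdict(list)
    for r in records:
        if r["cs-method"] == "POST":
            times[(r["c-ip"], r["cs-uri-stem"])].append(r["timestamp"])
    flagged = []
    for (ip, uri), ts in times.items():
        ts.sort()
        for i in range(len(ts) - min_posts + 1):
            if (ts[i + min_posts - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.append((ip, uri, len(ts)))
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for ip, s in sorted(summarise_clients(recs).items()):
        print(ip, s["requests"], "requests,", s["posts"], "POSTs", dict(s["post_uris"]))
    for ip, uri, n in flag_post_bursts(recs):
        print("POST burst:", ip, "->", uri, "(%d POSTs total)" % n)
```

To run it against a live server, replace `SAMPLE_LOG` with the contents of the day's log under the IIS default log directory (on 2008 R2 that is `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\`, assuming the default location has not been changed). Timestamps in IIS logs are UTC by default, so line the flagged windows up with the times the spool folder fills and the CBL listing appears in UTC as well; a client/URI pair that bursts right before the spool grows is the page to take offline and inspect.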
