Disinfecting Win2kAS Spam Zombie

Posted by zupac1@gmail.com on December 12, 2005, 4:47 am
Hello,

I have recently discovered that one of our servers has been
compromised and is attempting to send large amounts of spam by relaying
messages through this machine. Here is a sample notification I receive
in the postmaster account.

| Your message cannot be delivered to the following recipients:
|
| Original address: gawtnvotmgrgq@<domain>
| Reason: Remote SMTP server has rejected address
| Diagnostic code: smtp;550 5.7.1
| Remote system: dns;<domain> (<domain> ESMTP Sendmail
8.12.9/8.12.9/ARL/LRL; Mon, 12 Dec 2005 04:04:39 -0500 [EST])


When I go to DNSgoodies.com and check the Openrelay test, I receive
the message:
| Good News!
| All tests for an open relay on your mail server failed.
| Your mail server does not allow open relay.

I have the latest Windows patches and have scanned the server for
viruses in safe mode, using up-to-date definitions. That doesn't seem
to catch any infections. Any more suggestions? Has anybody
successfully disinfected a zombie machine? Formatting is not an option.

Thanks,
Zu


Posted by zaher.alidib on December 17, 2005, 8:06 am
Anybody have any suggestions? I would hate to be a facilitator of
spam, and it seems to be trying to send to all addresses, from a-z,
@hotmail.com, @nate.com, and @hanmail.net so far... I don't know who
may be next. It could be you!

Please help...


Posted by Dave on December 17, 2005, 11:09 am
Are you really sure you are sending them and not just the target of a faked
return/reply-to address? If all you are getting is bounces, it may be that
someone is sending spam elsewhere and putting your return address on them so
that you get the bounces. If nothing else, use netstat and monitor for
connections going out to SMTP ports elsewhere, then find the PID and get the
image from that.

> Anybody have any suggestions? I would hate to be a facilitator of
> spam, and it seems to be trying to send to all addresses, from a-z,
> @hotmail.com, @nate.com, and @hanmail.net so far... I don't know who
> may be next. It could be you!
>
> Please help...
>
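The netstat triage Dave describes, written out as an added example (this is not code posted by anyone in the thread). It parses the `netstat -ano` and `tasklist` output formats of Windows XP / Server 2003 and later, groups outbound connections to SMTP ports by PID, and maps each PID to its image name. Windows 2000's own netstat has no PID column, so on a Win2k box the port-to-process mapping would come from Task Manager plus a tool such as Foundstone's fport instead; the parsing logic is the same once you have the two columns. All sample output below is constructed, including the placeholder image name "suspect.exe", and the SMTP_PORTS set and min_peers threshold are assumptions.

```python
"""Triage outbound SMTP connections from netstat / tasklist output.

Added example for this thread, not code from any participant. Assumes the
`netstat -ano` and `tasklist` output formats of Windows XP / Server 2003 and
later. Sample output is constructed; "suspect.exe" is a placeholder name.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Ports a mail sender would connect to; 465/587 are assumptions beyond plain 25.
SMTP_PORTS = {25, 465, 587}

# Constructed `netstat -ano` output (documentation-range addresses, not real hosts).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1432
  TCP    192.0.2.10:1044        198.51.100.7:25        ESTABLISHED     2212
  TCP    192.0.2.10:1045        198.51.100.8:25        SYN_SENT        2212
  TCP    192.0.2.10:1046        203.0.113.5:25         ESTABLISHED     2212
  TCP    192.0.2.10:3389        192.0.2.50:1123        ESTABLISHED     988
  TCP    192.0.2.10:1047        203.0.113.9:587        ESTABLISHED     2212
  UDP    0.0.0.0:161            *:*                                    1120
"""

# Constructed `tasklist` output; "suspect.exe" is a placeholder, not a real IoC.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
inetinfo.exe                  1432 Console                    0     12,344 K
suspect.exe                   2212 Console                    0      4,120 K
termsrv.exe                    988 Console                    0      6,200 K
"""


class Conn(NamedTuple):
    proto: str
    local: str
    remote: str
    state: str
    pid: int


def remote_port(addr: str) -> Optional[int]:
    """Port of an IPv4 'host:port' string; None when the port field is not numeric ('*:*')."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP (5 fields) and UDP (4 fields) rows; skip headers and blank lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name. Image names may contain spaces, so parse from the right."""
    images = {}
    for line in text.splitlines():
        parts = line.split()
        # Row shape: <image name words...> <PID> <session name> <session#> <mem> K
        if len(parts) >= 6 and parts[-1] == "K" and parts[-5].isdigit():
            images[int(parts[-5])] = " ".join(parts[:-5])
    return images


def suspicious_smtp_senders(netstat_text: str, tasklist_text: str,
                            min_peers: int = 2) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, image, sorted remote hosts) for processes with outbound SMTP
    connections to at least min_peers distinct hosts. A legitimate MTA also fans
    out, so the image name and process identity decide; this is a triage aid."""
    peers = defaultdict(set)
    for c in parse_netstat(netstat_text):
        if c.proto != "TCP" or c.state == "LISTENING":
            continue  # inbound listeners are not outbound senders
        if remote_port(c.remote) in SMTP_PORTS:
            host, _, _ = c.remote.rpartition(":")
            peers[c.pid].add(host)
    images = parse_tasklist(tasklist_text)
    return [(pid, images.get(pid, "<unknown>"), sorted(hosts))
            for pid, hosts in sorted(peers.items()) if len(hosts) >= min_peers]


if __name__ == "__main__":
    for pid, image, hosts in suspicious_smtp_senders(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"PID {pid} ({image}) talking SMTP to {len(hosts)} hosts: {', '.join(hosts)}")
```

On a live box you would feed it the real output (`netstat -ano > ns.txt` and `tasklist > tl.txt`, then read the files) and run it a few times a minute, since a spam sender's connections are short-lived; the listening SMTP service (PID 1432 above) is deliberately excluded, because the question is which process is originating connections, not which one accepts them.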


