Port 25 is being abused by Spammers (Relays)

Postby neujron » Nov 26 04 5:18 pm

Hello Support!

This is our problem: our mail server is being used for relay even though we have already enabled the security settings for not relaying, and this setup was already in place before and nothing has changed since we moved to a new machine. Take note that we are not using the POP3/SMTP feature of WinGate because of our license, and we have different mail server software. Yesterday we were already blacklisted by DSBL.ORG and we have some issues right now, and this may not concern you. I have already talked to our ISP regarding removal because of a PTR/reverse lookup problem. Also take note that this has never happened before.

Our concern is that on the Client Activity window of GateKeeper we can see the actual sessions being made by these spammers/relayers, and we can't block them or deny their access. I tried banning their IP and their server name, but to no avail. They can still use our server for their bad and irritating activities.

A sample of the activity looks like this:

dsl-ams-178.megaprovider.nl (---> this is the connecting server/machine)
SSL://207.50.225.34:25
SSL://203.17.176.235:25
SSL://199.159.26.9:25
SSL://12.34.166.35:25
SSL://204.118.6.8:25

And there are so many others like this which we can't control. We cannot block port 25 because we are also using it for our mail server.

What are we going to do? Please help; we need to put our mail and WinGate server back to normal, the way it was. Thanks in advance.
neujron
 
Posts: 76
Joined: Jul 27 04 4:19 pm

Postby Pascal » Nov 26 04 5:22 pm

Run this command line:

"netstat -an | more"

It will give you output like:

buttercup wrote:

C:\Documents and Settings\pascalv>netstat -an | more

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2714 127.0.0.1:2715 ESTABLISHED
TCP 127.0.0.1:2715 127.0.0.1:2714 ESTABLISHED
TCP 127.0.0.1:4682 127.0.0.1:4683 ESTABLISHED
TCP 127.0.0.1:4683 127.0.0.1:4682 ESTABLISHED
TCP 192.168.0.67:139 0.0.0.0:0 LISTENING
TCP 192.168.0.67:1731 192.168.0.98:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1092 *:*
UDP 0.0.0.0:1093 *:*
UDP 0.0.0.0:1327 *:*


That tells us what is listening on your machine. I assume that your existing mail server has all the appropriate configuration done on its side to be safe and secure. However, I'm concerned that one of your other services might be bound externally, which could cause this to happen.

So, make sure that you have only essential services bound externally and that those that are bound are properly authenticated (or protected through authentication where possible).

From the look of it, your web proxy might be bound externally.
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com
Pascal
Qbik Staff
 
Posts: 2623
Joined: Sep 08 03 8:19 pm
Location: Auckland, New Zealand
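Pascal's advice amounts to an audit of which services are bound to a non-loopback interface. The following script is an added example, not code from the thread or from Qbik: it parses the shape of `netstat -an` output quoted above and lists every listener that is reachable on a real interface and is not on an allow-list of ports the host is meant to expose. The sample output is constructed (it reuses the addresses from the quoted post plus one IPv6 loopback line), and `ALLOWED_EXTERNAL_PORTS` is a hypothetical policy for a host whose only intended public service is SMTP on port 25.

```python
"""Flag services bound to external interfaces from 'netstat -an' output.

Added example for the thread above; not WinGate or Qbik code.
"""

# Constructed sample in the format printed by 'netstat -an' on Windows.
# Addresses are taken from the quoted post; the [::1] line is added to
# show that IPv6 loopback is treated like 127.0.0.1.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    [::1]:2714             [::]:0                 LISTENING
  TCP    192.168.0.67:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.67:1731      192.168.0.98:139       ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
"""

# Hypothetical policy: ports this host is allowed to expose beyond loopback.
ALLOWED_EXTERNAL_PORTS = {25}


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, addr, port, foreign, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        rows.append({
            "proto": proto,
            "addr": addr.strip("[]"),
            "port": int(port),
            "foreign": foreign,
            "state": state,
        })
    return rows


def is_listener(row):
    """TCP rows must say LISTENING; every UDP socket is effectively a listener."""
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def bind_scope(addr):
    """Classify the local address: loopback, all interfaces, or one interface."""
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    if addr in ("0.0.0.0", "::"):
        return "all"
    return "interface"


def find_exposed_listeners(text, allowed=ALLOWED_EXTERNAL_PORTS):
    """Listeners reachable on a non-loopback address and not on the allow-list."""
    exposed = []
    for row in parse_netstat(text):
        if not is_listener(row):
            continue
        scope = bind_scope(row["addr"])
        if scope == "loopback" or row["port"] in allowed:
            continue
        exposed.append(dict(row, scope=scope))
    return exposed


if __name__ == "__main__":
    for r in find_exposed_listeners(SAMPLE_NETSTAT):
        print(f"{r['proto']:<4} {r['addr']}:{r['port']:<5} bound on {r['scope']} interface(s): review this binding")
```

Run it as-is to see the five listeners in the sample that would deserve a look (135, 445 and 139 bound on all or LAN interfaces, plus UDP 445 and 500); on a live host, replace `SAMPLE_NETSTAT` with the real `netstat -an` text. A listener bound to a LAN address counts as exposed here because, as the thread shows, a proxy service bound to an interface other than loopback is exactly what let outside hosts relay through it.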

Postby neujron » Nov 26 04 5:49 pm

Thanks Pascal for your help; I think that has done it for WinGate. I removed the LAN external binding, and now those bastards are gone! It totally didn't come to my mind what happened and what had been done. My mistake.

Now our problem is our mail server; I think it's minimized, but we'll have to work on it on our own step by step.

Thanks for the great support! Best regards.
neujron
 
Posts: 76
Joined: Jul 27 04 4:19 pm
