Port 25 are being abused by Spammers (Relays)

WinGate Proxy Server and other Qbik products

Use this forum to post questions relating to WinGate, feature requests, technical or configuration problems
Post a reply
neujron
  • neujron
  • Posts: 76
  • Joined: Jul 27 04 4:19 pm

Port 25 are being abused by Spammers (Relays)

Nov 26 04 5:18 pm

Hello Support!

This is our problem, Our mail server is being used for relay eventhough we have enabled already the security settings for not relaying and this setup was already in place before and nothing has changed since we move to a new machine. Take note that we are not using the POP3/SMTP feature of Wingate because of our license and we have different mail server software. Yesterday we are already blacklisted by DSBL.ORG and we have some issues right now and this may not concern you. I talked already to our ISP regarding removal because of PTR/Reverse lookup problem. Also take note that this has never happen before.

Our concern is, on the Client Activity window of Gatekeeper, we can see the actual session being done by these spammers/relayers and we can't block them or deny their access. I tried banning their IP and their server name but to no avail. They can still use our server for their bad and irritable activities.

Sample of the acitivity looks like this:

dsl-ams-178.megaprovider.nl (---> this is the connecting server/machine)
SSL://207.50.225.34:25
SSL://203.17.176.235:25
SSL://199.159.26.9:25
SSL://12.34.166.35:25
SSL://204.118.6.8:25

And there are so many others like this which we can't control. We cannot block Port 25 because we are using it also for our mail server.

What are we going to do? Please help, we need to put our mail and wingate server back to normal, the way it was. Thanks in advance.
Pascal
  • Pascal
  • Posts: 2623
  • Joined: Sep 08 03 8:19 pm
  • Location: Auckland, New Zealand
  • Website

Nov 26 04 5:22 pm

Run this command line:

"netstat -an | more"

It will give you output like:

buttercup wrote:C:\Documents and Settings\pascalv>netstat -an | more

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:2714 127.0.0.1:2715 ESTABLISHED
TCP 127.0.0.1:2715 127.0.0.1:2714 ESTABLISHED
TCP 127.0.0.1:4682 127.0.0.1:4683 ESTABLISHED
TCP 127.0.0.1:4683 127.0.0.1:4682 ESTABLISHED
TCP 192.168.0.67:139 0.0.0.0:0 LISTENING
TCP 192.168.0.67:1731 192.168.0.98:139 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1092 *:*
UDP 0.0.0.0:1093 *:*
UDP 0.0.0.0:1327 *:*


That tells us what is listening on your machine. I assume that your existing mail server has all the appropriate configuration done on it's side to be safe and secure. However, I'm concerned that one of your other services might be bound externally, which could cause this to happen.

So, make sure that you have only essential services bound externally and that those that are bound are properly authenticated. (Or protected through authentication where possible)

Fro mthe look of it, your web-proxy might be bound externally.
neujron
  • neujron
  • Posts: 76
  • Joined: Jul 27 04 4:19 pm

Nov 26 04 5:49 pm

Thanks Pascal for your help, I think that have done it for Wingate. I removed the LAN External binding now those bastards are gone! It totally didn't come to my mind what happened and what have been done. My mistake.

Now our problem is our mail server, I think it's minimized but we'll have to work on it on our own step by step.

Thanks for the great support! Best regards.
Post a reply
Switch to full style

Powered by phpBB © phpBB Group.

phpBB Mobile / SEO by Artodia.

Board index