I would like to preface this by saying that this is not solely firewall
related and I apologize. I do not know of any lists that deal directly with
general security problems. The problem we are having is with SPAM mail and
if you look below I will give you the specs. Any help would be much
appreciated.
1) Environment:
NT Server SP6a
Exchange Server 5.5 SP3
Firewall
IDS System
Mail Relay System
2) Spam Mail:
a) Constant connection from badhost1 to our Mail Server on Port 25
b) Several unknown hosts relay through badhost1.com to our Mail Server.
c) Our DMZ mail relay host is set to disallow relaying, our internal mail
only relays to our relay host.
d) Our firewall is set to allow inbound SMTP connections to the relay host.
e) All malicious mail is addressed at *@ourdomain.com.
f) Our outbound mail queue is flooded by outbound emails addressed to
*@ourdomain.com.
g) If we block the badhost1.com in our firewall or IDS system all malicious
email traffic stops.
h) It seems to be triggered by an email sent by find@badhost*.com
Conclusion:
a) Is there anybody out there that has had an experience like this before?
b) We have contacted the owner of badhost1; they supposedly turned off
relaying.
c) Why would our mail system start sending out traffic?
Please forgive me if this is a little bleak on content; feel free to ask more
questions.
Thank You,
Lee Christie (CCSA)
Security Engineer
CorpNet Security
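One way to put numbers on the symptoms listed above, as an added example that is not part of the original post: a Python script that tallies inbound SMTP connections per source host, flags a source that hands over mail from many unrelated sender domains (relay behaviour), matches the find@badhost*.com trigger pattern, and measures how much of the outbound queue is addressed back to our own domain. The log line format, the analyze() function and the sample entries are all constructed for this example, not Exchange's or any vendor's format.

```python
import re
from collections import Counter

# Constructed sample relay log (not from the original post); the line format is
# an assumption made for this example, not Exchange's or any vendor's format.
SAMPLE_LOG = """\
10:00:01 dir=in  src=badhost1.com     from=find@badhost1.com   to=a@ourdomain.com
10:00:02 dir=in  src=badhost1.com     from=find@badhost7.com   to=b@ourdomain.com
10:00:03 dir=in  src=badhost1.com     from=joe@unknown.net     to=c@ourdomain.com
10:00:04 dir=in  src=badhost1.com     from=sue@elsewhere.org   to=d@ourdomain.com
10:00:05 dir=in  src=partner.example  from=alice@partner.example to=e@ourdomain.com
10:00:06 dir=out src=exchange.local   from=postmaster@ourdomain.com to=x@ourdomain.com
10:00:07 dir=out src=exchange.local   from=postmaster@ourdomain.com to=y@ourdomain.com
10:00:08 dir=out src=exchange.local   from=postmaster@ourdomain.com to=z@ourdomain.com
10:00:09 dir=out src=exchange.local   from=bob@ourdomain.com to=carol@partner.example
"""

LINE_RE = re.compile(r"dir=(?P<dir>in|out)\s+src=(?P<src>\S+)\s+from=(?P<from>\S+)\s+to=(?P<to>\S+)")
# The find@badhost*.com trigger sender named in the post, as a regex.
TRIGGER_RE = re.compile(r"^find@badhost\w*\.com$", re.IGNORECASE)

def analyze(log_text, our_domain="ourdomain.com", conn_threshold=3, relay_domains=3):
    inbound_src = Counter()   # inbound connections per source host
    relayed_via = {}          # source host -> distinct sender domains seen through it
    trigger_hits = []         # senders matching the trigger pattern
    out_total = out_to_self = 0
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        sender_domain = d["from"].rsplit("@", 1)[-1].lower()
        if d["dir"] == "in":
            inbound_src[d["src"]] += 1
            relayed_via.setdefault(d["src"], set()).add(sender_domain)
            if TRIGGER_RE.match(d["from"]):
                trigger_hits.append(d["from"])
        else:
            out_total += 1
            # Outbound mail addressed to our own domain should never leave via the relay;
            # a high share of it points at a bounce/relay loop rather than real traffic.
            if d["to"].lower().endswith("@" + our_domain):
                out_to_self += 1
    noisy = {h: n for h, n in inbound_src.items() if n >= conn_threshold}
    relays = {h: sorted(doms) for h, doms in relayed_via.items() if len(doms) >= relay_domains}
    return {"noisy_sources": noisy, "suspected_relays": relays,
            "trigger_senders": trigger_hits, "outbound_to_self": out_to_self,
            "outbound_self_ratio": (out_to_self / out_total) if out_total else 0.0}
```

Run against a real relay log, the same four counters (connection rate per source, sender-domain spread per source, trigger-sender hits, share of outbound addressed to our own domain) are the evidence to hand to the upstream host's owner and to decide whether a firewall block on the source is justified.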