virus or mail relay ?


Mike

Hi,

In the last few days I have enabled the smtp server in Win XP. A little
while after, I started sending multiple outbound emails (large numbers
simultaneously) which I hadn't authored. I knew they were going out
because I have norton AV (fully updated) scan all outbound emails. I have
blocked port 25 via norton firewall and the rule is now being fired
regularly (sometimes 10/15 times a second).

I have done a full system scan which detects no viruses. In the SMTP server
settings I have
IP Address: my ip (as opposed to "all unassigned")
Connection: "only the list below": my ip
Relay: "only the list below": my ip + "Allow all computers which successfully
authenticate regardless of the list above": UNCHECKED

What is going on here ? I have a logfile of the connections: here is a
small sample:

00:36:23 mail.sayhi.net EHLO - 0
00:36:23 mail.sayhi.net - - 0
00:36:23 mail.sayhi.net MAIL - 0
00:36:23 mail.sayhi.net - - 0
00:36:23 mail.sayhi.net RCPT - 0
00:36:23 - - - 0
00:36:23 msr21.hinet.net EHLO - 0
00:36:23 mail.sayhi.net - - 0
00:36:23 mail.sayhi.net DATA - 0
00:36:25 msr21.hinet.net - - 0
00:36:25 msr21.hinet.net MAIL - 0
00:36:25 mail.sayhi.net - - 0
00:36:25 msr21.hinet.net - - 0
00:36:25 msr21.hinet.net RCPT - 0
00:36:25 mail.sayhi.net - - 0
00:36:25 mail.sayhi.net QUIT - 0
00:36:25 mail.sayhi.net - - 0
00:36:28 - - - 0
00:36:28 mail.jy.js.cn EHLO - 0
00:36:28 mail.jy.js.cn - - 0
00:36:28 mail.jy.js.cn MAIL - 0
00:36:28 mail.jy.js.cn - - 0
00:36:28 mail.jy.js.cn RCPT - 0
00:36:29 mail.jy.js.cn - - 0

Have I just got the smtp server incorrectly configured, or is this likely to
be a virus ?

Having looked at some of the rejected emails in mailroot\badmail, they have

X-Mailer:Microsoft Outlook Express 6.00.2462.0000

X-MimeOLE:Produced By Mircosoft MimeOLE V6.00.2600.0000

There were loads of messages queued. I shut down smtp, deleted them all,
restarted smtp and they fill straight back up.

I don't use outlook express for emails, but about the same time this problem
started occurring I loaded outlook up to post to newsgroups .......

please help !



Mike
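An added example, not code from the thread: a small parser for log lines in the shape of the excerpt above ("time host verb - status") that groups SMTP verbs per remote host and flags any host outside the allowed list that gets as far as RCPT, which is what a relay attempt looks like. The allowed host "my-pc.local" and the sample lines are constructed; in a real IIS SMTP log, key on the client IP column rather than the EHLO name, since the EHLO name is supplied by the connecting client.

```python
import re
from collections import defaultdict

# Constructed sample in the same shape as the thread's log excerpt:
# "<time> <remote host> <SMTP verb> - <status>"; "-" means no data in that field.
SAMPLE_LOG = """\
00:36:23 mail.sayhi.net EHLO - 0
00:36:23 mail.sayhi.net MAIL - 0
00:36:23 mail.sayhi.net RCPT - 0
00:36:23 - - - 0
00:36:23 msr21.hinet.net EHLO - 0
00:36:23 mail.sayhi.net DATA - 0
00:36:25 msr21.hinet.net MAIL - 0
00:36:25 msr21.hinet.net RCPT - 0
00:36:25 mail.sayhi.net QUIT - 0
00:36:28 mail.jy.js.cn EHLO - 0
00:36:28 mail.jy.js.cn MAIL - 0
00:36:28 mail.jy.js.cn RCPT - 0
00:36:30 my-pc.local EHLO - 0
00:36:30 my-pc.local MAIL - 0
00:36:30 my-pc.local RCPT - 0
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+)$")

def parse_log(text):
    """Yield (time, host, verb) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def relay_report(text, allowed_hosts):
    """Count SMTP verbs per remote host. A host that is not in allowed_hosts and
    issues RCPT is submitting mail for delivery through this server: a relay attempt."""
    verbs = defaultdict(lambda: defaultdict(int))
    for _, host, verb in parse_log(text):
        if host != "-" and verb != "-":
            verbs[host][verb] += 1
    report = {}
    for host, counts in verbs.items():
        suspect = host not in allowed_hosts and counts.get("RCPT", 0) > 0
        report[host] = {"counts": dict(counts), "relay_attempt": suspect}
    return report

def relay_attempt_hosts(text, allowed_hosts):
    """Sorted list of hosts flagged as relay attempts."""
    return sorted(h for h, r in relay_report(text, allowed_hosts).items() if r["relay_attempt"])

if __name__ == "__main__":
    for host in relay_attempt_hosts(SAMPLE_LOG, {"my-pc.local"}):
        print("relay attempt from", host)
```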
 
Sounds as if your relay is being hijacked.
You need a Firewall. I use Zone Alarm from http://www.zonelabs.com/ ; it's
free, works well and is easily understood. You can stop both in and outward
transactions.
There is also Agnitum Outpost, but it's too fussy for me although I am told
it's technically brilliant.
cheers
 
On that special day, Mike, ([email protected]) said...
00:36:28 mail.jy.js.cn EHLO - 0
00:36:28 mail.jy.js.cn - - 0
00:36:28 mail.jy.js.cn MAIL - 0
00:36:28 mail.jy.js.cn - - 0
00:36:28 mail.jy.js.cn RCPT - 0
00:36:29 mail.jy.js.cn - - 0

Have I just got the smtp server incorrectly configured, or is this likely to
be a virus ?

The former. Look at the HELOs, they are definitely Chinese. You are a
perfect open relay for a Chinese spammer. If you don't know how to keep
external mailing machines out of your SMTP server, better not run one.


Gabriele Neukam

 
Hi,

I am running Norton firewall - (as I said earlier) with port 25 blocked. I
normally have the smtp server stopped, but for the next two weeks need it
running .... after that it will be shutdown again. But a lot of spam can be
sent in two weeks - so please help (I get enough of the damn stuff myself &
was getting about 50-100 Swens per day a couple of weeks ago - managed to
catch 'em all though)!

A couple of weeks ago I installed Spybot S&D & Browser Hijack Blaster. The
former discovered various things, most without explanations which I left
alone. I did remove
Gator and VX2/? and VX2/f

So I would be grateful if someone can enlighten me on how I can secure the
smtp server so it is not a relay - I listed the settings I currently have in
the earlier post. I do need it running for a short while.

thanks

Mike
 

There is nothing here that indicates incoming or outgoing, except for
the fact that I can't see why sayhi.net and hinet.net *servers* would
be trying to relay through you. Given that at least two of these are
well-known open proxies, evidently being used by some worm as they are
showing up on posted virus detection lists as well as spam block
lists, I think you should assume outgoing and therefore *worm*.

Okay so Norton is fully updated, is it scanning all files? Is
heuristics on? If so and you're still getting no detection, try
another scanner and/or manual detection.
http://service1.symantec.com/SUPPOR...335f85954da8eba788256a6300008a2f?OpenDocument

Carol
 
Hi
There is nothing here that indicates incoming or outgoing, except for
the fact that I can't see why sayhi.net and hinet.net *servers* would
be trying to relay through you. Given that at least two of these are
well-known open proxies, evidently being used by some worm as they are
showing up on posted virus detection lists as well as spam block
lists, I think you should assume outgoing and therefore *worm*.

Okay so Norton is fully updated, is it scanning all files? Is

"Comprehensive scanning": enabled
"Bloodhound heuristics" on: default level of protection
"Enable script blocking": on
"Enable worm blocking": on

http://service1.symantec.com/SUPPORT/nav.nsf/b69c799adfa31ecc85256aa30052f4d0/335f85954da8eba788256a6300008a2f?OpenDocument

Will try this, thanks

Mike
 
If you install Zone alarm or Outpost you can see what process is initiating
the outgoing traffic and stop it!
You need a firewall to fix this not an anti-virus prog.! (Ok so it might
find the trojan, but it's obviously not working) At the moment you are still
looking for a burglar who has a key, instead of changing the lock!
 
Hi,

rpaco said:
If you install Zone alarm or Outpost you can see what process is initiating
the outgoing traffic and stop it!

Does norton firewall not do this ? It provides a "manual program control"
list - permitted / prohibited applications. If anything other than in the
list tries to access the internet an alert is generated and you can
approve/deny.
You need a firewall to fix this not an anti-virus prog.! (Ok so it might
find the trojan, but it's obviously not working) At the moment you are still
looking for a burglar who has a key, instead of changing the lock!

One of the alerts is:
Details: Unused port blocking has blocked communications
Inbound TCP connection
Remote address,local service is (xxx.xxx.xxx.xx,smtp(25))

Does this not suggest that people are trying to connect on my port 25/use my
machine as a relay? If so, and if I want to enable the smtp server and
disable the port 25 firewall block, given the settings I mention above in
the thread, how can I configure it ?

cheers

Mike
 