Server sending mass spam [message #108139]
Tue, 12 November 2013 12:59
jimbo_
Messages: 5 Registered: November 2013 Location: United Kingdom
Hi,
We have a MS 2008 R2 Server running Kerio Connect 8.2.0 as our email server. We've recently moved to a FTTP dedicated internet connection and subsequently fitted a new Watchguard firewall.
We have external users which require external email access so have port 25 incoming on the firewall pointing to the email server as required. We are having to monitor the firewall and the email logs constantly as we're having SMTP attacks where the email server is mass sending out spam coming from certain IP addresses. We're then blocking these IP addresses in the firewall when we spot the problem. It's getting as much as 100,000 emails per week if we're missing it.
Kerio is set up so that it requires SMTP authentication to send email. The "active connections" tab does not show the IP addresses that are causing the issue but simply lists our public IP address followed by a random port (IP:58403 for instance). Nor does it show the "User" so if it was related to a user's password being cracked then I can't see who it is.
It's allowing mail to go out as anything<_at_>ourdomain.com. Which according to the settings, it shouldn't be allowed to do.
Any ideas what we're missing here?
Cheers, Jimbo
Re: Server sending mass spam [message #108154 is a reply to message #108153]
Tue, 12 November 2013 16:08
jimbo_
Quote: You should not use Network Address Translation when mapping a port from the Internet to your server.
Ok what is your suggestion? Because we have 8 public IP addresses from our Router we need to use SNAT to point the correct port 25 traffic from the internet to our mail server.
Quote: Are you sure these messages go out from your server? Or are they incoming ones?
Well yes it's coming from anything<_at_>ourdomain.com going out to random addresses worldwide. We've been put on Spamhaus list a couple of times so our email reputation is very low. If I look at the message headers they're coming from a random IP address then being sent through our server. Like this:
Received: from 107.6.137.138 (our IP)
by mail.ourdomain.com (Kerio Connect 8.2.0);
Re: Server sending mass spam [message #108156 is a reply to message #108155]
Tue, 12 November 2013 16:37
jimbo_
Yes the main IP address is in that group. I see what you mean. I can't point port 25 traffic to the mail server without using SNAT though on the Watchguard.
Re: Server sending mass spam [message #108157 is a reply to message #108156]
Tue, 12 November 2013 16:46
jimbo_
Ah hold fire. I may have worked it out to forward it using SNAT but not to mask the IP address. Doing 2 tests from my gmail on my phone, first the header showed our IP in the Received: from, second test has gmail's IP address instead. Hopefully this solves the problem.
Thanks
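The manual check from the last post (send a test message from outside, then read the Received: line your own server stamped) can be scripted as below. This is an added example, not part of the thread and not Kerio or WatchGuard code; the host name `mail.example.com`, the trusted ranges and both sample messages are constructed placeholders.

```python
import email
import ipaddress
import re

# Assumptions (placeholders, not values from the thread): the mail server's
# host name and the ranges covered by its trusted/local IP address group.
OUR_HOST = "mail.example.com"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/29", "192.168.0.0/16")]

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed test messages: one relayed through a firewall that rewrites the
# source address, one where the sender's real address reaches the server.
MASKED_SAMPLE = ("Received: from 203.0.113.2\n\tby mail.example.com (Kerio Connect 8.2.0);\n"
                 "\tTue, 12 Nov 2013 16:40:00 +0000\nSubject: test 1\n\nbody\n")
PRESERVED_SAMPLE = ("Received: from mail.example.net ([198.51.100.25])\n"
                    "\tby mail.example.com (Kerio Connect 8.2.0);\n"
                    "\tTue, 12 Nov 2013 16:45:00 +0000\nSubject: test 2\n\nbody\n")

def first_hop_ip(raw_message, our_host=OUR_HOST):
    """Client IP that our own server recorded in its Received: header, or None."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        if f" by {our_host} " not in flat + " ":
            continue                              # stamped by some other hop
        from_part = flat.split(" by ", 1)[0]
        for candidate in IPV4.findall(from_part):
            try:
                return ipaddress.ip_address(candidate)
            except ValueError:
                continue                          # digits that are not a valid address
    return None

def classify(raw_message, our_host=OUR_HOST):
    """'masked' if the server saw one of its own trusted addresses as the client,
    'preserved' if it saw an outside address, 'no-header' if nothing was found."""
    ip = first_hop_ip(raw_message, our_host)
    if ip is None:
        return "no-header"
    if any(ip in net for net in TRUSTED_NETS):
        return "masked"
    return "preserved"

if __name__ == "__main__":
    for name, sample in (("test 1", MASKED_SAMPLE), ("test 2", PRESERVED_SAMPLE)):
        print(name, first_hop_ip(sample), classify(sample))
```

A "masked" result for a message sent from outside means the server cannot tell external senders apart from addresses in its own group.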