The last couple of days, I have noticed that our email is being routed to a backup system. We have a primary T1 connection with IP1, and a DSL connection as backup to the T1 as IP2 (this is only connected when the T1 goes down).
We use 3 mx records to route mail and host our own mail server. If IP1 is down or unavailable, mail goes to IP2. If that is unavailable, it goes to IP3 which is a web hosted mail server. We also run GFI Mail Essentials on a mail gateway and use the POP feature to download from the web hosted mail accounts every 10 minutes.
The problem is our T1 has not gone down or become unavailable to my knowledge, but mail is constantly being routed to the backup web hosted mail accounts.
Event logs for mail and gateway do not show anything out of the ordinary.
But I started going through web logs and found the following:
2004-05-11 18:33:38 155.212.66.171 - [internal ip] 80 SEARCH /±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± - 401 -
I trimmed this to make it easier to read. It actually takes up about a full page. This showed up several times over the last two days in the logs.
The IP 155.212.66.171 is from the block that is owned by our telephone and T1 connection provider.
I also noticed that we are receiving spam from our own IP address [probably spoofed] - from headers:
Received: from xxx.xxx.xxx.xxx ([61.38.152.154]) by bouncer.newmancom.local with Microsoft SMTPSVC(5.0.2195.5329); Wed, 12 May 2004 12:48:54 -0400
xxx.xxx.xxx.xxx is our external IP.
Any thoughts on this? Cause? Solutions?
Thanks
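
A log triage sketch for entries like the one quoted in the post, added here as an example and not part of the original post: it flags requests with an uncommon method (SEARCH is a WebDAV method), an oversized URI, or non-ASCII bytes in the URI, and counts them per client IP. The field order is assumed from the quoted line; the length threshold and the sample lines (documentation addresses) are constructed.

```python
from collections import Counter

# Field order assumed from the log line quoted in the post.
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port",
          "method", "uri_stem", "uri_query", "status"]
COMMON_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}
MAX_URI_LEN = 256  # assumed threshold; tune to the site's longest real URL

# Constructed sample lines, not real log data.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status",
    "2004-05-11 18:30:02 192.0.2.10 - 10.0.0.5 80 GET /default.htm - 200",
    "2004-05-11 18:33:38 198.51.100.7 - 10.0.0.5 80 SEARCH /" + "\u00b1" * 2000 + " - 401",
    "2004-05-11 18:34:10 198.51.100.7 - 10.0.0.5 80 SEARCH /" + "\u00b1" * 2000 + " - 401",
    "2004-05-11 18:40:00 192.0.2.10 - 10.0.0.5 80 POST /form.asp id=1 200",
])

def parse_line(line):
    """Return a dict for one log entry, or None for directives and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def suspicious_reasons(entry):
    """List the reasons an entry looks abnormal (empty list if none)."""
    reasons = []
    uri = entry["uri_stem"]
    if entry["method"].upper() not in COMMON_METHODS:
        reasons.append("unusual method " + entry["method"])
    if len(uri) > MAX_URI_LEN:
        reasons.append("URI length %d" % len(uri))
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in uri):
        reasons.append("non-printable or non-ASCII bytes in URI")
    return reasons

def triage(log_text):
    """Return (flagged entries with reasons, flagged request count per client IP)."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = suspicious_reasons(entry) if entry else []
        if reasons:
            flagged.append((entry, reasons))
            per_ip[entry["c_ip"]] += 1
    return flagged, per_ip

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG)[0]:
        print(entry["date"], entry["time"], entry["c_ip"], entry["status"], "; ".join(reasons))
```

Comparing the timestamps of flagged requests against the times mail started arriving at the backup MX shows whether the two symptoms line up.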