Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

should I be concerned?

Status
Not open for further replies.

estafford

Programmer
Sep 5, 2002
22
US
The last couple of days, I notice that our email is being routed to a backup system. We have a primary T1 connection with IP1. A DSL connection as backup to the T1 as IP2 (this in only connected when T1 goes down.

We use 3 mx records to route mail and host our own mail server. If IP1 is down or unavailable, mail goes to IP2. If that is unavailable, it goes to IP3 which is a web hosted mail server. We also run GFI Mail Essentials on a mail gateway and use the POP feature to download from the web hosted mail accounts every 10 minutes.

The problem is our T1 has not gone down or become unavailable to my knowledge, but mail is constantly being routed to the backup web hosted mail accounts.

Event logs for mail and gateway do not show anything out of the ordinary.
But I started going through web logs and found the following:
2004-05-11 18:33:38 155.212.66.171 - [internal ip] 80 SEARCH /±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±±± - 401 -

I trimmed this to make it easier to read. it actually takes up about a full page. This showed up several times for the last two days on the logs.

The IP 155.212.66.171 is from the block that is owned by our telephone and T1 connection provider.

I also noticed that we are receiving spam from our own IP address [probably spoofed] - from headers:
Received: from xxx.xxx.xxx.xxx ([61.38.152.154]) by bouncer.newmancom.local with Microsoft SMTPSVC(5.0.2195.5329); Wed, 12 May 2004 12:48:54 -0400

xxx.xxx.xxx.xxx is our external IP.

Any thoughts on this? Cause? solutions?

Thanks
 
First, the SEARCH line you included looks suspiciously like a worm or virus test. Nothing to worry too much about since your server gave a 401, except if the "calling" computer is an internal one.
Second, mail routing through secondary MXs is a well-used spammer trick. When you say "mail is constantly routed", does this mean _all_ mail (spam and ham) ? If it's only spam, that should be no big deal, it happens all the time. If it's also ham, it could mean someone has played with your DNS and MX settings, putting the webmail as primary (I hope not : it would be very, very bad !).
Last, if your webmail is vulnerable (through SMTP or web cgi), it could very well be used as a mail relay.

Hth
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top