LOTS OF "Relay attempt from IP address 127.0.0.1" (There may be some virus on my server, how can I find it?)

nixius
There are lots of security log entries like this:
[23/Apr/2013 14:27:29] Relay attempt from IP address 127.0.0.1, mail from <xxx@yyy.com> to <aAnnettEisenbarthko7129@hotmail.com> rejected
[23/Apr/2013 14:38:12] Relay attempt from IP address 127.0.0.1, mail from <xxx@yyy.com> to <2b8cfec5@gmail.com> rejected
[23/Apr/2013 14:39:33] Relay attempt from IP address 127.0.0.1, mail from <xxx@yyy.com> to <brandee326potts368@maileenation.com> rejected
[23/Apr/2013 14:47:12] Relay attempt from IP address 127.0.0.1, mail from <xxx@yyy.com> to <vAnnettEisenbarthko7129@hotmail.com> rejected


And this is the debug info. The port 31825 changes every time:
[23/Apr/2013 16:23:21][18860] {smtps} Task 3952 handler starting
[23/Apr/2013 16:23:21][18860] {smtps} SMTP server session begin; client connected from 127.0.0.1:31825
[23/Apr/2013 16:23:21][18860] {smtps} Sent SMTP greeting to 127.0.0.1:31825
[23/Apr/2013 16:23:21][18860] {smtps} Command HELO NLP-Server
[23/Apr/2013 16:23:21][18860] {smtps} Sent reply to HELO: 250 yyy.com
[23/Apr/2013 16:23:21][18860] {smtps} Command MAIL FROM:<xxx@yyy.com>
[23/Apr/2013 16:23:21][18860] {smtps} Sent reply to MAIL: 250 2.1.0 Sender <xxx@yyy.com> ok
[23/Apr/2013 16:23:21][18860] {smtps} Command RCPT TO:<sheri426todd290@emailbeetle.com>
[23/Apr/2013 16:23:21][18860] {smtps} Sent reply to RCPT: 550 5.7.1 Relaying to <sheri426todd290@emailbeetle.com> denied
[23/Apr/2013 16:23:21][18860] {smtps} Command QUIT
[23/Apr/2013 16:23:21][18860] {smtps} SMTP server session end
[23/Apr/2013 16:23:21][18860] {smtps} Task 3952 handler END


I have tried using CurrPorts to find which process is sending the spam by its port, but the PID turns out to be 0, which means I can't identify the process!

HELP ME!!!

[Updated on: Tue, 23 April 2013 10:54]

BudDurland
What anti-virus & anti-malware software have you run on the server?

Good is better than evil because it's nicer
--Mammy Yokum
nixius
Windows Server 2008 Service Pack 2
Kerio Connect 7.0.0 build 1191 (internal McAfee is enabled and updated)
ESET Endpoint Antivirus 5.0.2126.3

-----
I'm going mad about what is going on now.
BudDurland
After checking the mail queue (and removing messages as appropriate), I think I'd start with Malwarebytes Anti-Malware. This would be best done while the mail server is stopped. It may trip on things in the mail store, so be extra cautious cleaning anything up there. Mostly you're looking for run-of-the-mill spamming malware, which will likely be on the boot drive.
nixius
Is there any way I can track the spamming process?
As I'm running ESET on my server, I'd rather not run another anti-virus product. :(
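A way to attribute those loopback sessions to a process, as an added example that is not from the thread or from Kerio: the debug log shows each session beginning and ending within the same second, so a one-shot look with CurrPorts mostly catches the leftover TIME_WAIT sockets, which Windows lists with PID 0. Polling `netstat -ano` every few hundred milliseconds and recording the owner of any live connection whose foreign end is the SMTP port gets the PID before the process closes the socket. The script assumes Kerio's SMTP service listens on 127.0.0.1:25 (the server port is not shown in the posted log; use `-SmtpPort 587` or `465` if that is what the client hits), that it runs from an elevated PowerShell 2.0 or later prompt on the mail server itself, and the output file name is the author's choice.

```powershell
# Added example, not code from the thread or from Kerio. Polls "netstat -ano" fast
# enough to catch the short-lived loopback SMTP sessions seen in the debug log
# (session begin and end within the same second) while a live process still owns
# the socket. Sockets already in TIME_WAIT are listed with PID 0 and cannot be
# attributed, which is the result CurrPorts gave.
# Assumptions: Kerio's SMTP service listens on 127.0.0.1:25 (override -SmtpPort);
# run in an elevated PowerShell 2.0+ prompt on the mail server.
param(
    [int]$SmtpPort = 25,
    [int]$PollMs = 200,
    [string]$OutFile = "$env:TEMP\loopback-smtp-clients.log"
)

$seen = @{}    # "pid:localaddr" keys already reported, so each session is logged once
Write-Host "Watching loopback clients of 127.0.0.1:$SmtpPort (Ctrl+C to stop), log: $OutFile"

while ($true) {
    # netstat -ano rows: Proto  Local Address  Foreign Address  State  PID
    $rows = netstat -ano -p TCP | Select-String "127\.0\.0\.1:$SmtpPort\s"
    foreach ($row in $rows) {
        $f = $row.Line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $local = $f[1]; $remote = $f[2]; $state = $f[3]; $procId = [int]$f[4]

        # Keep only the client side of a session: the foreign end is the SMTP port and
        # the local end is an ephemeral port (127.0.0.1:31825 in the posted debug log).
        if ($remote -ne "127.0.0.1:$SmtpPort") { continue }
        # PID 0 means no live owner (typically TIME_WAIT); nothing to attribute.
        if ($procId -eq 0) { continue }

        $key = "$procId" + ":" + $local
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the owner via WMI: image path, command line and the account it runs as.
        $name = "?"; $path = "?"; $cmd = "?"; $user = "?"
        $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
        if ($proc) {
            $name = $proc.Name; $path = $proc.ExecutablePath; $cmd = $proc.CommandLine
            $o = $proc.GetOwner()
            if ($o.ReturnValue -eq 0) { $user = "$($o.Domain)\$($o.User)" }
        }
        $rec = "{0} {1} -> {2} {3} PID={4} Name={5} Path={6} User={7} Cmd={8}" -f `
            (Get-Date -Format "yyyy-MM-dd HH:mm:ss.fff"), $local, $remote, $state, $procId, $name, $path, $user, $cmd
        Write-Host $rec
        Add-Content -Path $OutFile -Value $rec
    }
    Start-Sleep -Milliseconds $PollMs
}
```

Save it as, say, `Watch-LoopbackSmtp.ps1` and run it while the relay attempts are arriving every few minutes; a session shorter than the poll interval can still slip through, so drop `-PollMs` to 50 on a busy box. Once a path turns up, the HELO name from the debug log is a handy string to confirm the binary before submitting it to your AV vendor: `findstr /m /c:"NLP-Server" "<path from the log>"`. Only a process running on the server itself can connect from 127.0.0.1, so the fact that the relays are rejected means the outbound spam is blocked, not that the server is clean.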
Vicky
Hi Nixius,

You can track the spam process via the debug log. If you go to the debug log, right-click in the right-hand window, select 'Messages' and enable 'SpamAssassin Processing'. This will give you logging for the spam process in Kerio; just be sure to only enable this for a short time, as it will increase the size of your debug log.

I hope that helps.

All the best,
Vicky
nixius
I don't think it's about spam filtering.
Some process is trying to send mail from LOCAL! And I want to find it. :(
nixius
And in the following mailing list, where is the sender?
(screenshot: http://i42.tinypic.com/2me9lh.png)