Server hijack?

jediman

Hi all! I have Kerio Mail Server 6 running on Linux Mandrake 10.1... everything I THOUGHT was secure, up until somehow my server decided to take open relay and put it to ON. Realizing that was the case, I did my admin thing, and went to secure the network, close open relay, and then blocked the IP address of the offender. Of course I thought, well hell, I turned on as much authentication protocol as I could and only allowed it so that myself as an admin and my user account could send through my server... however that's not the case apparently. Now, and usually this happens like @ 5:30am or so, I get a bunch of rejected emails in my spam folder stating that there is a virus that was blocked from an email and undeliverable to such and such a place. Usually hotmail. Now, I blocked the IP address, and now I am not sure what else to do. You can't send via my server without my password, and for kicks I changed it to something much more cryptic, but if anyone has any good tips for this, please let me know. I'd seriously like to block this jerkwad from even attempting to steal my bandwidth here... grr!

jediman

For instance:

Quote:

From: mymailplace@here.com To: mailhost@msn.com
Subject: Re:

ok ok ok,,,,, here is it

*** AntiVirus: No Virus found
*** "MSN" Anti-Virus
*** http://www.msn.com

--------------------------------------------------------------------------------

This part of mail contained a virus:

MIME type: application/octet-stream
File name: our_secret.zip
File size: 71.80 kB
Virus name: W32/Sober.p@MM!zip
Antivirus: McAfee Scanning Engine (4485/4.4.00)

The attachment was removed by Kerio MailServer 6.0.9 at localhost.

[Updated on: Fri, 06 May 2005 15:10]


pwhodges

Those aren't going through your server; the rejection messages are backscatter from messages mailed from elsewhere by a virus that has spoofed the sender address to look like you - which is where the dumb AV software then sends its rejection message. That virus (Sober.p - but the last letter varies with AV company) is the flavour of this week.

Sending the rejection message is an admin option in most AV packages; but since the viruses that spoof addresses are known, the software ought to be able to block sending messages in those cases - I don't know any that are that intelligent, though.

Paul

[Updated on: Fri, 06 May 2005 16:09]


jediman

Understandable. One other question though: when open relay WAS on, someone WAS sending through me. That has since stopped. I am just wondering if what I get now IS total backwash from before. I wonder how they got my email addy... grr!!

keneisman

It sounds as though someone is spoofing your email address. They're not really sending through your server. They are just sending email from wherever but using your email address as the FROM or REPLY TO address. It's a VERY common practice. No mail server should be configured to automatically bounce viruses. The bounce will never get to the machine that actually sent it.

Bottom line... your system is probably not compromised.

HTH
Ken
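A defender-side check that follows from the two replies above (the notices are backscatter from a forged sender address, and the original never passed through your server), written as an added Python example that is not code from this thread or from Kerio: it sorts an inbound message into a normal message, a legitimate bounce, or backscatter. It assumes the forged domain is here.com, that you can supply the set of Message-IDs your own outbound server really emitted (for instance harvested from its mail log), and the sample notice is constructed after the one quoted earlier in the thread.

```python
import re
import email.policy

OUR_DOMAIN = "here.com"  # assumption: the domain whose addresses are being forged

# Phrases that AV gateways and MTAs put in auto-generated notices; the
# first is the wording of the Kerio notice quoted in the thread.
NOTICE_MARKERS = (
    "this part of mail contained a virus",
    "delivery status notification",
    "undeliverable",
)
QUOTED_FROM = re.compile(r"^\s*>?\s*From:\s*.*?([\w.+-]+@[\w.-]+)", re.I | re.M)
QUOTED_MSGID = re.compile(r"^\s*>?\s*Message-ID:\s*(<[^>]+>)", re.I | re.M)

def classify(raw: bytes, sent_ids: set[str]) -> str:
    """Return 'normal', 'bounce' or 'backscatter' for one inbound message.
    sent_ids: Message-IDs our outbound server really emitted (e.g. from its
    log); a notice quoting a sender at OUR_DOMAIN that is not in it is forged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    rp = msg.get("Return-Path")
    is_notice = (
        (rp is not None and rp.strip() == "<>")             # null sender: a DSN
        or msg.get("Auto-Submitted", "no").lower() != "no"   # RFC 3834 marker
        or any(m in text.lower() for m in NOTICE_MARKERS)
    )
    if not is_notice:
        return "normal"
    quoted = QUOTED_FROM.search(text)
    if quoted is None or not quoted.group(1).lower().endswith("@" + OUR_DOMAIN):
        return "bounce"  # notice about someone else's mail, or nothing quoted
    mid = QUOTED_MSGID.search(text)
    if mid is not None and mid.group(1) in sent_ids:
        return "bounce"  # we really sent the original: a legitimate DSN
    return "backscatter"  # forged sender and no record of us sending it

# Constructed sample modelled on the notice quoted in the thread.
SAMPLE_NOTICE = b"""\
Return-Path: <>
From: antivirus@msn.example
To: mymailplace@here.com
Subject: Undeliverable: Re:

This part of mail contained a virus:
From: mymailplace@here.com To: mailhost@msn.example
Virus name: W32/Sober.p@MM!zip
"""
```

Feed the classifier from your inbound filter and discard or quarantine the "backscatter" class; the "bounce" class still reaches the user because the quoted Message-ID matched something the server actually sent.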

Tr!une

I have been getting lots more of this bogus mail bouncing back to the postmaster and admin accounts. It is a bit freaky, but all indications (i.e. sender's IP, computer name...) are that it is just typical post-virus spam.