Today I had to sort out a client’s mail server after BT disconnected them from all broadband access. Their server had sent out 108 000 spam e-mails, and the mail queues were full, trying to send more.
They had to contact BT, and ask them to re-connect their broadband service, so that I could remotely login and take a look into the issue.
First thing I did once I got access was disable their SMTP Service. To do this, right-click My Computer, go to “Manage” expand “Services and Applications” Double click on Services, and scroll down to Simple Mail Transport Protocol Service. Right-click it, and select Stop. This will halt all outgoing mail.
From this point, I logged into the router (Which happened to be a Netgear DG834), and checked the firewall logs. I could see tons of SMTP connections from external IP address, first of all I thought let me just secure the firewall – this hadn’t been done on this particular router.
I went to the Firewall settings, and made some rules as follows :
Allow SMTP(25) for single IP address on the internal LAN (192.168.16.2) – this is the IP of the mail server.
Dissallow SMTP(25) for all IP addresses on internal LAN. (The above rule for the server overrides this).
I did a test before enabling these rules by using telnet to test outgoing SMTP connections from a few client PCs on the network first.
From command prompt, type : telnet anymailserver.com 25 (replace anymailserver.com with a mail server address such as mail.google.com). I could make a connection using this before the rule was in place, after the rule was enabled I could not, so this firewall rule was working well to block SMTP traffic from any PCs on the network that we didn’t want to be able to send mail. This by the way, was in case one or more of the PCs had picked up a mass mailing worm that was sending spam directly from the PC. A telnet test from the mail server still worked, as I had explicity allowed SMTP traffic from it’s IP address. So that was the Internal network locked down. You can see if you get a successful telnet on port 25 if the command prompt goes blank, or gives you a mail server welcome message. (See the image below). If you don’t get a connection, the attempt will time out, and say it didn’t manage to connect after a few seconds.
Another thing to do at this point, would be to ensure the Anti virus is up to date on all PCs and the server, and scan them to ensure they are all clean.
Next up was the Exchange configuration – I checked that relay access was restricted only to the Mail server itself.
Open Exchange System Manager by going to Start menu – Programs, Exchange, Exchange System Manager.
Expand Servers, select your mail server name (In this case it is SBS2003), expand protocols, expand SMTP, and right click on the Default SMTP Virtual Server icon, then select Properties. (See image below)
Once the properties sheet is open, click on the “Access” tab, then click on the “Relay” button.
Ensure that only localhost (127.0.0.1) – the server itself, and the Server’s IP address internally are in the list. So in this case 127.0.0.1 and 192.168.16.2 are in the list, with the option “Only the computers below” selected. Then untick the check box below that list (Allow all computers which successfully authenticate to relay, regardless of the list above). This makes sure that only the server can relay mail. Obviously the situation depends on how your network is setup, so as long as you don’t have other mail servers connecting to this exchange server then you should be safe un-ticking this option. See image below :
Click Ok, and then Ok once again. Open My computer, and browse to your exchange server’s queue folder. This is usually in C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue
You would probably have thousands of files in here, so re-name the Queue folder to Queue_old or something like that, and create a new folder called “Queue” in it’s place. This will ensure a clear queue for when we re-enable the SMTP service.
Now go to your Services again, and Start the SMTP service, by right-clicking Simple Mail Transport Protocol, and clicking the Start option.
If all goes well, your queues should stay clear of any bad mail, and your network should be able to send mail again.