Windows 2003 Server IIS SMTP Sending SPAM

We have a Windows 2003 Server using IIS6 for SMTP and websites. A couple of weeks ago the server started to send out SPAM emails.

I'm trying to figure out how to identify where the SPAM is coming from and, of course, a way of stopping it, but I'm not so sure how to troubleshoot.

Any ideas would help me a lot.

Would changing SMTP ports help? I was thinking of blocking inbound SMTP so it only works locally, but of course if the problem is a website sending, that won't stop it.

Thanks.

I enabled the firewall log and this is what I'm getting:

Version: 1.5
Software: Microsoft Windows Firewall
Time Format: Local
Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.104 4970 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.54.188.126 4972 25 - - - - - - - - -
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.54.188.94 4958 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4975 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.88 77.68.46.186 25 4959 40 AR 1939623047 2961615394 0 - - - RECEIVE
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.55.37.120 4960 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.120 77.68.46.186 25 4960 40 AR 1382203938 774213447 0 - - - RECEIVE
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4977 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.88 4978 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.37.104 4982 25 - - - - - - - - -
2011-07-13 17:03:01 CLOSE TCP 77.68.46.186 65.55.92.152 4966 25 - - - - - - - - -
2011-07-13 17:03:01 DROP TCP 65.55.37.72 77.68.46.186 25 4961 40 AR 3341861931 1204012885 0 - - - RECEIVE
2011-07-13 17:03:01 DROP TCP 65.54.188.94 77.68.46.186 25 4962 40 AR 1697379010 1155997716 0 - - - RECEIVE
2011-07-13 17:03:01 CLOSE TCP 77.68.46.186 65.54.188.72 4964 25 - - - - - - - - -
2011-07-13 17:03:01 DROP TCP 65.54.188.72 77.68.46.186 25 4964 40 AR 2752442853 4065488804 0 - - - RECEIVE
2011-07-13 17:03:01 DROP TCP 65.55.37.72 77.68.46.186 25 4968 40 AR 1360755958 4219846967 0 - - - RECEIVE
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.136 4985 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.152 4986 25 - - - - - - - - -

But I can't find a way to find the PID of each of them; I added the PID column to Task Manager but can't find the PID in the logs.
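An added example (not from the poster or the answer) that parses the firewall log quoted above in Python and separates connections the host itself opens to remote port 25 (it is the sender) from connections remote hosts open to its port 25 (it would be a relay). It assumes the pfirewall.log header lines start with "#" as Windows writes them; the extract above lost that character, and the parser accepts both forms.

```python
"""Triage an outbound-SMTP burst in a Windows Firewall log (pfirewall.log format)."""
import re
from collections import Counter

# Sample taken from the log quoted in the post above (the "#" that pfirewall.log
# puts in front of header lines is restored here; the extract lost it).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.37.104 4970 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.54.188.126 4972 25 - - - - - - - - -
2011-07-13 17:03:00 CLOSE TCP 77.68.46.186 65.54.188.94 4958 25 - - - - - - - - -
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4975 25 - - - - - - - - -
2011-07-13 17:03:00 DROP TCP 65.55.37.88 77.68.46.186 25 4959 40 AR 1939623047 2961615394 0 - - - RECEIVE
2011-07-13 17:03:00 OPEN TCP 77.68.46.186 65.55.92.184 4977 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.37.104 4982 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.136 4985 25 - - - - - - - - -
2011-07-13 17:03:01 OPEN TCP 77.68.46.186 65.55.92.152 4986 25 - - - - - - - - -
"""

DATA_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")

def parse_firewall_log(text):
    """Return one dict per data line, keyed by the column names in the Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.lstrip("#").startswith("Fields:"):
            fields = line.split(":", 1)[1].split()
        elif fields and DATA_LINE.match(line):
            records.append(dict(zip(fields, line.split())))
    return records

def outbound_smtp_summary(records, local_ip):
    """Split port-25 OPEN events by direction: the host sending (outbound)
    versus remote hosts connecting to it (inbound, i.e. possible relay use)."""
    opens = [r for r in records if r["action"] == "OPEN" and r["dst-port"] == "25"]
    outbound = [r for r in opens if r["src-ip"] == local_ip]
    inbound = [r for r in opens if r["dst-ip"] == local_ip]
    src_ports = sorted(int(r["src-port"]) for r in outbound)
    return {
        "outbound_opens": len(outbound),
        "inbound_opens": len(inbound),
        "distinct_destinations": len({r["dst-ip"] for r in outbound}),
        "peak_opens_per_second": max(Counter(r["time"] for r in outbound).values(), default=0),
        # The log has no PID column; this local-port range is what to match
        # against "netstat -ano" output captured at the same moment.
        "src_port_range": (src_ports[0], src_ports[-1]) if src_ports else None,
    }
```

Every OPEN in the sample is the server connecting out, so the machine is the sender rather than a relay target; the firewall log never records a PID, so the local source ports it shows are the values to match against `netstat -ano`, which lists the owning PID for each local port.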


Solution 1:

Is the spam coming from an internal host or an external host?

Have you enabled logging on IIS for SMTP? http://support.microsoft.com/kb/303738

1) Check the log.

2) Make sure that you are not an open relay: http://support.microsoft.com/kb/324281

How were you alerted to the spam that was coming from your server?

Consider: set up Wireshark (no affiliation) on the server, watch port 25 and catch some spammers in the act!