SMTP Server used for Spam?

[Karl]

Hello!

I have a question. I maintain an SMTP server, and I'm trying to find out a bit of information about what our server's being used for.

I've noticed in this log that FROM email addresses our company has never heard of ([email protected], [email protected], and so on) have been emailing people; some addresses seem to exist, some don't. None of them (as far as I can tell) are solicited.

Is there any way that I can tell how these messages are being sent? Is it possible that it's done via a contact form that the web server hosts?

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-01-23 00:41:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer) 
2007-01-23 00:41:01 218.170.53.101 acer-edcff3c732 SMTPSVC1 S78540 192.168.1.51 0 EHLO - +acer-edcff3c732 250 0 199 20 0 SMTP - - - -
2007-01-23 00:41:04 218.170.53.101 acer-edcff3c732 SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 48 35 16 SMTP - - - -
2007-01-23 00:41:04 218.170.53.101 acer-edcff3c732 SMTPSVC1 S78540 192.168.1.51 0 RCPT - +TO:<[email protected]> 550 0 55 33 0 SMTP - - - -
2007-01-23 00:41:06 218.170.53.101 acer-edcff3c732 SMTPSVC1 S78540 192.168.1.51 0 QUIT - acer-edcff3c732 240 6328 69 4 0 SMTP - - - -
2007-01-23 05:54:02 203.49.155.153 mail.peterlik.com.au SMTPSVC1 S78540 192.168.1.51 0 EHLO - +mail.peterlik.com.au 250 0 199 25 0 SMTP - - - -
2007-01-23 05:54:03 203.49.155.153 mail.peterlik.com.au SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 44 31 0 SMTP - - - -
2007-01-23 05:54:04 203.49.155.153 mail.peterlik.com.au SMTPSVC1 S78540 192.168.1.51 0 RCPT - +TO:<[email protected]> 550 0 63 41 0 SMTP - - - -
2007-01-23 05:54:07 203.49.155.153 mail.peterlik.com.au SMTPSVC1 S78540 192.168.1.51 0 QUIT - mail.peterlik.com.au 240 6359 69 4 0 SMTP - - - -
2007-01-23 05:57:32 84.95.125.97 84.95.125.97.cable.012.net.il SMTPSVC1 S78540 192.168.1.51 0 EHLO - +84.95.125.97.cable.012.net.il 250 0 197 34 0 SMTP - - - -
2007-01-23 05:57:32 84.95.125.97 84.95.125.97.cable.012.net.il SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 58 45 0 SMTP - - - -
2007-01-23 05:57:32 84.95.125.97 84.95.125.97.cable.012.net.il SMTPSVC1 S78540 192.168.1.51 0 RCPT - +TO:<[email protected]> 550 0 60 38 0 SMTP - - - -
2007-01-23 05:57:32 84.95.125.97 84.95.125.97.cable.012.net.il SMTPSVC1 S78540 192.168.1.51 0 QUIT - 84.95.125.97.cable.012.net.il 240 438 69 4 0 SMTP - - - -
2007-01-23 06:33:48 222.92.1.98 mail.reifenhauser.com.cn SMTPSVC1 S78540 192.168.1.51 0 EHLO - +mail.reifenhauser.com.cn 250 0 196 29 0 SMTP - - - -
2007-01-23 06:33:48 222.92.1.98 mail.reifenhauser.com.cn SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 44 31 0 SMTP - - - -
2007-01-23 06:33:48 222.92.1.98 mail.reifenhauser.com.cn SMTPSVC1 S78540 192.168.1.51 0 RCPT - +To:<[email protected]> 550 0 59 37 0 SMTP - - - -
2007-01-23 06:33:49 222.92.1.98 mail.reifenhauser.com.cn SMTPSVC1 S78540 192.168.1.51 0 QUIT - mail.reifenhauser.com.cn 240 1797 69 4 0 SMTP - - - -
2007-01-23 07:35:46 213.56.248.150 - SMTPSVC1 S78540 192.168.1.51 0 EHLO - +|http://esunhuitionkdefunhsadwa.com:8888/cgi-bin/put.cgi 501 0 27 61 0 SMTP - - - -
2007-01-23 07:35:46 213.56.248.150 - SMTPSVC1 S78540 192.168.1.51 0 HELO - +|http://esunhuitionkdefunhsadwa.com:8888/cgi-bin/put.cgi 501 0 27 61 0 SMTP - - - -
2007-01-23 07:35:46 213.56.248.150 amb_pc12 SMTPSVC1 S78540 192.168.1.51 0 EHLO - +amb_pc12 250 0 199 13 0 SMTP - - - -
2007-01-23 07:35:46 213.56.248.150 amb_pc12 SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 48 35 0 SMTP - - - -
2007-01-23 07:35:46 213.56.248.150 amb_pc12 SMTPSVC1 S78540 192.168.1.51 0 RCPT - +TO:<[email protected]> 550 0 63 41 0 SMTP - - - -
2007-01-23 07:35:47 213.56.248.150 amb_pc12 SMTPSVC1 S78540 192.168.1.51 0 QUIT - amb_pc12 240 1719 69 4 0 SMTP - - - -
2007-01-23 07:54:21 88.154.52.206 bzq-88-154-52-206.red.bezeqint.net SMTPSVC1 S78540 192.168.1.51 0 EHLO - +bzq-88-154-52-206.red.bezeqint.net 250 0 198 39 0 SMTP - - - -
2007-01-23 07:54:21 88.154.52.206 bzq-88-154-52-206.red.bezeqint.net SMTPSVC1 S78540 192.168.1.51 0 MAIL - +FROM:<[email protected]> 250 0 53 40 0 SMTP - - - -
2007-01-23 07:54:21 88.154.52.206 bzq-88-154-52-206.red.bezeqint.net SMTPSVC1 S78540 192.168.1.51 0 RCPT - +TO:<[email protected]> 550 0 60 38 0 SMTP - - - -
2007-01-23 07:54:21 88.154.52.206 bzq-88-154-52-206.red.bezeqint.net SMTPSVC1 S78540 192.168.1.51 0 QUIT - bzq-88-154-52-206.red.bezeqint.net 240 438 69 4 0 SMTP - - - -
2007-01-23 08:39:09 59.117.67.92 www.MyMainServer.com SMTPSVC1 S78540 192.168.1.51 0 HELO - +www.MyMainServer.com 250 0 47 25 0 SMTP - - - -
2007-01-23 08:39:09 59.117.67.92 www.MyMainServer.com SMTPSVC1 S78540 192.168.1.51 0 MAIL - +from:<[email protected]> 250 0 54 41 0 SMTP - - - -
2007-01-23 08:39:09 59.117.67.92 www.MyMainServer.com SMTPSVC1 S78540 192.168.1.51 0 RCPT - +to:<[email protected]> 550 0 55 33 0 SMTP - - - -
2007-01-23 08:39:10 59.117.67.92 www.MyMainServer.com SMTPSVC1 S78540 192.168.1.51 0 QUIT - www.MyMainServer.com 240 1344 55 33 328 SMTP - - - -

Any help is appreciated,

Cheers,

Karl.

 

[Baz]

Looks like your server is relaying emails which is bad!

What email server is it, Exchange 2000?

 

[Karl]

It's a standard windows 2000 box using IIS 6.0

Any thoughts of what I can do to prevent this?

 

[Baz]

If you have no Email server or SMTP service running on the servers or within the network, then block port 25 on the firewall. That will stop it dead.

 

[Karl]

I do use CDONTS with ASP code on the server that sends out emails. That'd probably be affected, wouldn't it?