I have a 2003 Standard box with 1 network interface with 4 ip addresses all
on that interface. This machine is a public server that I use to host
websites. I had Microsoft help me secure smtp & pop3 using RRAS Basic
Firewall.
I have a filter for each IP address and each port. (e.g. 10.0.0.1 corporate
customers - 10.0.0.2 personal customers - 10.0.0.3 my websites)
I have separate SMTP TCP 25 filters for 10.0.0.2 & 10.0.0.3
I found in my event log smtp error messages that looked like spam relaying.
So I telnet to each mail server - telnet mail.domain.com 25
On 10.0.0.2, I put a recipient that was external to my server, the relay was
allowed.
Did the same thing on 10.0.0.3, and the relay was rejected (as it should be).
I reboot the server, same thing. I turn off the filter on 10.0.0.2, restart
RRAS, turn the filter on and restart RRAS. Voila... Success.
Does any of this make any sense? Any ideas on where to check for intrusion?
I think I have maximum logging enabled for Security and nothing has shown up
there. At this point, I just don't have any faith that I am as protected as
I should be. Did someone hack me and damage that filter?
Any advice would be great.
Cheers,
John
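The manual telnet relay test above, scripted so it can be repeated after every RRAS/filter change (added example, not from the original post). It runs the same dialogue against a server you administer: EHLO, MAIL FROM, then RCPT TO an address outside your domains, and reads the verdict from the RCPT reply code; the transaction is reset before DATA so no message is ever injected. The host addresses, the probe sender and the external recipient are placeholders, and FakeSMTP is a constructed stand-in so the logic runs offline.

```python
"""Relay self-check for your own SMTP servers (added example, not the
original poster's code).  250 on RCPT TO an external address means the
server would relay it; 5xx means it refuses, which is the expected state."""
import smtplib


def classify_rcpt(code: int) -> str:
    """Map the RCPT TO reply code to a relay verdict."""
    if 200 <= code < 300:
        return "relay-allowed"      # the server accepted a foreign recipient
    if 500 <= code < 600:
        return "relay-refused"      # e.g. 550 Relaying denied
    return "undetermined"           # 4xx: greylisting / temporary failure


def relay_check(smtp, mail_from: str, external_rcpt: str) -> str:
    """Run EHLO, MAIL FROM, RCPT TO on a connected smtplib-style client,
    then RSET so the transaction never reaches DATA."""
    smtp.ehlo_or_helo_if_needed()
    code, _ = smtp.mail(mail_from)
    if code != 250:
        return "undetermined"       # sender rejected: cannot judge relaying
    code, _ = smtp.rcpt(external_rcpt)
    verdict = classify_rcpt(code)
    smtp.rset()                     # abandon the transaction cleanly
    return verdict


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP: answers RCPT with a fixed
    code so the check can be exercised without a network."""
    def __init__(self, rcpt_code: int):
        self.rcpt_code = rcpt_code
        self.reset_called = False

    def ehlo_or_helo_if_needed(self):
        pass

    def mail(self, sender, options=()):
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recip, options=()):
        return self.rcpt_code, b""

    def rset(self):
        self.reset_called = True
        return 250, b"2.0.0 Resetting"


if __name__ == "__main__":
    # Placeholder addresses: the two mail servers from the post.
    for host in ("10.0.0.2", "10.0.0.3"):
        with smtplib.SMTP(host, 25, timeout=10) as s:
            print(host, relay_check(s, "probe@example.net", "someone@example.org"))
```

Run it before and after touching the RRAS filters and keep the output: a server that flips from relay-refused to relay-allowed after a reboot is a configuration-persistence problem worth chasing independently of any intrusion question.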