pk24573
asked on
SBS 2003 Exchange server being ATTACKED by users in current session under smtp connector
Hello Experts!
I've had a hell of a past 24 hours trying to figure out what is going on.
My Exchange server has been working beautifully for the past 4-5 years.
I THOUGHT everything was locked down nicely until yesterday, when I see the queue with 19,000 emails...
My server is not an open relay. They're getting in some other way.
And what I see is that under the current sessions in the SMTP connector, there are (for the first time) users with static IPs. I blocked them in the connection properties by selecting "all except the below" and I put in the static IPs of the attackers. And that worked for 30-60 min, and then there's a new set of IPs... but it's always the same IP listed about 10 times.
I'm at a loss. I've followed various steps I've found in Microsoft KB articles, but nothing seems to help.
When the dust has settled, please have a read of my two blog articles too:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/
http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
You can also empty the queues of the spam very quickly by using aqadmcli.exe, which can be downloaded from the link on the following page (with usage instructions):
http://community.spiceworks.com/how_to/show/267
Alan
ASKER
I'm reading as we speak...
THANKS FOR THE QUICK REPLY...
And it does sound like it's an authenticated relay !@#$!@#$
ASKER
questions
1) In my scenario I need sender filtering, correct? (Someone is logging into my server somehow and sending emails.)
2) How in the world is this happening? How are they logging in and sending the emails? Is it as simple as someone finding out a password?
ASKER
I quickly went for the simple fix, disabling Basic & Integrated Authentication; however, I left Anonymous authentication checked. Should I disable that as well, because I'm still seeing random users under current users?
questions
>> 1) in my scenario i need sender filtering correct? (someone is logging into my server somehow and sending emails) <<
Sender filtering is not going to help because the hacker / spammer has a username and password and is therefore a 'trusted' sender and will bypass all Anti-Spam checking you might make.
>> 2) how in the world is this happening...how are they logging in and sending the emails. is it as simple as someone finding out a password? <<
My blog about Brute Force Attacks should explain it a bit but basically a computer or computers out in the world have been systematically trying various combinations of username / passwords until they find one that works. Once they find one that works - you start having your server abused.
Once you have resolved the issue - you will need to de-list yourself on the various blacklist sites:
www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org will help identify the regular ones, but you may need to contact the ones that don't drop off after a while. Some are fairly quick to de-list you - others take about 4 weeks - some don't accept de-listing requests - some demand a small amount of money (don't pay unless you are suffering big time).
If you don't have external users sending mail to your server via SMTP then keep the Authentication on your SMTP Virtual Server to Anonymous only - then the problem won't happen again for the same reason.
Long and the short - someone has a weak password and it was guessed. My blog advises what you can do to tighten up security to try and prevent it from happening again.
Alan
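The brute-force pattern Alan describes (one IP hammering AUTH until a password works, then relaying through the account) leaves a trail in the SMTP virtual server's W3C-format log. The following is an added example, not code from the thread or from Alan's blog: it reads the `#Fields:` header to locate columns, counts AUTH outcomes per client IP and flags the brute-forcing or just-compromised sources. The log lines are constructed for illustration, and the use of `cs-method`/`sc-status` for the SMTP verb and reply code is an assumption about the log layout.

```python
# Added example (not from the thread): flag SMTP AUTH brute force in an
# Exchange 2003 / IIS SMTP virtual server log (W3C extended format).
# Assumes c-ip, cs-username, cs-method and sc-status are logged; the sample
# below is constructed, not taken from a real server.
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2010-12-01 03:14:01 203.0.113.45 - SMTPSVC1 EHLO - 250
2010-12-01 03:14:02 203.0.113.45 - SMTPSVC1 AUTH - 535
2010-12-01 03:14:03 203.0.113.45 - SMTPSVC1 AUTH - 535
2010-12-01 03:14:04 203.0.113.45 - SMTPSVC1 AUTH - 535
2010-12-01 03:14:05 203.0.113.45 - SMTPSVC1 AUTH - 535
2010-12-01 03:14:06 203.0.113.45 - SMTPSVC1 AUTH - 535
2010-12-01 03:14:07 203.0.113.45 jsmith SMTPSVC1 AUTH - 235
2010-12-01 03:14:08 203.0.113.45 jsmith SMTPSVC1 MAIL - 250
2010-12-01 03:15:10 198.51.100.7 - SMTPSVC1 EHLO - 250
2010-12-01 03:16:20 192.0.2.9 bob SMTPSVC1 AUTH - 235
"""

def parse_w3c(text):
    """Turn a W3C extended log into dicts keyed by the names in #Fields."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                            # other directives and blank lines
        elif fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def auth_activity(rows):
    """Per client IP: AUTH attempts, 5xx failures, 235 successes, accounts seen."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "succeeded": 0, "users": set()})
    for r in rows:
        if r.get("cs-method") != "AUTH":
            continue
        s = stats[r["c-ip"]]
        s["attempts"] += 1
        code = r.get("sc-status", "")
        if code.startswith("5"):                # 535 = authentication failed
            s["failed"] += 1
        elif code == "235":                     # 235 = authentication succeeded
            s["succeeded"] += 1
        if r.get("cs-username", "-") != "-":
            s["users"].add(r["cs-username"])
    return stats

def flag_brute_force(rows, max_failures=5):
    """IPs that failed AUTH too often, or succeeded after failing (password guessed)."""
    flagged = {}
    for ip, s in auth_activity(rows).items():
        if s["failed"] >= max_failures or (s["failed"] and s["succeeded"]):
            flagged[ip] = {**s, "users": sorted(s["users"])}
    return flagged
```

An IP that appears in `flag_brute_force` with a success after failures is the account to reset first, and the one to add to the SMTP virtual server's connection-control deny list while the password is changed.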
ASKER
1) I've disabled the authentication as you mentioned in the SMTP virtual server.
2) I've applied the sender filtering.
Results:
The queue has stopped filling up; however, the current users under the SMTP virtual server still exist.
Because I did have "tight" controls on the server, the spam wasn't being sent out. It was just filling up my queue, and in turn my HDDs.
When you say external users, you mean users of ActiveSync and POP, correct? Does it include OWA users as well?
I'm sending test emails from a domain user using OWA and the email isn't being sent... (I'm assuming this is a result of the authentication settings?)
Thanks,
If you restart the SMTP service - the current users under the SMTP service will get disconnected, but once it starts again, only anonymous users can send you mail, which is fine.
By external users I only mean SMTP / POP users. Activesync / OWA uses HTTPS so won't be affected.
What I have suggested should not affect outbound mail at all - only incoming mail.
ASKER
Very thorough!
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html