Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

exchange hack?

Posted on 2004-04-01
8
Medium Priority
?
186 Views
Last Modified: 2010-04-09
Our exchange server keeps getting in a state where it is sending out hundreds/thousands of unknown emails. I have downloaded all the service packs, all the antivirus is up to date and the server scanned for viruses so i can only assume the attack is from a hacker. We have a PIX firewall and a gateway router, but as we have two sites i have had to turn the mailguard feature off on the pix to allow the remote sites email to function, our exchange server is hosted by ourselves so we have to leave the port 25 to the exchange server open to allow email in from any source, this must be the way the hacker is getting in, is there a way of tightening down the firewall/router to stop this attack?
0
Comment
Question by:hedley2k
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 32

Accepted Solution

by:
LucF earned 1500 total points
ID: 10730487
Hi hedley2k,

Check if your not an open relay:
if you're using Exchange 5.5 => http://support.microsoft.com/?kbid=193922
if you're using Exchange 2000 => http://support.microsoft.com/?kbid=310380

Greetings,

LucF
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10730504
>>we have to leave the port 25 to the exchange server open to allow email in from any source

Are you sure? normal procedure is for your exchange box to point to a Mail relay? who is your service provider? consider creating your TCP port 25 rule for Just the IP of your Mail relay, of course an intelligent hacket can clone this layer two address, but if your provider can accept ESMTP traffic you can password protect the link from your local virtual SMTP server to the mail relay.
0
 
LVL 20

Expert Comment

by:What90
ID: 10731290
Have you checked the none of the workstations have works/viruses on them doing mass mailing?
Update and run an av check on all your machines just to make sure it's not an internal issue first.
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Author Comment

by:hedley2k
ID: 10732075
The reason i believed it was external was in the current sessions folder on exchange were users with names like evildoer and a public ip address, what i've tried in the exchange virual server relay options is to remove the access to everyone who is authenticated and put our two internal subnets in the aurthorised list. This seems to have work... touch wood.
0
 
LVL 32

Expert Comment

by:LucF
ID: 10732086
So you where an open relay :(
Good that you catched this...
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10732883
>>Good that you catched this...

Thats the first time Ive ever seen your english slip Luc :)
Glad your running, Id still look at ESMTP in the future at least then your mail link would be password protected

good luck

Pete
0
 
LVL 32

Expert Comment

by:LucF
ID: 10733471
Hmm...
0
 
LVL 35

Expert Comment

by:Bembi
ID: 10797770
Let me make another comment, as we regarded it in the last days.

We had a customer, which reported a few hundred mails going out and producing NDRs, as the virus scanners where not quick enough to update themselves and the virus was gone through to the mailboxes. Some of the users klicked on them and they started to send E-Mails around the world. As the virus came in the night and the virus scanners were updating early in the morning, the clients were sending the mails, but then blocked by the virus scanner, which sent a lot of NDRs back to the clients and to the admin.

This was simply a timing problem, as the clients need to run to update themselves to recognize the virus on the client machines in time and it solves itselves after virus scanner update.  

This is only an additional possibility, you should take care of, independend on open relay and other misconfiguration issues.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

661 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question