Solved

exchange hack?

Posted on 2004-04-01
8
183 Views
Last Modified: 2010-04-09
Our exchange server keeps getting in a state where it is sending out hundreds/thousands of unknown emails. I have downloaded all the service packs, all the antivirus is up to date and the server scanned for viruses so i can only assume the attack is from a hacker. We have a PIX firewall and a gateway router, but as we have two sites i have had to turn the mailguard feature off on the pix to allow the remote sites email to function, our exchange server is hosted by ourselves so we have to leave the port 25 to the exchange server open to allow email in from any source, this must be the way the hacker is getting in, is there a way of tightening down the firewall/router to stop this attack?
0
Comment
Question by:hedley2k
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 32

Accepted Solution

by:
LucF earned 500 total points
ID: 10730487
Hi hedley2k,

Check if your not an open relay:
if you're using Exchange 5.5 => http://support.microsoft.com/?kbid=193922
if you're using Exchange 2000 => http://support.microsoft.com/?kbid=310380

Greetings,

LucF
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10730504
>>we have to leave the port 25 to the exchange server open to allow email in from any source

Are you sure? normal procedure is for your exchange box to point to a Mail relay? who is your service provider? consider creating your TCP port 25 rule for Just the IP of your Mail relay, of course an intelligent hacket can clone this layer two address, but if your provider can accept ESMTP traffic you can password protect the link from your local virtual SMTP server to the mail relay.
0
 
LVL 20

Expert Comment

by:What90
ID: 10731290
Have you checked the none of the workstations have works/viruses on them doing mass mailing?
Update and run an av check on all your machines just to make sure it's not an internal issue first.
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:hedley2k
ID: 10732075
The reason i believed it was external was in the current sessions folder on exchange were users with names like evildoer and a public ip address, what i've tried in the exchange virual server relay options is to remove the access to everyone who is authenticated and put our two internal subnets in the aurthorised list. This seems to have work... touch wood.
0
 
LVL 32

Expert Comment

by:LucF
ID: 10732086
So you where an open relay :(
Good that you catched this...
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10732883
>>Good that you catched this...

Thats the first time Ive ever seen your english slip Luc :)
Glad your running, Id still look at ESMTP in the future at least then your mail link would be password protected

good luck

Pete
0
 
LVL 32

Expert Comment

by:LucF
ID: 10733471
Hmm...
0
 
LVL 35

Expert Comment

by:Bembi
ID: 10797770
Let me make another comment, as we regarded it in the last days.

We had a customer, which reported a few hundred mails going out and producing NDRs, as the virus scanners where not quick enough to update themselves and the virus was gone through to the mailboxes. Some of the users klicked on them and they started to send E-Mails around the world. As the virus came in the night and the virus scanners were updating early in the morning, the clients were sending the mails, but then blocked by the virus scanner, which sent a lot of NDRs back to the clients and to the admin.

This was simply a timing problem, as the clients need to run to update themselves to recognize the virus on the client machines in time and it solves itselves after virus scanner update.  

This is only an additional possibility, you should take care of, independend on open relay and other misconfiguration issues.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question