Solved

exchange hack?

Posted on 2004-04-01
182 Views
Last Modified: 2010-04-09
Our Exchange server keeps getting into a state where it is sending out hundreds/thousands of unknown emails. I have downloaded all the service packs, all the antivirus is up to date and the server has been scanned for viruses, so I can only assume the attack is from a hacker. We have a PIX firewall and a gateway router, but as we have two sites I have had to turn the Mailguard feature off on the PIX to allow the remote site's email to function. Our Exchange server is hosted by ourselves, so we have to leave port 25 to the Exchange server open to allow email in from any source; this must be the way the hacker is getting in. Is there a way of tightening down the firewall/router to stop this attack?
Question by:hedley2k
8 Comments
 
LVL 32

Accepted Solution

by:
LucF earned 500 total points
ID: 10730487
Hi hedley2k,

Check that you're not an open relay:
if you're using Exchange 5.5 => http://support.microsoft.com/?kbid=193922
if you're using Exchange 2000 => http://support.microsoft.com/?kbid=310380

Greetings,

LucF
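The check LucF points at (the KB articles describe testing whether the server will accept mail from an outside sender for an outside recipient) can be done by hand over SMTP. The script below is an added example, not code from the thread or from Microsoft: it talks to TCP/25, sends EHLO, MAIL FROM an outside address and RCPT TO another outside domain, and reports whether the server answered 250 (it will relay for anyone) or 5xx (relay denied; Exchange returns "550 5.7.1 Unable to relay"). It stops before DATA, so nothing is actually relayed. The hostnames, addresses and the FakeExchange responder are constructed so the script runs offline; pass a hostname on the command line to probe a real server.

```python
"""Open-relay probe over plain SMTP (RFC 5321). Added example, not from the thread."""
import socket

HELO_NAME = "relaytest.example"           # assumption: any name works for the probe
OUTSIDE_SENDER = "probe@example.org"      # assumption: not a domain the server is authoritative for
OUTSIDE_RCPT = "postmaster@example.net"   # assumption: likewise not a local domain


def _last_line_is_final(buf):
    # An SMTP reply ends with a line whose 4th character is a space ("250 OK");
    # "250-..." lines are continuations of a multi-line reply (EHLO answers).
    last = buf.rstrip(b"\r\n").split(b"\r\n")[-1]
    return len(last) == 3 or (len(last) > 3 and last[3:4] == b" ")


def read_reply(sock):
    """Read one complete SMTP reply; return (numeric code, raw reply text)."""
    buf = b""
    while not (buf.endswith(b"\r\n") and _last_line_is_final(buf)):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    text = buf.decode("ascii", errors="replace")
    code = int(text.rstrip("\r\n").split("\r\n")[-1][:3])
    return code, text


def send_cmd(sock, cmd):
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    return read_reply(sock)


def probe_relay(sock, sender=OUTSIDE_SENDER, rcpt=OUTSIDE_RCPT):
    """Return (is_open_relay, transcript). Stops before DATA, so nothing is relayed."""
    transcript = []
    code, text = read_reply(sock)                     # 220 greeting banner
    transcript.append(text)
    if code != 220:
        raise RuntimeError("unexpected banner: " + text.strip())
    for cmd in ("EHLO " + HELO_NAME, "MAIL FROM:<%s>" % sender):
        code, text = send_cmd(sock, cmd)
        transcript.append(cmd + "\r\n" + text)
        if code != 250:
            send_cmd(sock, "QUIT")
            raise RuntimeError(cmd + " rejected: " + text.strip())
    cmd = "RCPT TO:<%s>" % rcpt
    code, text = send_cmd(sock, cmd)                  # the verdict is this reply
    transcript.append(cmd + "\r\n" + text)
    send_cmd(sock, "QUIT")
    return code == 250, "".join(transcript)


def probe_host(host, port=25, timeout=15):
    """Run the probe against a real server (not used by the offline demo)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_relay(s)


class FakeExchange:
    """Constructed stand-in for an Exchange SMTP virtual server so the probe runs
    offline. open_relay=True mimics the 'relay for anyone' misconfiguration."""

    def __init__(self, local_domains, open_relay=False):
        self.local = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.out = b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
        self.inbuf = b""

    def sendall(self, data):
        self.inbuf += data
        while b"\r\n" in self.inbuf:
            line, self.inbuf = self.inbuf.split(b"\r\n", 1)
            self.out += self._handle(line.decode("ascii", errors="replace"))

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data

    def _handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return b"250-mail.example.com Hello\r\n250 SIZE 10485760\r\n"
        if verb == "MAIL":
            return b"250 2.1.0 Sender OK\r\n"
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            if self.open_relay or domain in self.local:
                return b"250 2.1.5 Recipient OK\r\n"
            return b"550 5.7.1 Unable to relay for %s\r\n" % addr.encode("ascii")
        if verb == "QUIT":
            return b"221 2.0.0 Service closing transmission channel\r\n"
        return b"500 5.5.1 Command unrecognized\r\n"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        is_open, log = probe_host(sys.argv[1])
    else:
        is_open, log = probe_relay(FakeExchange(["example.com"], open_relay=True))
    print(log, end="")
    print("RESULT: OPEN RELAY" if is_open else "RESULT: relay denied")
```

Run it from a host outside your own subnets, since a relay restriction keyed to internal IP ranges will (correctly) still say 250 when you test from inside. A 550 on RCPT TO is the answer you want; a 250 means the server has accepted responsibility for delivering the message. Some servers accept and silently discard instead of rejecting, so for a definitive check use an outside recipient you control and see whether the message arrives.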
 
LVL 57

Expert Comment

by:Pete Long
ID: 10730504
>>we have to leave the port 25 to the exchange server open to allow email in from any source

Are you sure? Normal procedure is for your Exchange box to point to a mail relay. Who is your service provider? Consider creating your TCP port 25 rule for just the IP of your mail relay; of course an intelligent hacker can clone this layer two address, but if your provider can accept ESMTP traffic you can password protect the link from your local virtual SMTP server to the mail relay.
 
LVL 20

Expert Comment

by:What90
ID: 10731290
Have you checked that none of the workstations have worms/viruses on them doing mass mailing?
Update and run an AV check on all your machines, just to make sure it's not an internal issue first.

Author Comment

by:hedley2k
ID: 10732075
The reason I believed it was external was that in the current sessions folder on Exchange there were users with names like evildoer and a public IP address. What I've tried in the Exchange virtual server relay options is to remove the access for everyone who is authenticated and put our two internal subnets in the authorised list. This seems to have worked... touch wood.
 
LVL 32

Expert Comment

by:LucF
ID: 10732086
So you were an open relay :(
Good that you catched this...
 
LVL 57

Expert Comment

by:Pete Long
ID: 10732883
>>Good that you catched this...

That's the first time I've ever seen your English slip, Luc :)
Glad you're running. I'd still look at ESMTP in the future; at least then your mail link would be password protected.

good luck

Pete
 
LVL 32

Expert Comment

by:LucF
ID: 10733471
Hmm...
 
LVL 35

Expert Comment

by:Bembi
ID: 10797770
Let me make another comment, as we encountered this in the last few days.

We had a customer who reported a few hundred mails going out and producing NDRs, as the virus scanners were not quick enough to update themselves and the virus got through to the mailboxes. Some of the users clicked on them and they started to send e-mails around the world. As the virus came in the night and the virus scanners were updating early in the morning, the clients were sending the mails, which were then blocked by the virus scanner, which sent a lot of NDRs back to the clients and to the admin.

This was simply a timing problem, as the clients need to update themselves in time to recognise the virus on the client machines, and it solves itself after the virus scanner update.

This is only an additional possibility you should take care of, independent of open relay and other misconfiguration issues.
