exchange hack?

Our exchange server keeps getting in a state where it is sending out hundreds/thousands of unknown emails. I have downloaded all the service packs, all the antivirus is up to date and the server scanned for viruses so i can only assume the attack is from a hacker. We have a PIX firewall and a gateway router, but as we have two sites i have had to turn the mailguard feature off on the pix to allow the remote sites email to function, our exchange server is hosted by ourselves so we have to leave the port 25 to the exchange server open to allow email in from any source, this must be the way the hacker is getting in, is there a way of tightening down the firewall/router to stop this attack?
hedley2kAsked:
Who is Participating?
 
LucFConnect With a Mentor EMEA Server EngineerCommented:
Hi hedley2k,

Check if your not an open relay:
if you're using Exchange 5.5 => http://support.microsoft.com/?kbid=193922
if you're using Exchange 2000 => http://support.microsoft.com/?kbid=310380

Greetings,

LucF
0
 
Pete LongTechnical ConsultantCommented:
>>we have to leave the port 25 to the exchange server open to allow email in from any source

Are you sure? normal procedure is for your exchange box to point to a Mail relay? who is your service provider? consider creating your TCP port 25 rule for Just the IP of your Mail relay, of course an intelligent hacket can clone this layer two address, but if your provider can accept ESMTP traffic you can password protect the link from your local virtual SMTP server to the mail relay.
0
 
What90Commented:
Have you checked the none of the workstations have works/viruses on them doing mass mailing?
Update and run an av check on all your machines just to make sure it's not an internal issue first.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
hedley2kAuthor Commented:
The reason i believed it was external was in the current sessions folder on exchange were users with names like evildoer and a public ip address, what i've tried in the exchange virual server relay options is to remove the access to everyone who is authenticated and put our two internal subnets in the aurthorised list. This seems to have work... touch wood.
0
 
LucFEMEA Server EngineerCommented:
So you where an open relay :(
Good that you catched this...
0
 
Pete LongTechnical ConsultantCommented:
>>Good that you catched this...

Thats the first time Ive ever seen your english slip Luc :)
Glad your running, Id still look at ESMTP in the future at least then your mail link would be password protected

good luck

Pete
0
 
LucFEMEA Server EngineerCommented:
Hmm...
0
 
BembiCEOCommented:
Let me make another comment, as we regarded it in the last days.

We had a customer, which reported a few hundred mails going out and producing NDRs, as the virus scanners where not quick enough to update themselves and the virus was gone through to the mailboxes. Some of the users klicked on them and they started to send E-Mails around the world. As the virus came in the night and the virus scanners were updating early in the morning, the clients were sending the mails, but then blocked by the virus scanner, which sent a lot of NDRs back to the clients and to the admin.

This was simply a timing problem, as the clients need to run to update themselves to recognize the virus on the client machines in time and it solves itselves after virus scanner update.  

This is only an additional possibility, you should take care of, independend on open relay and other misconfiguration issues.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.