Solved

exchange hack?

Posted on 2004-04-01
8
180 Views
Last Modified: 2010-04-09
Our exchange server keeps getting in a state where it is sending out hundreds/thousands of unknown emails. I have downloaded all the service packs, all the antivirus is up to date and the server scanned for viruses so i can only assume the attack is from a hacker. We have a PIX firewall and a gateway router, but as we have two sites i have had to turn the mailguard feature off on the pix to allow the remote sites email to function, our exchange server is hosted by ourselves so we have to leave the port 25 to the exchange server open to allow email in from any source, this must be the way the hacker is getting in, is there a way of tightening down the firewall/router to stop this attack?
0
Comment
Question by:hedley2k
8 Comments
 
LVL 32

Accepted Solution

by:
Luc Franken earned 500 total points
ID: 10730487
Hi hedley2k,

Check if your not an open relay:
if you're using Exchange 5.5 => http://support.microsoft.com/?kbid=193922
if you're using Exchange 2000 => http://support.microsoft.com/?kbid=310380

Greetings,

LucF
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10730504
>>we have to leave the port 25 to the exchange server open to allow email in from any source

Are you sure? normal procedure is for your exchange box to point to a Mail relay? who is your service provider? consider creating your TCP port 25 rule for Just the IP of your Mail relay, of course an intelligent hacket can clone this layer two address, but if your provider can accept ESMTP traffic you can password protect the link from your local virtual SMTP server to the mail relay.
0
 
LVL 20

Expert Comment

by:What90
ID: 10731290
Have you checked the none of the workstations have works/viruses on them doing mass mailing?
Update and run an av check on all your machines just to make sure it's not an internal issue first.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:hedley2k
ID: 10732075
The reason i believed it was external was in the current sessions folder on exchange were users with names like evildoer and a public ip address, what i've tried in the exchange virual server relay options is to remove the access to everyone who is authenticated and put our two internal subnets in the aurthorised list. This seems to have work... touch wood.
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10732086
So you where an open relay :(
Good that you catched this...
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 10732883
>>Good that you catched this...

Thats the first time Ive ever seen your english slip Luc :)
Glad your running, Id still look at ESMTP in the future at least then your mail link would be password protected

good luck

Pete
0
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10733471
Hmm...
0
 
LVL 35

Expert Comment

by:Bembi
ID: 10797770
Let me make another comment, as we regarded it in the last days.

We had a customer, which reported a few hundred mails going out and producing NDRs, as the virus scanners where not quick enough to update themselves and the virus was gone through to the mailboxes. Some of the users klicked on them and they started to send E-Mails around the world. As the virus came in the night and the virus scanners were updating early in the morning, the clients were sending the mails, but then blocked by the virus scanner, which sent a lot of NDRs back to the clients and to the admin.

This was simply a timing problem, as the clients need to run to update themselves to recognize the virus on the client machines in time and it solves itselves after virus scanner update.  

This is only an additional possibility, you should take care of, independend on open relay and other misconfiguration issues.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
iptables and udp ports 23 117
sftp access 4 52
PCAnywhere 2 122
Cloud-based web filter/proxy - can it be done? What is the best software to use? 7 67
Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question