Translate log file for suspected security issues

Hi, we have been receiving lots of spam lately from someone outside sending emails that appear to be coming from bogus email addresses inside the domain.

Here is a snippet from the log file.

2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:09 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:09 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:09 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:08 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:08 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:09 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:09 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:09 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:09 69.15.227.198 QUIT mydomain.com
2005-07-05 15:14:03 207.210.66.99 EHLO +mail1.smokingsuniversalitys.com
2005-07-05 15:14:03 207.210.66.99 MAIL +FROM:<bounce-alq1wz5fa5sv1cmshuvtqd1b@amnesiacsmutter.com>
2005-07-05 15:14:03 207.210.66.99 RCPT +TO:<katief@mydomain.com>
2005-07-05 15:14:03 207.210.66.99 BDAT +<GXNKTXRZGWS22RG7DC3F.@mail1.smokingsuniversalitys.com>
2005-07-05 15:14:03 207.210.66.99 QUIT mail1.smokingsuniversalitys.com
2005-07-05 15:16:31 209.50.234.167 HELO +boj.livebydesigns.com
2005-07-05 15:16:40 209.50.234.167 MAIL +FROM:<29-23138029-mydomain.com?ritae@stderr.livebydesigns.com>
2005-07-05 15:16:55 209.50.234.167 RCPT +TO:<ritae@mydomain.com>
2005-07-05 15:17:41 192.107.41.53 - 220-iglou.com+ESMTP+Tue,+05+Jul+2005+11:17:41+-0400

Of course, the only valid accounts are ritae@mydomain.com and katief@mydomain.com.

Everything else is bogus. Any suggestions as to what to do would be appreciated.

Thanks


Kevin Hays, IT Analyst, asked:

Phil_Agcaoili commented:
What are your valid IPs based on this log?

*Reminder that this is a public board... your info is now on the Net.
Kevin Hays, IT Analyst (author), commented:
No information above is valid for my info.  I have a private IP range which doesn't show up on there.  That's just a section that I cut out from the log file that looked weird.

Kevin
Phil_Agcaoili commented:
So which IPs above were the replaced IPs that are yours?
Which IPs are possibly hostile?

You mentioned that ritae@mydomain.com and katief@mydomain.com are good e-mail accounts.

Also, what email server package are you running with version?

The answers vary based on the mail server and version.

Generically:
- set filters to only allow internal IPs to contact your mail server.
- set your mail server to perform domain name lookups on connecting mail servers (this stops fraudulent domains from sending from a hijacked Wifi network)
- configure your spam software to point to RBLs from places like Spamhaus

If you run Exchange, here's one of the definitive Exchange security guides available:
http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3SecHardGuide/ac385903-2bb3-40c1-9239-2f575620ad74.mspx

It sounds like you also need to use an SMTP connector:
http://www.amset.info/exchange/smtp-connector.asp


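Added example, not code from the thread: a Python script that applies two of the checks discussed above to a log in the format Kevin posted. It flags every envelope whose MAIL FROM claims mydomain.com while the connecting IP is not one of our own hosts (the pattern in the question, and Phil's point about only trusting internal IPs), and for each flagged IP it shows the query name an RBL lookup against a DNS blocklist would use. Assumptions: the internal ranges 10.0.0.0/8 and 192.168.0.0/16 stand in for the poster's unpublished private range; the sample lines are constructed in the same W3C format as the snippet (two of the external IPs are taken from it, the sender domains are placeholders); zen.spamhaus.org is used only to show how the query name is formed, and no DNS lookup is performed.

```python
"""Added example: flag SMTP-log envelopes whose MAIL FROM claims a local
sender while the connecting IP is not one of our own hosts, and show the
DNSBL query name an RBL check would issue for that IP."""
import ipaddress
import re

LOCAL_DOMAIN = "mydomain.com"
# Assumed internal ranges; the poster did not publish his real private range.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample in the Exchange 2003 / IIS W3C log format seen in the
# thread (a '+' inside a field stands for a space). Not a real log.
SAMPLE_LOG = """\
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:14:03 207.210.66.99 MAIL +FROM:<bounce-123@example.net>
2005-07-05 15:14:03 207.210.66.99 RCPT +TO:<katief@mydomain.com>
2005-07-05 15:14:03 207.210.66.99 QUIT mail1.example.net
2005-07-05 15:16:31 209.50.234.167 HELO +relay.example.org
2005-07-05 15:16:40 209.50.234.167 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:16:55 209.50.234.167 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:20:00 10.1.2.3 MAIL +FROM:<bob@mydomain.com>
2005-07-05 15:20:00 10.1.2.3 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:20:00 10.1.2.3 QUIT ws01.mydomain.local
"""


def parse_line(line):
    """'date time ip verb argument' -> tuple, or None if malformed. The
    '+' space-encoding in the argument is undone (assumes no literal '+')."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4:
        return None
    date, time, ip, verb = parts[:4]
    arg = parts[4].replace("+", " ").strip() if len(parts) == 5 else ""
    return date, time, ip, verb.upper(), arg


def extract_addr(arg):
    """Address out of 'FROM:<a@b>' / 'TO:<a@b>'; raw text if no brackets."""
    m = ADDR_RE.search(arg)
    return m.group(1) if m else arg


def sender_domain(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>.
    An A record in the answer means 'listed'; the lookup is not done here."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def find_spoofed_envelopes(log_text, local_domain=LOCAL_DOMAIN):
    """Pair each MAIL FROM with the RCPT TOs that follow from the same IP
    (until QUIT, the next MAIL FROM, or end of log, so a session that dropped
    without QUIT is still examined). Return (ip, time, sender, recipients)
    for envelopes claiming local_domain from a non-internal IP."""
    pending, flagged = {}, []

    def close(ip):
        env = pending.pop(ip, None)
        if env and sender_domain(env["sender"]) == local_domain and not is_internal(ip):
            flagged.append((ip, env["time"], env["sender"], tuple(env["rcpts"])))

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, time, ip, verb, arg = rec
        if verb == "MAIL":
            close(ip)
            pending[ip] = {"time": time, "sender": extract_addr(arg), "rcpts": []}
        elif verb == "RCPT" and ip in pending:
            pending[ip]["rcpts"].append(extract_addr(arg))
        elif verb == "QUIT":
            close(ip)
    for ip in list(pending):
        close(ip)
    return flagged


if __name__ == "__main__":
    for ip, time, sender, rcpts in find_spoofed_envelopes(SAMPLE_LOG):
        print(f"{time} {ip} claimed <{sender}> -> {', '.join(rcpts)}; "
              f"RBL query name: {dnsbl_query_name(ip)}")
```

On the sample, the 69.15.227.198 session and the 209.50.234.167 session (which never sent QUIT) are flagged; the external session with a non-local sender and the internal 10.1.2.3 host are not. Swap INTERNAL_NETS for the real ranges and feed the script the live log to get the list of IPs worth blocking or submitting to the RBL check.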

Kevin Hays, IT Analyst (author), commented:
Thanks Phil,

None of the IPs were replaced that were mine. The only thing that was replaced was mydomain.com.
Ritae and katief are actually valid email account names, but they are just aliases.

Running Windows 2003 Enterprise with Exchange Server 2003 Enterprise.

I also have GFI ME and GFI Security on the Exchange on SMTP mode as well.

I did go to System Manager / Protocols / SMTP / virtual SMTP server and, under Authentication, unchecked Anonymous and used Integrated Windows Authentication, but boy, that sure didn't go well; I didn't realize that nobody outside our domain would be able to send us email.

When you say "set your mail server to perform domain name lookups on connecting mail servers (this stops fraudulent domains from sending from a hijacked Wifi network)", do you mean check the box under SMTP / virtual SMTP server / Authentication / "Resolve DNS names", which I believe is right under Anonymous Access?

I'll take a look at those links you gave me.

When you say an SMTP connector, is this created by default in the Exchange 2003 System Manager?

Thanks,

Kevin
Kevin Hays, IT Analyst (author), commented:
Oh, I was actually able to log in to the server using telnet <IP> 25, do the HELO and MAIL FROM: anyuser@mydomain.com, and send it as a spoof. I tried from outside our network but I was unable to even connect to the server, which I'm glad about :)

Kevin
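The manual test Kevin describes in the comment above (telnet to port 25, HELO, MAIL FROM an internal address, see whether the server takes it), as an added, scripted example; this is not code from the thread. It assumes a reachable SMTP port and treats a 250 to both MAIL FROM and RCPT TO with no authentication as "the server will accept a spoofed local sender". The probe stops before DATA and sends RSET and QUIT, so nothing is delivered. The mock server is constructed so the script runs offline; its banner and 550 text are made up and are not Exchange's.

```python
"""Added example: probe whether an SMTP server accepts an anonymous envelope
that claims a local-domain sender (the telnet-to-port-25 test from the
thread), with a tiny in-process mock server so it can be run offline.
No message is delivered: the probe stops before DATA and sends RSET/QUIT."""
import socket
import threading


def _reply_code(f):
    """Read one SMTP reply (multi-line replies use 'NNN-'); return its code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if len(line) >= 4 and line[3:4] == b" ":
            return int(line[:3])


def probe_spoof(host, port, helo_name, mail_from, rcpt_to, timeout=10):
    """Return (accepted, codes): accepted is True when the server answered
    250 to both MAIL FROM and RCPT TO without any authentication."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        codes = {"BANNER": _reply_code(f)}
        for stage, cmd in (("HELO", f"HELO {helo_name}"),
                           ("MAIL", f"MAIL FROM:<{mail_from}>"),
                           ("RCPT", f"RCPT TO:<{rcpt_to}>")):
            s.sendall((cmd + "\r\n").encode("ascii"))
            codes[stage] = _reply_code(f)
            if codes[stage] != 250:
                break            # rejected: the envelope is not accepted
        accepted = codes.get("MAIL") == 250 and codes.get("RCPT") == 250
        try:
            if accepted:
                s.sendall(b"RSET\r\n")       # abandon the accepted envelope
                _reply_code(f)
            s.sendall(b"QUIT\r\n")
            _reply_code(f)
        except OSError:
            pass                 # server may drop us right after a 5xx
    return accepted, codes


class MockSmtpServer(threading.Thread):
    """One-connection SMTP responder (constructed for the demo). relay_open=True
    answers 250 to everything, the state described in the thread; relay_open=False
    refuses an unauthenticated MAIL FROM in local_domain with a 550."""

    def __init__(self, relay_open, local_domain="mydomain.com"):
        super().__init__(daemon=True)
        self.relay_open, self.local_domain = relay_open, local_domain
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))      # ephemeral port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]
        self.transcript = []

    def run(self):
        conn, _ = self.listener.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mock.mydomain.com ESMTP\r\n")
            while True:
                raw = f.readline()
                if not raw:
                    break
                cmd = raw.decode("ascii", "replace").strip()
                self.transcript.append(cmd)
                verb = cmd.split(" ", 1)[0].upper()
                if verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                spoof = (verb == "MAIL"
                         and cmd.lower().endswith("@" + self.local_domain + ">"))
                if spoof and not self.relay_open:
                    conn.sendall(b"550 5.7.1 Sender address rejected: not authenticated\r\n")
                else:
                    conn.sendall(b"250 OK\r\n")
        self.listener.close()


def check_policy(relay_open):
    """Start a mock with the given policy and probe it the way Kevin did by hand."""
    srv = MockSmtpServer(relay_open)
    srv.start()
    result = probe_spoof("127.0.0.1", srv.port, "mydomain.com",
                         "administrator@mydomain.com", "kevin@mydomain.com")
    srv.join(timeout=5)
    return result


if __name__ == "__main__":
    for policy in (True, False):
        accepted, codes = check_policy(policy)
        print(f"relay_open={policy}: spoofed envelope accepted={accepted} {codes}")
```

Against a real server, call probe_spoof with the server's address and one of the domain's own addresses as mail_from, once from inside the network and once from outside; a 250 on both MAIL and RCPT from the outside is the condition the thread is trying to get rid of.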
Dmitri Farafontov, Linux Systems Admin, commented:
Your Exchange is misconfigured. You will need to close relaying or enable SMTP authentication :)
Phil_Agcaoili commented:
Check out the MS link I sent and search "Protecting Against Address Spoofing."

It will walk you through the right settings to prevent Exchange 2003 from resolving anonymous e-mail messages.

Additionally, the Win2k3 Exchange guide will walk you through the best practices for hardening your mail server.

Good luck!
Kevin Hays, IT Analyst (author), commented:
Thanks guys, I've split the points. I believe I've got enough information so far. Actually, the Exchange server is in a DMZ and, besides creating the SMTP connector, all the other practices were already in place. I'm assuming Exchange being in a DMZ has a lot to do with this though.

Kevin