Kevin Hays
asked on
Translate log file for suspected security issues
Hi, we have been receiving lots of spam lately appearing to come from someone outside sending emails that appear to be coming from bogus email addresses inside the domain.
Here is a snippet from the log file.
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:09 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:09 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:09 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:08 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:08 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:09 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:09 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:09 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:09 69.15.227.198 QUIT mydomain.com
2005-07-05 15:14:03 207.210.66.99 EHLO +mail1.smokingsuniversalitys.com
2005-07-05 15:14:03 207.210.66.99 MAIL +FROM:<bounce-alq1wz5fa5sv1cmshuvtqd1b@amnesiacsmutter.com>
2005-07-05 15:14:03 207.210.66.99 RCPT +TO:<katief@mydomain.com>
2005-07-05 15:14:03 207.210.66.99 BDAT +<GXNKTXRZGWS22RG7DC3F.@mail1.smokingsuniversalitys.com>
2005-07-05 15:14:03 207.210.66.99 QUIT mail1.smokingsuniversalitys.com
2005-07-05 15:16:31 209.50.234.167 HELO +boj.livebydesigns.com
2005-07-05 15:16:40 209.50.234.167 MAIL +FROM:<29-23138029-mydomain.com?ritae@stderr.livebydesigns.com>
2005-07-05 15:16:55 209.50.234.167 RCPT +TO:<ritae@mydomain.com>
2005-07-05 15:17:41 192.107.41.53 - 220-iglou.com+ESMTP+Tue,+05+Jul+2005+11:17:41+-0400
Of course the only valid accounts are ritae@mydomain.com and katief@mydomain.com.
Everything else is bogus. Any suggestions as to what to do are appreciated.
Thanks
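As an added example (not code from this thread or from Exchange), here is the check Kevin is doing by eye, written as a small parser for the IIS-format SMTP protocol log lines above: it flags every session where a client outside the internal address space either greets (HELO/EHLO) as the local domain or issues MAIL FROM with a local-domain sender. The log text inside is constructed from the snippet in the question (with one extra internal session added so the negative case is visible), the domain is the post's placeholder mydomain.com, and the internal ranges are assumed to be RFC 1918 private space; replace them with the site's real ranges.

```python
"""Flag SMTP sessions in an IIS/Exchange 2003 protocol log that claim a local
identity (HELO/EHLO name or MAIL FROM domain) from a non-internal client IP.
Example code written for this thread, not from the original post."""
import ipaddress
import re
from collections import Counter

LOCAL_DOMAIN = "mydomain.com"  # placeholder domain used in the post

# Assumption: the site's private range is RFC 1918 space; adjust to the real ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample modelled on the snippet in the question, plus one
# internal session (192.168.1.10) that legitimately sends as the local domain.
SAMPLE_LOG = """\
2005-07-05 15:04:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:04:08 69.15.227.198 MAIL +FROM:<administrator@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 RCPT +TO:<kevin@mydomain.com>
2005-07-05 15:04:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:11:08 69.15.227.198 EHLO +mydomain.com
2005-07-05 15:11:08 69.15.227.198 MAIL +FROM:<info@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 RCPT +TO:<bob@mydomain.com>
2005-07-05 15:11:08 69.15.227.198 QUIT mydomain.com
2005-07-05 15:14:03 207.210.66.99 EHLO +mail1.smokingsuniversalitys.com
2005-07-05 15:14:03 207.210.66.99 MAIL +FROM:<bounce-alq1wz5fa5sv1cmshuvtqd1b@amnesiacsmutter.com>
2005-07-05 15:14:03 207.210.66.99 RCPT +TO:<katief@mydomain.com>
2005-07-05 15:14:03 207.210.66.99 QUIT mail1.smokingsuniversalitys.com
2005-07-05 15:16:31 209.50.234.167 HELO +boj.livebydesigns.com
2005-07-05 15:16:40 209.50.234.167 MAIL +FROM:<29-23138029-mydomain.com?ritae@stderr.livebydesigns.com>
2005-07-05 15:16:55 209.50.234.167 RCPT +TO:<ritae@mydomain.com>
2005-07-05 15:17:41 192.107.41.53 - 220-iglou.com+ESMTP+Tue,+05+Jul+2005+11:17:41+-0400
2005-07-05 15:20:00 192.168.1.10 EHLO +mydomain.com
2005-07-05 15:20:00 192.168.1.10 MAIL +FROM:<kevin@mydomain.com>
2005-07-05 15:20:00 192.168.1.10 RCPT +TO:<bob@mydomain.com>
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Split one W3C-style SMTP log line into date, time, client IP, verb, argument.
    IIS writes spaces inside a field as '+', so the argument is decoded here.
    Returns None for blank lines and '#Fields:'/'#Software:' header lines."""
    parts = line.strip().split(None, 4)
    if len(parts) < 4 or parts[0].startswith("#"):
        return None
    date, time, ip, verb = parts[:4]
    arg = parts[4].replace("+", " ").strip() if len(parts) == 5 else ""
    return {"date": date, "time": time, "ip": ip, "verb": verb, "arg": arg}


def is_internal(ip):
    """True if the client address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def sender_domain(arg):
    """Domain part (lowercased) of the address in a 'FROM:<user@host>' argument."""
    m = ADDR_RE.search(arg)
    if not m or "@" not in m.group(1):
        return None
    return m.group(1).rsplit("@", 1)[1].lower()


def find_spoofed(log_text, local_domain=LOCAL_DOMAIN):
    """Return (time, ip, verb, argument) for every line where an external client
    greets as the local domain or sends MAIL FROM a local-domain address."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or is_internal(rec["ip"]):
            continue
        verb, arg = rec["verb"], rec["arg"]
        if verb in ("HELO", "EHLO") and arg.lower() == local_domain:
            findings.append((rec["time"], rec["ip"], verb, arg))
        elif verb == "MAIL" and sender_domain(arg) == local_domain:
            findings.append((rec["time"], rec["ip"], verb, arg))
    return findings


def count_by_ip(findings):
    """Number of spoofing indicators per client IP, for a quick block/report list."""
    return Counter(f[1] for f in findings)


if __name__ == "__main__":
    hits = find_spoofed(SAMPLE_LOG)
    for time, ip, verb, arg in hits:
        print(f"{time} {ip:<15} {verb:<4} {arg}")
    print("per client:", dict(count_by_ip(hits)))
```

On the sample, only 69.15.227.198 is reported (four indicators: two EHLO greetings as the local domain and two local-domain MAIL FROM lines); the bounce address from 207.210.66.99 and the livebydesigns.com sender are not flagged because their sender domain is not mydomain.com, and the 192.168.1.10 session is skipped as internal. To run it over a real Exchange 2003 protocol log, read the file and pass its text to find_spoofed; a session from an internal relay that legitimately uses a local address will not be flagged as long as its range is in INTERNAL_NETS.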
ASKER
No information above is valid for my info. I have a private IP range which doesn't show up on there. That's just a section that I cut out from the log file that looked weird.
Kevin
ASKER CERTIFIED SOLUTION
ASKER
Thanks Phil,
None of the IP's were replaced that were mine. The only thing that was replaced was mydomain.com.
Ritae and katief are actually valid email account names, but they are just aliases.
Running Windows 2003 Enterprise with Exchange Server 2003 Enterprise.
I also have GFI ME and GFI Security on the Exchange on SMTP mode as well.
I did go to the system manager/protocols/smtp/virtual smtp server and under authentication unchecked anonymous and used integrated windows authentication, but boy, that sure didn't go well. I didn't realize that nobody outside our domain would be able to send us email.
When you say "set your mail server to perform domain name lookups on connecting mail servers (this stops fraudulent domains from sending from a hijacked Wifi network)", do you mean check the box under the smtp/virtual smtp server/authentication/resolve dns names, I believe right under the anonymous access?
I'll take a look at those links you gave me.
When you say an smtp connector, is this created by default in the Exchange 2003 system manager?
Thanks,
Kevin
ASKER
OH, I was able to actually log in to the server using telnet IP 25 and do the helo and mail from: anyuser@mydomain.com and send it as a spoof. I tried from outside our network but I was unable to even connect to the server, which I'm glad about :)
Kevin
SOLUTION
Check out the MS link I sent and search "Protecting Against Address Spoofing."
It will walk you through the right settings to prevent Exchange 2003 from resolving anonymous e-mail messages.
Additionally, the Win2k3 Exchange guide will walk you through the best practices for hardening your mail server.
Good luck!
ASKER
Thanks guys, I've split the points. I've got enough information, I believe, so far. Actually the exchange server is in a DMZ and besides creating the SMTP connector all the other practices were already in place. I'm assuming exchange being in a DMZ has a lot to do with this though.
Kevin
*Reminder that this is a public board... your info is now on the Net.