  • Status: Solved
  • Priority: Medium
  • Security: Public

Email Account being hijacked

Hi everyone,

We're running an Exchange server here. I noticed the other day that the administrator email account is blasting out emails to random email addresses for the domain, like "jack@ourdomain.com, sue@ourdomain.com, mark@ourdomain.com, etc..." They are bogus addresses and are thus being returned as undeliverable. The emails vary in subject but are usually "Your password has been successfully updated" or "Your Account is suspended for Security Reasons". The attachment is always a zip file with a definite virus embedded. The zip file name is "important-details.zip". I've scanned with everything I have and pored over all of the stores. I can't find where this is originating from. I'd imagine it is a virus that's launching these emails. I attempted to change the administrator password to no avail. Anyone have any ideas?

Thanks
 
Roshan25 commented:
This sounds more like a virus.
Does your administrator need an email address?
If not, I suggest you not have an email account on the administrator account.
And if you have an enterprise AV solution, look at that and see where you are infected. I have seen this before, and users with admin access were sending out email as the administrator.
 
msheppard74 (Author) commented:
I agree that it's a virus, without a doubt. We're running McAfee Antivirus 8.0. I've run scans and nothing comes up. I could disable the email for the administrator account. I'd rather find the source of the problem, though, as the virus will still be local at that point and could infect other accounts.
 
Jejin Joseph commented:
These are the result of a reverse NDR attack that someone outside your network is doing. It's a kind of spam mail in which spammers send mails with infected attachments to bogus addresses, with spoofed sender addresses pointing to your domain users.

http://www.praetor.net/praetor/WebHelpG2/zAppendix_B_-_Message_tests/Thwarting_reverse_NDR_attacks.htm

http://forum.spamcop.net/forums/lofiversion/index.php/t554.html

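The reverse NDR mechanism described in the answer above, modelled as an added example (this is not code from the thread or from any product mentioned in it). The forged envelope sender is the victim, the recipients are bogus users at our domain, and the bounce is what carries the payload back. The domain, the addresses and the directory of valid mailboxes are constructed; `rcpt_to_decision` stands in for the lookup a mail server performs against its directory during the SMTP conversation.

```python
"""Reverse NDR (backscatter) under two server policies: accept-then-bounce
versus reject at RCPT TO.

Added example, not from the thread. The spammer sends to non-existent users
at our domain with the victim's address forged as the envelope sender. If the
server accepts every local address, it has to bounce the undeliverable ones
later, and that bounce (payload attached) goes to the forged sender. Rejecting
unknown recipients during the SMTP conversation means nothing is queued and
no NDR is ever generated. Directory, domain and addresses are constructed.
"""
from email.utils import parseaddr

# Constructed stand-in for the directory lookup (AD / GAL) a real server does.
VALID_RECIPIENTS = {"bjones@ourdomain.com", "administrator@ourdomain.com"}
LOCAL_DOMAINS = {"ourdomain.com"}

USER_UNKNOWN = "Recipient address rejected: User unknown"

# Constructed spam batch: three bogus users plus one real one.
SPAM_RECIPIENTS = [
    "jack@ourdomain.com",
    "sue@ourdomain.com",
    "mark@ourdomain.com",
    "bjones@ourdomain.com",
]


def rcpt_to_decision(rcpt, directory=VALID_RECIPIENTS, local_domains=LOCAL_DOMAINS):
    """SMTP reply (code, text) for one RCPT TO address when recipient
    filtering is on. A 550 here is answered to the connecting server; the
    message is never accepted, so there is nothing to bounce."""
    _, addr = parseaddr(rcpt)
    addr = addr.lower()
    if "@" not in addr:
        return 501, "Syntax error in recipient address"
    domain = addr.rsplit("@", 1)[1]
    if domain not in local_domains:
        return 550, "Relaying denied"          # not an open relay
    if addr not in directory:
        return 550, USER_UNKNOWN
    return 250, "OK"


def bounces_generated(envelope_sender, recipients, accept_unknown):
    """Simulate one delivery attempt and return the NDRs it would produce.

    accept_unknown=True models the default: every local address gets 250
    at RCPT TO, the unknown ones fail in the store later and an NDR goes to
    the (forged) envelope sender. False models recipient filtering.
    """
    ndrs = []
    for r in recipients:
        code, text = rcpt_to_decision(r)
        if code == 250:
            continue                            # real mailbox, delivered
        if accept_unknown and text == USER_UNKNOWN:
            ndrs.append(envelope_sender)        # accepted, then bounced
        # with filtering on, or for relay attempts, nothing is queued
    return ndrs


if __name__ == "__main__":
    victim = "administrator@ourdomain.com"     # forged as the sender
    print("accept-then-bounce:", bounces_generated(victim, SPAM_RECIPIENTS, True))
    print("reject at RCPT TO:  ", bounces_generated(victim, SPAM_RECIPIENTS, False))
```

Run stand-alone it prints three NDRs addressed to the forged sender under the accept-then-bounce policy and none under recipient filtering; the real mailbox (bjones) is delivered either way, so filtering costs nothing for legitimate mail.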
 
Sembee commented:
How are you detecting these messages?
I bet they are coming in from outside. If your clients are getting the messages, then get on to one of their machines and see if there are any SMTP headers. If there are, then the message has come from outside.

It is almost certainly a virus, that has probably infected a machine outside of your network. I would be surprised if the virus is inside your network, as it is very unusual for viruses to attack their own networks - mainly due to the fact that the emails cannot be delivered.

Shutting off the administrator@ email address on your domain will have no effect on these messages, and may actually affect the operation of Exchange, so you shouldn't bother with that.

Do you have AV software on the Exchange server itself? I mean actual Exchange AV. If not, then it might be time to get some.

Simon.
 
oldhammbc commented:
If your emails are being sent out via your Exchange server, then you could stop all outbound email and look in the mail queue.

If you go to the queue directory (usually drive:\program files\exchsrvr\mailroot\vsi 1\queue), be careful: DO NOT DOUBLE CLICK THE MESSAGES!! (They could open in Outlook and infect your server with the virus.) Open the files one by one in Notepad until you find one of the offending messages. When you find one, you should be able to see the originating IP address in the headers, which should allow you to track down the culprit machine!

Cheers

Dave J
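The header check that Sembee and oldhammbc both describe (SMTP headers present means the message arrived over SMTP; the connecting IP in those headers says from where), as an added example that is not code from the thread. It reads a queue file as plain text, walks the Received: chain from the bottom, and reports only the IP recorded by the Received: line that one of our own servers wrote, because every line below that was supplied by the sender and can be forged. The hostnames, the internal address range and the three sample messages are constructed.

```python
"""Find the connecting IP of a queued message from its Received: headers.

Added example, not from the thread. Read the queue file as plain text (never
open it in a mail client), then walk the Received: chain from the bottom,
which is the earliest hop, looking for the line that one of OUR servers
wrote. Only that line is trustworthy: everything below it was supplied by
the sender and can be forged. A message submitted from Outlook over MAPI
inside the organisation carries no Received: headers at all, so their
presence already says the message arrived over SMTP. Hostnames, addresses
and the three sample messages are constructed for the example.
"""
import ipaddress
import re
from email import message_from_string

# Assumptions for the example: our own mail hosts and our internal range.
OUR_HOSTS = ("mail.ourdomain.com", "exch01.ourdomain.local")
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _by_our_host(hop):
    """True if this Received: line was written by one of our servers."""
    return any(re.search(r"\bby\s+" + re.escape(h) + r"(?=[\s;()]|$)", hop)
               for h in OUR_HOSTS)


def connecting_ip(raw_message):
    """IP that handed the message to the first of our servers, or None."""
    msg = message_from_string(raw_message)
    for hop in reversed(msg.get_all("Received", [])):   # bottom = first hop
        hop = " ".join(hop.split())                      # unfold the header
        if _by_our_host(hop):
            m = BRACKETED_IP.search(hop)                 # "from X ([ip])"
            return m.group(1) if m else None
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_origin(raw_message):
    """Return 'no-smtp-headers', 'internal:<ip>', 'external:<ip>' or 'unknown'."""
    msg = message_from_string(raw_message)
    if not msg.get_all("Received"):
        return "no-smtp-headers"          # MAPI submission, never travelled by SMTP
    ip = connecting_ip(raw_message)
    if ip is None:
        return "unknown"                  # SMTP, but none of our hosts wrote a hop
    return ("internal:" if is_internal(ip) else "external:") + ip


# Constructed samples. The forged bottom hop in the first one claims an
# internal address; trusting it would point at the wrong machine.
MSG_FROM_OUTSIDE = "\n".join([
    "Received: from mail.ourdomain.com ([192.168.1.10]) by exch01.ourdomain.local",
    "\twith Microsoft SMTPSVC; Tue, 14 Mar 2006 09:12:31 -0500",
    "Received: from smtp.example.net ([203.0.113.45]) by mail.ourdomain.com",
    "\twith SMTP; Tue, 14 Mar 2006 09:12:30 -0500",
    "Received: from localhost ([192.168.1.10]) by smtp.example.net; Tue, 14 Mar 2006 09:12:29 -0500",
    "From: administrator@ourdomain.com",
    "To: jack@ourdomain.com",
    "Subject: Your password has been successfully updated",
    "",
    "See attached important-details.zip",
    "",
])
MSG_FROM_INSIDE = "\n".join([
    "Received: from ws-bjones ([192.168.1.57]) by mail.ourdomain.com with SMTP; Tue, 14 Mar 2006 10:01:00 -0500",
    "From: administrator@ourdomain.com",
    "To: sue@ourdomain.com",
    "Subject: Your Account is suspended for Security Reasons",
    "",
    "See attached important-details.zip",
    "",
])
MSG_MAPI = "\n".join([
    "From: bjones@ourdomain.com",
    "To: administrator@ourdomain.com",
    "Subject: printer on the 2nd floor",
    "",
    "Still jammed.",
    "",
])

if __name__ == "__main__":
    for name, raw in [("outside", MSG_FROM_OUTSIDE), ("inside", MSG_FROM_INSIDE), ("mapi", MSG_MAPI)]:
        print(name, "->", classify_origin(raw))
```

Point it at the text of a real queue file instead of the constructed samples and the verdict is the one oldhammbc describes: the connecting IP either belongs to the internal range (a machine to go and look at) or it does not (the message came in from outside and no internal hunt will find it).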
 
Roshan25 commented:
Try something like Symantec or Antigen...
What does your Exchange look like?
Front-end server and back-end server....
If you have a front end, I would make sure I have an Exchange-aware SMTP AV there to scan inbound and outbound email, which will take the load off the mailbox server....
 
msheppard74 (Author) commented:
I'm looking at the queues and there are like 15+ that are questionable looking. "fitnessgoal.net", "netsiam.com", "ibtgorhv.com"... this is all spam, no? They are all SMTP connections. I've frozen them all just in case.
 
msheppard74 (Author) commented:
The only account getting these NDRs is the administrator account. It's about 3 or 4 a day.
 
oldhammbc commented:
That sounds like the ones, but if you look in all the jargon (when it's open in Notepad), at the top there should be a connecting IP address showing where the email originated from. From that you should be able to find the culprit machine!

Cheers
 
msheppard74 (Author) commented:
So far in the queue "drive:\program files\exchsrvr\mailroot\vsi 1\queue" there aren't any messages to the administrator account in there. So I can't tell yet.
 
Sembee commented:
I haven't seen a virus yet that uses another SMTP server to spread its messages. Most of the modern viruses use their own SMTP engine to spread. If you think you have an infection internally, then you can easily smoke them out by blocking port 25 on the firewall for everything except the Exchange server, then watching the logs.

If this is Exchange 2003 on Windows 2003 then you could also filter out unknown users, which will block a lot of garbage messages as well. http://www.amset.info/exchange/filter-unknown.asp

Simon.
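The "smoke them out" step from the answer above, as an added example (not code from the thread or from Check Point): once outbound TCP/25 is blocked for everything except the Exchange server, the firewall log becomes the detector, and any inside host still knocking on port 25 is running its own SMTP engine. The Exchange server address, the internal range, the log lines and the column layout are all constructed; a real Safe@Office log export has its own format and would need its own `parse_line()`.

```python
"""Spot internal hosts other than the mail server that try outbound TCP/25.

Added example, not from the thread. After outbound port 25 is blocked for
everything except the Exchange server, the firewall log is the detector:
any inside host still knocking on port 25 has its own SMTP engine (a
mass-mailing worm, or a client pointed at an outside mail server). The
address of the Exchange server, the internal range, the log lines and the
column layout below are all constructed; a real Safe@Office export has its
own format and would need its own parse_line().
"""
import ipaddress
from collections import Counter, defaultdict

EXCHANGE_SERVER = "192.168.1.10"                        # assumed
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed

# Constructed log: date time action proto src:sport dst:dport
SAMPLE_LOG = """\
2006-03-14 09:12:31 accept tcp 192.168.1.10:41022 203.0.113.45:25
2006-03-14 09:12:40 drop tcp 192.168.1.57:3045 198.51.100.7:25
2006-03-14 09:12:41 drop tcp 192.168.1.57:3046 198.51.100.8:25
2006-03-14 09:12:42 drop tcp 192.168.1.57:3047 203.0.113.9:25
2006-03-14 09:13:02 accept tcp 192.168.1.57:3050 203.0.113.80:80
2006-03-14 09:13:10 drop tcp 192.168.1.23:1089 192.0.2.33:25
2006-03-14 09:13:11 accept tcp 192.168.1.10:41023 192.0.2.33:25
this line is garbage and must be skipped
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    date, time, action, proto, src, dst = fields
    try:
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        return {"ts": f"{date} {time}", "action": action, "proto": proto.lower(),
                "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}
    except ValueError:
        return None


def smtp_egress_by_host(log_text, mail_server=EXCHANGE_SERVER, net=INTERNAL_NET):
    """Count outbound TCP/25 attempts per internal host, excluding the mail server.

    Returns {src_ip: {"attempts": n, "distinct_dst": m, "dropped": d}}.
    Accepted and dropped attempts both count: before the rule is in place the
    log shows accepts, afterwards drops, and the offending host is the same.
    """
    attempts, dropped, dsts = Counter(), Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src not in net or rec["src"] == mail_server:
            continue                      # outside host, or the one server we expect
        attempts[rec["src"]] += 1
        dsts[rec["src"]].add(rec["dst"])
        if rec["action"] == "drop":
            dropped[rec["src"]] += 1
    return {ip: {"attempts": attempts[ip], "distinct_dst": len(dsts[ip]),
                 "dropped": dropped[ip]} for ip in attempts}


def ranked_suspects(log_text):
    """Hosts ordered by how many different mail servers they tried to reach."""
    stats = smtp_egress_by_host(log_text)
    return sorted(stats.items(),
                  key=lambda kv: (kv[1]["distinct_dst"], kv[1]["attempts"]),
                  reverse=True)


if __name__ == "__main__":
    for ip, s in ranked_suspects(SAMPLE_LOG):
        print(f"{ip}: {s['attempts']} attempts to {s['distinct_dst']} servers, {s['dropped']} dropped")
```

Ranking by distinct destinations rather than raw count is deliberate: a mass-mailer fans out to many MX hosts in a short time, while a single misconfigured client usually hits the same server repeatedly. On the constructed log the workstation at 192.168.1.57 comes out on top and the Exchange server is never listed.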
 
msheppard74 (Author) commented:
OK Sembee, I've enabled your suggestion. It is indeed Exchange 2003 on Server 2003 with SP1, so there shouldn't be a problem with tarpitting. I'll try that first. Then, if that fails, I will attempt to block port 25 for all but Exchange. I'll keep you posted.

Thanks
 
Roshan25 commented:
I think you should block port 25 for all except the front-end / back-end server regardless. This will prevent users from going out and connecting to other mail services, and rogue SMTP engines on the inside from sending email out as your firm, preventing your domain from getting blacklisted.
 
msheppard74 (Author) commented:
Ah, I do have a user who is actually receiving these emails. They are not NDRs; they are addressed directly to him. He hasn't mentioned it, but I did some checking around to find that he has been receiving them. They are coming from bogus email addresses though: "info@ourdomain.com", "register@ourdomain.com" and "webmaster@ourdomain.com". The body is as follows.

"Dear user bjones,

You have successfully updated the password of your Ourdomain account.

If you did not authorize this change or if you need assistance with your account, please contact Ourdomain customer service at: info@ourdomain.com

Thank you for using Ourdomain!
The Ourdomain Support Team "


None of these domain-specific things mentioned exist. Again, the virus-embedded zip file is attached.
 
Roshan25 commented:
This is coming from the outside.
 
Sembee commented:
That is definitely a virus.
You need to get some Exchange AV to deal with those. I have used GFI Mail Security on some of my smaller sites. It is pretty cheap and works very well.

Simon.
 
msheppard74 (Author) commented:
Yes, it's a virus, but do we all agree the email is originating outside?
 
Sembee commented:
I know it is coming from outside.

I haven't seen a virus use an internal Exchange server yet. How would the virus find the Exchange server? They all deliver by SMTP, but there are no SMTP settings on a standard Outlook installation for the virus to find and use.

Simon.
 
msheppard74 (Author) commented:
I'm not exactly sure how I can block port 25 on my firewall for everything except Exchange. It looks like I can only block the port altogether for certain services... UDP, TCP and so on. We use CheckPoint Safe@Office 225. Any advice?
 
Roshan25 commented:
You can create two rules: the first permits port 25 for the server you want to allow, and the other is a deny of port 25 for any... outbound.
 
msheppard74 (Author) commented:
I first tried creating a rule that allowed and forwarded any TCP traffic on port 25 to the server that hosts Exchange. As soon as I did that, SMTP wouldn't send or deliver anymore. I deleted that rule and the problem still exists..... sounds like the port is being blocked. What gives???
 
Roshan25 commented:
Did you try restarting your SMTP service after deleting the rule?
 
msheppard74 (Author) commented:
I did and that did not work. In checkpoint, you have to change the security level from high to medium in order to refresh outgoing traffic on a rule. That cleared it up.

So, for the bulk of the questions about this topic I am going to award the majority of points to Sembee. That response has helped me eliminate the RNDRs altogether.