[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280
  • Last Modified:

Using Exchange connection to send spam

Hi Experts,

One of our customers had a small issue with an bringing an infected laptop onto their network. It appears that it sent out a bit of spam.  In response we've adjusted visitor access and have modified a number of firewall policies. One thought did occur to me though. Is it possible for a virus/malware application to use the mail account for exchange and route it's garbage mail through the exchange server?

Another way to ask this, is if the user logs into the domain when he/she signs into their account, are they considered an authenticated user to the exchange server in respects for relaying?

Thanks,
Pete Hanson
UAR
0
upandrun3
Asked:
upandrun3
1 Solution
 
SembeeCommented:
I would be surprised if the spam message went through your Exchange server. I have never seen spam go through Exchange that way before.

What probably happened was the infected machine has its own SMTP engine and sent the messages out that way. If you only have a single IP address then the message would appear to come from your site.

The best way to deal with this is to block port 25 (SMTP) for the entire network. If an infected machine tries to connect to the outside world then it will fail and fill up the event logs on your firewall.

As for authenticated relaying, connecting to the network does not allow relaying over the SMTP interface of Exchange, unless your Exchange server is configured to allow relaying based on IP address (which is a bad idea).
The client machine would still have to authenticate to send its messages.

A MAPI connection is something very different and I haven't seen a piece of malware use a MAPI connection to send its messages (not that they don't exist - but there would be little point as MAPI is mainly a business service and most compromised machines are at home).

Simon.
0
 
upandrun3Author Commented:
Hi Simon,

Thanks for the reply.

That's what I was figuring, just wanted to get another experts opinion on the possibility. I've already locked down the router to prevent communication over port 25.

Thanks,
Pete
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now