Solved

Exchange server getting hammered with Taiwan spam

Posted on 2006-11-12
Last Modified: 2012-05-05
My SMTP server is constantly getting taken offline.  I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1.  I keep getting a queue to yahoo.com.tw with ~90,000 emails in it in the RETRY state.  Also there is usually about a dozen other .tw domains with a few hundred queued e-mails in each.  

I have already gone through this document http://www.amset.info/exchange/spam-cleanup.asp.  I am not open for relay from outside of my subnet.  This is not an NDR attack as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering.  This is not an authenticated user sending out spam.

Here are a couple of the senders I can see in the yahoo.com.tw queue:

=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>
=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>
=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>


Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:

This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.



And MSExchangeTransport is also spitting out a bunch of errors like these:

This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.



I have tried just blocking the IPs that are making these warnings and errors, but there are just too many....they keep coming, I've blocked a dozen of them.


I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well.  It seems to me that these spammers may have found a way to buffer overflow the SMTP server and write to the queue directory??  I do not know what is going on.  Help!



Question by:ryandale56
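Added example (not code from the question or any of the answers): a small Python parser for the two MSExchangeTransport protocol-log event shapes quoted above. It tallies hits per remote IP, the sender domains in the server's own outbound MAIL FROM commands, and clients whose HELO/EHLO argument is not a hostname or address literal, which is the kind of summary that tells you whether you are looking at a handful of sources or a botnet. The sample input is the three events from the question; the regexes assume the event text keeps exactly the wording shown there.

```python
import re
from collections import Counter

# Two MSExchangeTransport event shapes quoted in the question: a "warning" (the remote
# host answered one of OUR commands) and an "error" (a client's command was rejected).
WARNING_RE = re.compile(r'The remote host "(?P<ip>[^"]+)", responded to the SMTP command '
                        r'"(?P<verb>\w+)" with "(?P<reply>[^"]*)"\. The full command sent was "(?P<cmd>[^"]*)"')
ERROR_RE = re.compile(r'The client at "(?P<ip>[^"]+)" sent a "(?P<verb>\w+)" command, and the SMTP '
                      r'server responded with "(?P<reply>[^"]*)"\. The full command sent was "(?P<cmd>[^"]*)"')
# RFC 2821 allows a hostname or an address literal after HELO/EHLO; URLs, pipes and the like are a bot tell.
HELO_ARG_RE = re.compile(r'^(?:[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*|\[[0-9.]+\])$')
SENDER_DOMAIN_RE = re.compile(r'FROM:<[^@>]*@([^>]+)>', re.IGNORECASE)

def parse_event(text):
    """Return {ip, verb, reply, cmd, direction} for a protocol log event, else None."""
    for direction, rx in (("outbound", WARNING_RE), ("inbound", ERROR_RE)):
        m = rx.search(text)
        if m:
            rec = {k: v.strip() for k, v in m.groupdict().items()}
            rec["verb"], rec["direction"] = rec["verb"].lower(), direction
            return rec
    return None

def suspicious_helo(rec):
    """True for an inbound HELO/EHLO whose argument is not a hostname or address literal."""
    if rec["direction"] != "inbound" or rec["verb"] not in ("helo", "ehlo"):
        return False
    parts = rec["cmd"].split(None, 1)
    return len(parts) < 2 or not HELO_ARG_RE.match(parts[1])

def summarize(events):
    """Hits per remote IP, sender domains seen in our outbound MAIL FROM, and junk-HELO IPs."""
    recs = [r for r in map(parse_event, events) if r]
    by_ip = Counter(r["ip"] for r in recs)
    domains = Counter(m.group(1).lower() for r in recs if r["direction"] == "outbound"
                      for m in [SENDER_DOMAIN_RE.search(r["cmd"])] if m)
    bad_helo = sorted({r["ip"] for r in recs if suspicious_helo(r)})
    return {"by_ip": by_ip, "sender_domains": domains, "bad_helo": bad_helo}

# Sample input: the three event texts quoted in the question above.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host '
    '"203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating '
    'connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".',
    'This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a '
    '"helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was '
    '"helo http://mail.oldartero.com:8888/cgi-bin/put".',
    'This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a '
    '"ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".',
]
```

Feed it the event texts exported from the Application log and the `bad_helo` list is a ready-made block list, while `sender_domains` shows which domains the forged senders claim to come from.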
6 Comments
 
LVL 26

Expert Comment

by:Vahik
ID: 17928923
Do you do business with Taiwan....if not...why don't you block TAIWAN....

When I set up a new Exchange.....I block everything....and I mean everything.....and open up when needed and requested....the same principle as a firewall setup....everything is blocked.....I even block my own domain from incoming.....especially if mobile users do not insist on sending through Exchange SMTP.......even when they insist I insist they use OWA....
 
LVL 104

Expert Comment

by:Sembee
ID: 17928944
If your server is being attacked there are only three ways that the attack can be made...

- NDR
- open relay
- authenticated relay.

There are no other ways that a spammer can attack your server.

Have you turned off authenticated relaying totally? If not, do so. You will then need to restart the SMTP service to break the connections.
You should probably pull the server off the internet as well and get it cleaned up.

If you have any relay settings at all set, then disable them. IP address, anything like that. Flush them out and ensure that it is set to Only the list below and that the list is blank.

If either of the above impacts your business you will have to live with that. An attack means that drastic measures have to be made.

Simon.

 
LVL 6

Author Comment

by:ryandale56
ID: 17931090
Sembee,

I know for a fact it's not open relay or NDR.  So that means it must be authenticated relay, but why don't my logs show an authentication happening around the same time the spam starts to hit my server hard?  I have turned the MSExchangeTransport logs to maximum and I do see authentication logs, but I do not see anybody authenticating from an unknown computer.  And I also do not see anybody authenticating near or around the same time I see the spam connections coming in.
 
LVL 6

Author Comment

by:ryandale56
ID: 17931091
This is weird.
 
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 17931115
Have you turned off authenticated relaying?
Have you changed the administrator password?

The administrator account is the one that is normally attacked.

Simon.
 
LVL 6

Author Comment

by:ryandale56
ID: 17931186
I just turned off authentication altogether..... also I am blocking Taiwan subnets.  I'm still not convinced this was an authentication relay attack because the logs don't show that....  but thanks for the help.


ryan