Solved

Exchange server getting hammered with Taiwan spam

Posted on 2006-11-12
6
1,162 Views
Last Modified: 2012-05-05
My SMTP server is constantly getting taken offline.  I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1.  I keep getting a queue to yahoo.com.tw with ~90,000 emails in it in the RETRY state.  Also there are usually about a dozen other .tw domains with a few hundred queued e-mails in each.  

I have already gone through this document http://www.amset.info/exchange/spam-cleanup.asp.  I am not open for relay from outside of my subnet.  This is not an NDR attack as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering.  This is not an authenticated user sending out spam.

Here are a couple of the senders I can see in the yahoo.com.tw queue:

=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>
=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>
=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>


Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:

This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.



And MSExchangeTransport is also spitting out a bunch of errors like these:

This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.



I have tried just blocking the IPs that are making these warnings and errors, but there are just too many. They keep coming; I've blocked a dozen of them.


I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well.  It seems to me that these spammers may have found a way to buffer overflow the SMTP server and write to the queue directory??  I do not know what is going on.  Help!



Question by:ryandale56

6 Comments
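As an added triage example (not code from the original question or any of the answers), the following Python script works through the evidence quoted above: the three MSExchangeTransport event texts and the three sender lines. It separates the events into outbound delivery attempts (the local server sent a command and a remote host answered) and inbound connections (a remote client sent a command and the local server answered), flags HELO/EHLO arguments that are not hostnames or address literals, extracts the envelope sender from outbound MAIL FROM commands, and decodes the RFC 2047 encoded display names while reporting which encoded-words are malformed. The regular expressions are written against the exact wording of the events quoted in the question and are an assumption about how other events of the same type are phrased; any event that does not match is returned as None rather than guessed at. Sample inputs are copied from the post; all function and variable names are my own.

```python
import re
from email.header import decode_header

# Constructed sample input: the three sender lines quoted in the question.
# The second lacks the "?" after its charset and the third names an unknown
# charset ("bib5"), so both are malformed RFC 2047 encoded-words.
SENDERS = [
    "=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>",
    "=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>",
    "=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>",
]

# Constructed sample input: the three MSExchangeTransport event texts quoted in the question.
EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #319. '
    'The remote host "203.188.197.10", responded to the SMTP command "mail" with '
    '"451 Timeout waiting for command, terminating connection.  ". The full command '
    'sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #359. The client at '
    '"24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". '
    'The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #373. The client at '
    '"202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". '
    'The full command sent was "ehlo |".  This will probably cause the connection to fail.',
]

# Outbound: our server issued a command and the remote host answered (a delivery attempt).
# Assumed wording, taken from the warning quoted in the question.
OUTBOUND_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<ip>[\d.]+)", responded to the '
    r'SMTP command "(?P<verb>\w+)" with "(?P<resp>\d{3}[^"]*)"\. '
    r'The full command sent was "(?P<cmd>[^"]*)"'
)
# Inbound: a remote client issued a command and our server answered.
INBOUND_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The client at "(?P<ip>[\d.]+)" sent a "(?P<verb>\w+)" command, '
    r'and the SMTP server responded with "(?P<resp>\d{3}[^"]*)"\. '
    r'The full command sent was "(?P<cmd>[^"]*)"'
)
# HELO/EHLO argument per RFC 5321: a hostname (labels of letters, digits, hyphens) or an address literal.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


def parse_event(text):
    """Turn one protocol-log event into a record with direction, peer IP, verb, code and command."""
    direction, m = "outbound", OUTBOUND_RE.search(text)
    if m is None:
        direction, m = "inbound", INBOUND_RE.search(text)
    if m is None:
        return None
    rec = m.groupdict()
    rec["direction"] = direction
    rec["code"] = int(rec["resp"][:3])
    rec["resp"] = rec["resp"].strip()
    rec["cmd"] = rec["cmd"].strip()
    verb = rec["verb"].lower()
    # Anything other than a hostname/address literal after HELO/EHLO is a client not speaking
    # SMTP properly; the "501 5.5.4 Invalid Address" events in the question are exactly this.
    rec["bad_helo"] = False
    if verb in ("helo", "ehlo"):
        arg = rec["cmd"].partition(" ")[2].strip()
        rec["bad_helo"] = not (HOSTNAME_RE.match(arg) or (arg.startswith("[") and arg.endswith("]")))
    # On outbound MAIL FROM the envelope sender shows what our own queue is trying to deliver.
    fm = re.search(r"<([^>]*)>", rec["cmd"]) if direction == "outbound" and verb == "mail" else None
    rec["mail_from"] = fm.group(1) if fm else ""
    return rec


def triage(events):
    """Aggregate events per direction and peer IP: event count, bad HELO count, envelope senders seen."""
    summary = {"outbound": {}, "inbound": {}}
    for text in events:
        rec = parse_event(text)
        if rec is None:
            continue
        peer = summary[rec["direction"]].setdefault(rec["ip"], {"events": 0, "bad_helo": 0, "mail_from": set()})
        peer["events"] += 1
        peer["bad_helo"] += int(rec["bad_helo"])
        if rec["mail_from"]:
            peer["mail_from"].add(rec["mail_from"])
    return summary


def decode_sender(raw):
    """Decode an RFC 2047 display name and report whether the encoded-word was well-formed."""
    addr = re.search(r"<([^>]+)>", raw)
    address = addr.group(1) if addr else raw.strip()
    name_part = raw[: addr.start()].strip() if addr else ""
    try:
        parts = decode_header(name_part)
        # Undefined code points are replaced rather than failing; only an unknown charset is an error.
        name = "".join(p.decode(cs or "ascii", errors="replace") if isinstance(p, bytes) else p for p, cs in parts)
        well_formed = "=?" not in name  # a leftover "=?" means it was never parsed as an encoded-word
    except LookupError:
        name, well_formed = name_part, False
    return {"address": address, "domain": address.rsplit("@", 1)[-1].lower(), "name": name, "well_formed": well_formed}


if __name__ == "__main__":
    for direction, peers in triage(EVENTS).items():
        for ip, info in peers.items():
            print(direction, ip, info["events"], "events,", info["bad_helo"], "bad HELO,", sorted(info["mail_from"]))
    for s in SENDERS:
        print(decode_sender(s))
```

The direction split is the point of the exercise: the 451 warning records the local server trying to deliver a message with a yahoo.com.tw envelope sender to 203.188.197.10, so that message was already in the local queue, whereas the two 501 events are inbound connections the server rejected. Per-peer aggregation of the inbound side gives a block list candidate; the outbound MAIL FROM addresses tell you what is sitting in the queue.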
 
LVL 26

Expert Comment

by:Vahik
ID: 17928923
Do you do business with Taiwan? If not, why don't you block Taiwan?

When I set up a new Exchange server I block everything, and I mean everything, and open up when needed and requested. It is the same principle as a firewall setup: everything is blocked. I even block my own domain from incoming, especially if mobile users do not insist on sending through Exchange SMTP. Even when they insist, I insist they use OWA.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17928944
If your server is being attacked there are only three ways that the attack can be made:

- NDR
- open relay
- authenticated relay.

There are no other ways that a spammer can attack your server.

Have you turned off authenticated relaying totally? If not, do so. You will then need to restart the SMTP service to break the connections.
You should probably pull the server off the internet as well and get it cleaned up.

If you have any relay settings at all set, then disable them: IP addresses, anything like that. Flush them out and ensure that it is set to "Only the list below" and that the list is blank.

If either of the above impacts your business you will have to live with that. An attack means that drastic measures have to be taken.

Simon.

0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931090
Sembee,

I know for a fact it's not open relay or NDR.  So that means it must be authenticated relay, but why don't my logs show an authentication happening around the same time the spam starts to hit my server hard?  I have turned the MSExchangeTransport logs to maximum and I do see authentication logs, but I do not see anybody authenticating from an unknown computer.  And I also do not see anybody authenticating near or around the same time I see the spam connections coming in.
0

 
LVL 6

Author Comment

by:ryandale56
ID: 17931091
this is weird.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 17931115
Have you turned off authenticated relaying?
Have you changed the administrator password?

The administrator account is the one that is normally attacked.

Simon.
0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931186
I just turned off authentication altogether. Also I am blocking Taiwan subnets.  I'm still not convinced this was an authentication relay attack because the logs don't show that, but thanks for the help.


ryan
0
