• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1229
  • Last Modified:

Exchange server getting hammered with Taiwan spam

My SMTP server is constantly getting taking offline.  I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1.  I keep getting a queue to yahoo.com.tw with ~90,000 emails in it in the RETRY state.  Also there is usually about a dozen other .tw domains with a few hundred queued e-mails in each.  

I have already gone through this document http://www.amset.info/exchange/spam-cleanup.asp.  I am not open for relay from oustide of my subnet.  This is not an NDR attack as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering.  This is not an authenticated user sending out spam.

Here are a couple of the senders I can see in the yahoo.com.tw queue:

=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>
=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>
=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>


Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:

This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.



And MSExchangeTransport is also spitting out a bunch of errors like these:

This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.



I have tried just blocking the IPs that are making these warnings and errors, but there are just too many....they keep coming, i've blocked a dozen of them.


I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well.  It seems to me that these spammers may have found a way to buffer overflow the SMTP server and write to the queue directory??  I do not know what is going on.  Help!



0
ryandale56
Asked:
ryandale56
  • 3
  • 2
1 Solution
 
VahikCommented:
do u do buiness with twiwan....if not ...why dont u block TWIWAN....

when i setup a new exchange .....i block everything....and i mean everything.....and open up when needed and requested....the same principle as a firewall setup....everything is blocked.....i even block my own domain from incomming.....specially if mobile users do not insist sending through exchange smtp.......even when they insist i insist they use OWA....
0
 
SembeeCommented:
If you are server is being attacked there are only three ways that the attack can be made...

- NDR
- open relay
- authenticated relay.

There are no other ways that a spammer can attack your server.

Have you turned off authenticated relaying totally? If not, do so. You will then need to restart the SMTP service to break the connections.
You should probably pull the server off the internet as well and get it cleaned up.

If you have any relay settings at all set, then disable them. IP address anything like that. Flush them out and ensure that it is set to Only the list below and that the list is blank.

If either of the above impacts your business you will have to live with that. An attack means that drastic measures have to be made.

Simon.

0
 
ryandale56Author Commented:
Sembee,

I know for a fact its not open relay or NDR.  So that means it must be authenticated relay, but why don't my logs show an authentication happening around the same time the spam starts to hit my server hard?  I have turned the MSExchangeTransport logs to maximum and I do see authentication logs, but I do not see anybody authenticating from an unknown computer.  And I also do not see anybody authenticating near or around the same time I see the spam connections coming in.
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
ryandale56Author Commented:
this is weird.
0
 
SembeeCommented:
Have you turned off authenticated relaying?
Have you changed the administrator password?

The administrator account is the one that is normally attacked.

Simon.
0
 
ryandale56Author Commented:
I just turned off authentication all together..... also I am blocking Taiwan subnets.  I'm still not convinced this was an authentication relay attack because the logs don't show that....  but thanks for the help.


ryan
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now