Solved

Exchange server getting hammered with Taiwan spam

Posted on 2006-11-12
6
1,130 Views
Last Modified: 2012-05-05
My SMTP server is constantly getting taking offline.  I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1.  I keep getting a queue to yahoo.com.tw with ~90,000 emails in it in the RETRY state.  Also there is usually about a dozen other .tw domains with a few hundred queued e-mails in each.  

I have already gone through this document http://www.amset.info/exchange/spam-cleanup.asp.  I am not open for relay from oustide of my subnet.  This is not an NDR attack as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering.  This is not an authenticated user sending out spam.

Here are a couple of the senders I can see in the yahoo.com.tw queue:

=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>
=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>
=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>


Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:

This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.



And MSExchangeTransport is also spitting out a bunch of errors like these:

This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.



I have tried just blocking the IPs that are making these warnings and errors, but there are just too many....they keep coming, i've blocked a dozen of them.


I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well.  It seems to me that these spammers may have found a way to buffer overflow the SMTP server and write to the queue directory??  I do not know what is going on.  Help!



0
Comment
Question by:ryandale56
  • 3
  • 2
6 Comments
 
LVL 26

Expert Comment

by:Vahik
ID: 17928923
do u do buiness with twiwan....if not ...why dont u block TWIWAN....

when i setup a new exchange .....i block everything....and i mean everything.....and open up when needed and requested....the same principle as a firewall setup....everything is blocked.....i even block my own domain from incomming.....specially if mobile users do not insist sending through exchange smtp.......even when they insist i insist they use OWA....
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17928944
If you are server is being attacked there are only three ways that the attack can be made...

- NDR
- open relay
- authenticated relay.

There are no other ways that a spammer can attack your server.

Have you turned off authenticated relaying totally? If not, do so. You will then need to restart the SMTP service to break the connections.
You should probably pull the server off the internet as well and get it cleaned up.

If you have any relay settings at all set, then disable them. IP address anything like that. Flush them out and ensure that it is set to Only the list below and that the list is blank.

If either of the above impacts your business you will have to live with that. An attack means that drastic measures have to be made.

Simon.

0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931090
Sembee,

I know for a fact its not open relay or NDR.  So that means it must be authenticated relay, but why don't my logs show an authentication happening around the same time the spam starts to hit my server hard?  I have turned the MSExchangeTransport logs to maximum and I do see authentication logs, but I do not see anybody authenticating from an unknown computer.  And I also do not see anybody authenticating near or around the same time I see the spam connections coming in.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 6

Author Comment

by:ryandale56
ID: 17931091
this is weird.
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 17931115
Have you turned off authenticated relaying?
Have you changed the administrator password?

The administrator account is the one that is normally attacked.

Simon.
0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931186
I just turned off authentication all together..... also I am blocking Taiwan subnets.  I'm still not convinced this was an authentication relay attack because the logs don't show that....  but thanks for the help.


ryan
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

947 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now