Solved

Exchange server getting hammered with Taiwan spam

Posted on 2006-11-12
Last Modified: 2012-05-05
My SMTP server is constantly getting taken offline. I am using Exchange Server 2003 SP2 and Windows Server 2003 SP1. I keep getting a queue to yahoo.com.tw with ~90,000 emails in it in the RETRY state. Also there are usually about a dozen other .tw domains with a few hundred queued e-mails in each.

I have already gone through this document http://www.amset.info/exchange/spam-cleanup.asp. I am not open for relay from outside of my subnet. This is not an NDR attack, as I do not see any e-mails sent from postmaster, and I have also enabled recipient filtering. This is not an authenticated user sending out spam.

Here are a couple of the senders I can see in the yahoo.com.tw queue:

=?big5?B?obSm4qlmqWay5qX6pfqhtA==?= <Sean_Sara852@ms10.url.com.tw>
=?big5B?obSk0ajPpKe3UqG0?= <Joshua_Jessica258@sina.com.tw>
=?bib5?B?obSnS7ZPZaldsaGhtA==?= <Garrett_Melanie56@yahoo.com.tw>


Also, I have turned up a bunch of the logging through Exchange and I am seeing a bunch of Warnings from MSExchangeTransport like the following:

This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.



And MSExchangeTransport is also spitting out a bunch of errors like these:

This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.

This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.



I have tried just blocking the IPs that are making these warnings and errors, but there are just too many... they keep coming; I've blocked a dozen of them.


I have just enabled logging on the actual SMTP server, so I will post anything suspicious in there as well. It seems to me that these spammers may have found a way to buffer-overflow the SMTP server and write to the queue directory? I do not know what is going on. Help!



Question by:ryandale56
6 Comments
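The two kinds of MSExchangeTransport event quoted in the question carry different information. The "remote host ... responded" warning is this server's own outbound delivery attempt (a MAIL FROM with a yahoo.com.tw sender, which is the sending side of the .tw queues described), while the "client at ... sent" errors are inbound connections whose HELO/EHLO argument the server rejected with 501. Pulling both out of the application log and aggregating per client IP shows whether a few sources dominate or, as the asker found, whether there are too many for per-IP blocking to help. The following Python script is an added example, not code from the thread or from Exchange; it parses the three event texts quoted above (embedded as a constructed sample), and the hostname syntax it applies to HELO arguments is the RFC 5321 form, an assumption about what the server's "Invalid Address" response corresponds to.

```python
"""Triage MSExchangeTransport SMTP protocol events from the application log.

Added example, not from the original thread. Separates outbound events
(this server talking to a remote MX) from inbound events (a remote client
talking to this server), then aggregates rejected inbound commands per
client IP and collects HELO/EHLO arguments that are not valid hostnames.
"""
import re
from collections import Counter

# Constructed sample: the three event texts quoted in the question, verbatim.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #319. The remote host "203.188.197.10", responded to the SMTP command "mail" with "451 Timeout waiting for command, terminating connection.  ". The full command sent was "MAIL FROM:<Seth_Allison258@yahoo.com.tw> SIZE=1039  ".  This may cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #359. The client at "24.164.20.75" sent a "helo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "helo http://mail.oldartero.com:8888/cgi-bin/put".  This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #373. The client at "202.76.167.167" sent a "ehlo" command, and the SMTP server responded with "501 5.5.4 Invalid Address  ". The full command sent was "ehlo |".  This will probably cause the connection to fail.',
]

# Outbound: our server is the SMTP client and a remote host answered it.
_OUTBOUND = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<ip>[\d.]+)", responded to the '
    r'SMTP command "(?P<cmd>\w+)" with "(?P<resp>\d{3}[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*)"'
)
# Inbound: a remote client sent a command and our server answered it.
_INBOUND = re.compile(
    r'connection #(?P<conn>\d+)\. The client at "(?P<ip>[\d.]+)" sent a "(?P<cmd>\w+)" command, '
    r'and the SMTP server responded with "(?P<resp>\d{3}[^"]*)"\. '
    r'The full command sent was "(?P<full>[^"]*)"'
)
# Assumption: a HELO/EHLO argument should be an RFC 5321 hostname (dot-separated
# labels) or an address literal in square brackets.
_LABEL = r'[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
_HELO_ARG = re.compile(rf'^(?:{_LABEL}(?:\.{_LABEL})*|\[[0-9A-Za-z:.]+\])$')


def parse_event(text):
    """Return a dict describing one event text, or None if it is not an SMTP protocol event."""
    for direction, pattern in (("outbound", _OUTBOUND), ("inbound", _INBOUND)):
        m = pattern.search(text)
        if m:
            full = m.group("full").strip()
            parts = full.split(None, 1)  # verb, then everything after it
            return {
                "direction": direction,
                "connection": int(m.group("conn")),
                "ip": m.group("ip"),
                "command": m.group("cmd").lower(),
                "status": int(m.group("resp")[:3]),
                "response": m.group("resp").strip(),
                "argument": parts[1] if len(parts) > 1 else "",
            }
    return None


def valid_helo_argument(argument):
    """True if the HELO/EHLO argument is a syntactically plausible hostname or address literal."""
    return bool(_HELO_ARG.match(argument))


def envelope_sender(argument):
    """Extract the address inside <...> from a MAIL FROM argument, or None."""
    m = re.search(r"<([^>]*)>", argument)
    return m.group(1) if m else None


def summarize(texts):
    """Aggregate rejected inbound commands per IP, bad HELO arguments, and outbound sender domains."""
    rejected_by_ip = Counter()
    bad_helo = []
    outbound_sender_domains = Counter()
    for text in texts:
        ev = parse_event(text)
        if ev is None:
            continue
        if ev["direction"] == "inbound":
            if ev["status"] >= 400:
                rejected_by_ip[ev["ip"]] += 1
            if ev["command"] in ("helo", "ehlo") and not valid_helo_argument(ev["argument"]):
                bad_helo.append((ev["ip"], ev["argument"]))
        elif ev["command"] == "mail":
            sender = envelope_sender(ev["argument"])
            if sender and "@" in sender:
                outbound_sender_domains[sender.rsplit("@", 1)[1].lower()] += 1
    return {
        "rejected_by_ip": rejected_by_ip,
        "bad_helo": bad_helo,
        "outbound_sender_domains": outbound_sender_domains,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for ip, n in s["rejected_by_ip"].most_common():
        print(f"{ip}: {n} rejected inbound command(s)")
    for ip, arg in s["bad_helo"]:
        print(f"invalid HELO/EHLO argument from {ip}: {arg!r}")
    for dom, n in s["outbound_sender_domains"].most_common():
        print(f"outbound envelope sender domain {dom}: {n}")
```

On a real server the input would be every MSExchangeTransport event exported from the application log; the per-IP counter then tells you whether blocking addresses is worth the effort, and the outbound sender-domain counter shows which forged sender domains the queue is carrying.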
 
LVL 26

Expert Comment

by:Vahik
ID: 17928923
Do you do business with Taiwan? If not, why don't you block Taiwan?

When I set up a new Exchange, I block everything... and I mean everything... and open up when needed and requested. The same principle as a firewall setup: everything is blocked. I even block my own domain from incoming, especially if mobile users do not insist on sending through Exchange SMTP... even when they insist, I insist they use OWA.
0
 
LVL 104

Expert Comment

by:Sembee
ID: 17928944
If your server is being attacked there are only three ways that the attack can be made...

- NDR
- open relay
- authenticated relay.

There are no other ways that a spammer can attack your server.

Have you turned off authenticated relaying totally? If not, do so. You will then need to restart the SMTP service to break the connections.
You should probably pull the server off the internet as well and get it cleaned up.

If you have any relay settings at all set, then disable them: IP address, anything like that. Flush them out and ensure that it is set to "Only the list below" and that the list is blank.

If either of the above impacts your business you will have to live with that. An attack means that drastic measures have to be taken.

Simon.

0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931090
Sembee,

I know for a fact it's not open relay or NDR. So that means it must be authenticated relay, but why don't my logs show an authentication happening around the same time the spam starts to hit my server hard? I have turned the MSExchangeTransport logs to maximum and I do see authentication logs, but I do not see anybody authenticating from an unknown computer. And I also do not see anybody authenticating near or around the same time I see the spam connections coming in.
0
 
LVL 6

Author Comment

by:ryandale56
ID: 17931091
this is weird.
0
 
LVL 104

Accepted Solution

by:Sembee (earned 500 total points)
ID: 17931115
Have you turned off authenticated relaying?
Have you changed the administrator password?

The administrator account is the one that is normally attacked.

Simon.
0
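Simon's three vectors (NDR, open relay, authenticated relay) and Ryan's question about why no authentication shows up around the spam bursts can both be checked against the SMTP virtual server's own protocol log, the one Ryan says he has just enabled, rather than the application event log: an authenticated relay shows up as a successful AUTH followed by RCPT commands to domains the server does not host, and an open relay as the same RCPT commands accepted with no AUTH at all. The following Python script is an added example, not code from the thread or from Microsoft. Its log lines are a constructed sample in a W3C extended layout defined by its own `#Fields:` header (a real log's columns depend on which fields were enabled, and the parser follows whatever header it finds), the local-domain list is an assumption, and the "administrator" session is invented to show what Simon's scenario would look like, not something taken from the asker's server.

```python
"""Correlate AUTH with MAIL/RCPT in an SMTP virtual server protocol log.

Added example, not code from the thread or from Microsoft. Reads
W3C-extended-style log lines, follows the #Fields: header for the column
layout, tracks authentication state per client IP, and reports
  (a) external recipients accepted inside an authenticated session, and
  (b) external recipients accepted with no authentication at all.
Both are relaying; only (a) would explain spam on a server that is closed
to anonymous relay.
"""
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumption: the domains this server accepts mail for. RCPT to any other
# domain is relaying.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample. Column layout is declared by the #Fields: line; a real
# log's header will differ and the parser adapts to it. The 'administrator'
# session is invented to show what an authenticated relay looks like.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-11-12 03:14:07
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2006-11-12 03:14:07 198.51.100.23 - 192.0.2.10 25 EHLO mail.example.net 250
2006-11-12 03:14:08 198.51.100.23 - 192.0.2.10 25 AUTH LOGIN 334
2006-11-12 03:14:09 198.51.100.23 administrator 192.0.2.10 25 AUTH - 235
2006-11-12 03:14:10 198.51.100.23 administrator 192.0.2.10 25 MAIL +FROM:+<Seth_Allison258@yahoo.com.tw> 250
2006-11-12 03:14:10 198.51.100.23 administrator 192.0.2.10 25 RCPT +TO:+<someone@yahoo.com.tw> 250
2006-11-12 03:14:12 198.51.100.23 administrator 192.0.2.10 25 QUIT - 221
2006-11-12 03:14:30 203.0.113.7 - 192.0.2.10 25 HELO | 501
2006-11-12 03:14:31 203.0.113.9 - 192.0.2.10 25 MAIL +FROM:+<sender@mail.example.net> 250
2006-11-12 03:14:31 203.0.113.9 - 192.0.2.10 25 RCPT +TO:+<user@example.com> 250
2006-11-12 03:14:40 203.0.113.11 - 192.0.2.10 25 MAIL +FROM:+<Garrett_Melanie56@yahoo.com.tw> 250
2006-11-12 03:14:41 203.0.113.11 - 192.0.2.10 25 RCPT +TO:+<recipient@yahoo.com.tw> 250
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by the #Fields: names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("log data before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        rows.append(dict(zip(fields, values)))
    return rows


def address_in(argument):
    """Extract the bare address from 'FROM:<a@b>' / 'TO:<a@b>' after W3C '+' decoding."""
    argument = unquote_plus(argument)  # '+' stands for a space in W3C logs
    start, end = argument.find("<"), argument.find(">")
    if start == -1 or end == -1 or end < start:
        return None
    return argument[start + 1:end].strip().lower()


def is_external(address):
    """True if the address is for a domain this server does not host."""
    return address is not None and "@" in address and address.rsplit("@", 1)[1] not in LOCAL_DOMAINS


def find_relays(rows):
    """Return accepted external recipients split by whether the session had authenticated."""
    authed = {}                       # client IP -> username after a 235 AUTH success
    relays = defaultdict(int)         # (client IP, username) -> external RCPTs accepted
    unauth_relay = defaultdict(int)   # client IP -> external RCPTs accepted without AUTH
    for r in rows:
        ip, method, status = r["c-ip"], r["cs-method"].upper(), r["sc-status"]
        if method == "AUTH" and status == "235":
            authed[ip] = r["cs-username"]
        elif method == "RCPT" and status == "250":
            rcpt = address_in(r["cs-uri-query"])
            if not is_external(rcpt):
                continue  # inbound mail for a hosted domain is not relaying
            if ip in authed:
                relays[(ip, authed[ip])] += 1
            else:
                unauth_relay[ip] += 1
        elif method == "QUIT":
            authed.pop(ip, None)  # session over; later connections start anonymous
    return {"authenticated": dict(relays), "unauthenticated": dict(unauth_relay)}


if __name__ == "__main__":
    result = find_relays(parse_w3c(SAMPLE_LOG))
    for (ip, user), n in result["authenticated"].items():
        print(f"authenticated relay: {user} from {ip}, {n} external recipient(s)")
    for ip, n in result["unauthenticated"].items():
        print(f"open relay indicator: {ip} sent to {n} external recipient(s) without AUTH")
```

Sessions are approximated by client IP, which is the only session handle the log offers; QUIT clears the authenticated state so a later anonymous connection from the same address is not miscounted. A non-empty "authenticated" result names the account to reset, which is the check behind Simon's password question; a non-empty "unauthenticated" result means the relay restrictions are not what the administrator believes they are.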
 
LVL 6

Author Comment

by:ryandale56
ID: 17931186
I just turned off authentication altogether... also I am blocking Taiwan subnets. I'm still not convinced this was an authenticated relay attack because the logs don't show that... but thanks for the help.


ryan
0
