Solved

sudden SPAM and bounce email attack?

Posted on 2007-07-28
Last Modified: 2008-03-10
Getting a ton of SPAM and bounces, around 10 a minute for User A.  This influx started at 9:01pm last evening.

I am using SBS 2003 R2 with SP2 running exchange but no SQL or ISA.

In the security event logs, it shows User B "account logon" event 680 at 9:00:56pm last night, and "logon/logoff" event 540 at the same time (9:00:56).  It then shows, one second later (9:00:57), "logon/logoff" event 538, "account logon" event 680, and "logon/logoff" event 540, all by User B from her workstation at home (which is where she uses Outlook over RPC over HTTP).

When I looked at the Mailboxes list under Mailbox Store in Exchange, it showed that this account (User A's account) was "last logged on by" another user (User B) at 4:02am this morning.  It also shows that User B logged onto her own account at the same time.  There is no possibility that that user logged on at that time.  She does use RPC over HTTP for email, but does not VPN into the server.

Looking at the event logs for Application, I see an "RPC Proxy" source, "Startup" category, event ID 3, at 4:02:28am this morning.  All it says is "RPC Proxy successfully loaded in Internet Information Services (IIS) mode 6.0".  Googling this found nothing.

What all is going on here?
Question by:fl4ian
6 Comments
LVL 104

Accepted Solution

by:
Sembee earned 2000 total points
ID: 19585565
You cannot rely on user logins to show what has actually happened. A user can be shown as logging in to an account simply by looking up that user's calendar.

The RPC Proxy message is perfectly normal. That will not point to anything suspicious. That is why you didn't find anything in Google - it is a regular message, not an error.

You haven't actually said anything else about the first line of your question. From what I can see, the rest of the question is about what I would consider to be regular events on an Exchange server, certainly nothing to be worried about.

Simon.

Author Comment

by:fl4ian
ID: 19586624
Thank you for the reassurance, Sembee.  All of the messages are bouncing from one old domain that the company has, and User A is the catch-all account for that old domain.  So, taking User A off as catch-all should all but eliminate this problem, I would think.

But the greater question is why is this happening, and what can I do in the future to prevent it from happening again?
LVL 104

Expert Comment

by:Sembee
ID: 19588958
Still not sure what you are actually asking.

You said: "But the greater question is why is this happening, and what can I do in the future to prevent it from happening again?"

Why is what happening? You haven't actually said what is occurring apart from the first line in your original question. That line is basically as good as walking up to a mechanic and saying that your car will not start and expecting him to diagnose the problem from that information alone.

Simon.

Author Comment

by:fl4ian
ID: 19589078
I'm looking for the reasons for the sudden influx of mail for User A.  I'm assuming that it is someone else acting as a spam relay, but I want to make sure that I haven't done anything that would make it easy for this to happen with a domain that they ARE using.  In other words, protection against this sudden influx of spam and bounces.

I'm not sure if I've given you any more info than before...
LVL 104

Assisted Solution

by:Sembee
Sembee earned 2000 total points
ID: 19589337
There can be any number of reasons why the amount of spam that is received by that user has gone up, most of them for reasons that are outside of your control.
If that user is a catch-all for a domain and a spammer decides to attempt a directory harvest attack, or simply sends spam to every variant of email address that is possible in their directory, then the user will get lots of spam. That is because with a catch-all account no email address is invalid. Catch-all mailboxes should not be used these days, and if you are using one you should consider changing that policy. Instead, only specific email addresses should be used, with recipient filtering configured to control what email the server accepts. I have sites that drop 10,000 misaddressed email messages a day.

Simon.
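To make the catch-all versus recipient-filtering point concrete, here is an added Python example; it is not code from this thread, from Exchange, or from any tool the answer names. It assumes a hypothetical local domain `old-example.com`, a constructed set of known mailboxes, and a constructed SMTP RCPT log in a made-up one-line-per-recipient format. It shows how a catch-all accepts every address in the domain while recipient filtering rejects unknown ones (mail for foreign domains is refused either way, so this is not about relaying), and how a burst of distinct unknown recipients from one source within a short window, the directory-harvest pattern Simon describes, can be flagged from such a log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical accepted domain and its known mailboxes (constructed for this example).
LOCAL_DOMAIN = "old-example.com"
VALID_RECIPIENTS = {
    "usera@old-example.com",
    "userb@old-example.com",
    "sales@old-example.com",
}


def accept_recipient(address, valid, catch_all=False):
    """Decide whether the server should accept RCPT TO for this address.

    With catch_all=True every address in the local domain is accepted, so a
    harvester never sees a rejection ("no email address is invalid").  With
    recipient filtering only known mailboxes are accepted.  Addresses outside
    the local domain are refused in both modes (no open relay).
    """
    addr = address.strip().lower()
    if addr in valid:
        return True
    return catch_all and addr.endswith("@" + LOCAL_DOMAIN)


# Constructed log format: "<date> <time> <client-ip> RCPT TO:<address>".
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) RCPT TO:<([^>]+)>$"
)


def parse_log_line(line):
    """Return (timestamp, client_ip, recipient) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3).lower()


# Constructed sample: one source walks alphabetical guesses in a few seconds,
# two legitimate senders hit real mailboxes, one typo, one foreign-domain attempt.
SAMPLE_LOG = """
2007-07-27 21:01:05 203.0.113.7 RCPT TO:<aaron@old-example.com>
2007-07-27 21:01:06 203.0.113.7 RCPT TO:<abby@old-example.com>
2007-07-27 21:01:07 203.0.113.7 RCPT TO:<adam@old-example.com>
2007-07-27 21:01:08 203.0.113.7 RCPT TO:<alan@old-example.com>
2007-07-27 21:01:09 203.0.113.7 RCPT TO:<alex@old-example.com>
2007-07-27 21:01:10 203.0.113.7 RCPT TO:<usera@old-example.com>
2007-07-27 21:03:00 198.51.100.4 RCPT TO:<sales@old-example.com>
2007-07-27 21:15:00 198.51.100.9 RCPT TO:<typo@old-example.com>
2007-07-27 21:20:00 192.0.2.10 RCPT TO:<usera@other-example.net>
""".strip().splitlines()


def detect_harvest(lines, valid, window=timedelta(minutes=1), threshold=5):
    """Flag client IPs that try `threshold` or more distinct unknown local
    recipients within `window`.  Returns a sorted list of offending IPs."""
    unknown_by_ip = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        ts, ip, rcpt = rec
        if rcpt not in valid and rcpt.endswith("@" + LOCAL_DOMAIN):
            unknown_by_ip[ip].append((ts, rcpt))

    flagged = []
    for ip, events in unknown_by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct unknown recipients in the window starting at this event.
            in_window = {r for t, r in events[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def summarize(lines, valid):
    """Count what each policy would accept and which sources look like a harvest."""
    catch_all = filtered = 0
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        _, _, rcpt = rec
        catch_all += accept_recipient(rcpt, valid, catch_all=True)
        filtered += accept_recipient(rcpt, valid)
    return {
        "catch_all_accepted": catch_all,
        "filtered_accepted": filtered,
        "flagged_sources": detect_harvest(lines, valid),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, VALID_RECIPIENTS))
```

On the constructed sample the catch-all policy accepts eight of the nine recipients (everything in the domain, including the five guesses and the typo), recipient filtering accepts only the two real mailboxes, and the detector flags `203.0.113.7` as the harvesting source. The threshold and window are arbitrary starting points; on a real server they should be tuned against normal traffic so legitimate senders with an occasional misaddressed message are not flagged.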

Author Comment

by:fl4ian
ID: 19590139
For my knowledge, even though I know that for the most part they ARE out of my control, what are the most common reasons that I'd see a sudden influx of spam and bounces (beside the directory harvest)?