
Domain computer infected - sending out spam using our mail server

We suspect that a computer in our Windows 2003 domain is infected by a worm and is sending out spam using our Exchange mail server.

Because of this, our mail server's IP is being listed on the spam lists.
But, since everyone in our company uses the domain mail server, also most of our normal e-mail is blocked.

Instead of going to every single computer in our company (about 50 computers),
is there a way on the Exchange mail server to see which computer in our domain is sending an unusual amount of e-mails?

Asked by: raket
1 Solution
 
ATIGCommented:
You can look at the message tracking logs and look for high traffic from a user, or protocol logs etc.

Also, check your queues; you may catch messages in the outbound queue to see who the sender is, which might help you narrow down the machine.

0
 
raketAuthor Commented:
Do you mean the Queue or Pickup folder?

The queue folder has about 260 spam messages that are trying to send (with dates between now and 2 days ago) from "postmaster@our domain.com"

Can this be the spam, that someone is trying to send spam from our postmaster address?
If yes, any way to stop / prevent this?
0
 
SembeeCommented:
It is not a machine on your domain that is sending spam.
Spammers do not attempt to send email via another server on the network, as that makes it easy to spot. All spam tools have their own SMTP stack and will attempt to send spam directly.

If the messages are from postmaster@ then you are the victim of NDR spam.
It isn't clear which version of Exchange you are using, but if it is Exchange 2003 on Windows 2003 then you can use the recipient filtering and tar pit option to stop this form of abuse.
To clean up the server, see my clean up article here: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
0
 
drawlinCommented:
I bow to Sembee. He is correct, it's a reverse NDR attack. His solution will work. Additionally, if your firewall allows, restrict all outbound TCP port 25 traffic to the IP of your mail server... or anti-spam server if you have one and have it configured as a smart host.
0
 
raketAuthor Commented:
I followed the steps in Sembee's article, but we still keep getting listed on spam lists.

Mainly CBL and SpamCop.
http://www.senderbase.org/senderbase_queries/detailip?search_string=216.110.51.149&show_rbl=1

We are desperate, since we don't know what to do...

Our online spam filter is Postini. Our e-mail MX sends all incoming e-mail to the Postini spam filter, and Postini sends everything to our local Exchange server. Our Exchange server is (I think) correctly configured to only accept e-mail from the Postini server, and in addition to only send all outgoing e-mail to the Postini filter.

Our spam problem is clearly our server sending it ... the incoming spam filtering is OK.

I don't know if
1) other people (outside of our domain) are able to use our Exchange server to send out spam. How do I definitely check this? I think relaying is denied (for example, telnet to port 25 doesn't work), but I want to make sure that this possibility is gone.
or
2) if the problem is with Postini not checking our outgoing e-mails. The Postini server is set up as a smart host in the SMTP job.

Advice ???



0
 
SembeeCommented:
If Postini are dealing with your incoming email then have you restricted the SMTP virtual server or SMTP access on the firewall to just allow Postini to access the server?

Have you changed your administrator password?
Have you blocked port 25 for everything but the Exchange server?
If you set a false smart host [99.999.99.999] for example, then wait, email should stack up. Is it all legitimate email?

Simon.
0
 
raketAuthor Commented:
The administrator password is the same as before; only the IT admin (me) knows this.

I will check into the firewall config to see,
0
 
SembeeCommented:
The fact that you know it and no one else does is not an indication that it hasn't been compromised. If you haven't changed it then I would suggest that you do. Attacks on the administrator account are very common for this reason.

Simon.
0
 
drawlinCommented:
I'm not familiar with your Anti-SPAM server, but if it's configured properly, it should be just as effective as other spam filters that I am familiar with. At your firewall, only allow incoming and outgoing port 25 traffic to go to and come from the IP of your anti-SPAM server. Set your Exchange server to use the anti-spam server as a smart host and turn off SMTP relay (not on by default). Make sure your anti-spam server is scanning outgoing email for spam as well as incoming.

Lastly.  If you are on blacklists, you may have to visit the various blacklist websites to request to be removed.
0
 
raketAuthor Commented:
We are still listed as spammers :(

This is an example of a spam e-mail that was apparently sent through our server.
Our server is [216.110.51.149] (helo=216-110-51-149.static.twtelecom.net)

Any idea???

---------------------
From pdasl@27deanfield.freeserve.co.uk Thu Jul 26 13:09:28 2007
Delivery-date: Thu, 26 Jul 2007 13:09:28 -0400
Received: from [216.110.51.149] (helo=216-110-51-149.static.twtelecom.net)
by rohan.surriel.com with smtp (Exim 4.63)
(envelope-from <pdasl@27deanfield.freeserve.co.uk>)
id 1IE6q8-00011B-Gc
for victim@smtp.example; Thu, 26 Jul 2007 13:09:28 -0400
Received: from qj.wsk ([62.43.230.96]) by 216-110-51-149.static.twtelecom.net with Microsoft SMTPSVC(5.0.2195.5329); Thu, 26 Jul 2007 12:12:16 -0500
From: "riversongs.com" <pdasl@27deanfield.freeserve.co.uk>
To: <victim@smtp.example>
Subject: You've received an ecard from a School mate!
Date: Thu, 26 Jul 2007 12:12:16 -0500
MIME-Version: 1.0
        format=flowed;
        charset="Windows-1252";
        reply-type=original

Hi. School mate has sent you an ecard.
See your card as often as you wish during the next 15 days.

SEEING YOUR CARD

If your email software creates links to Web pages, click on your  
card's direct www address below while you are connected to the Internet:

http://66.16.201.42

Or copy and paste it into your browser's "Location" box (where Internet  
addresses go).

We hope you enjoy your awesome card.

Wishing you the best,
Administrator,
riversongs.com
________________________________________
0
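To read a message like the one quoted above without guessing, it helps to walk the Received chain hop by hop. The following is an added example, not code from the thread: it unfolds the headers, lists each hop in transit order (earliest first), and reports which host handed the message to a given server. The sample headers are copied from the post; the helper names are my own.

```python
import re

# Sample input: the Received headers quoted in the post above, folded the way
# they appear there (continuation lines start with whitespace).
SAMPLE_HEADERS = """\
Received: from [216.110.51.149] (helo=216-110-51-149.static.twtelecom.net)
 by rohan.surriel.com with smtp (Exim 4.63)
 (envelope-from <pdasl@27deanfield.freeserve.co.uk>)
 id 1IE6q8-00011B-Gc
 for victim@smtp.example; Thu, 26 Jul 2007 13:09:28 -0400
Received: from qj.wsk ([62.43.230.96]) by 216-110-51-149.static.twtelecom.net with Microsoft SMTPSVC(5.0.2195.5329); Thu, 26 Jul 2007 12:12:16 -0500
From: "riversongs.com" <pdasl@27deanfield.freeserve.co.uk>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")        # first bracketed IP = connecting peer
BY_RE = re.compile(r"\bby\s+(\S+)")                           # MTA that wrote the header
WITH_RE = re.compile(r"\bwith\s+(.+?)(?:\s*;|\s+\(|\s+id\s|\s+for\s|$)")  # protocol / software


def unfold(raw):
    """Join RFC 822 folded header lines (continuations start with SP or TAB)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw):
    """Return hops in transit order. Only the topmost Received header was written by
    the final receiving MTA; every lower hop was supplied by the sending side and
    can be forged, so treat them as claims, not evidence."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        value = line.split(":", 1)[1].strip()
        ip, by, with_ = IP_RE.search(value), BY_RE.search(value), WITH_RE.search(value)
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "with": with_.group(1).strip() if with_ else None})
    return list(reversed(hops))          # headers are prepended, so reverse to get transit order


def handoff_to(hops, host):
    """IP of the peer that handed the message to `host`, or None if host wrote no hop."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() == host.lower():
            return hop["from_ip"]
    return None
```

Only the hop written by rohan.surriel.com is trustworthy here; whether the lower hop was really written by the Exchange SMTP service or forged by a bot to look that way is exactly what the firewall logs discussed later in the thread settle.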
 
SembeeCommented:
There is nothing in there to show that it is Exchange sending out the messages.
Therefore it is an infected machine inside your network that is sending out the email directly.
Have you blocked the port 25 traffic on your firewall?

Although that message you have posted above is almost two weeks old. If someone has just reported that then it shouldn't have caused a blacklisting because of its age.

Simon.
0
 
raketAuthor Commented:
Our server and/or network is still sending out spam ...
We're scanning all the computers with Symantec antivirus and Lavasoft Ad-Aware.

Sembee, what do you mean with blocking that port?
Then also our Exchange will not be able to send; how do I then tell what's going on?
How can I, on the server, monitor to see which computer (IP) in our domain is sending out the e-mails?
0
 
SembeeCommented:
If you have a machine on your network sending out spam, then it will quickly show in the logs of the firewall when you close port 25. You have to stop Exchange to stop the false positives, or you have to create an exception. It depends on how the firewall works and what it is capable of.

There is nothing you can do on the server to monitor the traffic using native tools, because the traffic is not going through the server.

As for thinking that Symantec is protecting you... well that is misguided.
Think like a malware writer. You don't want your product to be detected. So what do you test it against? The biggest AV application on the market (note I said biggest, not best).

Simon.
0
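Once outbound TCP/25 is blocked at the firewall for everything except the mail server, the drop log is the monitor the asker was looking for. The following is an added example, not part of the thread: it ranks internal hosts by blocked port-25 attempts and by how many distinct destination servers they tried, which is what direct-to-MX spamming looks like. The iptables-style log lines, the internal addresses and the Exchange server address 192.168.1.10 are all constructed; adjust LINE_RE to your firewall's format.

```python
import re
from collections import Counter

# Constructed sample: iptables-style DROP records for outbound connections.
# 192.168.1.10 plays the Exchange server (allowed to reach the smart host on 25).
SAMPLE_LOG = """\
Aug 08 10:01:02 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.5 PROTO=TCP DPT=25
Aug 08 10:01:02 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP DPT=25
Aug 08 10:01:03 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.5 PROTO=TCP DPT=25
Aug 08 10:01:03 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP DPT=25
Aug 08 10:01:04 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.10 DST=198.51.100.33 PROTO=TCP DPT=25
Aug 08 10:01:05 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.10 DST=198.51.100.33 PROTO=TCP DPT=25
Aug 08 10:01:06 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP DPT=25
Aug 08 10:01:07 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.80 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dport>\d+)"
)


def smtp_talkers(log_text, allowed=frozenset()):
    """Rank internal sources by outbound TCP/25 attempts.

    Hosts in `allowed` (the Exchange server, or an anti-spam smart host) are
    skipped so they do not drown out the bot. Returns a list of
    (source_ip, attempts, distinct_destinations), busiest first.
    """
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue                      # not SMTP traffic
        if m["src"] in allowed:
            continue                      # legitimate mail path
        attempts[m["src"]] += 1
        destinations.setdefault(m["src"], set()).add(m["dst"])
    return [(src, n, len(destinations[src])) for src, n in attempts.most_common()]


if __name__ == "__main__":
    for src, n, fanout in smtp_talkers(SAMPLE_LOG, {"192.168.1.10"}):
        print(f"{src}: {n} attempts to {fanout} distinct MX hosts")
```

A workstation that fans out to many unrelated mail servers on port 25 is the machine to pull off the network and image; the Exchange server itself should only ever appear talking to its smart host.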
