Solved

Need help with Exchange - possible open relay

Posted on 2007-11-23
Last Modified: 2010-03-06
I think my Exchange (SBS) server may be being used as an open relay or has been hacked (password guess). I have several messages in the outbound queue(s) to places that are "obviously" not something work related and very SPAM looking to say the least. This has happened before on another Exchange Server and I "fixed it" by changing the administrator password, deleting the messages from the queues and rebooting the server.

This time it's on another server (colleague of mine). Their server was pretty "default", so I created a new admin account and disabled the default "administrator", put a strong password on the new account, checked all the MS articles about verifying that the server is "locked down" so as not to be an open relay - they are locked down - the server is NOT an open relay, but the messages are still flowing out. Not very many - probably less than 100 per day. The sender is "postmaster@theirdomain.com".

Is there any way to tell if a client computer in the office is sending these, or if a user account has authenticated to Exchange to send these messages, and which one it is? That is the only other thing I can think of. The guest account is disabled too, FYI. I read the article on relaying and saw about setting up monitoring to check, but no events matching that in the app log (1708 I believe).

Any suggestions would be appreciated - I told the guy to have all his users change their passwords. I am out of ideas at this point.

Thanks,

Jerry
Question by:djerryanderson
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 20339789
First thing I would suggest is undoing what you did with the administrator account. That is not something I recommend and will not slow down an attacker for more than about 20 seconds.

If the messages are postmaster@ then those are NDRs. Either OOTO messages to non-existent domains or NDR spam. Easily stopped using recipient filtering and the tarpit.
http://www.amset.info/exchange/filter-unknown.asp

Simon.
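To answer the "is a client or an account sending these?" question from the original post, here is a small triage script, added as an example (it is not from the thread or from any Exchange tool). It reads a constructed, simplified W3C-style SMTP protocol log and separates bounce-type traffic (null reverse-path or postmaster@ sender, which is what NDRs and backscatter look like) from ordinary submissions, grouped by client IP and authenticated user; the log lines, field layout and domain names are all assumptions.

```python
import re
from collections import Counter

# Constructed sample: simplified W3C-style SMTP protocol log (assumed field
# layout, not a real Exchange capture). cs-username is '-' when the session
# did not authenticate; MAIL FROM:<> is the null reverse-path used by bounces.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query
2007-11-23 08:01:10 192.168.1.50 - MAIL FROM:<postmaster@theirdomain.com>
2007-11-23 08:01:10 192.168.1.50 - RCPT TO:<qwe123@spamlist.invalid>
2007-11-23 08:01:30 192.168.1.50 - MAIL FROM:<>
2007-11-23 08:01:31 192.168.1.50 - RCPT TO:<asd456@spamlist.invalid>
2007-11-23 08:02:03 10.0.0.7 THEIRDOMAIN\\jsmith MAIL FROM:<jsmith@theirdomain.com>
2007-11-23 08:02:03 10.0.0.7 THEIRDOMAIN\\jsmith RCPT TO:<partner@example.net>
2007-11-23 08:07:12 10.0.0.7 THEIRDOMAIN\\jsmith MAIL FROM:<jsmith@theirdomain.com>
2007-11-23 08:07:12 10.0.0.7 THEIRDOMAIN\\jsmith RCPT TO:<boss@example.net>
"""

# Envelope senders that mark a bounce: empty reverse-path or postmaster@.
BOUNCE_SENDER = re.compile(r"^FROM:<(|postmaster@[^>]*)>$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(None, len(fields) - 1)))


def triage(text):
    """Count MAIL FROM events per (client IP, auth user), split into bounce-type
    traffic and ordinary submissions, and list the authenticated submitters."""
    bounces, submissions = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "MAIL":
            continue
        source = (rec["c-ip"], rec["cs-username"])
        if BOUNCE_SENDER.match(rec["cs-uri-query"]):
            bounces[source] += 1
        else:
            submissions[source] += 1
    # Authenticated sources sending ordinary mail are the accounts to review
    # for a guessed password; sources that only emit bounces point at NDRs.
    suspects = sorted({u for (_ip, u) in submissions if u != "-"})
    return {"bounces": dict(bounces), "submissions": dict(submissions),
            "authenticated_senders": suspects}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

A queue full of messages whose only sources are unauthenticated and bounce-type matches the NDR explanation above; an authenticated account showing up under ordinary submissions to outside recipients is the one to check for a guessed password.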
LVL 1

Author Comment

by:djerryanderson
ID: 20339910
OK, I feel like an idiot here. I set up recipient filtering in the Global Settings / "message delivery" but forgot to apply it at the virtual server level. DUH!!!! I didn't mention that in my other post - that was another thing I had done before on my other Exchange server and had tried that here as well - just didn't finish the steps. I had a bunch of old notes from when that other server got hacked. I'll give it a shot and see if it clears up after the weekend.

Also, what is OOTO, and why do you not want the admin account disabled? I always heard that was "standard practice". Sorry for sounding like an idiot here. I am by no means an "expert" (no pun intended) especially with Exchange (again, no pun intended).
LVL 1

Author Comment

by:djerryanderson
ID: 20340498
I just RDP'd over to that server and it looks to be fixed. Thanks.
LVL 104

Expert Comment

by:Sembee
ID: 20340557
I do not want the added complication of doing a disaster recovery on a server with a disabled admin account. The admin account is a very useful tool to have. I also don't tend to rename it, as it can be easily found again.
The only servers I rename it on are FTP servers, when I will create a standard account with the same name to give the script kiddies something to attack.

Simon.
LVL 1

Author Comment

by:djerryanderson
ID: 20340853
Cool...thanks for the help.