Solved

How to stop a spammer relaying fraud emails off of our server

Posted on 2008-10-19
315 Views
Last Modified: 2013-11-30
Guys, I am not sure where to start. Got a call from an ISP the other day that my customer's Exchange email server was relaying fraudulent emails; they sounded threatening on the phone.

Open relay is not enabled on the server, so I believe we either have some kind of virus or an account has been compromised.

How can I see which account is sending emails out? Also, I have another big problem: the AV software on this system is NAV Corporate. I hear that scanning Exchange servers without the proper AV is a dangerous thing. Is this true?

thank you guys.
0
Question by:jaesoul
31 Comments
 
LVL 5

Expert Comment

by:mren08
ID: 22755054
NAV Corporate is fine; you just need to exclude the Exchange folders from scanning.

Don't know what version you're using, but this article from Symantec should be of some assistance:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005040513412648?Open&src=w

You should double-check your open relay status. A good way to do this is using external tools like http://www.mxtoolbox.com.


0
 
LVL 4

Expert Comment

by:CDirenzi
ID: 22755108
Personally I think NAV does the best job for your particular problem. As mren said, don't forget to exclude the Exchange folders.
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755192
Hopefully you have "message tracking" enabled on the Exchange server. If you do, then you should ask the complaining ISP for some details regarding one of the fraudulent messages, i.e. date/time stamp, to/from addresses, and subject line. With that info you should be able to track the message back to the source.
What is the security on the Exchange server's Default SMTP Virtual Server? Does it allow connections from any host and allow anonymous authentication?
0
 

Author Comment

by:jaesoul
ID: 22755202
Thanks guys, the NAV on there was installed by a previous vendor, and I do not have the password to change the configuration - DOH! These guys really did a lackluster job. Is there any way to crack through this NAV Corp password?


Thank you
0
 

Author Comment

by:jaesoul
ID: 22755208
aMan - I am kind of new to Exchange. How do I check these settings?

TY
0
 
LVL 4

Expert Comment

by:CDirenzi
ID: 22755209
I've never tried it, but see if this helps with the password:
http://rokus.net/article42.html
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 22755212
That is a separate question.

There is absolutely no point in having ANY non-exchange aware anti-virus on an exchange server.

That said, confirm you are not an open relay, and make sure you are recipient filtering. Other than that, ignore the request from the other ISP; if you are spamming, YOUR ISP will contact you.

http://www.amset.info/exchange/spam-cleanup.asp
http://www.amset.info/exchange/filter-unknown.asp

Kieran
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755221
I've used the command that CDirenzi posted and it works.
To check the security on the SMTP Virtual Server you can use ESM. Find the server and drill down to the Protocols folder, then under the SMTP folder find the Default SMTP Virtual Server. Check the configuration on the Access tab.
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755236
I slightly disagree with kieran_b. Your Exchange server could be infected with a file system virus that has nothing to do with Exchange and ends up taking down your server. I recommend having both file system AV protection and email-aware AV protection on the server (i.e. Symantec AV Corp + Symantec Antivirus for Exchange).
0
 

Author Comment

by:jaesoul
ID: 22755263
Hmm, ok. Do you guys recommend I do all of this after hours?
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 22755289
>>Your Exchange server could be infected with a file system virus that has nothing to do with Exchange and ends up taking down your server.

How would the virus get installed on the server?
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755293
I'm not sure what you are worried about.
You can check the SMTP Virtual Server settings anytime.
You can try the iforgot.exe utility anytime.
You can try kieran_b's recommendations anytime.
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755318
Well, in the past you had viruses like Nimda that propagated through file shares, or Blaster that spread via RPC, or Sasser which propagated by generating random IP addresses to search for systems with the LSASS vulnerability. Who knows how the next virus will spread. File system protection is good for any business-critical system.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 22755327
That is true, but I don't see the drastic performance and configuration problems as a viable trade-off when you could just secure the gateway and all workstations.

Still, tomayto tomato :)
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22755361
I didn't know there existed such a place where all workstations were secure? ;)
I agree, there is probably a low likelihood that the Exchange server would be infected, but as an email admin I would hate to have to explain to the CEO that one workstation on our network got infected with a virus because its virus defs weren't up to date, and that workstation then infected our Exchange server that didn't have any AV protection on it.
0
 

Author Comment

by:jaesoul
ID: 22755431
Will try this tomorrow and report back. All of you guys are great.
0
 
LVL 31

Accepted Solution

by:
moorhouselondon earned 500 total points
ID: 22755533
I would block all SMTP traffic from all IPs except your Exchange Server on your outbound firewall, which rules out any workstation acting as a spam message source.

What happens if you stop the SMTP service on your Exchange Server temporarily to see if there is any other SMTP activity from that machine?
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 22755766
The real kicker there, AManoux, is that AV didn't help stop Sasser and the rest of its ilk - patching did. Keep the server fully patched, don't surf from it and keep it as locked down as possible, and Sasser and variants won't go anywhere.
0
 

Author Comment

by:jaesoul
ID: 22757096
Kieran, on that note: what is best practice for patching servers? I know sometimes MS comes out with a patch that will cause problems etc. I fear that sometimes (I try to spend some weekends with family and not troubleshooting systems).

Do you guys ever have issues after patching security updates?

Thanks.
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 22758271
Microsoft have done a couple of dodgy updates, but that was a long time ago. They seem to have their act together on this one; it is a constant risk, however.

The biggest offenders are the Antivirus companies who have provided updates which have impounded valid operating system files, grounding people's systems to a halt.
0
 

Author Comment

by:jaesoul
ID: 22758638
Wow... I'm scared to update my server AV now. lol
0
 
LVL 31

Expert Comment

by:moorhouselondon
ID: 22758800
http://www.theregister.co.uk/2008/09/08/trend_security_false_alarm/
http://www.theregister.co.uk/2008/02/29/symantec_trend_security_bugs/
http://www.theregister.co.uk/2008/10/16/avg_zonealarm_trojan_false_alarm/
http://www.theregister.co.uk/2008/03/13/trend_micro_website_infected/

Just a quick selection of naughties from the AV vendors for your perusal. The iframe one is slightly irrelevant as it's about Trend's website, but it's been included to show they don't practice what they preach.
0
 
LVL 25

Expert Comment

by:kieran_b
ID: 22761966
Updating Windows can go bad - Win2k3 SP2 and IE7 are two prime examples for Exchange - but that is where you are better off using WSUS; you can then approve things like bugfixes and leave the bigger stuff alone for a few months.
0
 
LVL 20

Expert Comment

by:jimmymcp02
ID: 22763415
What version of SAV are you using?
You could be protected as long as your virus defs are up to date, but if you have anything older than SAV 9.0 then you are SOL; Symantec stopped supporting 9.0 last year.
Just because you have an anti-virus, it does not mean you are protected :p

0
 
LVL 1

Expert Comment

by:AManoux
ID: 22763494
Hey jimmymcp02, are you just talking about tech support for versions 9.0 and earlier? Because I have clients that are still on previous versions and they still receive the latest virus def files from Symantec and are kept up to date with protection.
0
 
LVL 20

Expert Comment

by:jimmymcp02
ID: 22764895
9.0 and earlier will support updates if the system seems to be compromised (elevated privileges), not virus outbreaks. Trust me on this one: new virus defs will not be supported, only major patches and fixes.
0
 

Author Comment

by:jaesoul
ID: 22767400
Hey guys, I have NAV 10.1.
0
 

Author Comment

by:jaesoul
ID: 22769448
How do I know if message tracking is enabled on my EX 2003?

Thank you
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22769514
Use ESM and drill down to your Exchange server. Right-click on the server object and choose 'Properties' from the menu. On the General tab you should see a check box for 'Message Tracking'.
0
 

Author Comment

by:jaesoul
ID: 22770040
Ok... Now when I enable this, where do I track the messages? And does this take up additional resources I should be worried about?

Thanks again guys.
0
 
LVL 1

Expert Comment

by:AManoux
ID: 22770175
Go back to ESM and under the Tools folder you should see 'Message Tracking Center'. Enter the details of the message you are trying to track and click on the 'Find Now' button. It should give you the details of the message flow.

Here are more detailed instructions if you need them:
http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html

Yes, there is some overhead associated with message tracking, and you will need to make sure you have allocated enough space on your Exchange server's hard drive to store the number of logs you have configured it to keep. According to Microsoft, the generation of message tracking logs consumes approximately 2% to 4% I/O overhead for a server.
0
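The Message Tracking Center answers "where did this one message go", but the original question was "which account is sending all the outbound mail". The tracking logs themselves are plain tab-separated text with a '#'-prefixed header line naming the columns, so they can be summarised per sender and per submitting client IP. The script below is an added example, not code from this thread or from Microsoft: it reads column names from the header, counts distinct outbound messages and external recipients per sender and per client-ip, and flags envelope senders outside the local domain. The column names in the constructed sample (Date, Time, client-ip, Client-hostname, Recipient-Address, MSGID, Sender-Address) are an abbreviated, assumed subset of the Exchange 2003 layout, and example.com is the assumed local domain.

```python
from collections import Counter, defaultdict

LOCAL_DOMAINS = {"example.com"}  # assumed: domain(s) this Exchange server is authoritative for

# Constructed sample log; header names are an assumed subset of the Exchange 2003 tracking log columns.
SAMPLE_LOG = """# Message Tracking Log File
# Date\tTime\tclient-ip\tClient-hostname\tRecipient-Address\tMSGID\tSender-Address
2008-10-19\t01:02:03\t10.0.0.55\tws-sales12\tvictim1@mail.test\t<m1@example.com>\tbob@example.com
2008-10-19\t01:02:03\t10.0.0.55\tws-sales12\tvictim2@mail.test\t<m1@example.com>\tbob@example.com
2008-10-19\t01:02:09\t10.0.0.55\tws-sales12\tvictim3@mail.test\t<m2@example.com>\tbob@example.com
2008-10-19\t01:05:00\t10.0.0.20\tws-front1\talice@example.com\t<m3@example.com>\tcarol@example.com
2008-10-19\t01:06:00\t10.0.0.20\tws-front1\tpartner@mail.test\t<m4@example.com>\tcarol@example.com
2008-10-19\t01:07:30\t10.0.0.55\tws-sales12\tvictim4@mail.test\t<m5@elsewhere.test>\tpromo@elsewhere.test
"""


def parse_tracking_log(text):
    """Yield one dict per data row; column names come from the '# Date ...' header line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("# Date"):
            fields = raw[2:].split("\t")
        elif raw.startswith("#") or not raw.strip():
            continue  # comment line or blank
        elif fields:
            yield dict(zip(fields, raw.split("\t")))


def outbound_summary(text, local_domains=LOCAL_DOMAINS):
    """Return ({sender: (distinct messages, external recipients)}, {client-ip: distinct messages})."""
    msgs_by_sender, msgs_by_client = defaultdict(set), defaultdict(set)
    ext_rcpts = Counter()
    for row in parse_tracking_log(text):
        rcpt_domain = row["Recipient-Address"].rsplit("@", 1)[-1].lower()
        if rcpt_domain in local_domains:
            continue  # internal delivery, never relayed out
        sender = row["Sender-Address"].lower()
        msgs_by_sender[sender].add(row["MSGID"])
        ext_rcpts[sender] += 1
        msgs_by_client[row["client-ip"]].add(row["MSGID"])
    senders = {s: (len(m), ext_rcpts[s]) for s, m in msgs_by_sender.items()}
    return senders, {ip: len(m) for ip, m in msgs_by_client.items()}


def foreign_senders(senders, local_domains=LOCAL_DOMAINS):
    """Envelope senders whose domain is not local: a relay that should not be happening."""
    return {s for s in senders if s.rsplit("@", 1)[-1] not in local_domains}


if __name__ == "__main__":
    senders, clients = outbound_summary(SAMPLE_LOG)
    for s, (n_msgs, n_rcpts) in sorted(senders.items(), key=lambda kv: -kv[1][1]):
        print(f"{s:28} {n_msgs:4} msgs {n_rcpts:4} external recipients")
    print("submitting clients:", dict(clients))
    print("non-local envelope senders:", foreign_senders(senders))
```

On a real server, point it at the files under the server's tracking log share; the highest external-recipient count and the client IP it comes from are the account and workstation to examine first.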