• Status: Solved

All of a sudden my exchange email queue has over 1000 emails from a weird address!

I just noticed our exchange server has a queue of over 1000 emails and growing, all going out from a weird email address that is not even part of our domain, someone@yahoo.com with subject: confidential and going to all sorts of people.
This obviously looks like a virus but how do I know who has the virus? And how can we avoid this from happening?
How can someone be using our email server to send out?
0
Asked by: sweetcaro
 
Mestha Commented:
I doubt if it is a virus.
That doesn't happen. If a virus got in you wouldn't see it in your queues.

My blog posting from last year explains what has probably happened:
http://www.sembee.co.uk/archive/2008/03/13/73.aspx

I suspect that it is authenticated relaying, which is enabled by default.

-M
0
 
Ron Malmstead (Information Services Manager) Commented:
Review the logging on the SMTP connector.
If it's not logging, then turn on the logging.
You should be able to see the IP address.
0
 
Ron Malmstead (Information Services Manager) Commented:
C:\WINDOWS\System32\LogFiles

You can also enable message tracking.
0
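As an added example (not part of the original thread and not any poster's code): once SMTP logging is on, the log can be tallied by client IP to see which host is submitting the foreign-sender mail. The sketch below assumes the log is in W3C extended format with the c-ip, cs-method and cs-uri-query fields enabled; the sample lines, host names and IP addresses are constructed.

```python
from collections import Counter

# Constructed sample in W3C extended format; hosts and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-10 14:02:10
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2009-03-10 14:02:10 192.0.2.15 web01 SMTPSVC1 EHLO +web01 250
2009-03-10 14:02:11 192.0.2.15 web01 SMTPSVC1 MAIL +FROM:<someone@yahoo.com> 250
2009-03-10 14:02:11 192.0.2.15 web01 SMTPSVC1 RCPT +TO:<a@example.net> 250
2009-03-10 14:02:12 192.0.2.15 web01 SMTPSVC1 MAIL +FROM:<someone@yahoo.com> 250
2009-03-10 14:03:00 192.0.2.40 pc22 SMTPSVC1 MAIL +FROM:<alice@example.com> 250
2009-03-10 14:03:05 192.0.2.15 web01 SMTPSVC1 MAIL +FROM:<Someone@Yahoo.com> 250
2009-03-10 14:03:06 192.0.2.15 web01 SMTPSVC1 MAIL
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields: directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the directive repeats after a service restart
        elif line and not line.startswith("#") and len(line.split()) == len(fields):
            yield dict(zip(fields, line.split()))  # truncated lines are skipped


def foreign_senders_by_client(text, local_domains):
    """Count MAIL FROM commands per (client IP, sender) for non-local sender domains."""
    counts = Counter()
    for entry in parse_w3c(text):
        if entry.get("cs-method", "").upper() != "MAIL":
            continue
        query = entry.get("cs-uri-query", "")  # e.g. +FROM:<user@domain>
        start, end = query.find("<"), query.find(">")
        if start == -1 or end < start:
            continue
        sender = query[start + 1:end].lower() or "<>"  # "<>" is the null (bounce) sender
        if sender.rpartition("@")[2] not in local_domains:
            counts[(entry.get("c-ip", "?"), sender)] += 1
    return counts


if __name__ == "__main__":
    hits = foreign_senders_by_client(SAMPLE_LOG, {"example.com"})
    for (ip, sender), n in hits.most_common():
        print(f"{n:6d}  {ip:15s}  {sender}")
```

A single internal address at the top of the tally points at a host that is permitted to relay; many unrelated external addresses point at the relay configuration instead.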
 
sweetcaro (Author) Commented:
Mestha that is a nice long article but it does not tell me how to fix whatever is happening.

What type of logging exactly do I need to turn on to see the ip of the computer sending these messages?
Where do I check if relaying is enabled?
0
 
Ron Malmstead (Information Services Manager) Commented:
Right click the "default smtp server"..choose properties..

there are several options here...  
[Attached screenshot: exchmgr.bmp]
0
 
Ron Malmstead (Information Services Manager) Commented:
To enable message tracking,  right click the server listed under the "server" in this snap-in, and choose properties...  check the box.

0
 
Mestha Commented:
If you bothered to read the whole article, it would explain what was happening and provide links to secure your server.

It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside.

-M
0
 
sweetcaro (Author) Commented:
I already checked and RELAY was NOT enabled. Also, I followed the link on that article and tried to do the telnet but it doesn't even allow me to connect to port 25.
Relay isn't enabled, I have no idea why then all these emails are in my queue.
0
 
Ron Malmstead (Information Services Manager) Commented:
Mestha,...

First of all.... How would you know if it is from the inside or outside without reviewing the logs or message tracking ?...

It could very well be an open relay, coming from outside, or it could be a spam bot inside the network...

Another option would be to use a network traffic monitoring software on the exchange server and filter the results for traffic on port 25... netmon is free..

That would stop the guessing game.  
0
 
Mestha Commented:
They don't just appear in the queue.
If authenticated relaying was turned off then that rules that out.
Do you have any relaying options enabled at all?

Telnet to port 25 being blocked can be caused by AV software - McAfee for example will do that.

-M
0
 
Mestha Commented:
xuserx2000 - How do I know it isn't coming from inside?
If you read the blog posting that I have posted, then you would know how.

Let me quote the key part though...

"To abuse an Exchange server in this way, a BOT writer would need to

1. get the BOT inside the network
2. infect the machine
3. realise that it is on a corporate network where there is an Exchange server
4. find the Exchange server
5. send the message. "

That isn't going to happen. It is far easier for the bot writer to have their own SMTP engine sending the email directly.

-M
0
 
Ron Malmstead (Information Services Manager) Commented:
So you are working under the assumption that a "bot writer" is incapable of writing a spam bot that runs under the user's credentials or enumerating a network for SMTP servers?

Interesting.... I'll have to add that one to my knowledgebase.

There are several ways to figure out where it is coming from, I just prefer not to make assumptions...or belittle the person asking the question.



0
 
sweetcaro (Author) Commented:
I turned on the logging and there are a hundred messages popping up but all of them have USER: N/A so I can't see who is doing it, or what computer is causing it.

All my Relay under SMTP and the CONNECTOR are unchecked so should be disabled.

When I do Find messages in one of the queues I can see the sender is someone @yahoo.com

that's all I can see.

0
 
Mestha Commented:
I do three or four clean ups of this type a week.
I have NEVER seen a bot send email through another SMTP Server.

I am working on the assumption that BOT writers are lazy. They aren't interested in targeting enterprise environments because they are too difficult to compromise. What they are looking to do is compromise a home user, whose protection is limited, not patched. Where there is no firewall blocking port 25 for all traffic except from the valid servers etc.

Back to the original post - if it says User N/A then it is coming from anonymous. It would indicate that you are an open relay.

What relay settings do you have on the SMTP virtual server? You cannot turn them off - it is either one setting or another. That is of course presuming this is Exchange 2000/2003. If it is another version then you need to state.

-M
0
 
sweetcaro (Author) Commented:
This is Exchange 2003
under Default SMTP Virtual Server
--> Access
--> Relay
The box for Allow all computers which successfully authenticate to relay is UNCHECKED
At the top I have ONLY THE LIST BELOW checked, list is empty.
Under grant or deny relay permissions --> Users --> I see Authenticated Users and they have Submit permission checked to ALLOW, Relay Permission has nothing checked

For the Connector I have
--> Address Space --> the Allow messages to be relayed to these domains is also UNCHECKED
0
 
sweetcaro (Author) Commented:
Is there a virus or trojan or anything I should be looking for on all our computers?
It seems that having everyone run the virus scan is pretty much useless...
0
 
Ron Malmstead (Information Services Manager) Commented:
http://www.msexchange.org/tutorials/Exchange-Server-2003-Mailflow-Part-2.html

See that link, for using logging on the smtp service.
0
 
Mestha Commented:
I doubt if it is a virus/trojan.
Has the number of messages in the queues actually gone up? Have you attempted to clear the queues?
Have any of those settings that you have outlined above been changed?

Do you have any other servers in the network that could be bouncing their messages off the Exchange server?

-M
0
 
Ron Malmstead (Information Services Manager) Commented:
Whether or not it's a virus inside or a spammer outside.... we should try to find out the offending machine that is sending this stuff.

Here's another approach...
I have attached a VBS script you can run... which will query the message tracking service and show the IP address, sender address, recipient address, subject, message time, etc.

With exchange management tools installed...
You can copy this code, enter your exchange server name into the code, and save it as c:\messagetrack.vbs
Then run it by command line...
cscript.exe c:\messagetrack.vbs


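' Set this to the name or IP address of the Exchange server to query.
strComputer = "EXCHANGE_SERVER_NAME_OR_IPADDRESS_GOES_HERE"
' Connect to the Exchange WMI namespace on that server.
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftExchangeV2")
' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (stream results, lower memory use).
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Exchange_MessageTrackingEntry",,48)
' Print the fields of every message tracking entry, including the client IP and sender.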
For Each objItem in colItems 
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Exchange_MessageTrackingEntry instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "ClientIP: " & objItem.ClientIP
    Wscript.Echo "ClientName: " & objItem.ClientName
    Wscript.Echo "DeliveryTime: " & objItem.DeliveryTime
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "MessageID: " & objItem.MessageID
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "OriginationTime: " & objItem.OriginationTime
    If isNull(objItem.RecipientAddress) Then
        Wscript.Echo "RecipientAddress: "
    Else
        Wscript.Echo "RecipientAddress: " & Join(objItem.RecipientAddress, ",")
    End If
    Wscript.Echo "SenderAddress: " & objItem.SenderAddress
    Wscript.Echo "Status: " & objItem.Status
    Wscript.Echo "Subject: " & objItem.Subject
Next


0
 
sweetcaro (Author) Commented:
We have a few servers that were allowed to relay through this exchange server and apparently one of them must've caught a virus.
Not sure how to avoid this from happening again without having to block the relaying servers though...
but for now it's all back to normal.
0
 
Ron Malmstead (Information Services Manager) Commented:
Glad to hear it...
Make sure those servers are patched up in the future and virus scanners are fully up to date. If these servers were infected, it likely occurred by the actions of an administrator. Users, without admin permissions, most likely wouldn't have the access to use the server in order to get it infected, or even remotely propagate a virus to it.

Mestha, care to retract your statement ????
 - "It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside. " -

I think you might need to rewrite your blog !...lol...
0
 
Ron Malmstead (Information Services Manager) Commented:
Be aware... in the properties in the SMTP connector, you can specify connections that are allowed to relay... and connections that are not allowed to use the SMTP connector at all.

For example... I have a Linux box that needs to send mail... but it isn't set up to authenticate to the domain... therefore I allow that single IP address to relay.

Best practice, if you do not have this sort of dilemma, is to not allow anyone to relay unless authenticated... (see the checkbox)


[Attached screenshot: relay-permissions.JPG]
0
 