sweetcaro
asked on
All of a sudden my exchange email queue has over 1000 emails from a weird address!
I just noticed our exchange server has a queue of over 1000 emails and growing, all going out from a weird email address that is not even part of our domain, someone@yahoo.com with subject: confidential and going to all sorts of people.
This obviously looks like a virus but how do I know who has the virus? And how can we avoid this from happening?
How can someone be using our email server to send out?
This obviously looks like a virus but how do I know who has the virus? And how can we avoid this from happening?
How can someone be using our email server to send out?
Review the logging on the smtp connector.
If it's not logging, then turn on the logging.
You should be able to see th ip address.
If it's not logging, then turn on the logging.
You should be able to see th ip address.
C:\WINDOWS\System32\LogFil
You can also enable message tracking.
You can also enable message tracking.
ASKER
Mestha that is a nice long article but it does not tell me how to fix whatever is happening.
What type of logging exactly do I need to turn on to see the ip of the computer sending these messages?
Where do I check if relaying is enabled?
What type of logging exactly do I need to turn on to see the ip of the computer sending these messages?
Where do I check if relaying is enabled?
Right click the "default smtp server"..choose properties..
there are several options here...
exchmgr.bmp
there are several options here...
exchmgr.bmp
To enable message tracking, right click the server listed under the "server" in this snap-in, and choose properties... check the box.
If you bothered to read the whole article, it would explain what was happening and provide links to secure your server.
It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside.
-M
It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside.
-M
ASKER
I already checked and RELAY was NOT enabled. Also, I followed the link on that article and tried to do the telnet but it doesn't even allow me to connect to port 25.
Relay isn't enabled, I have no idea why then all these emails are in my queue.
Relay isn't enabled, I have no idea why then all these emails are in my queue.
Mestha,...
First of all.... How would you know if it is from the inside or outside without reviewing the logs or message tracking ?...
It could very well be an open relay, coming from outside, or it could be a spam bot inside the network...
Another option would be to use a network traffic monitoring software on the exchange server and filter the results for traffic on port 25... netmon is free..
That would stop the guessing game.
First of all.... How would you know if it is from the inside or outside without reviewing the logs or message tracking ?...
It could very well be an open relay, coming from outside, or it could be a spam bot inside the network...
Another option would be to use a network traffic monitoring software on the exchange server and filter the results for traffic on port 25... netmon is free..
That would stop the guessing game.
They don't just appear in the queue.
If authenticated relaying was turned off then that rules that out.
Do you have any relaying options enabled at all?
Telnet to port 25 being blocked can be caused by AV software - McAfee for example will do that.
-M
If authenticated relaying was turned off then that rules that out.
Do you have any relaying options enabled at all?
Telnet to port 25 being blocked can be caused by AV software - McAfee for example will do that.
-M
xuserx2000 - How do I know it isn't coming from inside?
If you read the blog posting that I have posted, then you would know how.
Let me quote the key part though...
"To abuse an Exchange server in this way, a BOT writer would need to
1. get the BOT inside the network
2. infect the machine
3. realise that it is on a corporate network where there is an Exchange server
4. find the Exchange server
5. send the message. "
That isn't going to happen. It is far easier for the bot writer to have their own SMTP engine sending the email directly.
-M
If you read the blog posting that I have posted, then you would know how.
Let me quote the key part though...
"To abuse an Exchange server in this way, a BOT writer would need to
1. get the BOT inside the network
2. infect the machine
3. realise that it is on a corporate network where there is an Exchange server
4. find the Exchange server
5. send the message. "
That isn't going to happen. It is far easier for the bot writer to have their own SMTP engine sending the email directly.
-M
so you are working under the assumption that a "bot writer" is incapable of writing a spam bot that runs under the users credentials or enumerating a network for smtp servers ?
interesting.... I'll have to add that one to my knowlegebase
There are several ways to figure out where it is coming from, I just prefer not to make assumptions...or belittle the person asking the question.
interesting.... I'll have to add that one to my knowlegebase
There are several ways to figure out where it is coming from, I just prefer not to make assumptions...or belittle the person asking the question.
ASKER
I turned on the logging and there are a hundred messages popping up but all of them have USER: N/A so I can't see who is doing it, or what computer is causing it.
All my Relay under SMTP and the CONNECTOR are unchecked so should be disabled.
When I do Find messages in one of the queues I can see the sender is someone @yahoo.com
that's all I can see.
All my Relay under SMTP and the CONNECTOR are unchecked so should be disabled.
When I do Find messages in one of the queues I can see the sender is someone @yahoo.com
that's all I can see.
I do three or four clean ups of this type a week.
I have NEVER seen a bot send email through another SMTP Server.
I am working on the assumption that BOT writers are lazy. They aren't interested in targetting enterprise environments because they are too difficult to compromise. What they are looking to do is compromise a home user, whose protection is limited, not patched. Where there is no firewall blocking port 25 for all traffic except from the valid servers etc.
Back to the original post - if it says User N/A then it is coming from anonymous. It would indicate that you are an open relay.
What relay settings do you have on the SMTP virtual server? You cannot turn them off - it is either one setting or another. That is of course presuming this is Exchange 2000/2003. If it is another version then you need to state.
-M
I have NEVER seen a bot send email through another SMTP Server.
I am working on the assumption that BOT writers are lazy. They aren't interested in targetting enterprise environments because they are too difficult to compromise. What they are looking to do is compromise a home user, whose protection is limited, not patched. Where there is no firewall blocking port 25 for all traffic except from the valid servers etc.
Back to the original post - if it says User N/A then it is coming from anonymous. It would indicate that you are an open relay.
What relay settings do you have on the SMTP virtual server? You cannot turn them off - it is either one setting or another. That is of course presuming this is Exchange 2000/2003. If it is another version then you need to state.
-M
ASKER
This is exchange 2003
under Default SMTP Virtual Server
--> Access
--> Relay
The box for Allow all computers which successfully authenticate to relay is UNCHECKED
At the top I have ONLY THE LIST BELOW checked, list is empty.
Under grand or deny relay permissions --> Users --> I see Authenticated Users and they have Submit permission checked to ALLOW, Relay Permission has nothing checked
For the Connector I have
--> Address Space --> the Allow messages to be relayed to these domains is also UNCHECKED
under Default SMTP Virtual Server
--> Access
--> Relay
The box for Allow all computers which successfully authenticate to relay is UNCHECKED
At the top I have ONLY THE LIST BELOW checked, list is empty.
Under grand or deny relay permissions --> Users --> I see Authenticated Users and they have Submit permission checked to ALLOW, Relay Permission has nothing checked
For the Connector I have
--> Address Space --> the Allow messages to be relayed to these domains is also UNCHECKED
ASKER
Is there a virus or trojan or anything I should be looking for on all our computers?
It seems that having everyone run the virus scan is pretty much useless...
It seems that having everyone run the virus scan is pretty much useless...
http://www.msexchange.org/tutorials/Exchange-Server-2003-Mailflow-Part-2.html
See that link, for using logging on the smtp service.
See that link, for using logging on the smtp service.
I doubt if it is a virus/trojan.
Has the number of messages in the queues actually gone up? Have you attempted to clear the queues?
Have any of those settings that you have outlined above been changed?
Do you have any other servers in the network that could be bouncing their messages off the Exchange server?
-M
Has the number of messages in the queues actually gone up? Have you attempted to clear the queues?
Have any of those settings that you have outlined above been changed?
Do you have any other servers in the network that could be bouncing their messages off the Exchange server?
-M
Whether or not it's a virus inside or a spammer outside.... we should try to find out the offending machine that is sending this stuff.
Here's another approach...
I have attached a vbs script you can run... which will query the message tracking servuce and show the ip address, sender address, recipient address, subject, message time,...etc.
With exchange management tools installed...
You can copy this code, enter your exchange server name into the code, and save it as c:\messagetrack.vbs
Then run it by command line...
cscript.exe c:\messagetrack.vbs
Here's another approach...
I have attached a vbs script you can run... which will query the message tracking servuce and show the ip address, sender address, recipient address, subject, message time,...etc.
With exchange management tools installed...
You can copy this code, enter your exchange server name into the code, and save it as c:\messagetrack.vbs
Then run it by command line...
cscript.exe c:\messagetrack.vbs
strComputer = "EXCHANGE_SERVER_NAME_OR_IPADDRESS_GOES_HERE"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftExchangeV2")
Set colItems = objWMIService.ExecQuery( _
"SELECT * FROM Exchange_MessageTrackingEntry",,48)
For Each objItem in colItems
Wscript.Echo "-----------------------------------"
Wscript.Echo "Exchange_MessageTrackingEntry instance"
Wscript.Echo "-----------------------------------"
Wscript.Echo "Caption: " & objItem.Caption
Wscript.Echo "ClientIP: " & objItem.ClientIP
Wscript.Echo "ClientName: " & objItem.ClientName
Wscript.Echo "DeliveryTime: " & objItem.DeliveryTime
Wscript.Echo "Description: " & objItem.Description
Wscript.Echo "MessageID: " & objItem.MessageID
Wscript.Echo "Name: " & objItem.Name
Wscript.Echo "OriginationTime: " & objItem.OriginationTime
If isNull(objItem.RecipientAddress) Then
Wscript.Echo "RecipientAddress: "
Else
Wscript.Echo "RecipientAddress: " & Join(objItem.RecipientAddress, ",")
End If
Wscript.Echo "SenderAddress: " & objItem.SenderAddress
Wscript.Echo "Status: " & objItem.Status
Wscript.Echo "Subject: " & objItem.Subject
Next
ASKER
We have a few servers that were allowed to relay through this exchange server and apparently one of them must've caught a virus.
Not sure how to avoid this from happening again without having to block the relaying servers though...
but for now it's all back to normal.
Not sure how to avoid this from happening again without having to block the relaying servers though...
but for now it's all back to normal.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Be aware,,...in the properties in the smtp connector, you can specify connections that are allowed to relay... and connections that are not allowed to use the smtp connector at all.
For example... I have a linux box that needs to send mail...but it isn't setup to authenticate to the domain...therefore I allow that single IP address to relay.
Best practice, if you do not have this sort of dilema, is to not allow anyone to relay unless authenticated.....(see the checkbox)
relay-permissions.JPG
For example... I have a linux box that needs to send mail...but it isn't setup to authenticate to the domain...therefore I allow that single IP address to relay.
Best practice, if you do not have this sort of dilema, is to not allow anyone to relay unless authenticated.....(see the checkbox)
relay-permissions.JPG
That doesn't happen. If a virus got in you wouldn't see it in your queues.
My blog posting from last year explains what has probably happened:
http://www.sembee.co.uk/archive/2008/03/13/73.aspx
I suspect that it is authenticated relaying, which is enabled by default.
-M