Solved

URGENT:  Exchange Server Spamming Local Mailboxes (Header Included)

Posted on 2009-04-01
665 Views
Last Modified: 2013-11-22
Note the ".local" in the header.
If requested, I will furnish the source of the entire email.
_________________________________________________
Received: by SERVER.DOMAIN.local
      id <01C99F17.21198B9A@SERVER.DOMAIN.local>; Sat, 7 Mar 2009 05:23:24 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----_=_NextPart_001_01C99F17.21198B9A"
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Date: Thu, 2 Apr 2009 13:09:07 -0600
Message-ID: <850F3A9065116442906FA2C0562547B7311952@SERVER.DOMAIN.local>
Content-Identifier: ExJournalReport
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Thread-Index: AcmfFyEZ+Oawt3M2RzOeDBkVym++tQ==
From: "Prof Musa Ahmed" <mahmed36@rocketmail.com>
To: "undisclosed-recipients" <undisclosed-recipients:;>
___________________________________________________

Extra Info:
Our Firewall is locked down to only talk to an external MX service that filters spam.  All inbound headers originate from the MX service.
No virus/worm infections were found on Exchange server.
Exchange server could be sending emails locally as a result of SMTP relay settings
Outbound SMTP is fine, and nothing is going out that shouldn't be.  This was verified by System Manager, the external MX solution, and firewall activity.  Traffic is normal.
I may have been lucky and found the very beginning instance of this problem, but I am not sure.
Journaling is enabled on a specific account for mail archival (not sure if this would be related)
There is no antivirus installed on the Exchange server, because the external MX scans all inbound/outbound email.
According to my journaling information, this email was received TOMORROW (April 2, 2009) Present date as of now is April 1, 2009
Question by:MrMintanet
18 Comments
 
LVL 8

Author Comment

by:MrMintanet
ID: 24040842
Attached is a screenshot of active logons.  I have blacked out the local mail server's name for the customer's privacy.

How do I find out where this is originating?
Exchange-Logons.jpg
 
LVL 65

Expert Comment

by:Mestha
ID: 24042619
The server is being abused directly.
The fact that your server is listed in the headers means the message originated there.

Nothing in your screenshot looks unusual. You need to look at the SMTP server logs to see where the traffic is coming in.

Simon.
 
LVL 8

Author Comment

by:MrMintanet
ID: 24042790
Thanks for the advice, Mestha.  I'll get the logs and take a look.  Any pointers on what to be looking for?  Actually... where are the logs stored, typically?  Please forgive my ignorance, but I have very limited experience with troubleshooting Exchange.  Perhaps I was one of the fortunate ones who has hardly had any problem with Exchange.  Thanks again!
 
LVL 65

Expert Comment

by:Mestha
ID: 24043390
The SMTP log location is set in the properties of the SMTP virtual server in Exchange. You will need to look there to see where they have been located.
You are looking for an IP address sending large numbers of messages. You may have to change the logging options to get enough to trace it.

Simon.
 
LVL 8

Author Comment

by:MrMintanet
ID: 24043443
::slaps forehead::

Logging was never enabled.  What would be the best format to choose?  Lord, help me.
 
LVL 8

Author Comment

by:MrMintanet
ID: 24043577
See screenshot.
Logging-Format.jpg
 
LVL 65

Expert Comment

by:Mestha
ID: 24043610
I have always used IIS, just change the properties of the logging to ensure that things that need to be logged are. However I know that others say to use NCSA format instead.

Simon.
 
LVL 8

Author Comment

by:MrMintanet
ID: 24043720
I just discovered another scary problem.  When in OWA, I can simply remove my username from the URL and put another network user's name in and it shows me their mailbox.  What causes this?  Should I post this as a new question?
 
LVL 8

Author Comment

by:MrMintanet
ID: 24044334
See Photo:
SMTP-LOG.jpg
 
LVL 8

Author Comment

by:MrMintanet
ID: 24044394
NOTE:  The logs are not showing any local email traffic.  Only external.

SERVER.MYDOMAIN.LOCAL is not showing up anywhere.  How do I monitor what's going through .local?  Bah!  I'm going home!  See you tomorrow!
 
LVL 65

Expert Comment

by:Mestha
ID: 24045356
The mailbox question should be posted fresh, as it is not related.
The server's local name will not show in the log, it works on IP addresses.

Are all the messages in the queues from postmaster@ ? Given the errors I wonder if you are under an NDR attack. Does your external provider do recipient filtering?

Simon.
 
LVL 8

Author Comment

by:MrMintanet
ID: 24046224
What do you mean by recipient filtering?

I'm not sure how to check the postmaster@ question.
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24047043
Got the Conficker worm?
If YOU can't go here:
http://onecare.live.com/site/en-US/center/cleanup.htm
and run scans,
you've got Worm:Win32/Conficker.B.
Microsoft is offering $250,000 for a (Worm:Win32/Conficker.B) FIX.
Hope it's ME.
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24047210
Run the: "FULL SERVICE SCAN"
http://onecare.live.com/site/en-us/default.htm
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24047880
FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is  free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: I troubleshoot: both, English OS & Japanese OS)
 
LVL 8

Author Comment

by:MrMintanet
ID: 24049743
Michael Best, I appreciate the canned answers; however, they are of no use to me.  Please try again, as I do enjoy your professional copy/paste technique.
 
LVL 65

Accepted Solution

by:
Mestha earned 500 total points
ID: 24052093
Recipient filtering - it is an option in Exchange to block email to users who do not exist.

http://www.amset.info/exchange/filter-unknown.asp

You need to look at the queues using the queues option in ESM under servers.

Simon.
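The triage Simon describes in this thread (find the IP sending large numbers of messages in the SMTP virtual server log, and check whether the queued mail is all from postmaster@ or an empty sender, which points to an NDR/backscatter problem that recipient filtering stops) as an added example, not code from this thread or from Exchange: it parses an IIS/W3C-format SMTP protocol log and reports, per client IP, how many MAIL commands were seen and how many used a bounce-style sender. The log header and lines are constructed to resemble an Exchange 2003 SMTP log; the field names are read from the `#Fields:` line, so check them against your own file.

```python
"""Summarise an IIS/W3C-format SMTP virtual server log by client IP."""
from collections import Counter
import re

# Constructed sample resembling an Exchange 2003 SMTP protocol log (W3C format).
# Field names come from the #Fields header, so a real file with a different
# field order parses the same way. Hosts, addresses and IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-04-01 13:09:00
#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2009-04-01 13:09:01 203.0.113.7 mx.example.net SERVER MAIL +FROM:<alice@example.net> 250
2009-04-01 13:09:01 203.0.113.7 mx.example.net SERVER RCPT +TO:<bob@domain.local> 250
2009-04-01 13:09:05 198.51.100.9 - SERVER MAIL +FROM:<> 250
2009-04-01 13:09:05 198.51.100.9 - SERVER RCPT +TO:<nobody@domain.local> 250
2009-04-01 13:09:06 198.51.100.9 - SERVER MAIL +FROM:<postmaster@spam.invalid> 250
2009-04-01 13:09:06 198.51.100.9 - SERVER RCPT +TO:<ghost@domain.local> 250
2009-04-01 13:09:07 198.51.100.9 - SERVER MAIL +FROM:<> 250
2009-04-01 13:09:07 198.51.100.9 - SERVER RCPT +TO:<zzz@domain.local> 250
"""

# An empty reverse path (FROM:<>) or a postmaster@ sender is how bounces/NDRs arrive.
BOUNCE_SENDER = re.compile(r"FROM:<(postmaster@[^>]*)?>", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def summarize(text):
    """Per client IP: (MAIL commands seen, MAIL commands with a bounce-style sender)."""
    mails, bounces = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "MAIL":
            continue
        ip = rec["c-ip"]
        mails[ip] += 1
        # IIS writes the command argument with '+' in place of spaces; strip it.
        if BOUNCE_SENDER.fullmatch(rec.get("cs-uri-query", "").lstrip("+")):
            bounces[ip] += 1
    return {ip: (mails[ip], bounces[ip]) for ip in mails}

def suspects(text, min_mail=3):
    """IPs sending at least min_mail messages, every one with a bounce-style sender."""
    return sorted(ip for ip, (m, b) in summarize(text).items()
                  if m >= min_mail and b == m)
```

Run it over the real log with a higher `min_mail` threshold; an IP whose MAIL commands are all empty-sender or postmaster@ and whose RCPT targets do not exist is the NDR pattern Simon is asking about.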
