Solved

Unknown SMTP Traffic Leaving Exchange

Posted on 2009-04-21
Last Modified: 2013-11-30

I have NetFlow Analyzer monitoring network traffic and have noticed hundreds of outgoing SMTP connections from our Exchange server to IPs all over the world. This is happening after hours when no one is at the office and remote users are probably not sending mail (not at 2 or 3 in the morning). When I look at the messages sent in the message tracking center, everything looks on the up and up. I also have an Untangle box monitoring all SMTP traffic, but it doesn't seem to watch the outgoing SMTP, just POP. When I look in the outgoing queue in System Manager, everything looks OK. I have followed all of the instructions from Amset's site about securing Exchange. I also have Snort running and see hundreds of "SMTP relaying denied" entries coming from the Exchange box.
Question by: jdcreece

7 Comments

Expert Comment

by:flaphead_com
ID: 24196836
Is it happening all the time?

If the messages are trying to go out, why not put Netmon on the Exchange server and run it for a while to capture what on your network is trying to send mail.

Author Comment

by:jdcreece
ID: 24196904
Is Netmon like Snort or Wireshark? Does it show which Exchange users are sending mail to whom? NetFlow Analyzer uses the Cisco pflow data sent from the gateway, which shows all traffic on the network already, and I know for a fact that all SMTP traffic is coming from Exchange only. Plus, port 25 is blocked outbound except for Exchange. The data is definitely coming from Exchange, but I don't know where.

Accepted Solution

by: Mestha (earned 2000 total points)
ID: 24197041
If you are seeing nothing in the queues, then I doubt whether your server is being abused. If an Exchange server is abused successfully, you can tell, as the logs will be full of messages.
If you are seeing relaying attempts in the logs, then your Exchange server is doing what it is designed to do: blocking the relay attempts. There is nothing you can do to stop spammers from probing the server to see if it is an open relay, or from attempting an authenticated relay attack. All you can do is slow it down with tarpit and recipient filtering.

This may be a simple case of having too much information, information that you don't really need to worry about.

Simon.
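
Simon's point, that an abused server shows up as a log full of messages while relay refusals mean the server is doing its job, can be checked directly from the SMTP virtual server's protocol log, which Exchange 2003 writes in W3C extended format once logging is enabled on the virtual server's General tab. The script below is an added example, not code from the thread or from Exchange. Its log lines are constructed for illustration, and the layout details it relies on (the reply code in sc-status for inbound commands, OutboundConnectionCommand/OutboundConnectionResponse in cs-username for the server's own outbound sessions, c-ip as the remote peer in both directions) are assumptions about the IIS SMTP log, so compare them against the #Fields: line in your own log before trusting the counts.

```python
"""Summarise an Exchange 2003 / IIS SMTP protocol log (W3C extended format).

Added example for this thread, not code from it. SAMPLE_LOG is constructed to
mimic the IIS SMTP W3C layout; the parser takes column names from the
#Fields: line rather than hard-coding positions. Assumed layout details (check
against your own log): inbound command lines carry the server's reply code in
sc-status, the server's own outbound sessions are tagged
OutboundConnectionCommand / OutboundConnectionResponse in cs-username, and
c-ip holds the remote peer in both directions.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-04-21 02:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-04-21 02:13:05 203.0.113.7 mail.example.net SMTPSVC1 EXCH01 192.0.2.10 25 EHLO - mail.example.net 250 0 191 21 0 SMTP - - - -
2009-04-21 02:13:05 203.0.113.7 mail.example.net SMTPSVC1 EXCH01 192.0.2.10 25 MAIL - FROM:<spam@example.net> 250 0 49 31 0 SMTP - - - -
2009-04-21 02:13:06 203.0.113.7 mail.example.net SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - TO:<victim@example.org> 550 0 59 30 0 SMTP - - - -
2009-04-21 02:13:06 203.0.113.7 mail.example.net SMTPSVC1 EXCH01 192.0.2.10 25 RCPT - TO:<victim2@example.org> 550 0 60 31 0 SMTP - - - -
2009-04-21 02:14:40 198.51.100.23 - SMTPSVC1 EXCH01 192.0.2.10 25 AUTH - LOGIN 535 0 57 10 0 SMTP - - - -
2009-04-21 02:15:02 198.51.100.23 - SMTPSVC1 EXCH01 192.0.2.10 25 AUTH - LOGIN 535 0 57 10 0 SMTP - - - -
2009-04-21 02:30:11 203.0.113.77 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<postmaster@example.net> 0 0 4 0 15 SMTP - - - -
2009-04-21 03:05:44 203.0.113.77 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+OK 0 0 45 0 15 SMTP - - - -
"""

RELAY_DENIED = "550"  # 550 5.7.1 Unable to relay for <rcpt>
AUTH_FAILED = "535"   # 535 5.7.3 Authentication unsuccessful


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip records that cannot be mapped reliably
        yield dict(zip(fields, parts))


def summarise(text):
    """Return (inbound, outbound_by_hour).

    inbound: remote IP -> {"commands", "relay_denied", "auth_failed"} counts
             for sessions other hosts opened to this server.
    outbound_by_hour: "YYYY-MM-DD HH" -> RCPT commands the server itself sent,
             a view of the server's own outbound sessions, i.e. the traffic
             NetFlow reports leaving on tcp/25.
    """
    inbound = defaultdict(Counter)
    outbound_by_hour = Counter()
    for rec in parse_w3c(text):
        verb = rec["cs-method"].upper()
        if rec["cs-username"].startswith("OutboundConnection"):
            if verb == "RCPT":
                outbound_by_hour[rec["date"] + " " + rec["time"][:2]] += 1
            continue
        c = inbound[rec["c-ip"]]
        c["commands"] += 1
        if verb == "RCPT" and rec["sc-status"] == RELAY_DENIED:
            c["relay_denied"] += 1
        elif verb == "AUTH" and rec["sc-status"] == AUTH_FAILED:
            c["auth_failed"] += 1
    return {ip: dict(c) for ip, c in inbound.items()}, dict(outbound_by_hour)


def suspicious(inbound, min_hits=2):
    """Remote IPs with at least min_hits refused relays or failed logins:
    candidates for a firewall block, and a check that tarpit/recipient
    filtering is actually engaging."""
    return sorted(ip for ip, c in inbound.items()
                  if c.get("relay_denied", 0) + c.get("auth_failed", 0) >= min_hits)


if __name__ == "__main__":
    inbound, outbound = summarise(SAMPLE_LOG)
    print("Inbound remote hosts:")
    for ip, c in sorted(inbound.items()):
        print("  %-16s %s" % (ip, c))
    print("Outbound RCPT commands per hour:")
    for hour, n in sorted(outbound.items()):
        print("  %s:00  %d" % (hour, n))
    print("Candidates to block or tarpit:", suspicious(inbound))
```

Run against a real log, the inbound table is the probing Snort is reporting (refused RCPTs and failed AUTH LOGINs from outside hosts), while the outbound-by-hour table is the side NetFlow sees; if the night-time outbound RCPTs do not line up with anything in message tracking, that is the place to dig, and if they do, Simon's "too much information" reading holds.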

Author Comment

by:jdcreece
ID: 24198394
Thanks, I know I seem a little paranoid, but I just want to cover all of my bases. What is an auth relay attack?

Expert Comment

by:Mestha
ID: 24199350
It is where a spammer attempts to guess a password on your server so that they can abuse it. Exchange has authenticated relaying enabled by default. Therefore, if they can get a valid username and password, they can relay email through the server.

Simon.

Author Comment

by:jdcreece
ID: 24199455
I have users using OWA and RPC over HTTP. Can I turn auth relay off?

Expert Comment

by:Mestha
ID: 24199671
If you don't have any POP3/IMAP clients, then it can be turned off. It will stop spammers from trying to attack the server; they will simply get nowhere.

Simon.
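
What "authenticated relay" permits, why a guessed password is the target Simon describes, and what clearing the setting changes, as an added example (not Exchange code and not from the thread): a toy SMTP server-side relay check modelled on the Exchange 2003 relay restrictions, where the setting in question is the "Allow all computers which successfully authenticate to relay, regardless of the list above" box in the SMTP virtual server's Access > Relay dialog. The accepted domain, the mailbox and password, host names and reply texts below are all constructed for illustration.

```python
"""Toy SMTP relay check modelled on Exchange 2003 relay restrictions.

Added example for this thread, not Exchange code or code from the thread.
Anonymous clients may deliver only to local (accepted) domains; an
authenticated client may relay to any domain while authenticated relaying is
allowed. LOCAL_DOMAINS, ACCOUNTS, host names and reply texts are constructed.
"""
import base64

LOCAL_DOMAINS = {"example.com"}       # constructed accepted domain
ACCOUNTS = {"jdoe": "Winter2009!"}    # constructed mailbox and password


class RelayPolicy:
    """allow_authenticated_relay mirrors the 'Allow all computers which
    successfully authenticate to relay' setting (on by default)."""

    def __init__(self, allow_authenticated_relay=True):
        self.allow_authenticated_relay = allow_authenticated_relay


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def rcpt_decision(policy, authenticated, rcpt):
    """Server reply to RCPT TO:<rcpt> for the current session state."""
    if domain_of(rcpt) in LOCAL_DOMAINS:
        return "250 2.1.5 " + rcpt             # local delivery, never a relay
    if authenticated and policy.allow_authenticated_relay:
        return "250 2.1.5 " + rcpt             # authenticated relay
    return "550 5.7.1 Unable to relay for " + rcpt


def run_session(policy, client_lines):
    """Feed client lines to the toy server; return (client, server) pairs.
    AUTH LOGIN is a base64 dialogue, so a guessed password crosses the wire
    trivially decodable; the server decodes it the same way here."""
    transcript, authenticated, auth_state, username = [], False, None, None
    for line in client_lines:
        if auth_state == "user":
            username = base64.b64decode(line).decode()
            reply, auth_state = "334 " + base64.b64encode(b"Password:").decode(), "pass"
        elif auth_state == "pass":
            password = base64.b64decode(line).decode()
            authenticated = ACCOUNTS.get(username) == password
            reply = ("235 2.7.0 Authentication successful" if authenticated
                     else "535 5.7.3 Authentication unsuccessful")
            auth_state = None
        else:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                reply = "250-mail.example.com Hello\r\n250 AUTH LOGIN"
            elif verb == "AUTH" and arg.upper() == "LOGIN":
                reply, auth_state = "334 " + base64.b64encode(b"Username:").decode(), "user"
            elif verb == "MAIL":
                reply = "250 2.1.0 Sender OK"
            elif verb == "RCPT":
                reply = rcpt_decision(policy, authenticated, arg.split(":", 1)[1].strip("<>"))
            elif verb == "QUIT":
                reply = "221 2.0.0 Bye"
            else:
                reply = "500 5.3.3 Unrecognized command"
        transcript.append((line, reply))
    return transcript


def relay_outcome(policy, rcpt, username=None, password=None):
    """Drive one session (optionally with AUTH LOGIN) and return the reply to RCPT."""
    script = ["EHLO probe.example.net"]
    if username is not None:
        script += ["AUTH LOGIN",
                   base64.b64encode(username.encode()).decode(),
                   base64.b64encode(password.encode()).decode()]
    script += ["MAIL FROM:<spam@example.net>", "RCPT TO:<%s>" % rcpt, "QUIT"]
    for client, server in run_session(policy, script):
        if client.upper().startswith("RCPT"):
            return server


if __name__ == "__main__":
    # The abuse case Simon describes: a guessed password with the default policy.
    for client, server in run_session(RelayPolicy(), [
            "EHLO probe.example.net", "AUTH LOGIN",
            base64.b64encode(b"jdoe").decode(), base64.b64encode(b"Winter2009!").decode(),
            "MAIL FROM:<spam@example.net>", "RCPT TO:<victim@example.org>", "QUIT"]):
        print("C: " + client)
        print("S: " + server.replace("\r\n", "\nS: "))
    # Same credentials once authenticated relaying is turned off:
    print(relay_outcome(RelayPolicy(allow_authenticated_relay=False),
                        "victim@example.org", "jdoe", "Winter2009!"))
```

With the default policy a single guessed password turns the server into a relay for any destination, which is exactly what the repeated AUTH LOGIN attempts are fishing for. With authenticated relaying off, the same credentials still deliver to local domains but get 550 5.7.1 for anything external, so the setting can only be cleared when no POP3/IMAP client depends on SMTP submission; OWA and Outlook over RPC/HTTP submit through the mailbox store rather than SMTP, which is why Simon says it is safe for this poster.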