Solved

Hijacking our email server

Posted on 2009-05-12
Last Modified: 2012-05-06
Our email server continues to be abused by something I can't identify. We have Exchange 2003. When I look at the Queue I see thousands of domains queued. We've had this happen twice before. I followed a link provided to me by TigerMatt (I believe) that made sure we aren't an open relay and showed how to create a connector to clean out all the unwanted junk. And that worked.

The problem is it keeps happening. We aren't open for relay. I don't see how our server is being compromised. When using Find Messages in the Queue, it shows the sender as "Lloyds TSB Bank". Previously it was some other bank, and the recipient addresses are AOL or Hotmail and others.

How do I stop this junk from filling the queue? I hope we didn't try to send it all out again...

thanks.
Question by:AllanHale

LVL 65

Assisted Solution

by:Mestha
Mestha earned 500 total points
It's basically one of three things:

- open relay
- authenticated relay
- NDR

I doubt if it is the last, and if you have checked for the first, it has to be authenticated relaying.
I don't know what you were pointed to by Matt; it sounds like it was probably my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp

Have you tightened up the authenticated relay settings and reset the administrator password?

Simon.
0
 

Author Comment

by:AllanHale
I believe that was the article, yes.  Do you have suggestions for how the authenticated relay settings should look?  I have not reset the admin password.  Actually I hope I don't have to do that, it could require changes in a lot of places.

Allan
0
 
LVL 65

Expert Comment

by:Mestha
You need to change the administrator password. It is the account they go after. With the administrator account there is nothing to stop a spammer from simply accessing your server another way to change the setting back so that abuse can continue. Not changing it is basically the same as a thief stealing your keys, and rather than changing the locks you simply replace the stuff they have stolen and put it in a different place.

Ideally you need to be in a position where the Administrator account can be changed very quickly - any change in staff etc. If you have services running they should be running under their own account with the relevant restrictions used. While it is convenient to use the Administrator account for everything, from a security point of view it can easily become a nightmare.

If you do not have any users on POP3/SMTP then turn off authenticated relaying completely. It does not need to be enabled for Exchange to work correctly. There is a link in that article on how to secure authenticated relaying if you need to have it enabled.

Simon.
0
 
LVL 2

Expert Comment

by:feaglin
Could it be a compromised workstation on internal network running a bot?  Or someone on a compromised laptop, personal or company owned, that is in the office only occasionally?

0
 
LVL 65

Expert Comment

by:Mestha
It will not be a workstation if the messages are in the queues on the Exchange server. Bots simply do not work like that. I explained why in this blog posting: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
0
 

Author Comment

by:AllanHale
I've reset the admin password as you asked. I'm trying to find in the application event log an event that matches the email I see stacked up in the queue. So far I cannot find one.
0
 
LVL 65

Expert Comment

by:Mestha
Have you got the settings set to log that information? Did you restart the SMTP Server service after resetting the password?

Simon.
0
 

Author Comment

by:AllanHale
I do have the logs set to record that information. Actually I did that the last time this happened. I've restarted the virtual SMTP service since resetting the password.

Allan
0
 

Author Comment

by:AllanHale
I found an event.  I was looking for information events, but it came through as a warning event.  Here is the event:

This is an SMTP protocol warning log for virtual server ID 1, connection # 221198.  The remote host "209.191.118.103", responded to the SMTP command "mail" with "451 VS5-MF Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/sam-18.html (#4.4.5) onlinesecurity-noreply@lloydstsb.co.uk.  The full comand sent was "MAIL FROM:<onlinesecurity-noreply@lloydstsb.co.uk> SIZE=2107.  This may cause the connection to fail.


I don't know that host IP address.  But, the onlinesecurity email address is the one that was filling the queue.
0
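The warning above is the kind of entry worth collecting systematically while the queue is full: each one names the remote host that refused the message, the reply code it gave, and the envelope sender the server was trying to deliver for. The following Python is an added example, not code from this thread or from Exchange; it parses that event text (the first fixture is the entry quoted above, the second is a constructed variant with a permanent 5xx rejection) and groups the rejections by envelope sender so the abused sender address, the remote hosts that are refusing it, and whether the refusals look reputation-related can be read off at a glance. The phrase list used for "reputation-related" is a heuristic of my own, not anything Exchange defines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed fixture: the first entry is the event text quoted in the thread,
# the second is a made-up variant with a permanent (5xx) rejection.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection # 221198.  '
    'The remote host "209.191.118.103", responded to the SMTP command "mail" with '
    '"451 VS5-MF Excessive unknown recipients - possible Open Relay '
    'http://help.yahoo.com/help/us/mail/spam/sam-18.html (#4.4.5) '
    'onlinesecurity-noreply@lloydstsb.co.uk.  The full comand sent was '
    '"MAIL FROM:<onlinesecurity-noreply@lloydstsb.co.uk> SIZE=2107.  '
    'This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection # 221342.  '
    'The remote host "198.51.100.25", responded to the SMTP command "mail" with '
    '"550 5.7.1 Service unavailable; client host blocked (constructed sample).  '
    'The full command sent was "MAIL FROM:<onlinesecurity-noreply@lloydstsb.co.uk> SIZE=2107.  '
    'This may cause the connection to fail.',
]

# The event text does not close its quotes consistently, so the pattern keys on the
# fixed phrases around each field instead of on quote pairs. "com+and" tolerates the
# misspelling seen in the quoted entry as well as the correct spelling.
EVENT_RE = re.compile(
    r'virtual server ID (?P<vs>\d+), connection # (?P<conn>\d+)\.\s+'
    r'The remote host "(?P<host>[^"]+)",?\s+responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<code>\d{3})\s+(?P<reply>.*?)\.?\s+'
    r'The full com+and sent was "(?P<sent>.*?)\.?\s+This may cause',
    re.S,
)
MAIL_FROM_RE = re.compile(r'MAIL FROM:<(?P<addr>[^>]*)>(?:\s+SIZE=(?P<size>\d+))?', re.I)


@dataclass
class RemoteRejection:
    virtual_server: int
    connection: int
    remote_host: str
    command: str
    code: int
    reply: str
    mail_from: Optional[str]
    size: Optional[int]

    @property
    def permanent(self) -> bool:
        """5xx replies are permanent failures; 4xx (like the 451 above) are deferrals."""
        return 500 <= self.code < 600

    @property
    def reputation_related(self) -> bool:
        """Heuristic: phrases receiving systems commonly use when they throttle or block
        a sender for volume or relay behaviour (my own list, not an Exchange definition)."""
        text = self.reply.lower()
        return any(k in text for k in ("open relay", "excessive", "too many", "blocked", "spam"))


def parse_protocol_warning(text: str) -> Optional[RemoteRejection]:
    """Extract the structured fields from one SMTP protocol warning event; None if it
    does not match the expected shape."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    mf = MAIL_FROM_RE.search(m.group("sent"))
    return RemoteRejection(
        virtual_server=int(m.group("vs")),
        connection=int(m.group("conn")),
        remote_host=m.group("host"),
        command=m.group("cmd").upper(),
        code=int(m.group("code")),
        reply=m.group("reply").strip(),
        mail_from=mf.group("addr") if mf else None,
        size=int(mf.group("size")) if mf and mf.group("size") else None,
    )


def summarize(events):
    """Group parsed warnings by envelope sender: which remote hosts rejected it,
    with which codes, and how many rejections read as reputation-related."""
    summary = {}
    for text in events:
        rej = parse_protocol_warning(text)
        if rej is None:
            continue
        entry = summary.setdefault(
            rej.mail_from, {"hosts": set(), "codes": set(), "reputation_hits": 0}
        )
        entry["hosts"].add(rej.remote_host)
        entry["codes"].add(rej.code)
        if rej.reputation_related:
            entry["reputation_hits"] += 1
    return summary


if __name__ == "__main__":
    for sender, info in summarize(SAMPLE_EVENTS).items():
        print(f"{sender}: rejected by {sorted(info['hosts'])} with codes "
              f"{sorted(info['codes'])}, {info['reputation_hits']} reputation-related")
```

In practice the event texts would be exported from the Application log and fed in as a list; a sender that shows up across many distinct remote hosts with 4xx/5xx replies is the address to search for in the queue and, once the abuse is stopped, to watch for in the outbound logs to confirm it has gone.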
 
LVL 65

Expert Comment

by:Mestha
The IP address belongs to Yahoo. They are simply rejecting your connection because your server has sent too many emails to it that are unknown. Spammers' lists are not very clean. All that does is confirm that your server has been compromised - which you already know.

Simon.
0
 
LVL 65

Expert Comment

by:Mestha
Remember the spammer only has to authenticate once, so the event log entry could be from quite some time before. If you have changed the password and restarted the SMTP server service then that will have broken the session, so looking at logs after that was done might be easier.
Simon.
0
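The point about a single authentication followed by a long relaying session is what makes grepping the newest log file for AUTH unproductive: the AUTH line may sit days earlier than the MAIL/RCPT traffic it enabled. The Python below is an added example, not code from this thread or from Microsoft, that works over the SMTP virtual server's W3C extended protocol log as a whole and aggregates per client IP whether it authenticated and to how many foreign domains it got recipients accepted. The log excerpt is constructed; the column set is a subset I chose for the sample (the parser maps columns from the #Fields header, so it follows whatever columns a real log declares), and the internal networks and local domain are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: the site's own networks and mail domain.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
LOCAL_DOMAINS = {"school.example"}

# Constructed W3C extended log excerpt. In this format the verb argument is logged
# in cs-uri-query with spaces encoded as '+'. One external client authenticates and
# then relays to several foreign domains; an internal host authenticates and sends
# to one; a third client never authenticates and has a foreign recipient refused.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip s-ip s-port cs-method cs-uri-query sc-status
2009-05-11 23:41:02 198.51.100.77 192.168.1.10 25 EHLO +relay.example.net 250
2009-05-11 23:41:02 198.51.100.77 192.168.1.10 25 AUTH +LOGIN 334
2009-05-11 23:41:03 198.51.100.77 192.168.1.10 25 MAIL +FROM:<onlinesecurity-noreply@lloydstsb.co.uk> 250
2009-05-11 23:41:03 198.51.100.77 192.168.1.10 25 RCPT +TO:<user1@aol.com> 250
2009-05-11 23:41:03 198.51.100.77 192.168.1.10 25 RCPT +TO:<user2@hotmail.com> 250
2009-05-11 23:41:04 198.51.100.77 192.168.1.10 25 RCPT +TO:<user3@yahoo.com> 250
2009-05-12 08:02:11 192.168.1.55 192.168.1.10 25 AUTH +LOGIN 334
2009-05-12 08:02:11 192.168.1.55 192.168.1.10 25 MAIL +FROM:<lunch@school.example> 250
2009-05-12 08:02:12 192.168.1.55 192.168.1.10 25 RCPT +TO:<parent@example.net> 250
2009-05-12 08:02:12 192.168.1.55 192.168.1.10 25 RCPT +TO:<staff@school.example> 250
2009-05-12 08:05:40 203.0.113.9 192.168.1.10 25 MAIL +FROM:<someone@example.com> 250
2009-05-12 08:05:40 203.0.113.9 192.168.1.10 25 RCPT +TO:<staff@school.example> 250
2009-05-12 08:05:41 203.0.113.9 192.168.1.10 25 RCPT +TO:<nobody@aol.com> 550
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed or pre-header lines rather than guess
        yield dict(zip(fields, parts))


def address_in(arg):
    """Pull the address out of a logged MAIL/RCPT argument such as '+FROM:<a@b>'."""
    lo, hi = arg.find("<"), arg.find(">")
    return arg[lo + 1:hi].lower() if 0 <= lo < hi else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def relay_report(text, local_domains=LOCAL_DOMAINS):
    """Per client IP: did it ever authenticate, which senders did it use, and to how
    many non-local domains did it get recipients accepted (sc-status 250)?"""
    stats = defaultdict(lambda: {"authenticated": False, "senders": set(),
                                 "relay_domains": set(), "accepted_rcpts": 0})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        verb = rec["cs-method"].upper()
        if verb == "AUTH":
            s["authenticated"] = True
        elif verb == "MAIL":
            addr = address_in(rec["cs-uri-query"])
            if addr:
                s["senders"].add(addr)
        elif verb == "RCPT" and rec["sc-status"] == "250":
            addr = address_in(rec["cs-uri-query"])
            if addr and "@" in addr:
                s["accepted_rcpts"] += 1
                domain = addr.rsplit("@", 1)[1]
                if domain not in local_domains:
                    s["relay_domains"].add(domain)
    return dict(stats)


def suspicious_relayers(text, min_domains=2):
    """External IPs that authenticated and relayed to at least min_domains foreign
    domains: the footprint of an authenticated-relay abuse of a stolen account."""
    return sorted(
        ip for ip, s in relay_report(text).items()
        if not is_internal(ip) and s["authenticated"] and len(s["relay_domains"]) >= min_domains
    )


if __name__ == "__main__":
    for ip, s in relay_report(SAMPLE_LOG).items():
        print(ip, "auth" if s["authenticated"] else "no-auth",
              sorted(s["senders"]), sorted(s["relay_domains"]))
    print("suspicious:", suspicious_relayers(SAMPLE_LOG))
```

Run it over the concatenated log files for the whole period rather than the current day, so that the AUTH line and the relayed traffic it enabled land in the same per-IP bucket even when they are far apart in time. Once authenticated relaying has been turned off, the same report should show no external IP with authenticated set and a non-empty relay_domains set.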
 

Author Comment

by:AllanHale
I just came into work and the queue is full of junk again.  I'm not sure the mail is actually going out though.  Maybe the queue fills and deals with it?
0
 
LVL 65

Expert Comment

by:Mestha
Shouldn't do.
If the server is working correctly the email shouldn't even be on the server. If you had flushed the queues then you haven't cleared the problem.

Do you have ANYTHING set to be allowed to relay in the SMTP virtual server settings?
Have you disabled authenticated relaying completely?

Simon.
0
 

Author Comment

by:AllanHale
We are a small school district. I did have our lunch program set to relay because they set it up that way. I've removed it as of this morning and restarted the virtual SMTP server. When I look at relay now it shows nothing in the computers list and the 'Only the list below' button is checked. If I click on the Users button the Permissions tab shows Authenticated Users with Submit and Relay permissions.

I've probably broken our lunch program in its ability to send confirmation emails. But I'm suspecting it was the thing that compromised us, because I changed the administrator password yesterday and then this morning had a full queue again. The lunch program allows parents to deposit money online into students' lunch accounts. Then it sends an email with a confirmation number of the financial transaction.

I'm going to call the lunch company and tell them they need to find a new way to send confirmation emails.
0
 
LVL 65

Expert Comment

by:Mestha
If you have authenticated users still listed as being able to relay, that does mean you are exposed to an authenticated relay attack. Do you need that to be enabled? Do you have any SMTP/POP3 users? If not, then turn it off completely.
Another option would be to restrict it to specific users.

I still think it is an authenticated relay attack, except the authentication isn't being logged.

Simon.
0
 

Author Comment

by:AllanHale
We use Outlook as our internal email client.  When staff members are away from the school there is a web link, built in association with Exchange, that allows them to access mail via the web.  I don't know enough about Exchange to answer your question about SMTP/POP3.  But those are the only ways email gets accessed.

Allan
0
 
LVL 65

Expert Comment

by:Mestha
If you are exclusively Outlook, so no Thunderbird, Outlook Express etc. is used, then turn off authenticated relaying. It isn't required for Exchange to work correctly.

Simon.
0
 

Accepted Solution

by:AllanHale
AllanHale earned 0 total points
I have turned off the relay permission for authenticated users and restarted the virtual server. They now only have Submit permission. I've directed my staff to convert any Express users to pure Outlook. I don't think we have many Express users, if any.
0
