Solved

Hijacking our email server

Posted on 2009-05-12
18
Medium Priority
284 Views
Last Modified: 2012-05-06
Our email server continues to be abused by something I can't identify. We have Exchange 2003. When I look at the Queue I see thousands of domains queued. We've had this happen twice before. I followed a link provided to me by TigerMatt (I believe) that made sure we aren't an open relay and it showed how to create a connector to clean out all the unwanted junk. And that worked.

The problem is it keeps happening. We aren't open for relay. I don't see how our server is being compromised. When using Find Messages in the Queue, it shows the sender as "Lloyds TSB Bank". Previously it was some other bank, and the recipient addresses are AOL or Hotmail and others.

How do I stop this junk from filling the queue?  I hope we didn't try to send it all out again...

thanks.
0
Question by:AllanHale
18 Comments
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 2000 total points
ID: 24366256
It's basically one of three things

- open relay
- authenticated relay
- NDR

I doubt if it is the last, and if you have checked for the first, it has to be authenticated relaying.
I don't know what you were pointed to by Matt, it sounds like it was probably my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp

Have you tightened up the authenticated relay settings and reset the administrator password?

Simon.
0
 

Author Comment

by:AllanHale
ID: 24366304
I believe that was the article, yes.  Do you have suggestions for how the authenticated relay settings should look?  I have not reset the admin password.  Actually I hope I don't have to do that, it could require changes in a lot of places.

Allan
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24366373
You need to change the administrator password. It is the account they go after. With the administrator account there is nothing to stop a spammer from simply accessing your server another way to change the setting back so that abuse can continue. Not changing it is basically the same as a thief stealing your keys, and rather than changing the locks you simply replace the stuff they have stolen and put it in a different place.

Ideally you need to be in a position where the Administrator account can be changed very quickly - any change in staff etc. If you have services running they should be running under their own account with the relevant restrictions used. While it is convenient to use the Administrator account for everything, from a security point of view it can easily become a nightmare.

If you do not have any users on POP3/SMTP then turn off authenticated relaying completely. It does not need to be enabled for Exchange to work correctly. There is a link in that article on how to secure authenticated relaying if you need to have it enabled.

Simon.
0
 
LVL 2

Expert Comment

by:feaglin
ID: 24366792
Could it be a compromised workstation on internal network running a bot?  Or someone on a compromised laptop, personal or company owned, that is in the office only occasionally?

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24366826
It will not be a workstation if the messages are in the queues on the Exchange server. Bots simply do not work like that. I explained why in this blog posting: http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
0
 

Author Comment

by:AllanHale
ID: 24366847
I've reset the admin password as you asked. I'm trying to find in the application event log an event that matches the email I see stacked up in the queue. So far I cannot find one.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24366861
Have you got the settings set to log that information? Did you restart the SMTP Server service after resetting the password?

Simon.
0
 

Author Comment

by:AllanHale
ID: 24366875
I do have the logs set to record that information.  Actually I did that the last time this happened.  I've restarted the virtual smtp service since resetting the password.

Allan
0
 

Author Comment

by:AllanHale
ID: 24366948
I found an event.  I was looking for information events, but it came through as a warning event.  Here is the event:

This is an SMTP protocol warning log for virtual server ID 1, connection # 221198.  The remote host "209.191.118.103", responded to the SMTP command "mail" with "451 VS5-MF Excessive unknown recipients - possible Open Relay http://help.yahoo.com/help/us/mail/spam/sam-18.html (#4.4.5) onlinesecurity-noreply@lloydstsb.co.uk.  The full comand sent was "MAIL FROM:<onlinesecurity-noreply@lloydstsb.co.uk> SIZE=2107.  This may cause the connection to fail.


I don't know that host IP address.  But, the onlinesecurity email address is the one that was filling the queue.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24368980
The IP address belongs to Yahoo. They are simply rejecting your connection because your server has sent too many emails to it that are unknown. Spammers' lists are not very clean. All that does is confirm that your server has been compromised - which you already know.

Simon.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24368995
Remember the spammer only has to authenticate once, so the event log could be quite some time before. If you have changed the password and restarted the SMTP server service then that will have broken the session, so looking at logs after that was done might be easier.
Simon.
0
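As an added example (not code from this thread, from Exchange or from the amset/sembee articles), a small Python script that runs over constructed SMTP protocol log lines and flags the pattern Simon describes: an external address that authenticates once and then relays to many recipients. The W3C field layout, the 10.0.0.0/8 LAN range and every sample line are assumptions made for the example.

```python
# Added example: flag authenticated-relay abuse in an SMTP protocol log.
# Assumes W3C extended log lines with the fields in FIELDS; the sample lines
# are constructed, not from the question's server.
from collections import defaultdict
import ipaddress

FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method", "cs-uri-query", "sc-status"]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the school LAN

# Constructed sample: an external host authenticates as administrator once,
# then relays to many unrelated recipients; an internal PC sends normal mail.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-05-12 02:10:02 198.51.100.7 EXAMPLE\\administrator AUTH +LOGIN 235
2009-05-12 02:10:03 198.51.100.7 EXAMPLE\\administrator MAIL +FROM:<noreply@bank.example> 250
2009-05-12 02:10:03 198.51.100.7 EXAMPLE\\administrator RCPT +TO:<a@aol.example> 250
2009-05-12 02:10:03 198.51.100.7 EXAMPLE\\administrator RCPT +TO:<b@hotmail.example> 250
2009-05-12 02:10:04 198.51.100.7 EXAMPLE\\administrator RCPT +TO:<c@yahoo.example> 250
2009-05-12 02:10:05 198.51.100.7 EXAMPLE\\administrator MAIL +FROM:<noreply@bank.example> 250
2009-05-12 02:10:05 198.51.100.7 EXAMPLE\\administrator RCPT +TO:<d@aol.example> 250
2009-05-12 08:00:00 10.0.5.21 - MAIL +FROM:<teacher@school.example> 250
2009-05-12 08:00:00 10.0.5.21 - RCPT +TO:<parent@aol.example> 250
"""

def parse(log_text):
    """Yield one dict per data line, keyed by the W3C field names."""
    for line in log_text.splitlines():
        if line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(FIELDS):
                yield dict(zip(FIELDS, parts))

def find_auth_relay(log_text, rcpt_threshold=3):
    """Return {c-ip: (username, rcpt_count)} for external IPs that
    authenticated successfully and then addressed more than rcpt_threshold
    recipients in the same log: the authenticated-relay pattern."""
    authed = {}               # c-ip -> username after a 235 AUTH reply
    rcpts = defaultdict(int)  # c-ip -> RCPT commands seen after AUTH
    for rec in parse(log_text):
        ip = ipaddress.ip_address(rec["c-ip"])
        if any(ip in net for net in INTERNAL_NETS):
            continue          # internal senders are expected to submit mail
        if rec["cs-method"] == "AUTH" and rec["sc-status"] == "235":
            authed[rec["c-ip"]] = rec["cs-username"]
        elif rec["cs-method"] == "RCPT" and rec["c-ip"] in authed:
            rcpts[rec["c-ip"]] += 1
    return {ip: (user, rcpts[ip]) for ip, user in authed.items()
            if rcpts[ip] > rcpt_threshold}
```

The flagged username is the one whose password needs changing, and the source IP is what to look for in the SMTP virtual server's connection and relay lists after the reset.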
 

Author Comment

by:AllanHale
ID: 24373420
I just came into work and the queue is full of junk again.  I'm not sure the mail is actually going out though.  Maybe the queue fills and deals with it?
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24373826
Shouldn't do.
If the server is working correctly the email shouldn't even be on the server. If you had flushed the queues then you haven't cleared the problem.

Do you have ANYTHING set to be allowed to relay in the SMTP virtual server settings?
Have you disabled authenticated relaying completely?

Simon.
0
 

Author Comment

by:AllanHale
ID: 24373881
We are a small school district.  I did have our lunch program set to relay because they set it up that way.  I've removed it as of this morning and restarted the virtual smtp server.  When I look at relay now it shows nothing in the computers list and the 'Only the list below' button is checked.  If I click on Users button the Permissions tab shows Authenticated Users with Submit and Relay permissions.

I've probably broken our lunch program in its ability to send confirmation emails. But I'm suspecting it was the thing that compromised us, because I changed the administrator password yesterday and then this morning had a full queue again. The lunch program allows parents to deposit money online into students' lunch accounts. Then it sends an email with a confirmation number of the financial transaction.

I'm going to call the lunch company and tell them they need to find a new way to send confirmation emails.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24373943
If you have authenticated users still listed as being able to relay, that does mean you are exposed to an authenticated relay attack. Do you need that to be enabled? Do you have any SMTP/POP3 users? If not, then turn it off completely.
Another option would be to restrict it to specific users.

I still think it is an authenticated relay attack, except the authentication isn't being logged.

Simon.
0
 

Author Comment

by:AllanHale
ID: 24373970
We use Outlook as our internal email client.  When staff members are away from the school there is a web link, built in association with Exchange, that allows them to access mail via the web.  I don't know enough about Exchange to answer your question about SMTP/POP3.  But those are the only ways email gets accessed.

Allan
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24374019
If you are EXCLUSIVELY Outlook, so no Thunderbird, Outlook Express etc. is used, then turn off authenticated relaying. It isn't required for Exchange to work correctly.

Simon.
0
 

Accepted Solution

by:
AllanHale earned 0 total points
ID: 24374073
I have turned off the relay permission for authenticated users and restarted the virtual server. They now only have submit permission. I've directed my staff to convert any Express users to pure Outlook. I don't think we have many Express users, if any.
0
