
Solved

How do I protect against authenticated users being used as spam relay

Posted on 2009-05-20
Last Modified: 2013-11-16
I have recently joined a company that has Exchange 2003 SP1 on a 2003 SP2 server. Our Firewall is a Watchguard Edge X55e using common packet filter policies. A Sendio I.C.E. box scans for spam & viruses before routing SMTP traffic to the mail server. OWA is enabled, so OWA traffic is NATed through the firewall directly to the mail server. We are not an open relay.

We recently got spam blacklisted, I think because a user account had been compromised & been used to relay spam. In the past users had been allowed very weak passwords & hardly ever changed them. A more rigorous regime is now in place & all passwords have been changed. We have been delisted & so far we're ok.

My question is, what else should I do to prevent this happening again?

Any suggestions would be greatly appreciated as I am going on holiday on Saturday & would like the peace of mind of knowing that our system is secure whilst I'm away!
Question by:alec1836
19 Comments
 
LVL 5

Expert Comment

by:karstieman
ID: 24429327
You've done the best thing by hardening the password security policy of your company.
I don't know if your firewall allows you to check for "if more than x mails are sent from the same recipient, then block for xxx period", but that would be a great option to stop relaying immediately. There's a lot of software that can do this, but it has extra costs, of course.
In my opinion you've done the best by hardening your password security policy (require x characters, maybe even require a number and a special character like - or @ or something like that).
 
LVL 49

Expert Comment

by:Akhater
ID: 24429333
If I understood correctly you do not have SMTP opened from outside directly to your Exchange server, so you are left with two options:

1) The spam is coming from inside the company (not necessarily from Exchange). A good practice would be to allow only the Exchange server to send outgoing SMTP, and/or NAT the Exchange to a different public IP than the one used by your clients.

2) The spam was sent using a legitimate username and password on your domain. The solution for that is definitely to use a stronger password policy.
 

Author Comment

by:alec1836
ID: 24429394
Karstieman,

Thanks for your block for xxx-period suggestion, I'll look into that. It seems my firewall can check for spam over POP3, so I'll test that.

The password policy is now 8 characters to include upper & lower case, numbers & a special character. Come the next password change though I think I'll enforce a minimum of 10 characters & try to deter them from using "words" to make dictionary attacks harder.
 

Author Comment

by:alec1836
ID: 24429463
Akhater,

Thanks for your reply. SMTP is routed from Exchange to the Sendio I.C.E. box & the firewall only allows outbound SMTP from this. So hopefully that covers any internal threat. I'm scanning all of our Windows PCs for viruses, malware & adware. I'm assuming our Macs are clean. I'm not sure what I can use to check the Win servers; so far all I've used is the MS Malicious Software Removal tool.

I'm not quite sure what you meant by "NAT the exchange to a different public IP than the one used by your clients"?
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24429464
Disable authenticated relay in Exchange 2003. You don't need it unless you have POP/IMAP clients.

http://www.amset.info/exchange/smtp-relaysecure.asp
 

Author Comment

by:alec1836
ID: 24429474
Hi Rajith,

Don't I need that enabled for OWA?
 

Author Comment

by:alec1836
ID: 24429486
In fact, don't I need authenticated relay enabled for my users to email externally?
 
LVL 49

Expert Comment

by:Akhater
ID: 24429683
What client are they using?

If Outlook is configured as an Exchange client, or OWA, then the answer is no.

If you are using POP3 or IMAP, then yes.
 

Author Comment

by:alec1836
ID: 24429828
At present several of my users only access their email from a web browser, both from within our network & remotely on the internet. Also, I have users using the Mail app on a Mac & Entourage on a Mac.
 
LVL 65

Expert Comment

by:Mestha
ID: 24429845
The usual target account is Administrator, so you should ensure that the Administrator account cannot be used, ideally by turning off authenticated relaying. If you have Mac users, then you cannot do that, so restrict it down to only those that need it.

Simon.
 
LVL 49

Expert Comment

by:Akhater
ID: 24429871
Entourage can be configured as an Exchange client, so if that is the case you do not need relay. That being said, most of the Exchange servers I am administering have this checkbox enabled and have never faced any spam issue.

1) Is there any public IP you can telnet to from outside your company and access your Exchange server? Or are incoming emails first being delivered to your anti-spam?

2) How is your Exchange server sending emails? Is it configured to use DNS, or to send to your spam filter first?

If I understood correctly, all incoming emails are routed through your spam filter, so your Exchange box is NOT directly accessible from outside, i.e. no external user can use it to relay.

3) Check your Exchange queues. Are they suspicious?

4) When you are sending out emails, is the IP address you are using (the one that is being blacklisted) the same one your clients are using to browse the internet? If so, then the issue is probably that you have an infected client. Why not just restrict outgoing SMTP to the IPs of your Exchange and/or spam filter?
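The rate-based check karstieman suggests and the queue review in Akhater's point 3 both come down to the same detection: one authenticated account submitting far more mail than its peers in a short time. As an added example that is not part of this thread, the Python below parses W3C-style SMTP protocol log lines (Exchange 2003 can write these when SMTP logging is enabled; the field list and sample entries here are constructed assumptions) and flags users exceeding a MAIL-command threshold within a sliding window.

```python
"""Flag authenticated users that submit a burst of outbound mail."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (a #Fields header names
# the columns; the field set below is an assumption, not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-05-14 08:01:10 10.0.0.21 CORP\\alice MAIL +FROM:<alice@example.com> 250
2009-05-14 08:02:40 10.0.0.21 CORP\\alice MAIL +FROM:<alice@example.com> 250
2009-05-14 08:03:05 203.0.113.9 CORP\\bob MAIL +FROM:<bob@example.com> 250
2009-05-14 08:03:06 203.0.113.9 CORP\\bob MAIL +FROM:<bob@example.com> 250
2009-05-14 08:03:07 203.0.113.9 CORP\\bob MAIL +FROM:<bob@example.com> 250
2009-05-14 08:03:08 203.0.113.9 CORP\\bob MAIL +FROM:<bob@example.com> 250
2009-05-14 08:03:09 203.0.113.9 CORP\\bob RCPT +TO:<x@example.net> 250
2009-05-14 09:30:00 10.0.0.22 CORP\\alice MAIL +FROM:<alice@example.com> 250
"""

def parse_w3c(text):
    """Yield one dict per entry; the #Fields line supplies the keys."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def burst_senders(text, limit=3, window=timedelta(minutes=5)):
    """Return {user: peak count} for users issuing more than `limit`
    MAIL commands inside any interval of length `window`."""
    recent = defaultdict(deque)   # user -> timestamps still in window
    peaks = {}
    for row in parse_w3c(text):
        if row.get("cs-method") != "MAIL":
            continue              # only message submissions count
        user = row["cs-username"]
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > limit:
            peaks[user] = max(len(q), peaks.get(user, 0))
    return peaks

if __name__ == "__main__":
    for user, n in burst_senders(SAMPLE_LOG).items():
        print(f"{user}: {n} MAIL commands within 5 minutes, review this account")
```

Point it at a real protocol log and tune `limit` and `window` to your users' normal volume; a hit is a cue to check that account's password and the server queues, not proof of compromise by itself.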
 

Author Comment

by:alec1836
ID: 24429987
Hi Simon,

I've created an access group called POP3 Relay & allowed only that group to relay. The administrator account is not in the group. However, nor is my account (I'm an administrator as well) & I can still send via Outlook & OWA - is that the correct behaviour?
 
LVL 49

Expert Comment

by:Akhater
ID: 24430016
Yes, I told you previously that the "Allow relaying for computers that has authenticated irrespectively of the list above" checkbox is not for MAPI/OWA clients; it is for POP3/IMAP clients.
 

Author Comment

by:alec1836
ID: 24430065
OK, sorry I'm a bit of a noobie.

So, in my POP3 Relay group I should only have users that are NOT using Outlook or OWA?

All Outlook/OWA clients can relay regardless of those settings because they are MAPI?
 
LVL 49

Expert Comment

by:Akhater
ID: 24430086
It is not for users NOT using Outlook or OWA, but rather any user using IMAP or POP3 (maybe a user is using IMAP and OWA, for example).
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24430463
"In fact, don't I need authenticated relay enabled for my users to email externally?"

No, unless you have pop/imap clients.
 

Author Comment

by:alec1836
ID: 24432060
OK guys, I've removed all the users that I know to only use Outlook/OWA from my POP3 Relay group.

Akhater, to go back to your 4 questions:

1) No, I can only telnet the external IP of my firewall. This passes all SMTP to my Spam box.
2) All SMTP-OUT is via the Spam box.
3) My queues seem to be ok now, but the problem was last week. I just want to prevent it happening again.
4) Yes, the IP that was blacklisted was the external IP of our firewall. The same IP that users will display when browsing the net. The firewall is already configured to only allow outbound SMTP from the Spam box.
 
LVL 49

Accepted Solution

by:
Akhater earned 2000 total points
ID: 24432216
Since you answered that your Exchange box is not reachable from outside, the spam can't be from outside.

Since only your Spam box can send SMTP traffic externally, I think it is there that you should be checking.
 

Author Closing Comment

by:alec1836
ID: 31583381
Sorry for the late response, I've been away. Thank you all for your assistance.