Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 811
  • Last Modified:

Spam being relayed through my Exchange Server (SBS 2003)

I have been running an SBS 2003 server for about a year now for my small company.  Yesterday, someone began relaying spam through the server.  Hundreds of thousands of messages were being sent.  I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.

I am NOT configured as an open relay, according to CheckOR.com

I followed the steps in this article:  http://technet.microsoft.com/en-us/kb/kb00324958.aspx

I never saw an Event ID 1708 authentication event show up in my Event Viewer.

Currently,on the SMTP Virtual Server relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.

From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.

There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning.  I am not sure how the spammer was authenticating to my server?

Thank you for your help.
0
benfinkel
Asked:
benfinkel
  • 4
  • 3
1 Solution
 
shauncroucherCommented:
Are you sure they are using your server to send mail? What do you see in your logs?

Do the queues get full of SPAM on the exchange server?

As for Authenticated SPAM relaying, the only people that should be permitted to RELAY mail through your server are external users using POP/IMAP. Any user using Outlook / Outlook Anywhere (RPC over HTTP) or OWA DO NOT need to have rights to authenticate. If all your users are using either Outlook / Outlook Anywhere (RPC over HTTP) or OWA then turn off the right to relay for authenticated users.

Alternatively, make sure that EVERYONE (including the administrator account) changes their password and uses a complex password policy.

If you are not 100% sure it is your mail server sending out SPAM then you will need to run Anti virus scans on all your PC's and ensure there is no SPAM bot running inside your organisation.

Shaun
0
 
shauncroucherCommented:
If you have users on POP/IMAP you can specifially allow these users to relay.
0
 
benfinkelAuthor Commented:
Yes, the queue was full of messages, and I had logging turned on and my log was over 700 megabytes (for a 12 person organization).  

An example of a line entry from the log file:  
2009-7-1      12:23:2 GMT      198.166.44.232      User      exim15.blueyonder.co.uk      [redacted] 128.xxx.xxx.xxx brianl@procare-ltd.co.uk      1031      [redacted]      3      0      2159      50      2009-7-1 12:22:56 GMT      0      Version: 6.0.3790.3959      -      -      mail@customer.halifax.co.uk      -

The IP address: 198.166.44.232 is what I added to the exclusion list.  Halifax.co.uk is a bank so I'm sure these are related to a phishing scam.

All of my users changed their pws this morning, and are using strong pws.

All of the computers are running Kaspersky AV fully updated, both servers included.

I do have one user who uses POP exclusively, and we all utilize POP or IMAP to get email on our mobile phones.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
shauncroucherCommented:
You mention  Internet Guest Account is allowed relay? Why is this granted relay rights?

I'd remove that.

Shaun
0
 
benfinkelAuthor Commented:
I do not know why, that would have come from the default SBS installation.

I will remove that now, thank you.

0
 
shauncroucherCommented:
No problem.

The Internet Guest Account should not be in the list of allowed people to relay.

By default, I believe only the IP of the server and then 'Allow authenticated computers to relay regardless of list' is checked for relay rights.

There is not even a list of users usually, so seems to be away from default here.

Shaun
0
 
benfinkelAuthor Commented:
Okay.

I've made the above changes, and had everyone change their password, and the issue has not returned during the following week.

I hope I have locked down the security hole I had.

Thank you for your help everyone.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now