We help IT Professionals succeed at work.

Spam being relayed through my Exchange Server (SBS 2003)

benfinkel
benfinkel asked
on
837 Views
Last Modified: 2013-11-30
I have been running an SBS 2003 server for about a year now for my small company.  Yesterday, someone began relaying spam through the server.  Hundreds of thousands of messages were being sent.  I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.

I am NOT configured as an open relay, according to CheckOR.com

I followed the steps in this article:  http://technet.microsoft.com/en-us/kb/kb00324958.aspx

I never saw an Event ID 1708 authentication event show up in my Event Viewer.

Currently,on the SMTP Virtual Server relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.

From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.

There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning.  I am not sure how the spammer was authenticating to my server?

Thank you for your help.
Comment
Watch Question

Are you sure they are using your server to send mail? What do you see in your logs?

Do the queues get full of SPAM on the exchange server?

As for Authenticated SPAM relaying, the only people that should be permitted to RELAY mail through your server are external users using POP/IMAP. Any user using Outlook / Outlook Anywhere (RPC over HTTP) or OWA DO NOT need to have rights to authenticate. If all your users are using either Outlook / Outlook Anywhere (RPC over HTTP) or OWA then turn off the right to relay for authenticated users.

Alternatively, make sure that EVERYONE (including the administrator account) changes their password and uses a complex password policy.

If you are not 100% sure it is your mail server sending out SPAM then you will need to run Anti virus scans on all your PC's and ensure there is no SPAM bot running inside your organisation.

Shaun
If you have users on POP/IMAP you can specifially allow these users to relay.

Author

Commented:
Yes, the queue was full of messages, and I had logging turned on and my log was over 700 megabytes (for a 12 person organization).  

An example of a line entry from the log file:  
2009-7-1      12:23:2 GMT      198.166.44.232      User      exim15.blueyonder.co.uk      [redacted] 128.xxx.xxx.xxx brianl@procare-ltd.co.uk      1031      [redacted]      3      0      2159      50      2009-7-1 12:22:56 GMT      0      Version: 6.0.3790.3959      -      -      mail@customer.halifax.co.uk      -

The IP address: 198.166.44.232 is what I added to the exclusion list.  Halifax.co.uk is a bank so I'm sure these are related to a phishing scam.

All of my users changed their pws this morning, and are using strong pws.

All of the computers are running Kaspersky AV fully updated, both servers included.

I do have one user who uses POP exclusively, and we all utilize POP or IMAP to get email on our mobile phones.
You mention  Internet Guest Account is allowed relay? Why is this granted relay rights?

I'd remove that.

Shaun

Author

Commented:
I do not know why, that would have come from the default SBS installation.

I will remove that now, thank you.

Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Okay.

I've made the above changes, and had everyone change their password, and the issue has not returned during the following week.

I hope I have locked down the security hole I had.

Thank you for your help everyone.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.