Solved

Spam being relayed through my Exchange Server (SBS 2003)

Posted on 2009-07-01
7
777 Views
Last Modified: 2013-11-30
I have been running an SBS 2003 server for about a year now for my small company.  Yesterday, someone began relaying spam through the server.  Hundreds of thousands of messages were being sent.  I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.

I am NOT configured as an open relay, according to CheckOR.com

I followed the steps in this article:  http://technet.microsoft.com/en-us/kb/kb00324958.aspx

I never saw an Event ID 1708 authentication event show up in my Event Viewer.

Currently,on the SMTP Virtual Server relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.

From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.

There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning.  I am not sure how the spammer was authenticating to my server?

Thank you for your help.
0
Comment
Question by:benfinkel
  • 4
  • 3
7 Comments
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755074
Are you sure they are using your server to send mail? What do you see in your logs?

Do the queues get full of SPAM on the exchange server?

As for Authenticated SPAM relaying, the only people that should be permitted to RELAY mail through your server are external users using POP/IMAP. Any user using Outlook / Outlook Anywhere (RPC over HTTP) or OWA DO NOT need to have rights to authenticate. If all your users are using either Outlook / Outlook Anywhere (RPC over HTTP) or OWA then turn off the right to relay for authenticated users.

Alternatively, make sure that EVERYONE (including the administrator account) changes their password and uses a complex password policy.

If you are not 100% sure it is your mail server sending out SPAM then you will need to run Anti virus scans on all your PC's and ensure there is no SPAM bot running inside your organisation.

Shaun
0
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755087
If you have users on POP/IMAP you can specifially allow these users to relay.
0
 
LVL 1

Author Comment

by:benfinkel
ID: 24755371
Yes, the queue was full of messages, and I had logging turned on and my log was over 700 megabytes (for a 12 person organization).  

An example of a line entry from the log file:  
2009-7-1      12:23:2 GMT      198.166.44.232      User      exim15.blueyonder.co.uk      [redacted] 128.xxx.xxx.xxx brianl@procare-ltd.co.uk      1031      [redacted]      3      0      2159      50      2009-7-1 12:22:56 GMT      0      Version: 6.0.3790.3959      -      -      mail@customer.halifax.co.uk      -

The IP address: 198.166.44.232 is what I added to the exclusion list.  Halifax.co.uk is a bank so I'm sure these are related to a phishing scam.

All of my users changed their pws this morning, and are using strong pws.

All of the computers are running Kaspersky AV fully updated, both servers included.

I do have one user who uses POP exclusively, and we all utilize POP or IMAP to get email on our mobile phones.
0
Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755426
You mention  Internet Guest Account is allowed relay? Why is this granted relay rights?

I'd remove that.

Shaun
0
 
LVL 1

Author Comment

by:benfinkel
ID: 24756045
I do not know why, that would have come from the default SBS installation.

I will remove that now, thank you.

0
 
LVL 27

Accepted Solution

by:
shauncroucher earned 500 total points
ID: 24756257
No problem.

The Internet Guest Account should not be in the list of allowed people to relay.

By default, I believe only the IP of the server and then 'Allow authenticated computers to relay regardless of list' is checked for relay rights.

There is not even a list of users usually, so seems to be away from default here.

Shaun
0
 
LVL 1

Author Comment

by:benfinkel
ID: 24803918
Okay.

I've made the above changes, and had everyone change their password, and the issue has not returned during the following week.

I hope I have locked down the security hole I had.

Thank you for your help everyone.
0

Featured Post

Are end users causing IT problems again?

You’ve taken the time to design and update all your end user’s email signatures, only to find out they’re messing up the HTML, changing the font and ruining the imagery. What can you do to prevent this? Find out how you can save your signatures from end users today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
how to add IIS SMTP to handle application/Scanner relays into office 365.

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now