Spam being relayed through my Exchange Server (SBS 2003)

I have been running an SBS 2003 server for about a year now for my small company.  Yesterday, someone began relaying spam through the server.  Hundreds of thousands of messages were being sent.  I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.

I am NOT configured as an open relay, according to CheckOR.com

I followed the steps in this article:  http://technet.microsoft.com/en-us/kb/kb00324958.aspx

I never saw an Event ID 1708 authentication event show up in my Event Viewer.

Currently,on the SMTP Virtual Server relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.

From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.

There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning.  I am not sure how the spammer was authenticating to my server?

Thank you for your help.
LVL 1
benfinkelAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

shauncroucherCommented:
Are you sure they are using your server to send mail? What do you see in your logs?

Do the queues get full of SPAM on the exchange server?

As for Authenticated SPAM relaying, the only people that should be permitted to RELAY mail through your server are external users using POP/IMAP. Any user using Outlook / Outlook Anywhere (RPC over HTTP) or OWA DO NOT need to have rights to authenticate. If all your users are using either Outlook / Outlook Anywhere (RPC over HTTP) or OWA then turn off the right to relay for authenticated users.

Alternatively, make sure that EVERYONE (including the administrator account) changes their password and uses a complex password policy.

If you are not 100% sure it is your mail server sending out SPAM then you will need to run Anti virus scans on all your PC's and ensure there is no SPAM bot running inside your organisation.

Shaun
0
shauncroucherCommented:
If you have users on POP/IMAP you can specifially allow these users to relay.
0
benfinkelAuthor Commented:
Yes, the queue was full of messages, and I had logging turned on and my log was over 700 megabytes (for a 12 person organization).  

An example of a line entry from the log file:  
2009-7-1      12:23:2 GMT      198.166.44.232      User      exim15.blueyonder.co.uk      [redacted] 128.xxx.xxx.xxx brianl@procare-ltd.co.uk      1031      [redacted]      3      0      2159      50      2009-7-1 12:22:56 GMT      0      Version: 6.0.3790.3959      -      -      mail@customer.halifax.co.uk      -

The IP address: 198.166.44.232 is what I added to the exclusion list.  Halifax.co.uk is a bank so I'm sure these are related to a phishing scam.

All of my users changed their pws this morning, and are using strong pws.

All of the computers are running Kaspersky AV fully updated, both servers included.

I do have one user who uses POP exclusively, and we all utilize POP or IMAP to get email on our mobile phones.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

shauncroucherCommented:
You mention  Internet Guest Account is allowed relay? Why is this granted relay rights?

I'd remove that.

Shaun
0
benfinkelAuthor Commented:
I do not know why, that would have come from the default SBS installation.

I will remove that now, thank you.

0
shauncroucherCommented:
No problem.

The Internet Guest Account should not be in the list of allowed people to relay.

By default, I believe only the IP of the server and then 'Allow authenticated computers to relay regardless of list' is checked for relay rights.

There is not even a list of users usually, so seems to be away from default here.

Shaun
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
benfinkelAuthor Commented:
Okay.

I've made the above changes, and had everyone change their password, and the issue has not returned during the following week.

I hope I have locked down the security hole I had.

Thank you for your help everyone.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.