Solved

Spam being relayed through my Exchange Server (SBS 2003)

Posted on 2009-07-01
776 Views
Last Modified: 2013-11-30
I have been running an SBS 2003 server for about a year now for my small company.  Yesterday, someone began relaying spam through the server.  Hundreds of thousands of messages were being sent.  I went through some diagnostic and cleanup items that I found online, but again this morning more spam was being relayed.

I am NOT configured as an open relay, according to CheckOR.com

I followed the steps in this article:  http://technet.microsoft.com/en-us/kb/kb00324958.aspx

I never saw an Event ID 1708 authentication event show up in my Event Viewer.

Currently, on the SMTP Virtual Server, relay is only granted to my specific users, the Internet Guest Account, and my webserver computer.

From the logs I found what I believe was the originating IP address and I added that to the exclusion list under Connection Control on the SMTP Virtual Server.

There has been no spam since about an hour ago, but we were fine overnight also and then it picked up again this morning.  I am not sure how the spammer was authenticating to my server?

Thank you for your help.
Question by:benfinkel
7 Comments
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755074
Are you sure they are using your server to send mail? What do you see in your logs?

Do the queues get full of SPAM on the exchange server?

As for Authenticated SPAM relaying, the only people that should be permitted to RELAY mail through your server are external users using POP/IMAP. Any user using Outlook / Outlook Anywhere (RPC over HTTP) or OWA DO NOT need to have rights to authenticate. If all your users are using either Outlook / Outlook Anywhere (RPC over HTTP) or OWA then turn off the right to relay for authenticated users.

Alternatively, make sure that EVERYONE (including the administrator account) changes their password and uses a complex password policy.

If you are not 100% sure it is your mail server sending out SPAM then you will need to run Anti virus scans on all your PC's and ensure there is no SPAM bot running inside your organisation.

Shaun
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755087
If you have users on POP/IMAP you can specifically allow these users to relay.
 
LVL 1

Author Comment

by:benfinkel
ID: 24755371
Yes, the queue was full of messages, and I had logging turned on and my log was over 700 megabytes (for a 12-person organization).

An example of a line entry from the log file:  
2009-7-1      12:23:2 GMT      198.166.44.232      User      exim15.blueyonder.co.uk      [redacted] 128.xxx.xxx.xxx brianl@procare-ltd.co.uk      1031      [redacted]      3      0      2159      50      2009-7-1 12:22:56 GMT      0      Version: 6.0.3790.3959      -      -      mail@customer.halifax.co.uk      -

The IP address: 198.166.44.232 is what I added to the exclusion list.  Halifax.co.uk is a bank so I'm sure these are related to a phishing scam.

All of my users changed their pws this morning, and are using strong pws.

All of the computers are running Kaspersky AV fully updated, both servers included.

I do have one user who uses POP exclusively, and we all utilize POP or IMAP to get email on our mobile phones.
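As an added example (not code from this thread or from Exchange itself), here is the kind of log summary that answers Shaun's "what do you see in your logs?" question: it reads an IIS/Exchange 2003 SMTP virtual server log in W3C extended format, groups requests by client IP and authenticated user, and reports which sources are being accepted for many RCPT TO commands and whether they got there by SMTP AUTH. The sample log, its column set and all addresses are constructed for illustration; the parser takes the column names from the `#Fields:` header rather than assuming positions, so it works on a real log with a different field selection as long as the named fields are present.

```python
"""Added example, not from the thread: summarise an SMTP virtual server
W3C log to find who is relaying and whether they authenticated."""
from collections import defaultdict

# Constructed sample log: one normal inbound delivery, one authenticated
# client fanning out to many recipients (the relay pattern in the thread),
# and one rejected recipient. The field list is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2009-07-01 12:20:01 203.0.113.5 - SMTPSVC1 MAIL +FROM:<partner@example.net> 250
2009-07-01 12:20:01 203.0.113.5 - SMTPSVC1 RCPT +TO:<ben@example.com> 250
2009-07-01 12:22:56 198.51.100.7 brianl SMTPSVC1 AUTH LOGIN 235
2009-07-01 12:22:57 198.51.100.7 brianl SMTPSVC1 MAIL +FROM:<mail@customer.example.test> 250
2009-07-01 12:22:57 198.51.100.7 brianl SMTPSVC1 RCPT +TO:<v1@example.org> 250
2009-07-01 12:22:57 198.51.100.7 brianl SMTPSVC1 RCPT +TO:<v2@example.org> 250
2009-07-01 12:22:58 198.51.100.7 brianl SMTPSVC1 RCPT +TO:<v3@example.org> 250
2009-07-01 12:22:58 198.51.100.7 brianl SMTPSVC1 RCPT +TO:<v4@example.org> 250
2009-07-01 12:23:02 192.0.2.44 - SMTPSVC1 RCPT +TO:<nobody@example.org> 550
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def address_in(query):
    """Pull 'user@host' out of '+FROM:<user@host>' style cs-uri-query text."""
    return query[query.find("<") + 1:query.rfind(">")] if "<" in query else query

def relay_report(text, rcpt_threshold=3):
    """Per (client IP, user): accepted RCPT count, whether SMTP AUTH
    succeeded (status 235) and the distinct MAIL FROM addresses used.
    Only sources at or above rcpt_threshold accepted recipients are returned;
    those are the IPs/accounts to block or reset first."""
    stats = defaultdict(lambda: {"rcpt": 0, "auth": False, "senders": set()})
    for r in parse_w3c(text):
        s = stats[(r["c-ip"], r["cs-username"])]
        if r["cs-method"] == "AUTH" and r["sc-status"] == "235":
            s["auth"] = True
        elif r["cs-method"] == "MAIL":
            s["senders"].add(address_in(r["cs-uri-query"]))
        elif r["cs-method"] == "RCPT" and r["sc-status"] == "250":
            s["rcpt"] += 1
    return {k: v for k, v in stats.items() if v["rcpt"] >= rcpt_threshold}

if __name__ == "__main__":
    for (ip, user), s in relay_report(SAMPLE_LOG).items():
        print(f"{ip} user={user} auth={s['auth']} rcpt={s['rcpt']} from={sorted(s['senders'])}")
```

On a real 700 MB log, raise `rcpt_threshold` well above what any one mailbox sends in a day; a hit with `auth=True` points at a compromised credential (reset it), while a hit with user `-` points at a relay permission such as an anonymous or IP-based grant.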
 
LVL 27

Expert Comment

by:shauncroucher
ID: 24755426
You mention the Internet Guest Account is allowed relay? Why is this granted relay rights?

I'd remove that.

Shaun
 
LVL 1

Author Comment

by:benfinkel
ID: 24756045
I do not know why, that would have come from the default SBS installation.

I will remove that now, thank you.

 
LVL 27

Accepted Solution

by:shauncroucher
Earned 500 total points
ID: 24756257
No problem.

The Internet Guest Account should not be in the list of allowed people to relay.

By default, I believe only the IP of the server and then 'Allow authenticated computers to relay regardless of list' is checked for relay rights.

There is not even a list of users usually, so this seems to be away from default here.

Shaun
 
LVL 1

Author Comment

by:benfinkel
ID: 24803918
Okay.

I've made the above changes, and had everyone change their password, and the issue has not returned during the following week.

I hope I have locked down the security hole I had.

Thank you for your help everyone.
