Exchange Abused - Auth user - which user?

My Exchange server has been abused and used to send phishing mails, and my ISP has blocked my IP address. The Exchange server does not accept open relay - but is accepting authenticated users to relay. I think that some users in our organization are using the same password as username :/ and that the spammers have taken advantage of this.

But how can I see which user has been abused - Is there a logfile or something where one user might have sent a large number of mails?

Regards Steffen
UpgradeITAsked:

The_KirschiCommented:
Hi,

have a look at the eventlog. You should see the AUTH connections there.

See: http://windowsitpro.com/article/articleid/42406/exchange-server-smtp-auth-attacks.html

Hope this helps
The kirschi
0

Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Version of exchange?

Check your settings here, to see whether you are an open relay, whether you have a reverse dns record in place to start with..

http://www.mxtoolbox.com/diagnostic.aspx
0
UpgradeITAuthor Commented:
2003.

I don't think I have reverse DNS; I only have an A record pointing to an IP address - and an MX pointing to that A record ....

Do I need reverse - it has worked before ... ?

I do not have open relay - but I accept auth users to relay - so if a spammer has guessed a username and password the spammer is able to relay - and I would like to know which user's account the spammer has guessed the password to..
0
Alan HardistyCo-OwnerCommented:
As The_Kirschi says - check your SMTP logs in c:\windows\system32\logfiles\STPSVC1
Have a look through the latest file(s) and you should see the Date, Time, IP, Username, Sitename etc.
From here - you should be able to see who is abusing you and change their account password to something slightly stronger.
0
Alan HardistyCo-OwnerCommented:
Sorry - Finger trouble c:\windows\system32\logfiles\SMTPSVC1 is the correct path.
0
The_KirschiCommented:
I meant the security log in event viewer actually but SMTP log may also be helpful.
0
MesthaCommented:
The usual account that is targeted is the Administrator account. If you haven't changed the password on that account then you need to.

Simon.
0
Wally_135Commented:
Are you using an MX anti-spam service such as MessageLabs? If so, lock out your public firewall so it only accepts SMTP connections to the provider's IP addresses; this will prevent further instances of public auth spamming. And once the providers are able to prove you aren't spamming any more you will be removed from the blacklist.

Oh, and it would be easier to change the logon name of the administrator account; that way the SID won't change and cause issues with dependent services.

And force a password change on any groups of users who "share passwords" or use common passwords for department systems and such, just to keep them on their toes. You'll be surprised how many "can't quite get used to having their own password".

0
UpgradeITAuthor Commented:
In the event manager, in security, there are just many logon/logoff events - how do I know if it was a relay??

I have also looked in c:\windows\system32\logfiles\SMTPSVC1 - here is a bit of that logfile:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:01:46
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:03:50 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7656 955 4 7656 SMTP - - - -
2009-07-15 00:06:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4782 1067 4 4782 SMTP - - - -
2009-07-15 00:09:14 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4031 1179 4 4031 SMTP - - - -
2009-07-15 00:12:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5766 1291 4 5766 SMTP - - - -
2009-07-15 00:16:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 20312 1403 4 20312 SMTP - - - -
2009-07-15 00:18:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5922 1515 4 5922 SMTP - - - -
2009-07-15 00:21:36 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 3812 1627 4 3812 SMTP - - - -
2009-07-15 00:24:22 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5750 1739 4 5750 SMTP - - - -
2009-07-15 00:27:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6282 1851 4 6282 SMTP - - - -
2009-07-15 00:31:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 36516 1963 4 36516 SMTP - - - -
2009-07-15 00:33:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4641 2075 4 4641 SMTP - - - -
2009-07-15 00:36:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4828 2187 4 4828 SMTP - - - -
2009-07-15 00:39:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5156 2299 4 5156 SMTP - - - -
2009-07-15 00:42:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6531 2411 4 6531 SMTP - - - -
2009-07-15 00:46:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 25797 2523 4 25797 SMTP - - - -
2009-07-15 00:48:48 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 10859 2635 4 10859 SMTP - - - -
2009-07-15 00:51:43 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5125 2747 4 5125 SMTP - - - -
2009-07-15 00:54:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6578 2859 4 6578 SMTP - - - -
2009-07-15 00:57:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4531 2971 4 4531 SMTP - - - -
2009-07-15 01:01:34 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 40422 3083 4 40422 SMTP - - - -
2009-07-15 01:03:49 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7469 3195 4 7469 SMTP - - - -
2009-07-15 01:06:15 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4094 3307 4 4094 SMTP - - - -

How can that logfile be useful??
0
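A small script, added here as an example and not posted by anyone in the thread, that does what Alan Hardisty's comment and the log excerpt above point at: it reads the SMTPSVC1 W3C log using its own #Fields header, then counts MAIL and RCPT commands per cs-username and client IP so the busiest authenticated account stands out. It assumes, as the comments above do, that IIS writes the authenticated account into the cs-username column for commands issued after a successful AUTH; the QUIT-only lines in the excerpt carry "-" there, which is why that excerpt alone does not name a user. The header lines mirror the excerpt; the data lines after the first one are constructed (RFC 5737 documentation addresses, placeholder usernames printer and alice) so the script runs offline.

```python
# Added example: tally authenticated SMTP senders from an Exchange 2003 / IIS 6
# SMTPSVC1 W3C log. Not code from the thread; the sample data below is constructed.
from collections import defaultdict

# Header lines mirror the excerpt posted above. The first data line is the excerpt's
# QUIT line; the rest are constructed (RFC 5737 test addresses, placeholder users).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:01:46
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:02:10 203.0.113.5 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 334 0 18 12 0 SMTP - - - -
2009-07-15 00:02:11 203.0.113.5 printer SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<printer@example.com> 250 0 49 40 0 SMTP - - - -
2009-07-15 00:02:11 203.0.113.5 printer SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<one@example.net> 250 0 31 26 0 SMTP - - - -
2009-07-15 00:02:12 203.0.113.5 printer SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<two@example.net> 250 0 31 26 0 SMTP - - - -
2009-07-15 00:03:00 198.51.100.7 printer SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<printer@example.com> 250 0 49 40 0 SMTP - - - -
2009-07-15 00:03:01 198.51.100.7 printer SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<three@example.org> 250 0 31 26 0 SMTP - - - -
2009-07-15 00:05:00 192.168.16.50 alice SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<alice@example.com> 250 0 47 38 0 SMTP - - - -
2009-07-15 00:05:01 192.168.16.50 alice SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<bob@example.com> 250 0 31 26 0 SMTP - - - -
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # drop the "#Fields:" token, keep the names
            continue
        if line.startswith("#") or fields is None:
            continue  # other header lines, or data before any #Fields header
        values = line.split()  # W3C logs encode spaces inside a field as '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def tally_senders(records):
    """Per authenticated account: MAIL count, RCPT count and the client IPs seen."""
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "ips": set()})
    for r in records:
        user = r["cs-username"]
        if user == "-":
            continue  # no authenticated user on this command (e.g. the QUIT lines above)
        s = stats[user]
        s["ips"].add(r["c-ip"])
        if r["cs-method"] == "MAIL":
            s["mail"] += 1
        elif r["cs-method"] == "RCPT":
            s["rcpt"] += 1
    return stats


def rank_senders(text):
    """Return [(user, mail, rcpt, sorted ips)], busiest account first."""
    stats = tally_senders(parse_w3c(text))
    rows = [(u, s["mail"], s["rcpt"], sorted(s["ips"])) for u, s in stats.items()]
    rows.sort(key=lambda row: (row[2], row[1]), reverse=True)
    return rows


def unauthenticated_commands(text):
    """Count commands logged without a username; high counts are normal inbound traffic."""
    return sum(1 for r in parse_w3c(text) if r["cs-username"] == "-")


if __name__ == "__main__":
    import sys
    # Pass the path of a real ex*.log from the SMTPSVC1 folder, or run on the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for user, mail, rcpt, ips in rank_senders(text):
        print(f"{user:20} MAIL={mail:5d} RCPT={rcpt:5d} from {', '.join(ips)}")
```

Run it against the whole SMTPSVC1 folder one file at a time; an account whose RCPT count is far above its MAIL count, or that authenticates from several unfamiliar client IPs, is the one to reset. The QUIT-only rows from the excerpt are counted by unauthenticated_commands and never attributed to a user.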
Wally_135Commented:
The event manager in security will show you the user accounts that are logging off. There should be one user or maybe 2 logging on and off consistently.

User Logoff:
    User Name:   user.name
    Domain:      MYDOMAIN
    Logon ID:    (0x0,0x45C5348)
    Logon Type:  3


Force a password change on those user accounts and change the logon NAME of the administrator's account to something else at a minimum.

Also, if you have a group of public IPs on your router (ISP dependent) then consider changing the MX route to come through a different IP and update the DNS records to match.
0
Alan HardistyCo-OwnerCommented:
The IP address listed above is from Denmark and is listed as COMENDO-AS.
One obvious option is to block the IP / IP range.  This does not get around the issue of a compromised account, but it may buy you some additional time to identify the account that is being abused.
The IP Range on that ISP is 195.242.120.0 to 195.242.121.255 but if you are local to Denmark, which you could be based on your time zone, then that may not be a suitable choice.
If you have very few accounts - you could disable each one, one at a time and then monitor the spam activity.
0
tmeunierCommented:
In Exchange System Manager, set your Transport Logging to minimum, and you'll get an event 1708 from SMTP service in the App event log, that tells you which machine authenticated, and which user.  You can also set local policies > Audit policy > account logon events and you'll get a TON of info, but you can correlate the date/time stamps with the 1708 events to verify which users it is.  Then you can at least narrow down to a handful of users and tell them they must change their passwords.

The funny thing is, when I see this, it's almost always a user like PRINTER or BACKUPUSER or MARKETING, where they made a mailbox and set the password the same as the username.  
0