Solved

Exchange Abused - Auth user - which user?

Posted on 2009-07-14
Last Modified: 2012-05-07
My Exchange server has been abused and used to send phishing mails, and my ISP has blocked my IP address. The Exchange server does not accept open relay, but it does accept relaying from authenticated users. I think that some users in our organization are using the same password as username :/ and that the spammers have taken advantage of this.

But how can I see which user has been abused? Is there a logfile or something where I can see that one user might have sent a large number of mails?

Regards Steffen
12 Comments
 
LVL 16

Accepted Solution

by:
The_Kirschi earned 200 total points
ID: 24847358
Hi,

Have a look at the event log. You should see the AUTH connections there.

See: http://windowsitpro.com/article/articleid/42406/exchange-server-smtp-auth-attacks.html

Hope this helps
The kirschi
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24847458
Version of Exchange?

Check your settings here to see whether you are an open relay, whether you have a reverse DNS record in place, to start with..

http://www.mxtoolbox.com/diagnostic.aspx
0
 

Author Comment

by:UpgradeIT
ID: 24847480
2003.

I don't think I have reverse DNS; I only have an A record pointing to an IP address, and an MX pointing to that A record ....

Do I need reverse? It has worked before ... ?

I do not have open relay, but I accept authenticated users to relay, so if a spammer has guessed a username and password the spammer is able to relay, and I would like to know which user's account the spammer has guessed the password to..
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24848513
As The_Kirschi says - check your SMTP logs in c:\windows\system32\logfiles\STPSVC1
Have a look through the latest file(s) and you should see the Date, Time, IP, Username, Sitename etc.
From here - you should be able to see who is abusing you and change their account password to something slightly stronger.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24848545
Sorry - finger trouble. c:\windows\system32\logfiles\SMTPSVC1 is the correct path.
0
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 24848622
I meant the security log in event viewer actually but SMTP log may also be helpful.
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 100 total points
ID: 24849823
The usual account that is targeted is the Administrator account. If you haven't changed the password on that account then you need to.

Simon.
0
 
LVL 1

Expert Comment

by:Wally_135
ID: 24850218
Are you using an MX anti-spam service such as MessageLabs? If so, lock down your public firewall so it only accepts SMTP connections to the provider's IP addresses; this will prevent further instances of public auth spamming. And once the providers are able to prove you aren't spamming any more, you will be removed from the blacklist.

Oh, and it would be easier to change the logon name of the administrator account; that way the SID won't change and cause issues with dependent services.

And force a password change on any groups of users who "share passwords" or use common passwords for department systems and such, just to keep them on their toes. You'll be surprised how many "can't quite get used to having their own password".

0
 

Author Comment

by:UpgradeIT
ID: 24857419
In the event manager, under Security, there are just many logon/logoff events - how do I know if it was a relay??

I have also looked in c:\windows\system32\logfiles\SMTPSVC1 - here is a bit of that logfile:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:01:46
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:03:50 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7656 955 4 7656 SMTP - - - -
2009-07-15 00:06:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4782 1067 4 4782 SMTP - - - -
2009-07-15 00:09:14 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4031 1179 4 4031 SMTP - - - -
2009-07-15 00:12:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5766 1291 4 5766 SMTP - - - -
2009-07-15 00:16:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 20312 1403 4 20312 SMTP - - - -
2009-07-15 00:18:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5922 1515 4 5922 SMTP - - - -
2009-07-15 00:21:36 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 3812 1627 4 3812 SMTP - - - -
2009-07-15 00:24:22 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5750 1739 4 5750 SMTP - - - -
2009-07-15 00:27:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6282 1851 4 6282 SMTP - - - -
2009-07-15 00:31:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 36516 1963 4 36516 SMTP - - - -
2009-07-15 00:33:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4641 2075 4 4641 SMTP - - - -
2009-07-15 00:36:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4828 2187 4 4828 SMTP - - - -
2009-07-15 00:39:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5156 2299 4 5156 SMTP - - - -
2009-07-15 00:42:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6531 2411 4 6531 SMTP - - - -
2009-07-15 00:46:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 25797 2523 4 25797 SMTP - - - -
2009-07-15 00:48:48 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 10859 2635 4 10859 SMTP - - - -
2009-07-15 00:51:43 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5125 2747 4 5125 SMTP - - - -
2009-07-15 00:54:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6578 2859 4 6578 SMTP - - - -
2009-07-15 00:57:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4531 2971 4 4531 SMTP - - - -
2009-07-15 01:01:34 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 40422 3083 4 40422 SMTP - - - -
2009-07-15 01:03:49 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7469 3195 4 7469 SMTP - - - -
2009-07-15 01:06:15 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4094 3307 4 4094 SMTP - - - -

How can that logfile be useful??
0
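As an added example (not part of the thread, and not Microsoft's or the poster's code), here is a small Python parser for the W3C extended format shown above. It reads the column names from the #Fields header the author posted and tallies, per client IP, the sessions (QUIT), AUTH attempts and MAIL/RCPT commands, collecting whatever account name appears in cs-username. Only the #Fields line and two QUIT lines come from the page; the EHLO/AUTH/MAIL/RCPT lines are constructed, and the assumption that cs-username holds the authenticated account after AUTH follows Alan Hardisty's comment. Note that the QUIT lines the author pasted carry "-" in that column, so the informative lines are the MAIL and RCPT commands earlier in the same session from the same c-ip.

```python
"""Tally authenticated SMTP relay activity per client IP from an IIS 6 / Exchange
2003 SMTPSVC log in W3C extended format. Added example; sample data constructed."""
import sys
from collections import defaultdict

# Constructed excerpt. The #Fields line and the two QUIT lines are from the thread;
# the EHLO/AUTH/MAIL/RCPT lines are made up. ASSUMPTION: after a successful AUTH,
# cs-username carries the authenticated account for the rest of the session.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:01:46
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 EHLO - +spammer.example 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:21 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 334 0 0 0 0 SMTP - - - -
2009-07-15 00:01:22 195.242.120.8 MYDOMAIN\\printer SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<bank@example.org> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:23 195.242.120.8 MYDOMAIN\\printer SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<victim1@example.net> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:24 195.242.120.8 MYDOMAIN\\printer SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<victim2@example.net> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:02:10 10.0.0.5 - SMTPSVC1 SBS 192.168.16.110 0 EHLO - +laptop 250 0 0 0 0 SMTP - - - -
2009-07-15 00:02:11 10.0.0.5 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 334 0 0 0 0 SMTP - - - -
2009-07-15 00:02:12 10.0.0.5 MYDOMAIN\\alice SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<alice@example.org> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:02:13 10.0.0.5 MYDOMAIN\\alice SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<bob@example.net> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:02:15 10.0.0.5 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 0 0 0 0 SMTP - - - -
2009-07-15 00:03:50 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7656 955 4 7656 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header may repeat when the service restarts
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        values += ["-"] * (len(fields) - len(values))   # W3C writes '-' for empty
        yield dict(zip(fields, values))


def tally_by_client(text):
    """Per client IP: sessions, AUTH attempts, MAIL/RCPT counts and the account
    names seen in cs-username once the session has authenticated."""
    stats = defaultdict(lambda: {"sessions": 0, "auth": 0, "mail": 0,
                                 "rcpt": 0, "users": set()})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        method = rec["cs-method"].upper()
        if method == "QUIT":
            s["sessions"] += 1
        elif method == "AUTH":
            s["auth"] += 1
        elif method == "MAIL":
            s["mail"] += 1
        elif method == "RCPT":
            s["rcpt"] += 1
        if rec["cs-username"] != "-":
            s["users"].add(rec["cs-username"])
    return stats


def suspicious_clients(stats):
    """Clients that authenticated and relayed, most recipients first."""
    ranked = [(ip, s) for ip, s in stats.items() if s["auth"]]
    ranked.sort(key=lambda kv: (kv[1]["rcpt"], kv[1]["mail"], kv[1]["sessions"]),
                reverse=True)
    return ranked


if __name__ == "__main__":
    # Pass the path of a real SMTPSVC1 log to analyse it instead of the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, s in suspicious_clients(tally_by_client(text)):
        print(f"{ip:15} sessions={s['sessions']} auth={s['auth']} mail={s['mail']} "
              f"rcpt={s['rcpt']} users={sorted(s['users'])}")
```

On the constructed input the report puts 195.242.120.8 first with the account MYDOMAIN\printer against it; on a real log the same ranking shows which external client authenticated most and which account names it used, which is the answer the thread is after before the password reset.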
 
LVL 1

Assisted Solution

by:Wally_135
Wally_135 earned 100 total points
ID: 24857646
The event manager, under Security, will show you the user accounts that are logging off. There should be one user or maybe 2 logging on and off consistently.

User Logoff:
    User Name:    user.name
    Domain:       MYDOMAIN
    Logon ID:     (0x0,0x45C5348)
    Logon Type:   3


Force a password change on those user accounts and change the logon NAME of the administrator's account to something else at a minimum.

Also, if you have a group of public IPs on your router (ISP dependent) then consider changing the MX route to come through a different IP and update the DNS records to match.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 100 total points
ID: 24857938
The IP address listed above is from Denmark and is listed as COMENDO-AS.
One obvious option is to block the IP / IP range. This does not get around the issue of a compromised account, but it may buy you some additional time to identify the account that is being abused.
The IP range on that ISP is 195.242.120.0 to 195.242.121.255, but if you are local to Denmark, which you could be based on your time zone, then that may not be a suitable choice.
If you have very few accounts, you could disable each one, one at a time, and then monitor the spam activity.
0
 
LVL 11

Expert Comment

by:tmeunier
ID: 24874586
In Exchange System Manager, set your Transport Logging to minimum, and you'll get an event 1708 from the SMTP service in the Application event log that tells you which machine authenticated, and which user. You can also set Local Policies > Audit Policy > Audit account logon events and you'll get a TON of info, but you can correlate the date/time stamps with the 1708 events to verify which users it is. Then you can at least narrow it down to a handful of users and tell them they must change their passwords.

The funny thing is, when I see this, it's almost always a user like PRINTER or BACKUPUSER or MARKETING, where they made a mailbox and set the password the same as the username.
0
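As an added example (not from the thread), here is the correlation tmeunier describes, done in Python: Security-log network logons (Logon Type 3, the type an SMTP AUTH produces) are joined by timestamp to the time and client IP of each SMTP authentication, so that each external client can be tied to an account name. The Security-log excerpt is constructed in the layout Wally_135 quoted, with a leading timestamp line added by us; SMTP_AUTHS stands in for the time and client-IP information tmeunier says event 1708 carries and is not the real event text. The event titles "Successful Network Logon" and "User Logoff" are assumed here as the Windows Server 2003 titles.

```python
"""Correlate Security-log network logons with SMTP authentication times to
narrow down which account an SMTP AUTH abuser is using. Added example; all
input below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log excerpt in the layout quoted in the thread. The
# timestamp on the first line of each block is ours; the indented fields
# follow the page's "User Logoff:" example. Logon Type 3 = network logon.
SECURITY_EVENTS = """\
2009-07-15 00:01:21 Successful Network Logon:
       User Name:      printer
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x45C5348)
       Logon Type:     3

2009-07-15 00:01:46 User Logoff:
       User Name:      printer
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x45C5348)
       Logon Type:     3

2009-07-15 00:02:12 Successful Network Logon:
       User Name:      alice
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x45C6001)
       Logon Type:     3

2009-07-15 00:05:00 Successful Logon:
       User Name:      administrator
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x45C7002)
       Logon Type:     2

2009-07-15 00:09:01 Successful Network Logon:
       User Name:      printer
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x45C8003)
       Logon Type:     3
"""

# Constructed (time, client IP) pairs: the kind of data the transport log
# supplies per authentication. NOT the real text of event 1708.
SMTP_AUTHS = [
    ("2009-07-15 00:01:21", "195.242.120.8"),
    ("2009-07-15 00:02:11", "10.0.0.5"),
    ("2009-07-15 00:09:00", "195.242.120.8"),
]

TS = "%Y-%m-%d %H:%M:%S"


def _parse_block(lines):
    """One event: 'YYYY-MM-DD HH:MM:SS Title:' followed by indented Key: Value lines."""
    head = lines[0]
    ev = {"time": datetime.strptime(head[:19], TS),
          "event": head[19:].strip().rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        ev[key.strip()] = value.strip()
    return ev


def parse_security_events(text):
    """Split the export into blank-line-separated blocks and parse each one."""
    events, block = [], []
    for line in text.splitlines() + [""]:       # trailing "" flushes the last block
        if line.strip():
            block.append(line)
        elif block:
            events.append(_parse_block(block))
            block = []
    return events


def correlate(events, auths, window_s=5):
    """Per account: number of network logons, and the SMTP client IPs that
    authenticated within window_s seconds of one of them."""
    auth_times = [(datetime.strptime(t, TS), ip) for t, ip in auths]
    window = timedelta(seconds=window_s)
    result = defaultdict(lambda: {"type3": 0, "clients": set()})
    for ev in events:
        # Logoffs also carry Logon Type 3, so key on the logon title as well.
        if ev["event"] != "Successful Network Logon" or ev.get("Logon Type") != "3":
            continue
        r = result[ev["User Name"]]
        r["type3"] += 1
        for t, ip in auth_times:
            if abs(t - ev["time"]) <= window:
                r["clients"].add(ip)
    return dict(result)


def rank_accounts(result):
    """Accounts with the most network logons first."""
    return sorted(result.items(),
                  key=lambda kv: (kv[1]["type3"], len(kv[1]["clients"])), reverse=True)


if __name__ == "__main__":
    for user, r in rank_accounts(correlate(parse_security_events(SECURITY_EVENTS), SMTP_AUTHS)):
        print(f"{user:15} network logons={r['type3']} clients={sorted(r['clients'])}")
```

The window of a few seconds is what makes the join usable: the Security log alone shows only "many logon/logoff events", as the author noted, but once each type 3 logon is paired with the client IP that authenticated at that moment, the account being used from the outside stands out.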
