Solved

Exchange Abused - Auth user - which user?

Posted on 2009-07-14
808 Views
Last Modified: 2012-05-07
My Exchange server has been abused, used to send phishing mails, and my ISP has blocked my IP address. The Exchange server does not accept open relay, but is accepting authenticated users to relay. I think that some users in our organization are using the same password as their username :/ and that the spammers have taken advantage of this.

But how can I see which user has been abused? Is there a logfile or something where one user might have sent a large number of mails?

Regards Steffen
Question by:UpgradeIT
12 Comments
 
LVL 16

Accepted Solution

by:
The_Kirschi earned 600 total points
ID: 24847358
Hi,

Have a look at the event log. You should see the AUTH connections there.

See: http://windowsitpro.com/article/articleid/42406/exchange-server-smtp-auth-attacks.html

Hope this helps
The kirschi
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24847458
Version of Exchange?

Check your settings here, to see whether you are an open relay, whether you have a reverse DNS record in place, to start with..

http://www.mxtoolbox.com/diagnostic.aspx
 

Author Comment

by:UpgradeIT
ID: 24847480
2003.

I don't think I have reverse DNS; I only have an A record pointing to an IP address, and an MX pointing to that A record ....

Do I need reverse DNS? It has worked before ... ?

I do not have an open relay, but I accept auth users to relay, so if a spammer has guessed a username and password the spammer is able to relay, and I would like to know which user's account the spammer has guessed the password to.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24848513
As The_Kirschi says - check your SMTP logs in c:\windows\system32\logfiles\STPSVC1
Have a look through the latest file(s) and you should see the Date, Time, IP, Username, Sitename etc.
From here - you should be able to see who is abusing you and change their account password to something slightly stronger.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 24848545
Sorry - Finger trouble c:\windows\system32\logfiles\SMTPSVC1 is the correct path.
 
LVL 16

Expert Comment

by:The_Kirschi
ID: 24848622
I meant the security log in event viewer actually but SMTP log may also be helpful.
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 300 total points
ID: 24849823
The usual account that is targeted is the Administrator account. If you haven't changed the password on that account then you need to.

Simon.
 
LVL 1

Expert Comment

by:Wally_135
ID: 24850218
Are you using an MX anti-spam service such as MessageLabs? If so, lock down your public firewall so it only accepts SMTP connections to the provider's IP addresses; this will prevent further instances of public auth spamming, and once the providers are able to prove you aren't spamming any more you will be removed from the blacklist.

Oh, and it would be easier to change the logon name of the administrator account; that way the SID won't change and cause issues with dependent services.

And force a password change on any groups of users who "share passwords" or use common passwords for department systems and such, just to keep them on their toes. You'll be surprised how many "can't quite get used to having their own password".

 

Author Comment

by:UpgradeIT
ID: 24857419
In Event Viewer, in the Security log, there are just many logon/logoff events. How do I know if it was a relay?

I have also looked in c:\windows\system32\logfiles\SMTPSVC1; here is a bit of that logfile:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:01:46
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:03:50 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7656 955 4 7656 SMTP - - - -
2009-07-15 00:06:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4782 1067 4 4782 SMTP - - - -
2009-07-15 00:09:14 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4031 1179 4 4031 SMTP - - - -
2009-07-15 00:12:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5766 1291 4 5766 SMTP - - - -
2009-07-15 00:16:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 20312 1403 4 20312 SMTP - - - -
2009-07-15 00:18:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5922 1515 4 5922 SMTP - - - -
2009-07-15 00:21:36 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 3812 1627 4 3812 SMTP - - - -
2009-07-15 00:24:22 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5750 1739 4 5750 SMTP - - - -
2009-07-15 00:27:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6282 1851 4 6282 SMTP - - - -
2009-07-15 00:31:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 36516 1963 4 36516 SMTP - - - -
2009-07-15 00:33:16 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4641 2075 4 4641 SMTP - - - -
2009-07-15 00:36:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4828 2187 4 4828 SMTP - - - -
2009-07-15 00:39:17 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5156 2299 4 5156 SMTP - - - -
2009-07-15 00:42:24 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6531 2411 4 6531 SMTP - - - -
2009-07-15 00:46:06 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 25797 2523 4 25797 SMTP - - - -
2009-07-15 00:48:48 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 10859 2635 4 10859 SMTP - - - -
2009-07-15 00:51:43 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 5125 2747 4 5125 SMTP - - - -
2009-07-15 00:54:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 6578 2859 4 6578 SMTP - - - -
2009-07-15 00:57:18 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4531 2971 4 4531 SMTP - - - -
2009-07-15 01:01:34 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 40422 3083 4 40422 SMTP - - - -
2009-07-15 01:03:49 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7469 3195 4 7469 SMTP - - - -
2009-07-15 01:06:15 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 4094 3307 4 4094 SMTP - - - -

How can that logfile be useful?
 
LVL 1

Assisted Solution

by:Wally_135
Wally_135 earned 300 total points
ID: 24857646
Event Viewer's Security log will show you the user accounts that are logging off. There should be one user, or maybe two, logging on and off consistently.

User Logoff:
       User Name:      user.name
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x45C5348)
       Logon Type:      3


Force a password change on those user accounts and change the logon NAME of the administrator account to something else, at a minimum.

Also, if you have a group of public IPs on your router (ISP dependent), then consider changing the MX route to come through a different IP and update the DNS records to match.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 300 total points
ID: 24857938
The IP address listed above is from Denmark and is listed as COMENDO-AS.
One obvious option is to block the IP / IP range.  This does not get around the issue of a compromised account, but it may buy you some additional time to identify the account that is being abused.
The IP Range on that ISP is 195.242.120.0 to 195.242.121.255 but if you are local to Denmark, which you could be based on your time zone, then that may not be a suitable choice.
If you have very few accounts - you could disable each one, one at a time and then monitor the spam activity.
 
LVL 11

Expert Comment

by:tmeunier
ID: 24874586
In Exchange System Manager, set your Transport Logging to minimum, and you'll get an event 1708 from the SMTP service in the Application event log that tells you which machine authenticated, and which user. You can also set Local Policies > Audit Policy > Audit account logon events and you'll get a TON of info, but you can correlate the date/time stamps with the 1708 events to verify which users it is. Then you can at least narrow it down to a handful of users and tell them they must change their passwords.

The funny thing is, when I see this, it's almost always a user like PRINTER or BACKUPUSER or MARKETING, where they made a mailbox and set the password the same as the username.  
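Worked example, added here and not code from any poster in this thread. It puts together the two approaches above: Alan's SMTP log in c:\windows\system32\logfiles\SMTPSVC1, and the Security-log timestamp correlation that Wally_135 and tmeunier describe. It parses the W3C log using the #Fields line from the posted excerpt, tallies MAIL/RCPT commands per authenticated cs-username and client IP, picks out accounts that authenticated from outside, and then counts Logon Type 3 events per account that fall just before each QUIT from the suspect IP. Assumptions: that the SMTP service writes the authenticated account into cs-username on the MAIL/RCPT lines of an authenticated session (the QUIT lines show '-', as in the excerpt); the log lines, the accounts 'marketing' and 'bob', the internal client 192.168.16.50 and the logon events are all constructed, with only the #Fields and QUIT lines modelled on the real excerpt; the "internal" address prefixes are a guess at this network. Python rather than a Windows-native tool so it runs wherever the log files are copied to.

```python
"""Find the abused SMTP AUTH account in IIS 6 SMTPSVC1 W3C logs and cross-check it
against Security-log network (Logon Type 3) events. Added example, not a poster's code."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log: the #Fields line and the QUIT lines follow the excerpt posted above;
# the AUTH/MAIL/RCPT lines, the accounts 'marketing' and 'bob' and the internal client
# 192.168.16.50 are invented. ASSUMPTION: after a successful AUTH the SMTP service
# writes the account into cs-username on that session's MAIL/RCPT lines.
SAMPLE_SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-07-15 00:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2009-07-15 00:01:12 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2009-07-15 00:01:14 195.242.120.8 marketing SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<bank@example.net> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:14 195.242.120.8 marketing SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<victim1@example.org> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:15 195.242.120.8 marketing SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<victim2@example.org> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:01:46 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 53094 843 4 53094 SMTP - - - -
2009-07-15 00:03:20 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2009-07-15 00:03:23 195.242.120.8 marketing SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<bank@example.net> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:03:23 195.242.120.8 marketing SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<victim3@example.org> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:03:50 195.242.120.8 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 7656 955 4 7656 SMTP - - - -
2009-07-15 00:05:09 192.168.16.50 - SMTPSVC1 SBS 192.168.16.110 0 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2009-07-15 00:05:11 192.168.16.50 bob SMTPSVC1 SBS 192.168.16.110 0 MAIL - +FROM:<bob@example.com> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:05:11 192.168.16.50 bob SMTPSVC1 SBS 192.168.16.110 0 RCPT - +TO:<colleague@example.com> 250 0 0 0 0 SMTP - - - -
2009-07-15 00:05:12 192.168.16.50 - SMTPSVC1 SBS 192.168.16.110 0 QUIT - - 240 0 0 0 0 SMTP - - - -
"""

# Constructed Security-log events as (timestamp, User Name, Logon Type), the fields
# shown in the 'User Logoff' event quoted above. Type 2 is an interactive logon.
SAMPLE_LOGONS = [
    (datetime(2009, 7, 15, 0, 1, 12), "marketing", 3),
    (datetime(2009, 7, 15, 0, 3, 20), "marketing", 3),
    (datetime(2009, 7, 15, 0, 5, 9), "bob", 3),
    (datetime(2009, 7, 15, 0, 0, 5), "helpdesk", 2),
]

def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the #Fields names. Other '#'
    directives are skipped; a later #Fields line (log rollover) re-keys the rows after it."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields: "):
                fields = line[len("#Fields: "):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        values = line.split()  # W3C writes spaces inside a value as '+', so split() is safe
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than mis-key every column
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def is_internal(ip, prefixes=("192.168.", "10.", "127.")):
    return ip.startswith(prefixes)  # ASSUMPTION about this network: RFC 1918 space is inside

def auth_activity(rows):
    """Per authenticated account: client IPs and number of MAIL and RCPT commands."""
    acct = defaultdict(lambda: {"ips": set(), "MAIL": 0, "RCPT": 0})
    for r in rows:
        if r["cs-username"] == "-":
            continue  # unauthenticated command (EHLO, QUIT, inbound MX traffic)
        a = acct[r["cs-username"]]
        a["ips"].add(r["c-ip"])
        if r["cs-method"] in ("MAIL", "RCPT"):
            a[r["cs-method"]] += 1
    return acct

def suspect_accounts(rows):
    """Accounts that authenticated from outside, most recipients (most spam) first."""
    acct = auth_activity(rows)
    ext = {u: a for u, a in acct.items() if any(not is_internal(ip) for ip in a["ips"])}
    return sorted(ext, key=lambda u: ext[u]["RCPT"], reverse=True)

def session_end_times(rows, ip):
    """QUIT timestamps from one client: the only lines the posted excerpt shows."""
    return [r["ts"] for r in rows if r["c-ip"] == ip and r["cs-method"] == "QUIT"]

def correlate_logons(quit_times, logon_events, window=timedelta(seconds=120)):
    """Count, per account, Logon Type 3 events within `window` before a QUIT from the
    suspect IP. Noisy by design: treat hits as candidates, not proof."""
    hits = Counter()
    for ts, user, logon_type in logon_events:
        if logon_type == 3 and any(q - window <= ts <= q for q in quit_times):
            hits[user] += 1
    return hits

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_SMTP_LOG)
    for user, a in auth_activity(rows).items():
        print(f"{user:10} ips={sorted(a['ips'])} MAIL={a['MAIL']} RCPT={a['RCPT']}")
    print("authenticated from outside:", suspect_accounts(rows))
    quits = session_end_times(rows, "195.242.120.8")
    print("type-3 logons just before those sessions:", dict(correlate_logons(quits, SAMPLE_LOGONS)))
```

To run it against the real file, replace SAMPLE_SMTP_LOG with the contents of the current ex*.log in the SMTPSVC1 folder; the Security-log half needs the events exported from Event Viewer and turned into (timestamp, user, logon type) tuples, which is left out because the export format is not shown in the thread. Note that the excerpt above contains only QUIT lines, which never carry a username, so the quickest direct check is to look at the MAIL and RCPT lines from 195.242.120.8 in the same file, where the cs-username column should name the account.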