Stop Exchange Server being used to send Spam

Hi Guys,

One of our clients' Exchange server is being used to send out mass amounts of Spam; I am struggling to isolate the issue. We have completed thorough scans on all client PCs, changed Passwords etc.

I notice that there are SMTP Current Sessions that last for longer than 5 minutes; the connected addresses are always from servers that have been Blacklisted.

How are they able to connect, and why does the Exchange server relay these messages? It appears the only messages that fail are due to unknown User; all other Spam seems to be relayed?

I have configured the IMF and Barracuda lookups, restricted access to the SMTP Virtual Server to localhost.

Any suggestions would be greatly appreciated. I have detailed the config of the Exchange server below:

Sender ID and Connection Filtering
  Perimeter IP List and Internal IP range
    1. Allowed SMTP Servers for Domain.com: 192.168.1.101
  Sender Filtering
    Blocked Addresses
      1. Filter messages with Blank Senders
      2. Drop Connection if Address matches Filter
      3. Single addresses Blocked: @yourkilt.com
  Connection Filtering
    Block List Service Configuration
      Barracuda Lookups
      Exceptions to this rule include the following:
        1. Single addresses allowed: One Entry
    Global Accept and Deny Configuration List
      1. Accept: Nil (performs Barracuda lookup and accepts the connection if it passes the filter)
      2. Deny: 60.20.90.0, 80.128.17.240, 123.19.143.144, 202.174.84.241
  Recipient Filtering
    1. Filter addresses that are not in Active Directory
  Spam Filtering
    Gateway Blocking Configuration
      Block messages with an SCL greater than 8
    Store Junk Email Configuration
      Move messages with an SCL greater than 7 to the user's Junk Email Folder
  Sender ID Filtering
    Accept: The Sender ID will be attached for further Spam processing.

SMTP Server Configuration
  Access Control
    Authentication
      1. Anonymous
      2. Basic Authentication
      3. Integrated Windows Authentication
    Allow all computers which successfully authenticate to relay, regardless of the list above: Disabled
    Grant or Deny submit permissions to specific Users or Groups
      Submit: Authenticated Users
    Reverse DNS Lookups are enabled
  SMTP Connector
    1. Use DNS to route to each address space
    Do not allow Public Referrals
    Entire Organisation
    Connected Routing Groups: None
    Do not send ETRN/TURN


SMTP Diagnostics Results

smtp:dacstar.com    smtp
220 control3.tppinternet.net.au ESMTP

Not an open relay.
  0 seconds - Good on Connection time
  1.498 seconds - Good on Transaction time
  OK - 202.47.4.163 resolves to control3.tppinternet.net.au
  OK - Reverse DNS matches SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 control3.tppinternet.net.au [187 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 ok [920 ms]
RCPT TO: <test@example.com>
553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1) [203 ms]
QUIT
221 control3.tppinternet.net.au [187 ms]
proactiveitAsked:
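The transcript above is a standard anonymous relay test: the tester says HELO, gives a MAIL FROM at an outside domain, then asks RCPT TO at a second outside domain. A 250 on that RCPT would mean the server accepts mail for a domain it does not host from an unauthenticated client (an open relay); the 553 it actually returned means it does not. The following is an added example, not part of the original post or of mxtoolbox's tool, that performs the same exchange through Python's smtplib interface (helo/mail/rcpt/quit) so the result can be checked on a server you administer. The FakeSMTP class is a constructed stand-in that replays the transcript's responses so the check also runs offline; the HELO name and test addresses are assumptions.

```python
"""Anonymous relay check, the same HELO / MAIL FROM / RCPT TO probe shown in
the diagnostics transcript. Added example; assumes smtplib's (code, reply)
return convention for helo(), mail(), rcpt() and quit()."""
import smtplib


def relay_check(conn, helo_name, sender, recipient):
    """Return (is_open_relay, rcpt_code, rcpt_reply).

    conn is an smtplib.SMTP (or compatible) object already connected to the
    server under test. The decisive answer is the RCPT TO response: 250 means
    the server agreed to carry mail for a domain it does not host."""
    conn.helo(helo_name)
    code, _ = conn.mail(sender)
    if code != 250:
        conn.quit()
        raise RuntimeError(f"MAIL FROM rejected with {code}; relay test inconclusive")
    code, reply = conn.rcpt(recipient)
    conn.quit()
    return code == 250, code, reply.decode(errors="replace")


class FakeSMTP:
    """Constructed stand-in that replays the responses recorded in the
    transcript above, so relay_check() can be exercised without a network."""
    def helo(self, name):
        return 250, b"control3.tppinternet.net.au"

    def mail(self, sender):
        return 250, b"ok"

    def rcpt(self, recipient):
        return 553, b"sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

    def quit(self):
        return 221, b"control3.tppinternet.net.au"


def check_live(host, port=25):
    """Run the same probe against a mail server you administer.
    Host name, HELO name and addresses are placeholders (assumptions)."""
    conn = smtplib.SMTP(host, port, timeout=30)
    try:
        return relay_check(conn, "relaycheck.example.invalid",
                           "probe@example.net", "probe@example.com")
    finally:
        conn.close()  # safe after quit(); also covers an exception mid-session


if __name__ == "__main__":
    is_open, code, reply = relay_check(FakeSMTP(),
                                       "please-read-policy.mxtoolbox.com",
                                       "supertool@mxtoolbox.com",
                                       "test@example.com")
    print("OPEN RELAY" if is_open else "Not an open relay", code, reply)
```

Note what this probe does not cover: it never authenticates, so a server that only relays for clients presenting valid credentials (the "authenticated relay" the replies below describe) passes this test while still being abused. That is exactly why the pasted report says "Not an open relay" and mail is still leaving.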

mangofourCommented:
Hi,

check out this article:

http://technet.microsoft.com/en-us/kb/kb00324958.aspx


I would make sure that you check out the "Configure the Exchange Server to block open SMTP relaying" section
0
Encrypted1024Commented:
Seems you are not the only one with this problem today:
http://www.experts-exchange.com/expertsZone.jsp
0
B HCommented:
OK, your SMTP server isn't an open relay - I generally don't trust pasted reports so I verified it for myself.

so, your next step should be to go into your head-end router/firewall

set a rule that says to DENY any outbound tcp port 25 traffic except from your exchange server (or barracuda if you proxy outbound)

that way, you can be certain that only your server is sending mail (blocking the port won't hurt internal users from sending internal or external mail thru exchange, like they should be doing)

if the router/firewall supports seeing the status of live traffic, see who is sending out to destination port 25 from inside to outside, and light a fire under that machine (if it's a workstation)

if that doesn't fix the problem, then your server itself has a virus.  best to get a packet scanner on the server, filter for in or out 25, see what happens.

It wouldn't hurt to run Malwarebytes on the server (www.malwarebytes.org) and see what it finds.

0

Alan HardistyCo-OwnerCommented:
My article should help you out here:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
Sounds like you are an authenticated relay and you will need to track down the abused account.
If you don't have many users (as you are on SBS), you may want to change everyone's password (including the administrator) and that should solve the problem.
Also make sure you don't have 127.0.0.1 added to the list of allowed relays in the SMTP Virtual Server Relay settings.
0
Ben-RoseCommented:
Hi All,
Sorry to join this late but I had the exact same issue on one of my SBS networks.
I agree with AlanHardisty that it sounds like an abused account because in my situation this is what I found to be the problem.

Whilst you search for the abused account or reset all your AD user accounts the easiest way to stop this happening is to un-tick the option to "Allow all computers which successfully authenticate to relay, regardless of the list above."

Please note though that your Relay Restrictions by IP address must be set up correctly first.  I have included the image below which should help.
[attached image: Untitled.jpg]
0
proactiveitAuthor Commented:
Thanks for the replies!

I have completed thorough scans including Malwarebytes & McAfee Ent. I have Wireshark Protocol Analyser installed, and I can see connections being rejected by Barracuda! I totally disabled Relaying by unchecking "Allow all computers which successfully authenticate to relay, regardless of the list above". I also unchecked Relay permissions for Authenticated Users and watched all day as mail was relayed to other domains. I did have 127.0.0.1 as the only server able to Relay; is there a difference between configuring 127.0.0.1 as opposed to the server's actual IP address?

Currently installing Sophos Puremessage hoping this will help, would love to hear your views on this product.

Thanks Again!
0
B HCommented:
no, but why do you need the server's ip address in there anyway?  just leave it blank

the server doesn't relay off itself; it initiates the send directly out via DNS to the recipient MX
0
Ben-RoseCommented:
I may be wrong but does the address 127.0.0.1 not need to be entered to allow incoming smtp requests from external senders to email users hosted on the local exchange?

I know as a default the 127.0.0.1 address is already entered in and I currently have this setup on numerous networks without issue.

I would recommend leaving this setting alone and as stated above only untick the "Allow all computers which successfully authenticate to relay, regardless of the list above."

This should then disable the Authenticated Relay Issues.
0
B HCommented:
and if you have an ISA server, or in this case the barracuda proxying things, having 127.0.0.1 does open it up to be an open relay:
http://support.microsoft.com/kb/324958
0
Alan HardistyCo-OwnerCommented:
My article should be all you need.
Turn up diagnostic logging as detailed in my article and keep an eye on your Event logs.  If you are still an authenticated relay, then the user account should pop up quite quickly.
As an alternative, install a trial of Vamsoft ORF - www.vamsoft.com - then configure it to run all the checks, but leave it in test mode - it will log everything, but not reject any mail.
Vamsoft logs are brilliant and you should be able to see the dates / times of mail being sent from an authenticated account as the sender address and recipient address will not be from a domain on your server.
Using the date / time from the logs, you can check back with your Security logs and locate the account being used.  You then just change the password to the account and problem solved.
Next step is cleanup - link in my article, then either continue to use Vamsoft on trial for the 30 days free, or uninstall it.  Personally, I would keep it.  Best $239 you will ever spend.
0
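The procedure in the reply above has two steps: find sessions in the mail logs where an authenticated client sent from a sender address and to a recipient address that are both outside your own domains, then use the date and time of those sessions to find the matching logon in the Security log and so the account. The following is an added example, not the thread's code nor anything from Vamsoft ORF, that performs both steps over constructed data. It assumes the SMTP protocol log is in the IIS/Exchange 2003 W3C extended layout (the fields named in the `#Fields` header below; AUTH, MAIL and RCPT appear as cs-method with the argument in cs-uri-query and the server's reply code in sc-status) and that the Security-log logons have already been exported as (time, account, source IP) tuples. The field positions, the session-grouping heuristic (one session per client IP, reset at each EHLO/HELO) and the 2-minute correlation window are assumptions to adjust for a real log.

```python
"""Locate an abused authenticated-relay account: SMTP protocol log sessions
that relay between two outside domains after a successful AUTH, joined to
Security-log logons by source IP and time. Added example; all data constructed."""
from datetime import datetime, timedelta

LOCAL_DOMAINS = {"domain.com"}  # domains this server hosts (constructed)

# Constructed W3C log: one authenticated session from 203.0.113.50 relaying
# example.net -> example.org, then an ordinary inbound delivery to domain.com.
SMTP_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2010-05-10 02:14:03 203.0.113.50 bot-pc SMTPSVC1 SBSSERVER 192.168.1.101 0 EHLO - +bot-pc 250 0 300 13 0 SMTP - - - -
2010-05-10 02:14:03 203.0.113.50 bot-pc SMTPSVC1 SBSSERVER 192.168.1.101 0 AUTH - LOGIN 235 0 30 120 0 SMTP - - - -
2010-05-10 02:14:04 203.0.113.50 bot-pc SMTPSVC1 SBSSERVER 192.168.1.101 0 MAIL - +FROM:<promo@example.net> 250 0 50 35 0 SMTP - - - -
2010-05-10 02:14:04 203.0.113.50 bot-pc SMTPSVC1 SBSSERVER 192.168.1.101 0 RCPT - +TO:<victim@example.org> 250 0 40 30 0 SMTP - - - -
2010-05-10 02:14:05 203.0.113.50 bot-pc SMTPSVC1 SBSSERVER 192.168.1.101 0 QUIT - bot-pc 240 0 60 4 0 SMTP - - - -
2010-05-10 09:30:11 198.51.100.7 mx.example.org SMTPSVC1 SBSSERVER 192.168.1.101 0 EHLO - +mx.example.org 250 0 300 20 0 SMTP - - - -
2010-05-10 09:30:11 198.51.100.7 mx.example.org SMTPSVC1 SBSSERVER 192.168.1.101 0 MAIL - +FROM:<alice@example.org> 250 0 50 35 0 SMTP - - - -
2010-05-10 09:30:11 198.51.100.7 mx.example.org SMTPSVC1 SBSSERVER 192.168.1.101 0 RCPT - +TO:<bob@domain.com> 250 0 40 30 0 SMTP - - - -
"""

# Constructed Security-log logon events exported as (time, account, source IP).
SECURITY_EVENTS = [
    (datetime(2010, 5, 10, 2, 14, 3), "DOMAIN\\jsmith", "203.0.113.50"),
    (datetime(2010, 5, 10, 8, 55, 0), "DOMAIN\\bob", "192.168.1.23"),
]


def domain_of(arg):
    """'+FROM:<promo@example.net>' -> 'example.net'; '' if no address."""
    start, end = arg.find("<"), arg.find(">")
    if start < 0 or end < start or "@" not in arg[start:end]:
        return ""
    return arg[start + 1:end].rsplit("@", 1)[1].lower()


def find_authenticated_relays(log_text, local_domains):
    """One dict per session that authenticated (AUTH answered 235) and then
    sent from an outside domain to at least one outside domain."""
    sessions, hits = {}, []

    def close(ip):
        s = sessions.pop(ip, None)
        if s is None:
            return
        outside = [d for d in s["rcpts"] if d and d not in local_domains]
        if s["auth"] and s["sender"] not in local_domains and outside:
            hits.append({"ip": ip, "time": s["start"],
                         "sender_domain": s["sender"], "recipient_domains": outside})

    for line in log_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) < 12:
            continue
        ip, method, query, status = f[2], f[8], f[10], f[11]
        when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        if method in ("EHLO", "HELO"):       # a new session from this client
            close(ip)
        s = sessions.setdefault(ip, {"start": when, "auth": False, "sender": "", "rcpts": []})
        if method == "AUTH" and status == "235":
            s["auth"] = True
        elif method == "MAIL" and status == "250":
            s["sender"] = domain_of(query)
        elif method == "RCPT" and status == "250":
            s["rcpts"].append(domain_of(query))
        elif method == "QUIT":
            close(ip)
    for ip in list(sessions):                 # sessions without a logged QUIT
        close(ip)
    return hits


def match_accounts(hits, security_events, window=timedelta(minutes=2)):
    """Map (ip, session start) -> accounts that logged on from that IP within
    `window` of the session start. An empty list means widen the window."""
    result = {}
    for h in hits:
        result[(h["ip"], h["time"])] = sorted(
            {acct for t, acct, src in security_events
             if src == h["ip"] and abs(t - h["time"]) <= window})
    return result


if __name__ == "__main__":
    relays = find_authenticated_relays(SMTP_LOG, LOCAL_DOMAINS)
    for key, accounts in match_accounts(relays, SECURITY_EVENTS).items():
        print(key, "->", accounts or ["no logon matched; widen the window"])
```

Once an account is named, the thread's remedy applies: change that account's password, then clean the queues. The inbound session in the sample is left alone because it never authenticated and its recipient is a hosted domain, which is the normal shape of legitimate incoming mail.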
B HCommented:
hey alan, not to threadjack or anything but can you help this guy out over here, I'm at the end of my experience on this one:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_25844636.html?cid=1572#a30675187
0
Alan HardistyCo-OwnerCommented:
Will take a look for you.
0
proactiveitAuthor Commented:
Thanks Alan! ORF gave me the info required to stop the attack. Thanks for your input!!
0