
Exchange Compromised? Possible Botnet

I'm having an issue with an Exchange 2003 server where the queue is slowly filling up with emails it can't send (remote servers come back non-responding). The emails are all over the board and I can't find a common thing. For a while the big email target was fbi.gov; now it seems to be Western Union. I have scanned for viruses and malware on all of the client's PCs, but come up with nothing. They have a WatchGuard X55e firewall, so logging is sparse. I assume I have some sort of botnet on the network somewhere, but I am having trouble tracking it down. Exchange is running on an SBS2003 server.
1 Solution
 
Syed Mutahir Ali (Technology Consultant) commented:
http://alanhardisty.wordpress.com/2010/02/11/why-are-my-outbound-queues-filling-up-with-mail-that-we-didnt-send/

Have a read through of the article

Also, make sure that on your firewall only exchange server is allowed to use Port 25 and no client pcs (not directly related to this problem but helps)
 
Syed Mutahir Ali (Technology Consultant) commented:
Do you normally send emails to Western Union or fbi.gov? If not, then Alan's article should help you get this sorted.

 
pine_nel1 commented:
Hi protechcol,

What do the current sessions under your protocols -> SMTP look like (any pattern there) ?

Thanks

Pine

 
protechcol (Author) commented:
Mutahir, no the client doesn't send to FBI or Western Union.  They are a small local construction company.  I will read Alan's article and see if it answers my problem.

pine_nel1, at this very moment the current sessions are empty (not sure anyone is in office yet either).  But before I saw something along the lines of each Exchange user had 10 connections and then there was a bunch of random SMTP_<jumble of letters and numbers> connections.
 
Syed Mutahir Ali (Technology Consultant) commented:
Check on www.mxtoolbox.com to see if your server is an open relay.

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Follow the article too and verify that your system isn't relaying.
 
protechcol (Author) commented:
I know it's not an open-relay.  That was actually the first thing I thought when this all started.  I had read an article similar to Alan's article, and already changed settings for an NDR Attack which cut down on the emails considerably but not completely.  I used Alan's information on Authenticated Relay to find out I had 2 AD accounts compromised.  So I disabled one (no longer used) and changed the password on the other.  I will continue to monitor this but I do believe we are good to go now.  Thanks.
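The thread ends with the author finding two compromised AD accounts through the "authenticated relay" angle: spammers who can log in as a valid user are not stopped by relay restrictions, and the only trace is the authenticated SMTP sessions themselves (the earlier comment about patterns in the SMTP sessions points at the same evidence). The script below is an added example, not code from the thread or from Exchange, that summarises SMTP protocol-log lines per authenticated user and flags accounts that authenticate from outside the office network, from many source addresses, or send to an unusual number of recipients. The log layout, the field order in FIELDS, the LAN range in INTERNAL_NETS, the thresholds and the sample log lines are all constructed assumptions; compare the #Fields: header of your own SMTP log and adjust FIELDS before running it on real data.

```python
"""Summarise SMTP protocol-log activity per authenticated user to spot accounts
being used for authenticated relay (added example; layout and sample are
constructed, not taken from the thread or from Exchange documentation)."""
import ipaddress
from collections import defaultdict

# Assumed field order for the constructed W3C-style sample below.
FIELDS = ["date", "time", "c-ip", "cs-username", "cs-method", "cs-uri-stem"]

# Address ranges treated as "inside the office"; an assumption, adjust to your LAN.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample: one ordinary user, one account abused from several outside IPs.
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-method cs-uri-stem
2010-02-11 08:01:10 192.168.1.42 jsmith AUTH LOGIN
2010-02-11 08:01:11 192.168.1.42 jsmith MAIL FROM:<jsmith@example.com>
2010-02-11 08:01:11 192.168.1.42 jsmith RCPT TO:<bob@customer.example>
2010-02-11 08:01:12 192.168.1.42 jsmith DATA -
2010-02-11 03:14:00 203.0.113.7 oldacct AUTH LOGIN
2010-02-11 03:14:01 203.0.113.7 oldacct MAIL FROM:<oldacct@example.com>
2010-02-11 03:14:01 203.0.113.7 oldacct RCPT TO:<a@fbi.gov>
2010-02-11 03:14:01 203.0.113.7 oldacct RCPT TO:<b@fbi.gov>
2010-02-11 03:14:02 203.0.113.7 oldacct RCPT TO:<c@westernunion.example>
2010-02-11 03:20:00 198.51.100.9 oldacct AUTH LOGIN
2010-02-11 03:20:01 198.51.100.9 oldacct MAIL FROM:<oldacct@example.com>
2010-02-11 03:20:01 198.51.100.9 oldacct RCPT TO:<d@fbi.gov>
2010-02-11 03:20:01 198.51.100.9 oldacct RCPT TO:<e@westernunion.example>
2010-02-11 03:25:00 198.51.100.77 oldacct AUTH LOGIN
2010-02-11 03:25:01 198.51.100.77 oldacct RCPT TO:<f@fbi.gov>
"""


def parse_log(text):
    """Yield one dict per SMTP command line, skipping W3C '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue  # malformed or truncated line; ignore rather than crash
        yield dict(zip(FIELDS, parts[:len(FIELDS)]))


def is_internal(ip):
    """True when the client address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def summarise(records):
    """Per user: distinct source IPs, AUTHs from outside, RCPT count, recipient domains."""
    stats = defaultdict(lambda: {"ips": set(), "external_auths": 0,
                                 "rcpt": 0, "domains": set()})
    for r in records:
        s = stats[r["cs-username"]]
        s["ips"].add(r["c-ip"])
        if r["cs-method"] == "AUTH":
            if not is_internal(r["c-ip"]):
                s["external_auths"] += 1
        elif r["cs-method"] == "RCPT":
            s["rcpt"] += 1
            addr = r["cs-uri-stem"]          # e.g. TO:<a@fbi.gov>
            if "@" in addr:
                s["domains"].add(addr.split("@", 1)[1].rstrip(">").lower())
    return stats


def flag_suspicious(stats, max_ips=2, max_rcpt=20):
    """Return {user: [reasons]} for accounts whose activity looks like relayed spam."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["external_auths"]:
            reasons.append(f"{s['external_auths']} AUTH from outside the LAN")
        if len(s["ips"]) > max_ips:
            reasons.append(f"{len(s['ips'])} distinct source IPs")
        if s["rcpt"] > max_rcpt:
            reasons.append(f"{s['rcpt']} RCPT commands")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarise(parse_log(SAMPLE_LOG))
    for user, reasons in flag_suspicious(stats).items():
        print(f"{user}: {'; '.join(reasons)}; domains={sorted(stats[user]['domains'])}")
```

On the constructed sample only oldacct is reported (three AUTHs from outside the LAN, three source addresses, recipients at the two domains the thread mentions), which is the kind of evidence that justifies disabling or re-passwording an account. The same per-user view also shows why restricting outbound port 25 on the firewall to the Exchange server alone helps: a bot on a workstation that relays through its own SMTP engine never appears in these logs, so blocking direct port 25 egress forces all mail through the one place you can audit.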
 
Syed Mutahir Ali (Technology Consultant) commented:
That's great; Alan's article has helped a lot of people around here and in general.

Glad that it has helped.
 
protechcol (Author) commented:
The suggested article was exactly what I needed, because unfortunately I was victim to both types of attack, not one or the other as most articles reflect.
Question has a verified solution.
