
Directory Harvest Attack

econn31 asked:
What at first I thought was an NDR attack (when I went to change my recipient filtering I learned that it had already been applied and everything was in place to prevent NDR), I believe is a Directory Harvest Attack - the Exchange queue is enormous and it seems from Wireshark that someone is trying to guess common names on our domain. Does anyone know the series of steps required to stop this attack and clean our system? (Our network is 100-200 clients.) Thank you

Mahmoud Sabry, Senior IT Systems Engineer

Commented:
Install antispam in the Exchange server, set up an SPF record for your domain in the public DNS server, and enable Sender ID in the antispam properties.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Install Vamsoft ORF - www.vamsoft.com - 30 day trial - $239 if you decide to buy it.  It will block DHA simply and quickly.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Question is - if people are guessing your user names and they are wrong and you have Recipient Filtering enabled, there should be nothing in the queues.
Sounds like you have a different problem and need to identify the issue.
Who are the senders? Random users or postmaster?
If they are random users - you probably have an authenticated attack, which means you have an account whose password has been breached and that is why the mail is coming in in floods.
Vamsoft will help you to identify the problem. What version of Exchange have you got?

Author

Commented:
Hey alanhardisty,

The senders seem to be random and there also seem to be a lot sent by postmaster. I think you could be right about the authenticated attack.

I downloaded and installed Vamsoft and we have Microsoft Exchange 2003.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:

Author

Commented:
Hey Alan,

The article was awesome and very easy to follow. I’m still experiencing the same issue however. The queues on MX 2003 are filling up faster than I can delete them (the aqadmcli is a nifty program btw). I’ve made sure recipient filtering is on and I’ve downloaded and installed the ORF spam filter. I checked to see whether we were an open relay, but the only exception in the list was the IP of the mail server itself. I then checked to see if an authenticated user was relaying. I followed the steps and when I clicked on the application log in the event viewer I saw several of these:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 30/08/2004
Time: 15:45:08
User: N/A
Computer: EXCH-SRV1
Description: SMTP Authentication was performed successfully with client test-pc1. The authentication method was LOGIN and the username was domain\username.

When I clicked on them to get a description the only email addresses I saw were a crazy series of letters and numbers followed by @(our domain).

Also, something that may be of note. When I go to “current sessions” I will often find a couple of users who I don’t recognize in there and then I will terminate them. Is there anything else I can do to try and stop all of this spam going out?

Thanks again for getting me this far.

Author

Commented:
Although I should add that the Event ID in the application log was not a 1708; it was mostly 7004 with some 7002s and 257s.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Random senders indicate an abused account on your server.
How many users do you have on the server?  If only a handful - change ALL the passwords.  If lots, then we need to track down the user.
Use the Vamsoft Logs and filter on the Class = Whitelist | Filtering Point = On Arrival | Message = Authenticated Session
That should show up the authenticated emails.  If you look in the logs now at the Sender and Recipient columns, you should probably see a sender that is spewing out mail with the same address.
Check the start time of the first message and then cross-reference the Security logs on the server for the account that was used if not shown in Vamsoft.

Author

Commented:
Thanks, I created the filter above and what I get is that one sender, wazirirfcce@live.com, is sending mail to a ton of random addresses. Does not look like a sender on our network is the source. Question: when I look at the queues for the outgoing mail, should there be a ton of folders all with things like live.com, alltel.net, attbi.net, etc.? Because there are around 1000 folders all with names like that.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
If you tell your users to stop sending mail, change your SMTP connector, add a Smarthost of [99.99.99.99], set the domain scope to * - then all mail will try to send down a single queue and won't go anywhere.
Then set your Mail timeout to be 3 minutes for all settings on the SMTP virtual server (note down settings before changing them) and that will time out all the mail very quickly.
Ignore the sender of the mail.  Look at Vamsoft and see the start of the flood.  Check the date / time and then cross reference it to the security log.  That should identify a user account.
Change the password to the user account and restart SMTP service.
New spam should stop, existing spam will time out, then put everything back how it was, consider stronger password security and force password changes regularly if not already in force.
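The cross-referencing step described in the two posts above (find the start of the flood in the Vamsoft "Authenticated Session" log, then look at which account was logging on at that moment in the Security log), as an added example that is not code from the thread or from Vamsoft. It works on constructed, semicolon-separated exports; the timestamps, the recipient addresses and the EXAMPLE\jsmith account are invented for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed Vamsoft-style records after the filter described above (Class =
# Whitelist, Filtering Point = On Arrival, Message = Authenticated Session).
# Fields: timestamp;sender;recipient. All values are invented for this example.
VAMSOFT_LOG = """\
2004-08-30 15:40:12;alice@example.local;partner@example.org
2004-08-30 15:45:08;wazirirfcce@live.com;qk3z9@alltel.net
2004-08-30 15:45:09;wazirirfcce@live.com;x7bb1@attbi.net
2004-08-30 15:45:09;wazirirfcce@live.com;m2pd8@live.com
2004-08-30 15:45:10;wazirirfcce@live.com;r9w0c@alltel.net
2004-08-30 15:52:30;bob@example.local;client@example.net
"""
# Constructed Security-log logon entries (timestamp;account); invented too.
SECURITY_LOG = """\
2004-08-30 15:30:01;SYSTEM
2004-08-30 15:44:59;EXAMPLE\\jsmith
2004-08-30 15:45:07;EXAMPLE\\jsmith
2004-08-30 15:45:08;SYSTEM
2004-08-30 15:45:09;EXAMPLE\\jsmith
2004-08-30 15:51:00;EXAMPLE\\alice
"""

def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS;field;...' lines into (datetime, fields), sorted."""
    rows = []
    for line in text.strip().splitlines():
        stamp, *fields = line.split(";")
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), fields))
    return sorted(rows, key=lambda r: r[0])

def flood_start(vamsoft_rows, burst=3, window=timedelta(seconds=10)):
    """Timestamp of the first message opening a run of >= burst messages within window."""
    stamps = [t for t, _ in vamsoft_rows]
    for i, t in enumerate(stamps):
        if sum(1 for s in stamps[i:] if s < t + window) >= burst:
            return t
    return None

def suspect_accounts(security_rows, start, slack=timedelta(seconds=30), ignore=("SYSTEM",)):
    """Logon counts per account within +/- slack of the flood start, busiest first."""
    hits = Counter()
    for t, (account,) in security_rows:
        if account not in ignore and start - slack <= t <= start + slack:
            hits[account] += 1
    return hits.most_common()

if __name__ == "__main__":
    start = flood_start(parse_log(VAMSOFT_LOG))
    print("flood started at", start)
    print("accounts to reset first:", suspect_accounts(parse_log(SECURITY_LOG), start))
```

Built-in principals such as SYSTEM are skipped because, as the thread notes, they appear constantly in the Security log and are not the abused mailbox.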

Author

Commented:
Gotcha - I will give that a go. The only thing I'm unclear about is the Security log. I'll search for it; where would I find that, is it on the mail server? Sorry, again... new to this and thanks again for the help

Author

Commented:
Never mind, found it.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You found the account in the log or the log?

Author

Commented:
I think I found them and there is more than one - will change those passwords. Also, there was no SMTP connector, so I created one. Does that sound right? I expanded Routing Groups > (our domain) > Connectors.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Yes - that's fine to create one.
Good news - sounds like you are making good progress.
Make sure you set strong passwords and once done - restart the Simple Mail Transfer Protocol Service.

Author

Commented:
I found the times of the delinquent spammer and matched them to the times from the Security log.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You have to love Vamsoft : )

Author

Commented:
Yeah - they make it easy. Thanks for all your help, I'm just going to make sure that I can smoothly change passwords without screwing anything up for that group of staffers. Then hopefully that will take care of things. I should probably go ahead and change everyone's password while I'm at it.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
All 200 - could be a while, but not a bad idea.
You can force a strong policy, force changes every 30 days, and then force change at next logon and then you don't have to change them all - they get to do it.
The queue will take a while to empty but once clear, set the SMTP Connector back to DNS and the SMTP Message timeouts back to whatever they were before.
Then make sure you are not Blacklisted on www.mxtoolbox.com/aspx and request de-listing from them all.  If you are on Tiopan - ignore them - you will drop off after a week and the same for SORBS.

Author

Commented:
Gotcha, will do - will it have been enough for me to see all the times on the Vamsoft logs and then cross-list the times of the spam with the Security log without changing the SMTP connector? Because my ESM froze on me and I didn't complete that step properly. In the Security log I see tons and tons of hits every minute - an assortment of users and a lot of SYSTEM as the user; I hope that's not a bad thing. Thanks again for all the troubleshooting; hopefully this spam will stop flooding in pretty soon, once I change a few accounts.
Alan Hardisty, Co-Owner
Top Expert 2011
Commented:
It will probably only be one or two accounts. Worst case, block inbound port 25 on your firewall until you have a grip on the problem and then have checked the logs and changed the passwords.  Then restart the SMTP service, open up port 25 again and you should be in control once more.
I'm turning in for the night shortly - nearly 1am for me.  I will be back bright and breezy at about 7:30am.
Anything else you need before I go silent for a few hours?

Author

Commented:
Nope, not at all, can't ask any more - just gonna continue to try to get control of it. Thanks yet again
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Thanks - I'll be here if you need me for anything.
Appreciate the points.
Keep lots of coffee to hand : )