DotFoil
asked on
help! my exchange server keeps getting hacked
i have an exchange server that keeps getting blacklisted. everytime i think it is clean, a few weeks go by and i get blacklisted again. i can see (with wireshark) emails going out on SMTP connections that some virus or someone else is initiating, but i cant seem to get rid of it.
i know this seems basic, but how do i verify that ONLY my authenticated users (about 10) can send out and NO OTHER USER can send out of my exchange server?
i know this seems basic, but how do i verify that ONLY my authenticated users (about 10) can send out and NO OTHER USER can send out of my exchange server?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The usual problem that I have seen time and time again is that you have probably been the victim of an Authenticated Relay, which essentially means someine has used a brute force password crack on your server and is sending out emails via your server using one of your user accounts with a password.
How many users do you have on your server? It might be simpler to just change ALL the passwords for ALL the users
Do you have Anti-Spam software on the server? If not, I would recommend installing Vamsoft ORF which you can trial for 30 days and this will help you identify which account has been abused.
Please advise which Exchange Version you have.
How many users do you have on your server? It might be simpler to just change ALL the passwords for ALL the users
Do you have Anti-Spam software on the server? If not, I would recommend installing Vamsoft ORF which you can trial for 30 days and this will help you identify which account has been abused.
Please advise which Exchange Version you have.
Do you have blocked port 25 in outgoing direction on your firewall for all internal IPs except your exchange server? In don't it could be that some other PC is infected with malware.
ASKER
Version is Exchange 2003; I am using NOD32 with Exchange monitor, but i KNOW we have gotten viruses on the server. I used wireshark to see the spam, and i could see it just going out and out - uit stopped when i removed the virus, but maybe it was on another workstation as well.
All was fine for weeks, then it cropped up again.
I also had everyone change passwords the first time it happened, but that did not affect the spamming, so i dont think that was the cause.
All was fine for weeks, then it cropped up again.
I also had everyone change passwords the first time it happened, but that did not affect the spamming, so i dont think that was the cause.
ASKER
thanks FDiskWizard: for the articles. since i only have a couple users i decided to grant ONLY them access the SMTP virtual server. i saw a beautiful thing in wireshark:
client does not have permission to submit mail to this server.
So this will buy me some time, but we are still under constamt attack. is this a virus inside? is it an external attack? how can i tell? I have scanned and scanned and cant seem to say definitively "ive got it"
client does not have permission to submit mail to this server.
So this will buy me some time, but we are still under constamt attack. is this a virus inside? is it an external attack? how can i tell? I have scanned and scanned and cant seem to say definitively "ive got it"
ASKER
ok, here is the last question and then ill award points:
wireshark is now telling me that granting exclusive access to my users to send (by adding mary, paul, stephen etc) i am successful denying all the smtp requests that have been bombarding my server. My question is, can i tell from the wireshark capture where these attacks are coming from ?
Every request has different email addresses and IPs associated with it, but has the same MAC address listed:Source: TelogyNe_66:51:eb (00:e0:a6:66:51:eb)
I assumed i would find this MAC address in my network, but it is not one of mine. Does that mean this attack is coming from outside, and if so, can i stop it?
wireshark is now telling me that granting exclusive access to my users to send (by adding mary, paul, stephen etc) i am successful denying all the smtp requests that have been bombarding my server. My question is, can i tell from the wireshark capture where these attacks are coming from ?
Every request has different email addresses and IPs associated with it, but has the same MAC address listed:Source: TelogyNe_66:51:eb (00:e0:a6:66:51:eb)
I assumed i would find this MAC address in my network, but it is not one of mine. Does that mean this attack is coming from outside, and if so, can i stop it?
Goord to hear you could secure the box.
wireshark only captures the data, he does not 'know' your network.
Yes, I also think the MAC is from inside, maybe a PC with a virus? If the mac is from outside you would get the MAC from your router in your ethernet-frame. To make sure you can do a monitoring on you rrouter just to see if the frames will bypass the router?
To troubleshoot you can examine the ARP tables from your routers / switches (if they are managed) to search for that AMC address.
As you can see here "http://www.coffer.com/mac_find/?string=00:e0:a6:66:51:eb" the MAC address is from a company called Telogy Networks (as also stated in the source name). They make VOIP products. Do you have any VOIP in your network?
To maker sure: Your users do need straight SMTP access? They do not use Outlook in Exchange mode?
I would not set access to the SMTP service at user level, you always have a chance of brute password hacking from outside. Give those users an static IP address en only allow those IP addresses to relay.
wireshark only captures the data, he does not 'know' your network.
Yes, I also think the MAC is from inside, maybe a PC with a virus? If the mac is from outside you would get the MAC from your router in your ethernet-frame. To make sure you can do a monitoring on you rrouter just to see if the frames will bypass the router?
To troubleshoot you can examine the ARP tables from your routers / switches (if they are managed) to search for that AMC address.
As you can see here "http://www.coffer.com/mac_find/?string=00:e0:a6:66:51:eb" the MAC address is from a company called Telogy Networks (as also stated in the source name). They make VOIP products. Do you have any VOIP in your network?
To maker sure: Your users do need straight SMTP access? They do not use Outlook in Exchange mode?
I would not set access to the SMTP service at user level, you always have a chance of brute password hacking from outside. Give those users an static IP address en only allow those IP addresses to relay.
If you enable SMTP logging you should be able to see in the SMTP logs where the error originate from...
ASKER
ptholen: actually, we are using exchange for the time being, does that mean i do not need to have smtp turned on? I thought even exchange used smtp for outgoing mail. is there a way to turn it off?
Also, how could a VOIP product be sending spams? I checked all the workstations and this did not match any of our NICs - very odd. Also, while the MAC address stays the same, the external IP of the intrusion keeps changing, but they are all POSTINI wan ips, which we use for spam control (ha!).
I guess if i can find out how to turn off smtp i can solve all of these problems at once. thoughts?
Also, how could a VOIP product be sending spams? I checked all the workstations and this did not match any of our NICs - very odd. Also, while the MAC address stays the same, the external IP of the intrusion keeps changing, but they are all POSTINI wan ips, which we use for spam control (ha!).
I guess if i can find out how to turn off smtp i can solve all of these problems at once. thoughts?
re: Mac addresses.
Remember that MAC addresses are layer 2. Once a packet is routed, the originating MAC address is changed to the last level 3 device. If the MAC address truly belongs to Telogy Networks, it is irrelevant unless there is a layer 2 connection to that company.
The MAC address is probably spoofed. If this traffic is fairly constant, I recommend unplugging each workstation - one at a time - and see if the traffic stops (doing it at the switch is usually convenient). If it stops, you have your culprit machine.
If there is no change in the traffic, try blocking that IP at your firewall. Test for incoming email (use an outside webmail account and email to yourself on the inside) and see if the traffic stops / changes. Also check the MAC address of your firewall - It might match the address listed on the bad traffic.??
I would also call your POSTINI people as they could have someone using their system to relay these email to you.
There are a few things to check - might give us some more clues. Let us know what happens.
:-)
Remember that MAC addresses are layer 2. Once a packet is routed, the originating MAC address is changed to the last level 3 device. If the MAC address truly belongs to Telogy Networks, it is irrelevant unless there is a layer 2 connection to that company.
The MAC address is probably spoofed. If this traffic is fairly constant, I recommend unplugging each workstation - one at a time - and see if the traffic stops (doing it at the switch is usually convenient). If it stops, you have your culprit machine.
If there is no change in the traffic, try blocking that IP at your firewall. Test for incoming email (use an outside webmail account and email to yourself on the inside) and see if the traffic stops / changes. Also check the MAC address of your firewall - It might match the address listed on the bad traffic.??
I would also call your POSTINI people as they could have someone using their system to relay these email to you.
There are a few things to check - might give us some more clues. Let us know what happens.
:-)
P.S. - I don't mean that POSTINI would be doing this intentionally, but everybody is susceptible to attack from time to time.
@Dotfoil: You need SMTP on your server because Exchange uses SMTP to talk with the outside. But normal OUTLOOK users ( with an Exchange profile) don't use SMTP, they use MAPI.
You only need SMTP access for users or computers that needs to send mail directly and don't uses Outlook.
Again,. this is the best solution for stopping spam. Only allow SMTP relaying for known (internal) IP addresses. Of course if your IP is spoofed or a trusted IP has an virus the problem still exist but then you have narrowed the list to a few possible IP addresses.
What I recommend is (if possible) to remove RELAY access (on your SMTP connector/server) for all users and computers. test if Outlook users still can send and receive e-mail. You can see, they do.
Don't remove smtp ACCESS rights, SMTP access is needed for all external SMTP Servers who wants to send you mail. You only do need to remove the users and computers smtp RELAY rights.
I assume you don't have an SMTP gateway / smarthost that you trust? Because if you do, the problem can resides on the trusted SMTP gateway.
Patrick
You only need SMTP access for users or computers that needs to send mail directly and don't uses Outlook.
Again,. this is the best solution for stopping spam. Only allow SMTP relaying for known (internal) IP addresses. Of course if your IP is spoofed or a trusted IP has an virus the problem still exist but then you have narrowed the list to a few possible IP addresses.
What I recommend is (if possible) to remove RELAY access (on your SMTP connector/server) for all users and computers. test if Outlook users still can send and receive e-mail. You can see, they do.
Don't remove smtp ACCESS rights, SMTP access is needed for all external SMTP Servers who wants to send you mail. You only do need to remove the users and computers smtp RELAY rights.
I assume you don't have an SMTP gateway / smarthost that you trust? Because if you do, the problem can resides on the trusted SMTP gateway.
Patrick
ASKER
Thanks for the help
make sure only internal addresses are allowed to send smtp mail (relaying). Please note that outlook users (echange profile) don't use SMTP, they use MAPI. In this case you even do'nt need the internal subnet to allow relay.
For best security disable 'allow all users that successfully authenticate to send mail' (or something like that).If an hacker knows a username and password he still can send spam to and from your server. If only users on the internal network must send e-mails i would disable that.