Sean Rhudy asked:
Exchange 2003 relay lockdown
Hello all,
I've been getting authenticated relay attacks on my exchange 2003 server. It's a single server setup, which, I know, is not ideal, but it's what fits in the budget. I know the basics of all of the settings for relaying but I have a few questions regarding it.
1. I know that I have to leave the checkbox checked that says allow all authenticated computers to relay. If I don't, nobody will be able to send mail. This network only has about 15 users. Should I name each IP address and specify that only those computers can relay? How will this affect OWA and Outlook anywhere users?
2. In Event Viewer, under Security, what exact logon types am I looking for to see which user's account was compromised?
3. Are there any other settings that I can lock down to help?
Do you use an internal private IP scheme? (10.x or 192.168.x)
If you do, you can update the settings to allow an IP range of your internal systems.
ASKER
Everyone already changed their password, but is there anything else I should check?
You mentioned that you are facing authenticated relay attacks.
How did you arrive at this conclusion? (Just want to make sure that the diagnosis is correct.)
Did you check the Exchange message tracking logs and track the number of messages sent using Log Parser?
http://msexchangeteam.com/archive/2007/09/12/446982.aspx
http://www.msexchange.org/tutorials/Using-Logparser-Utility-Analyze-ExchangeIIS-Logs.html
Let's try to define what we are looking for:
a) We are looking for a client IP / NetBIOS name which is sending a boatload of spam.
b) It may be one or more than one username.
What can you do?
a) See the guide here on auth relay attacks.
http://www.vamsoft.com/authattack.asp
You can also download a trial version of VamSoft ORF, which natively logs the compromised user.
http://www.vamsoft.com/
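The answer above suggests counting messages per client and sender in the message tracking log to find the abused account. The following Python script is an added example (not from this thread or from Log Parser) that does that aggregation over a constructed, cut-down tracking log sample. It assumes the Exchange 2003 tab-delimited log layout with a `#Fields:` header line and the column names `client-ip`, `Event-ID`, `MSGID`, `Number-Recipients` and `Sender-Address`; the real log has more columns, so the script keys on the header row rather than on fixed positions. Event-ID 1019 is used as the submission event so that each message is counted once rather than once per tracking event; the recipient threshold is an arbitrary starting point.

```python
"""Spot an account abused for authenticated relay by aggregating an
Exchange 2003-style message tracking log per (sender, client IP).

Added example, not from the thread.  The log sample below is constructed
and only models a subset of the real tab-delimited tracking log columns.
"""
from collections import defaultdict

# Constructed sample: '#Fields:' header, then one tab-separated row per event.
# 192.168.1.x are the office workstations; 203.0.113.45 is an outside client
# submitting with alice's credentials (the pattern the thread is chasing).
SAMPLE_LOG = "\n".join([
    "#Fields:\tDate\tTime\tclient-ip\tClient-hostname\tRecipient-Address"
    "\tEvent-ID\tMSGID\tNumber-Recipients\tSender-Address",
    "2009-3-2\t8:01:10 GMT\t192.168.1.20\tWS01\tbob@example.com\t1019\tm1@example.com\t1\talice@example.com",
    "2009-3-2\t8:01:11 GMT\t192.168.1.20\tWS01\tbob@example.com\t1020\tm1@example.com\t1\talice@example.com",
    "2009-3-2\t8:05:00 GMT\t192.168.1.20\tWS01\tcarol@partner.test\t1019\tm2@example.com\t2\talice@example.com",
    "2009-3-2\t8:07:30 GMT\t192.168.1.31\tWS02\talice@example.com\t1019\tm3@example.com\t1\tbob@example.com",
    "2009-3-2\t2:13:02 GMT\t203.0.113.45\tunknown\t-\t1019\tm4@example.com\t200\talice@example.com",
    "2009-3-2\t2:13:09 GMT\t203.0.113.45\tunknown\t-\t1019\tm5@example.com\t200\talice@example.com",
    "2009-3-2\t2:13:15 GMT\t203.0.113.45\tunknown\t-\t1019\tm6@example.com\t200\talice@example.com",
    "this line is malformed and must be skipped",
])

SUBMIT_EVENT_ID = "1019"  # SMTP: Message Submitted to Advanced Queuing


def parse_tracking_log(text):
    """Yield one dict per record, using the '#Fields:' line as the key list.

    Rows whose column count does not match the header are skipped, so a
    truncated or corrupt line cannot shift the remaining columns.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#") or fields is None:
            continue  # other comment lines, or data before any header
        values = line.split("\t")
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def summarize(rows, event_id=SUBMIT_EVENT_ID):
    """Per (sender address, client IP): distinct messages and total recipients.

    Only the submission event is counted, so a message that later produces
    transfer/delivery events (e.g. 1020) is not counted several times.
    """
    stats = defaultdict(lambda: {"messages": 0, "recipients": 0})
    seen_msgids = set()
    for row in rows:
        if row["Event-ID"] != event_id or row["MSGID"] in seen_msgids:
            continue
        seen_msgids.add(row["MSGID"])
        key = (row["Sender-Address"].lower(), row["client-ip"])
        stats[key]["messages"] += 1
        stats[key]["recipients"] += int(row["Number-Recipients"])
    return dict(stats)


def suspects(stats, max_recipients=50):
    """Return (sender, client-ip) pairs whose recipient total exceeds the threshold."""
    return sorted(k for k, v in stats.items() if v["recipients"] > max_recipients)


if __name__ == "__main__":
    totals = summarize(parse_tracking_log(SAMPLE_LOG))
    for (sender, ip), v in sorted(totals.items(), key=lambda kv: -kv[1]["recipients"]):
        print(f"{sender:<20} {ip:<15} messages={v['messages']:<4} recipients={v['recipients']}")
    print("suspects:", suspects(totals))
```

Run against a real tracking log, feed the file contents to `parse_tracking_log`; the pair with a normal sender but an unfamiliar client IP and a large recipient total is the account to reset and the IP to block.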