Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Exchange 2003 relay lockdown

Posted on 2010-08-30
5
Medium Priority
?
449 Views
Last Modified: 2012-08-13
Hello all,

I've been getting authenticated relay attacks on my exchange 2003 server.  It's a single server setup, which, I know, is not ideal, but it's what fits in the budget.  I know the basics of all of the settings for relaying but I have a few questions regarding it.  

1.  I know that I have to leave the checkbox checked that says allow all authenticated computers to relay.  If I don't, nobody will be able to send mail.  This network only has about 15 users.  Should I name each IP address and specify that only those computers can relay?   How will this affect OWA and Outlook anywhere users?

2.  In Event Viewer, under security, what exact logon types am I looking for to see which user's account was comprimised?  

3.  Are there any other settings that I can lock down to help?
0
Comment
Question by:Sean Rhudy
5 Comments
 
LVL 13

Expert Comment

by:IT-Monkey-Dave
ID: 33563353
With so few users, maybe you can force everyone to change their password?  Just an idea.  If someone's credentials are compromised, that's potentially more serious than just email relaying.
Just sayin'.
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33563374
do you use an internal private ip scheme? (10.x or 192.168.x)
if you do, you can update the settings to allow an ip range of your internal systems
0
 

Author Comment

by:Sean Rhudy
ID: 33563477
everyone already changed their password, but is there anything else I should check?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33563773
You mentioned that you are facing authenticated relay attacks.
How did you arrive at this conclusion ? (just want to make sure that diagnosis is correct)

did you check exchange message tracking logs and track the number of messages sent using logparser ?
http://msexchangeteam.com/archive/2007/09/12/446982.aspx
http://www.msexchange.org/tutorials/Using-Logparser-Utility-Analyze-ExchangeIIS-Logs.html

Lets try to define what are we looking for ?
a) We are looking for a client IP / netbios name which is sending boat-load of spam.
b) It maybe one/more than one username.

What you can do ?
a) See the guide here on auth relay attacks.
http://www.vamsoft.com/authattack.asp

You can also download a trial version of VamSoft ORF which natively logs the compromised user.
http://www.vamsoft.com/

0
 
LVL 17

Accepted Solution

by:
aoakeley earned 500 total points
ID: 33565718
Why do you have to "I know that I have to leave the checkbox checked that says allow all authenticated computers to relay.  If I don't, nobody will be able to send mail."

If users are using Outlook in "Exchange Mode" not "POP/SMTP" you can untick this.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Suggested Courses

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question