Solved

IIS SMTP server queue filling up and allowing rogue or unauthorized connections

Posted on 2010-09-13
897 Views
Last Modified: 2012-05-10
My overall configuration is this: 2 Windows Server 2003 systems.  Server #1 runs Exchange 2003 which receives mail for the entire domain and also sends mail for users in the office who connect to the server with Outlook in Exchange mode.  Server #2 is just Server 2003 with SMTP installed in IIS.  This server is for sending only, it is used by field workers who connect via Outlook with POP3 (to server #1) and SMTP to server #2.  

On server #2 the SMTP settings are as follows: On the Access tab of the SMTP server Properties under Authentication the server is setup to require basic authentication.  Under Relay it is set to relay for 'Only the list below' (the list is blank) and then it is set to 'Allow all computers which successfully authenticate to relay, regardless of the list above.'

A barracuda protects all incoming mail.

The server has been setup this way for a LONG time.  In the last month I have been having problems with the smtp queue folder filling up, I currently have 60,000 emails in the queue.  I can see connections under 'Current Sessions' in IIS from IPs in China, Nigeria, Russia and a few others.  All of the connections show in the following format:
User            117.135.138.153         34 seconds

I don't have a user called 'User.'  Usually with a legit connection, the user portion is either the user's actual computer name or the local IP they are using.

Any ideas how to make this stop?  I forced all of the field users to change their passwords and that seemed to work for a day and a half or so.  I only forced the field users because the only server with issues was #2, which only serves the field workers.  My thought is that a user's computer is infected with something that is stealing the password, so the password change only worked for a short while.  I have encouraged them all to scan their computers but I have no direct control to force that to happen.

I have used various tools on the Internet to check my system for an open relay or other issue but everything seems to be OK.  At one point I assumed that this was an NDR attack because most outgoing messages were from postmaster@ourdomain.com.  But now the queue has emails from external domains to other external domains.  Our domain is not part of the process at all!
Question by:itsystemsllc
16 Comments
 
LVL 5

Expert Comment

by:jhill777
ID: 33665533
Looks like a proxy server for anonymity.
I would change ports from 25 to something else by setting up two virtual servers: one with relaying disabled on port 25 for standard traffic, and another with authentication-based relaying turned on, on a non-standard port number.
 

Author Comment

by:itsystemsllc
ID: 33665603
I do have ports 25 and 587 enabled on this SMTP server.  I did that because the out of office users were running into issues with SBC, Comcast etc... blocking port 25 traffic for their residential customers.  We offer port 587 as an alternate.  I don't know for sure which port is being used for this spam activity.  Are you suggesting I disable 25 and only use 587?

Please explain your suggestion a little more.  Thanks.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33665614
It sounds like you have an authenticated relay problem going on.
One of your user accounts and passwords has been compromised.
Depending on the number of users, you may want to force a password change for all accounts, restart the SMTP Service and then the problem should calm down.
You will need to empty the queues and then get yourself off the blacklists that you will inevitably be on (www.mxtoolbox.com/blacklists.aspx).
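The relay policy described in the question (relay for 'Only the list below' with an empty list, plus 'Allow all computers which successfully authenticate to relay') is what makes Alan's diagnosis fit the symptoms. The following is an added example, written for this page and not code from IIS or from anyone in the thread: a small model of that policy, with the AUTH LOGIN exchange that IIS SMTP advertises, so you can see why an open-relay scanner (which never authenticates) gets '550 5.7.1 Unable to relay' while a stolen field-worker password relays to any domain. The domain, account name and password are constructed placeholders.

```python
"""Model of the relay policy from the question (constructed example, not IIS
code): 'Only the list below' with an empty list, plus 'Allow all computers
which successfully authenticate to relay'. Open-relay scanners never
authenticate, so they see 550 and report 'not an open relay', while anyone
holding a valid field-worker password relays to any domain."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical tenant data, constructed for this example.
LOCAL_DOMAINS = {"ourdomain.com"}
ACCOUNTS = {"fieldworker1": "Summer2010!"}   # a password the attacker has stolen


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


@dataclass
class RelayPolicy:
    local_domains: Set[str]                               # delivery, not relay
    relay_ip_list: Set[str] = field(default_factory=set)  # 'Only the list below' (empty)
    relay_authenticated: bool = True                      # '...regardless of the list above'


@dataclass
class Session:
    client_ip: str
    helo: Optional[str] = None        # what 'Current Sessions' shows in the User column
    user: Optional[str] = None        # set only after a successful AUTH LOGIN
    auth_step: Optional[str] = None   # None -> "user" -> "pass"
    pending_user: str = ""


class SmtpPolicyServer:
    def __init__(self, policy: RelayPolicy, accounts: Dict[str, str]):
        self.policy, self.accounts = policy, accounts

    def rcpt_allowed(self, s: Session, rcpt: str) -> bool:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.policy.local_domains:
            return True                                   # inbound to us, not a relay
        if s.client_ip in self.policy.relay_ip_list:
            return True                                   # explicit relay list (empty here)
        return self.policy.relay_authenticated and s.user is not None

    def handle(self, s: Session, line: str) -> str:
        if s.auth_step == "user":                         # AUTH LOGIN step 2: username
            s.pending_user, s.auth_step = base64.b64decode(line).decode(), "pass"
            return "334 UGFzc3dvcmQ6"                     # base64("Password:")
        if s.auth_step == "pass":                         # AUTH LOGIN step 3: password
            s.auth_step = None
            if self.accounts.get(s.pending_user) == base64.b64decode(line).decode():
                s.user = s.pending_user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.3 Authentication unsuccessful"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            s.helo = arg
            return "250 OK"
        if verb == "AUTH":
            if arg.upper() != "LOGIN":
                return "504 5.7.4 Unrecognized authentication type"
            s.auth_step = "user"
            return "334 VXNlcm5hbWU6"                     # base64("Username:")
        if verb == "MAIL":
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip("<> ")
            if self.rcpt_allowed(s, rcpt):
                return "250 2.1.5 " + rcpt
            return "550 5.7.1 Unable to relay for " + rcpt
        if verb == "QUIT":
            return "221 2.0.0 Service closing transmission channel"
        return "500 5.3.3 Unrecognized command"


def relay_probe(server: SmtpPolicyServer, client_ip: str,
                rcpt: str = "victim@example.org",
                creds: Optional[Tuple[str, str]] = None) -> Tuple[bool, List[str]]:
    """Attempt an external->external relay. Without creds this is what
    checkor.com / mxtoolbox do; with creds it is what the spammer does.
    Returns (relayed?, full list of server responses)."""
    lines = ["EHLO User"]
    if creds:
        lines += ["AUTH LOGIN", b64(creds[0]), b64(creds[1])]
    lines += ["MAIL FROM:<spammer@example.net>", "RCPT TO:<%s>" % rcpt, "QUIT"]
    s = Session(client_ip)
    responses = [server.handle(s, l) for l in lines]
    return responses[-2].startswith("250"), responses   # [-2] is the RCPT reply


SERVER = SmtpPolicyServer(RelayPolicy(LOCAL_DOMAINS), ACCOUNTS)

if __name__ == "__main__":
    for creds in (None, ("fieldworker1", "wrong"), ("fieldworker1", "Summer2010!")):
        relayed, log = relay_probe(SERVER, "117.135.138.153", creds=creds)
        print("creds=%s relayed=%s rcpt_reply=%s" % (creds, relayed, log[-2]))
```

The unauthenticated probe is exactly the test the online relay checkers perform, which is why they pass; the check that matters here is the authenticated one, and the only controls that close it are the credential itself (password reset, plus cleaning the machine it was stolen from) or not exposing the authenticated listener where the spammer is connecting.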
 

Author Comment

by:itsystemsllc
ID: 33665639
alan,
I did force a password change and the problem stopped briefly.  But it is back again so I think that the new password or passwords were stolen again.  Not sure how to stop that from happening!  It must be a malware or virus on someone's computer but these are personal computers that I have no control over!
 
LVL 5

Accepted Solution

by:jhill777 (earned 500 total points)
ID: 33665677
Yeah, I would disable 25 completely.  Your remote clients can configure their mail clients to use the non-standard port.  This should stop spammers who scan for open relays.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33665736
Did you restart the SMTP Service?  If not - then please stop the SMTP service, then reset the passwords again and then restart the SMTP service.
If that doesn't resolve it - then there are nastier issues afoot!
 

Author Comment

by:itsystemsllc
ID: 33665752
Sounds good. I can actually see that the rogue connections are all using port 25 from the firewall logs.  So the real question is why this is happening.  It seems to me that I have all the checks in place to keep myself from being an open relay.  At some point I would imagine this happening again even with 587 if my settings are allowing open relay.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33665805
You can check to see if you are an open relay on this site:
http://www.checkor.com/

 

Author Comment

by:itsystemsllc
ID: 33665916
I think I passed all the tests from checkor.com.  All of them said 'client was not authenticated.'  I have also checked multiple times from mxtoolbox.com as well and they say I am not an open relay either.  If I am not an open relay, and I don't think I am, I don't understand how this is happening.  The outgoing server is smtp.misda.org if any of you want to test for giggles.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33666064
Are you logging inbound SMTP access on your firewall?
You may see a lot of logs from a particular IP that you could block until you get a handle on the problem.
 

Author Comment

by:itsystemsllc
ID: 33666511
Yes, I am logging.  I have looked up a ton of IPs and found them to be from China, Nigeria, Russia, Poland and more.  I used http://tools.whois.net/whoisbyip/ to look up the IPs.  The nice thing about that site is that it gives you the whole network range (so you don't have to calculate it yourself!) and then I can make a block rule for that whole range.  I have a SonicWall firewall attached to my DSL but that is so cumbersome.  To help troubleshoot this issue I installed an Untangle firewall in bridge mode between the SonicWall and the LAN.  This has given me much better information and control!

I will be implementing the port 25 block and I will post back later, tomorrow or Wednesday with results.

Thanks.
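Alan's suggestion to mine the firewall's inbound SMTP log and the author's approach of blocking whole ranges can be scripted rather than done IP by IP. The following is an added example, not a tool from the thread: it parses a constructed, generic log format (the regex in parse_line is the only part to adapt for a SonicWall or Untangle export), counts accepted connections per source to a given destination port, and emits one block rule per offending range. The /24 fallback is a guess at the range; the whois-derived allocation the author used is better, so the function accepts a caller-supplied mapping for that. All IPs and lines are constructed.

```python
"""Aggregate inbound SMTP connections per source IP from firewall logs and
turn the noisy sources into block rules. Constructed example; the log format
is invented for the example and parse_line() is what you adapt for your
firewall's real export."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample: "<date> <time> <action> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2010-09-13 08:01:02 allow 117.135.138.153:51234 -> 203.0.113.10:25
2010-09-13 08:01:05 allow 117.135.138.153:51240 -> 203.0.113.10:25
2010-09-13 08:01:09 allow 41.58.10.22:4431 -> 203.0.113.10:25
2010-09-13 08:02:10 allow 192.0.2.77:1025 -> 203.0.113.10:587
2010-09-13 08:02:11 allow 117.135.138.153:51250 -> 203.0.113.10:25
2010-09-13 08:02:40 allow 117.135.138.153:51261 -> 203.0.113.10:25
2010-09-13 08:03:00 allow 41.58.10.22:4432 -> 203.0.113.10:25
2010-09-13 08:03:04 allow 41.58.10.22:4433 -> 203.0.113.10:25
2010-09-13 08:03:09 allow 91.203.5.14:3321 -> 203.0.113.10:25
2010-09-13 08:03:12 deny 91.203.5.14:3322 -> 203.0.113.10:25
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def sources_by_port(log_text: str, dport: int = 25) -> List[Tuple[str, int]]:
    """Accepted connections to dport, grouped by source IP, busiest first."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "allow" and rec["dport"] == dport:
            counts[rec["src"]] += 1
    return counts.most_common()


def block_rules(source_counts: List[Tuple[str, int]], threshold: int = 2,
                dport: int = 25, prefix: int = 24,
                whois_ranges: Optional[Dict[str, str]] = None) -> List[str]:
    """One pseudo-rule per offending range. whois_ranges maps an IP to the
    allocation you looked up (as the author did); otherwise fall back to a
    /prefix guess. Ranges are de-duplicated so two IPs in one block give one rule."""
    whois_ranges = whois_ranges or {}
    rules, seen = [], set()
    for ip, n in source_counts:
        if n < threshold:
            continue
        if ip in whois_ranges:
            net = ipaddress.ip_network(whois_ranges[ip])
        else:
            net = ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)
        if net in seen:
            continue
        seen.add(net)
        rules.append("deny tcp from %s to any port %d" % (net, dport))
    return rules


if __name__ == "__main__":
    top = sources_by_port(SAMPLE_LOG, 25)
    print("port 25 sources:", top)
    print("port 587 sources:", sources_by_port(SAMPLE_LOG, 587))
    for rule in block_rules(top, threshold=2):
        print(rule)
```

Because server #2 exists only for the field workers, and they were moved to 587, every accepted connection to 25 from the Internet after the change is noise worth blocking; before the change, the per-source counts are what separate a spam engine hammering the listener from a single roaming laptop.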
 

Author Comment

by:itsystemsllc
ID: 33667960
Does anyone have any tips or software that can help me identify what account is being used to authenticate on my smtp server?  Windows smtp logging doesn't show me that information.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33667973
Download the 30-day trial of Vamsoft ORF - http://www.vamsoft.com. It has excellent logging capabilities (not to mention anti-spam capabilities) and you can use the logs to see when the sender is from the spammer and then cross-reference that to the Security Event Log and that should pinpoint an account.
I'm heading to bed in a short while but can assist with Vamsoft logs / filtering if need be.

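The cross-reference Alan describes can be done with the logs already on the box, without waiting for a trial product: the IIS SMTP W3C log records each command with the client IP and the HELO name, and a basic-auth logon that succeeds leaves a success audit in the Security log. The following is an added example, not a tool from the thread, and it makes three labelled assumptions: the W3C column layout is whatever the file's own #Fields: header says (the parser reads it rather than hard-coding it; the cs-username column holding the HELO name, which is what shows as 'User' in Current Sessions, is an assumption to check against your log); W3C log times are UTC while the Security log is local time, so an offset is applied; and on Server 2003 a basic-auth logon is event 528 with logon type 8 (NetworkCleartext). The log excerpt and security events are constructed.

```python
"""Pinpoint the account a spammer authenticates with by lining up AUTH
commands from the rogue IPs in the IIS SMTP W3C log against success audits
in the Security event log. Constructed example. Assumptions: field layout
comes from the #Fields: header; W3C times are UTC, Security log is local;
basic auth produces event 528 with logon type 8 (Server 2003)."""
import datetime as dt
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed W3C excerpt. Times are UTC; the rogue client says HELO 'User'.
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2010-09-13 12:01:02 117.135.138.153 User SMTPSVC1 SERVER2 203.0.113.10 25 EHLO - +User 250
2010-09-13 12:01:03 117.135.138.153 User SMTPSVC1 SERVER2 203.0.113.10 25 AUTH - LOGIN 334
2010-09-13 12:01:04 117.135.138.153 User SMTPSVC1 SERVER2 203.0.113.10 25 MAIL - +FROM:<postmaster@ourdomain.com> 250
2010-09-13 12:01:04 117.135.138.153 User SMTPSVC1 SERVER2 203.0.113.10 25 RCPT - +TO:<victim@example.org> 250
2010-09-13 12:05:30 192.0.2.77 JOHN-LAPTOP SMTPSVC1 SERVER2 203.0.113.10 587 EHLO - +JOHN-LAPTOP 250
2010-09-13 12:05:31 192.0.2.77 JOHN-LAPTOP SMTPSVC1 SERVER2 203.0.113.10 587 AUTH - LOGIN 334
2010-09-13 12:05:32 192.0.2.77 JOHN-LAPTOP SMTPSVC1 SERVER2 203.0.113.10 587 MAIL - +FROM:<john@ourdomain.com> 250
"""

# Constructed Security log extract (local time, UTC-5 in this example), as you
# would get from an Event Viewer export: event 528 = successful logon on 2003.
SECURITY_EVENTS = [
    {"time": "2010-09-13 07:01:04", "event_id": 528, "account": "fieldworker1", "logon_type": 8},
    {"time": "2010-09-13 07:01:10", "event_id": 540, "account": "SERVER2$", "logon_type": 3},
    {"time": "2010-09-13 07:05:32", "event_id": 528, "account": "john", "logon_type": 8},
]

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def rogue_ips_by_helo(rows: Iterable[Dict[str, str]], helo: str = "User") -> Set[str]:
    """Client IPs whose HELO name is the generic one the spam engine uses
    (assumes cs-username carries the HELO name; check against your log)."""
    return {r["c-ip"] for r in rows if r.get("cs-username") == helo}


def auth_commands(rows: Iterable[Dict[str, str]], rogue_ips: Set[str],
                  utc_offset_hours: int) -> List[dt.datetime]:
    """Local-time timestamps of AUTH commands issued from the rogue IPs."""
    offset = dt.timedelta(hours=utc_offset_hours)
    out = []
    for r in rows:
        if r.get("cs-method") == "AUTH" and r.get("c-ip") in rogue_ips:
            t = dt.datetime.strptime(r["date"] + " " + r["time"], TS_FMT)
            out.append(t + offset)   # UTC -> local, to match the Security log
    return out


def accounts_used(auth_times: List[dt.datetime], events: Iterable[dict],
                  window_seconds: int = 5) -> Counter:
    """Count success audits (528/540, logon type 8) landing within
    window_seconds of a rogue AUTH. The winner is the compromised account."""
    hits: Counter = Counter()
    for ev in events:
        if ev["event_id"] not in (528, 540) or ev["logon_type"] != 8:
            continue
        t = dt.datetime.strptime(ev["time"], TS_FMT)
        if any(abs((t - a).total_seconds()) <= window_seconds for a in auth_times):
            hits[ev["account"]] += 1
    return hits


if __name__ == "__main__":
    rows = parse_w3c(SMTP_LOG)
    rogue = rogue_ips_by_helo(rows)
    print("rogue IPs:", rogue)
    print("accounts:", accounts_used(auth_commands(rows, rogue, -5), SECURITY_EVENTS))
```

Getting the UTC offset wrong is the usual reason this correlation comes up empty; if the script returns nothing, re-check the offset (and daylight saving) before concluding the logs are incomplete. Once an account stands out, resetting only that password and looking at the machine it belongs to is a much smaller job than resetting every field worker again.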
 
LVL 5

Expert Comment

by:jhill777
ID: 33674012
Did you check this too?
In Exchange System Manager (ESM), right-click the SMTP connector, and then click Properties.
Click the Address Space tab, and then click to clear the Allow messages to be relayed to these Domains check box.
Click OK, and then restart the SMTP service.
 

Author Comment

by:itsystemsllc
ID: 33674267
The problem SMTP server is not the Exchange SMTP server, just the basic IIS SMTP so I am not sure that your suggestion would help, correct me if I am wrong.

Also, the closure of port 25 seems to have stopped my bleeding.  I turned it off and then cleaned out the queue (70,000 messages) last night.  This morning there are no new messages filling up the queue folder.  Thank you to Jhill777 for that suggestion!
 

Author Closing Comment

by:itsystemsllc
ID: 33728959
Although I was never able to identify the compromised account, I did stop the spam traffic by closing the port as suggested.
