Solved

Exchange 2003, Backup, Logs, SPAM

Posted on 2011-02-18
325 Views
Last Modified: 2012-05-11
I have a VM of SBS2003 server whose hard drive is filling up very quickly.  I have added more HD space and looked around.

The Exchange logs are not being flushed out.  That's because there hadn't been a backup in some time.  So I did that last night and the logs didn't clear.

I noticed that this morning some more space was eaten up and I started refreshing -- the log was filling up FAST.

So I looked at the Exchange queues and to my horror, there it was SPAM.  Now, I locked down that server before and we hadn't had a problem for about 3 years.

The server is going to run out of space and go down again if I can't clear up space.

What do I do?  It's these logs for sure -- I have several multi-gb sized files.  Try to rerun the backup?  Delete old files?  How do I quickly stop the SPAM?


Please assist.  Thank you.

Question by:svillardi
16 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34926063
First things first: make sure that the retention periods are lowered so that the mail is dropped in an hour rather than 3 days. This is set on the SMTP virtual server.

In the queue, try to identify where this is originating from (PC, user, etc.). Then give the system a full AV/malware scan.

I would guess that the mail is being sent out as postmaster@yourdomain.com. Enable sender filtering and stop postmaster from being able to send email out.

Take it from there; hopefully someone else will be able to assist also.
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34927322

Author Comment

by:svillardi
ID: 34929142
OK, I see a whole bunch of virtual SMTP domains, but they're all empty.  No messages.  How do I delete them, and what can I do at this point?  My log is at 6 GB for a small office, but it looks like it's stabilized this afternoon, because the log really isn't growing.  Now I'm on a bunch of blacklists.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34929381
If you are blacklisted - please read my article that I posted in the comment above and also check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org and see why you are listed.

Author Comment

by:svillardi
ID: 34930507
OK, all the extra virtual SMTP domains are gone.  I didn't do anything except shorten the expiring time.  I am also seeing that the log file is only slightly changed since this afternoon.  Therefore, I think the outgoing SPAM attack has stopped.

Several thoughts and questions:

Our ISP reported a couple of people forwarded emails that our server sent out.  Today's report listed our server as the sender, but also listed a quarantined virus.  My Symantec Endpoint is up to date and found a couple of things (trojan-spy.html.fraud.gen) in our (inbound) SPAM folder.  I have deleted everything in that folder as a precaution.  The ISP said that one report said that we were doing a phishing request.  Does any of this info help to determine what is actually causing the SPAM or its origination?  I can't see how EML files which a user never saw could activate a virus.

I have almost 20 GB of logs in my sbs2003.log folder.  I did an Exchange backup last night.  Can't I delete these old files?  What should I do?

Recipient filtering was already turned on.  I enabled maximum authentication logging, but nothing yet is showing up in my Event Viewer.

Thanks again!

Author Comment

by:svillardi
ID: 34931356
Please respond to my last post if possible.

Author Comment

by:svillardi
ID: 34931387
More info:  The logs I am talking about are in c:\program files\exchsrvr\sbs2003.log folder, which is shared.  Circular logging is enabled on the Storage Group.  That setting is in c:\program files\exchsrvr\mdbdata.  There's hardly any space taken up at this location.

Thanks again.

Author Comment

by:svillardi
ID: 34931576
Still investigating:  The sbs2003.log files are message tracking files.  By doing a search, using the message tracker tool, I can see a bunch of different senders, including the postmaster@mydomain.com and other outside addresses, such as accounts@paypal.com.

Is there a way to track what virus, either on my server or on another client may be causing this?

Thank you again for the assistance.
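An added example, not part of the thread: the message tracking files in sbs2003.log are tab-delimited text with a `#` header naming the columns, so they can be aggregated offline to answer exactly the question above (who is the sender, from which client IP, and how many messages). The script below builds a few constructed rows in that layout, de-duplicates on MSGID (tracking logs write several events per message), and flags senders whose domain is not one the server is authoritative for. The column names follow Exchange 2003's tracking-log header but are treated as an assumption here, as is the local domain mydomain.com; the log rows and IP addresses are constructed.

```python
"""Aggregate Exchange 2003 message-tracking log rows by sender address.

Added example. Assumed layout: tab-delimited text whose '# ...' header line
names the columns (the names below follow Exchange 2003's tracking-log header;
treat the exact set as an assumption). All log rows are constructed.
"""
from collections import defaultdict

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: the domain this server accepts mail for

HEADER = "# " + "\t".join([
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
])


def _event(time, client_ip, rcpt, event_id, msgid, subject, sender):
    """Build one constructed tracking-log row (20 tab-separated fields)."""
    return "\t".join([
        "2011-2-18", time, client_ip, "-", "-", "SBS2003", "192.168.1.5",
        rcpt, event_id, msgid, "0", "0", "2201", "1", "2011-2-18 " + time,
        "0", "6.0.3790", "-", subject, sender,
    ])


# Constructed sample: five events covering four messages. The first two rows
# are two events for the same message, which the aggregation must count once.
SAMPLE_LOG = "\n".join([
    HEADER,
    _event("8:01:12 GMT", "203.0.113.7", "victim1@example.net", "1020",
           "<a1@sbs2003>", "Verify your account", "accounts@paypal.com"),
    _event("8:01:12 GMT", "203.0.113.7", "victim1@example.net", "1031",
           "<a1@sbs2003>", "Verify your account", "accounts@paypal.com"),
    _event("8:01:13 GMT", "203.0.113.7", "victim2@example.org", "1020",
           "<a2@sbs2003>", "Verify your account", "accounts@paypal.com"),
    _event("8:02:40 GMT", "203.0.113.7", "victim3@example.net", "1020",
           "<p1@sbs2003>", "Undeliverable", "postmaster@mydomain.com"),
    _event("9:15:40 GMT", "192.168.1.22", "bob@mydomain.com", "1020",
           "<b1@sbs2003>", "Lunch", "alice@mydomain.com"),
])


def parse_tracking_log(text):
    """Yield one dict per data row, keyed by the column names in the header."""
    columns = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            columns = raw.lstrip("# ").split("\t")
            continue
        if columns is None:
            raise ValueError("data row before header line")
        yield dict(zip(columns, raw.split("\t")))


def summarize_senders(text, local_domains=LOCAL_DOMAINS):
    """Return {sender: {"messages": n, "client_ips": set, "external": bool}}.

    'external' means the sender domain is not one of ours: such a message
    leaving this server is either spoofed local submission or a relay.
    """
    seen_msgids = set()
    summary = defaultdict(lambda: {"messages": 0, "client_ips": set(), "external": False})
    for row in parse_tracking_log(text):
        if row["MSGID"] in seen_msgids:
            continue
        seen_msgids.add(row["MSGID"])
        sender = row["Sender-Address"].lower()
        domain = sender.rpartition("@")[2]
        entry = summary[sender]
        entry["messages"] += 1
        entry["client_ips"].add(row["client-ip"])
        entry["external"] = domain not in local_domains
    return dict(summary)


def suspicious_senders(summary, max_per_sender=50):
    """Senders to investigate: external domains, or volume above the threshold.

    Sorted by message count (descending), then address, so the biggest
    source is listed first.
    """
    flagged = [s for s, e in summary.items()
               if e["external"] or e["messages"] > max_per_sender]
    return sorted(flagged, key=lambda s: (-summary[s]["messages"], s))


if __name__ == "__main__":
    summary = summarize_senders(SAMPLE_LOG)
    for sender in suspicious_senders(summary):
        e = summary[sender]
        print(f'{sender}: {e["messages"]} message(s) from {sorted(e["client_ips"])}')
```

On a real tracking file, read the file and pass its text to `summarize_senders`; the `client-ip` column is what separates an infected workstation on the LAN from an outside host that has authenticated to the SMTP virtual server.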
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34932356
If the senders are Postmaster - that suggests Recipient filtering isn't working or you use a 3rd party for anti-spam filtering and they are not Recipient Filtering.

If the senders are paypal.com then you could either have a local infection or have an authenticated relay going on.

I would change ALL passwords for ALL users as a precaution and restart the SMTP service.

Scan all your computers with something like malwarebytes (www.malwarebytes.org) and remove anything that is found.

A clean anti-virus scan doesn't mean you don't have anything!!

FYI - I am currently on holiday so replies won't be coming back as fast as usual!

Author Comment

by:svillardi
ID: 34942234
The problem seemed to stop over the weekend, but now it's back.  I do not know what to do.

Author Comment

by:svillardi
ID: 34942245
I cleaned everyone in the office with malwarebytes.  I ran virus scans.  We were fine over the weekend.  Postmaster@mycompany and paypal emails keep going out.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34942743
Have you read my article yet and increased the logging?

Author Comment

by:svillardi
ID: 34944856
Yes, and I came up GOLDEN!!  Thank you!

Now for the details:

The account is actually a service account used to allow printers to scan to the file server.  How is it possible that this was hacked?  Users do not generally know the username and password to set this up, but all of our scanners use the same domain account.

Please explain.

I have temporarily disabled the account.  I will change the password on it and re-enable.  Then will have to change all the printer settings.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34945096

Author Comment

by:svillardi
ID: 34994292
I do not understand how a brute force attack occurs.  Your article goes into how to stop the spam once it occurs, but how does it attack the firewall and get to the Exchange server?

I'm just about ready to close this one up, and I thank you for your assistance!
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34995768
A brute force attack is a user controlling a computer (usually not their own) that has a program on it that is told to try numerous username and password combinations until it finally gets one that fits.  If you have a weak password (one that can be found in a dictionary), then it won't take long to discover a password, plus if the password is a short one, then it also won't take long to crack either.

The stronger and longer your passwords, the less easy they will be to guess by a brute force attack and if you have account lockouts after a few invalid login attempts, then that will also slow down a would-be hacker.

The attack won't attack your firewall - it will find an open port, such as port 25 (SMTP) and then try using an email program (or a program such as telnet) to send millions of login attempts to your server.
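An added example, not part of the thread or of the expert's article: the attack described above (repeated AUTH attempts on port 25 until one succeeds, then relaying through the account that was guessed) leaves a recognisable trace in the SMTP virtual server's protocol log once logging is turned up. The script below parses constructed rows in the W3C extended format that the IIS/Exchange 2003 SMTP service writes, counts `535` replies to `AUTH` per client IP (the brute force), and then lists which authenticated account that same IP went on to send `MAIL FROM` with. The field list, the meaning assigned to `cs-method`, `cs-uri-query`, `sc-status` and `cs-username`, the account name SCANNER and all IP addresses are assumptions made for the example.

```python
"""Spot an SMTP AUTH brute force and the account it then relays through.

Added example. Input: W3C extended log rows as written by the IIS/Exchange
2003 SMTP virtual server with protocol logging enabled. Assumed mapping:
cs-method = SMTP verb, cs-uri-query = its argument, sc-status = reply code,
cs-username = the account once AUTH has succeeded. All rows are constructed.
"""
from collections import Counter, defaultdict

FIELDS_HEADER = ("#Fields: date time c-ip cs-username s-sitename s-computername s-ip "
                 "s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
                 "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
                 "cs(Cookie) cs(Referer)")

ATTACKER = "203.0.113.7"   # constructed external address
WORKSTATION = "192.168.1.22"  # constructed LAN client


def _line(time, ip, user, verb, arg, status):
    """One constructed W3C row: 21 space-separated fields, '-' where empty."""
    return " ".join(["2011-02-18", time, ip, user, "SMTPSVC1", "SBS2003",
                     "192.168.1.5", "25", verb, "-", arg, status,
                     "0", "0", "0", "0", "SMTP", "-", "-", "-", "-"])


# Six failed logins from one IP, then a success, then relayed mail with
# forged senders; a LAN user submitting mail without AUTH for contrast.
SAMPLE_LOG = "\n".join(
    [FIELDS_HEADER,
     _line("07:59:58", ATTACKER, "-", "EHLO", "+x", "250"),
     _line("07:59:58", ATTACKER, "-", "AUTH", "LOGIN", "334")]
    + [_line("08:00:%02d" % s, ATTACKER, "-", "AUTH", "LOGIN", "535") for s in range(6)]
    + [_line("08:01:05", ATTACKER, "SCANNER", "AUTH", "LOGIN", "235"),
       _line("08:01:06", ATTACKER, "SCANNER", "MAIL", "+FROM:<accounts@paypal.com>", "250"),
       _line("08:01:06", ATTACKER, "SCANNER", "RCPT", "+TO:<victim1@example.net>", "250"),
       _line("08:01:09", ATTACKER, "SCANNER", "MAIL", "+FROM:<postmaster@mydomain.com>", "250"),
       _line("09:15:39", WORKSTATION, "-", "MAIL", "+FROM:<alice@mydomain.com>", "250")]
)


def parse_smtp_log(text):
    """Return a list of dicts, one per data row, keyed by the #Fields names."""
    fields, rows = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if raw.startswith("#") or not raw.strip():
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        rows.append(dict(zip(fields, raw.split())))
    return rows


def auth_failures(rows):
    """Count 535 replies to AUTH per client IP: the brute-force signal."""
    failures = Counter()
    for r in rows:
        if r["cs-method"] == "AUTH" and r["sc-status"] == "535":
            failures[r["c-ip"]] += 1
    return failures


def relay_senders(rows):
    """Map (client IP, authenticated user) -> Counter of accepted MAIL FROM addresses.

    Rows with cs-username '-' are unauthenticated submissions and are skipped:
    the relay the thread describes only works after a successful AUTH.
    """
    senders = defaultdict(Counter)
    for r in rows:
        if r["cs-method"] != "MAIL" or r["sc-status"] != "250" or r["cs-username"] == "-":
            continue
        arg = r["cs-uri-query"].lstrip("+")  # IIS encodes the space after MAIL as '+'
        if arg.upper().startswith("FROM:"):
            arg = arg[len("FROM:"):]
        senders[(r["c-ip"], r["cs-username"])][arg.strip("<>").lower()] += 1
    return dict(senders)


def find_relay_abuse(text, fail_threshold=5):
    """Tie the brute force to the account it yielded."""
    rows = parse_smtp_log(text)
    brute = {ip: n for ip, n in auth_failures(rows).items() if n >= fail_threshold}
    senders = relay_senders(rows)
    abused = sorted(key for key in senders if key[0] in brute)
    return {"brute_force_ips": brute,
            "relay_accounts": senders,
            "accounts_used_after_brute_force": abused}


if __name__ == "__main__":
    report = find_relay_abuse(SAMPLE_LOG)
    for ip, user in report["accounts_used_after_brute_force"]:
        print(f"{ip} guessed '{user}' after {report['brute_force_ips'][ip]} failures; "
              f"sent as {dict(report['relay_accounts'][(ip, user)])}")
```

The account it names is the one to disable and re-password first; the `535` count per IP is also the number that an account-lockout policy, as suggested above, would have capped.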