giorgosy78

asked on

Sending massive amount of spam

Hi all

Today I received a call from one of my customers complaining that he is not able to send emails. He is running an Exchange 2003 server. As soon as I got there I checked the queues and saw thousands of spam messages waiting to be sent.
I created a dump Exchange SMTP connector and deleted more than 60000 spam messages. I have blocked port 25 on the firewall for all computers in the network, stopped the SMTP service on the Exchange server, turned off all the computers in the office, installed GFI Mail Security and Essentials for Exchange and did a full virus and malware scan on the server using Norton, Malwarebytes and SUPERAntiSpyware. Both GFI for Exchange and the virus and malware scan found nothing on the server.

As soon as I started the SMTP service I could see again in the queues massive amounts of spam trying to get through the dump SMTP Exchange connector.

I unplugged the server from the client's office and took it with me to my office lab. It's been 2 hours now that I am sending and receiving emails without any sign of spam leaving my server.

Can anybody give me a clue how I can observe the problem at the client's office?

Thanks
squirrelnuttz

When the SMTP queue was filling up, could you see what user account was sending it? Could be a virus on a client machine. Also, have you checked your SMTP relay settings? It's best practice to not run an open relay mail server.
ASKER CERTIFIED SOLUTION
Alan Hardisty

giorgosy78 (ASKER)

I could see from the logs of GFI Mail Security that every second the sender is someone with a different email address and the originating IP comes from random countries. As I said before, I have switched off all the computers in the network. Only the server was turned on. I have verified through mxtoolbox that the server is not a mail relay, and I have granted relay access only to the Exchange server, which is the only server in the office. This server has been running for 4 years without any problems.

This problem just started today and drives me crazy.
As I said, I have the server with me on a different WAN network with a different internet IP address and there are no problems with the server. I can send and receive emails without problems and without spam filling up the SMTP queue.

Could it be that someone is attacking the particular internet IP in the client's office? And if yes, how can I verify that?

Thanks

alanhardisty

I will try the steps you mention in your article tomorrow morning when I return the Exchange server to the customer's office and let you know. Thanks
You are an authenticated relay then!  One (or more) of your username / passwords has been compromised and my article will help you find out which account and what to do about it.
I would get onto the server asap as the longer you leave it - the bigger the problem and the more blacklists you will be on!!
Well the strange thing is that this problem happens only on the client's network.

I have brought the server with me to my lab office, which is a completely different network with a different ISP, and there are no signs of problems at all.

How can you explain this?
If the email is coming from outside on the WAN, then it would hit the email server while it was in your office, unless you changed your MX records to point to its new IP.
Would not hit, sorry.
If you have taken the server with you - the spammer doesn't know the IP address of the server and thus can't login to it to send spam.

This isn't an internal issue or a virus in the LAN, it is a compromised account.

If you don't have many users, change ALL the passwords and then put the server back and the problem will be solved (until they crack a password again).

Please also have a read of my blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
Well, that makes a lot of sense because recently an employee got fired from the company and I remember he was very pissed off.

Thanks for all the help, I'll see what I can do tomorrow.
It is unlikely to be your ex-employee but you never know.

FYI - I'm on holiday so am only around mornings and evenings.  It's 8:30pm for me now (Spanish time).
Thanks, it's 9:45pm now Cyprus time :)
Hello again

Today I brought the server back to the office, changed the passwords of all user accounts and turned on JUST the server itself. No computers were turned on. As soon as the server turned off, no signs of spam were shown filling up my SMTP queues. As soon as I turned on the computers the problem started again. I turned on each computer individually to see which is causing the problem, but to my surprise I noticed that with any computer I turn on, the problem starts.

When I checked the logs of GFI Mail Security I noticed that all emails were being sent from the same domain name. I have configured my Exchange 2003 to block this particular domain in the recipient filtering and sender filtering and the problem stopped!

What do you think of this? Any ideas?

Thanks
It sounds like you have a virus that is infecting ALL computers and I would recommend you run something like Malwarebytes on every computer and remove anything it finds.
Another important thing is that in the application event log, under MS Exchange Transport, I have this message coming every second:

"SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\Guest".

Does this mean the guest account is compromised?

As soon as I disabled the account, a log entry like the one below appeared and the above logs stopped coming.

An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x8007052e ( f:\titanium\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).
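An added example, not code from this thread or from the poster's server, showing how that event-log message can be turned into a detection: it parses the successful-authentication text quoted above, counts SMTP logins per account and per client name, and flags the Guest account (which should never be relaying mail) and any account authenticating unusually often or from many client names. The sample log lines are constructed, and the threshold of five logins per account is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Matches the MSExchangeTransport message text quoted in the thread.
AUTH_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.\s*'
    r'The authentication method was "(?P<method>[^"]+)" and the username was "(?P<user>[^"]+)"\.'
)

# Built-in accounts that should never authenticate to SMTP (Guest is the one abused above).
NEVER_EXPECTED = {"guest"}


def parse_auth_events(lines):
    """Yield (client, method, user) for each successful SMTP authentication message."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("client"), m.group("method"), m.group("user")


def find_abused_accounts(lines, max_per_user=5):
    """Return {user: {"count", "clients", "reasons"}} for accounts worth investigating."""
    counts = Counter()
    clients = defaultdict(set)
    for client, _method, user in parse_auth_events(lines):
        counts[user] += 1
        clients[user].add(client)
    suspicious = {}
    for user, n in counts.items():
        reasons = []
        if user.split("\\")[-1].lower() in NEVER_EXPECTED:
            reasons.append("built-in account should not relay mail")
        if n > max_per_user:  # assumed threshold; tune to the site's normal volume
            reasons.append(f"{n} logins exceeds threshold of {max_per_user}")
        if len(clients[user]) > 1:
            reasons.append(f"{len(clients[user])} distinct client names")
        if reasons:
            suspicious[user] = {"count": n, "clients": sorted(clients[user]), "reasons": reasons}
    return suspicious


def _auth_line(client, user, method="LOGIN"):
    # Builds a constructed log line in the same shape as the entry quoted in the thread.
    return (f'SMTP Authentication was performed successfully with client "{client}".  '
            f'The authentication method was "{method}" and the username was "{user}".')


# Constructed sample: a burst of Guest logins from two client names, one normal user, one unrelated line.
SAMPLE_LOG = ([_auth_line("wkimw36", "DOMAIN\\Guest")] * 4
              + [_auth_line("pc07", "DOMAIN\\Guest")] * 2
              + [_auth_line("OUTLOOK-PC", "DOMAIN\\jsmith")]
              + ['An internal EXPS function failed while communicating with "unknown".'])

if __name__ == "__main__":
    for user, info in find_abused_accounts(SAMPLE_LOG).items():
        print(user, info)
```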

That does tend to suggest that your guest account is the one being abused.  Any reason why it is enabled?  It is not a good idea to have it active and most servers have it disabled.
Still scan each and every computer.
Use Wireshark http://www.wireshark.org/download.html. Install it on the server and monitor network traffic; you can put IMF (Internet Message Format) in the filter so it will display only emails going through the network, then you should have no problem identifying the PC that is sending spam. That is how I resolved the same problem you have at my work.
Problem is - it sounds like they all are infected!
Well, after I disabled the GUEST account (I don't know who enabled this account) everything came back to normal.

Could it be that a virus can enable the guest account?

Anyway, I will perform a full Malwarebytes scan on all PCs, but at least we found what the problem was thanks to you alanhardisty, so you have all my points.

Thanks for all the help
Viruses can do all manner of things, but I would imagine that the account was enabled for another reason.

Glad things are looking happier now.

Alan