Solved

Sending massive amount of spam

Posted on 2011-02-21
Last Modified: 2012-05-11
Hi all

Today I received a call from one of my customers complaining that he is not able to send emails. He is running an Exchange 2003 server. As soon as I got there I checked the queues and saw thousands of spam messages waiting to be sent.
I created a dump Exchange SMTP connector and deleted more than 60000 spam messages. I have blocked port 25 on the firewall for all computers in the network, stopped the SMTP service on the Exchange server, turned off all the computers in the office, installed GFI MailSecurity and MailEssentials for Exchange and did a full virus and malware scan on the server using Norton, Malwarebytes and SUPERAntiSpyware. Neither GFI for Exchange nor the virus and malware scans found anything on the server.

As soon as I started the SMTP service I could see again in the queues massive amounts of spam trying to get through the dump SMTP Exchange connector.

I unplugged the server from the client's office and took it with me to my office lab. It's been 2 hours now that I am sending and receiving emails without any sign of spam leaving my server.

Can anybody give me a clue how I can observe the problem at the client's office?

Thanks
Question by:giorgosy78
22 Comments
 
LVL 2

Expert Comment

by:squirrelnuttz
ID: 34944518
When the SMTP queue was filling up, could you see what user account was sending it? Could be a virus on a client machine. Also, have you checked your SMTP relay settings? It's best practice to not run an open relay mail server.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34944611
0
 

Author Comment

by:giorgosy78
ID: 34944655
I could see from the logs of GFI MailSecurity that the sender is every second someone with a different email address and the originating IP comes from random countries. As I said before, I have switched off all the computers in the network. Only the server was turned on. I have verified through mxtoolbox that the server is not a mail relay and granted relay access only to the Exchange server, which is the only server in the office. This server has been running for 4 years without any problems.

This problem just started today and drives me crazy.
As I said, I have the server with me on a different WAN network with a different internet IP address and there are no problems with the server. I can send and receive emails without problems and without spam filling up the SMTP queue.

Could it be that someone is attacking the particular internet IP in the client's office? And if yes, how can I verify that?

Thanks

0

 

Author Comment

by:giorgosy78
ID: 34944760
alanhardisty

I will try the steps you mention in your article tomorrow morning when i return the exchange server back to the customer's office and let you know. Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34944766
You are an authenticated relay then!  One (or more) of your username / passwords has been compromised and my article will help you find out which account and what to do about it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34944782
I would get onto the server asap as the longer you leave it - the bigger the problem and the more blacklists you will be on!!
0
 

Author Comment

by:giorgosy78
ID: 34944868
Well the strange thing is that this problem happens only on the client's network.

I have brought the server with me in my lab office which is a completely different network with different ISP and there are no signs of problems at all.

How can you explain this?
0
 
LVL 2

Expert Comment

by:squirrelnuttz
ID: 34944957
If the email is coming from outside on the WAN, then it would hit the email server while it was in your office, unless you changed your MX records to point to its new IP.
0
 
LVL 2

Expert Comment

by:squirrelnuttz
ID: 34944963
would not hit sorry
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34945052
If you have taken the server with you - the spammer doesn't know the IP address of the server and thus can't login to it to send spam.

This isn't an internal issue or a virus in the LAN, it is a compromised account.

If you don't have many users, change ALL the passwords and then put the server back and the problem will be solved (until they crack a password again).

Please also have a read of my blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:giorgosy78
ID: 34945776
Well that makes a lot of sense because recently an employee got fired from the company and i remember he was very pissed off.

Thanks for all help, i 'll see what i can do tomorrow
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34945796
It is unlikely to be your ex-employee but you never know.

FYI - I'm on holiday so am only around mornings and evenings.  It's 8:30pm for me now (Spanish time).
0
 

Author Comment

by:giorgosy78
ID: 34945870
Thanks its 9:45pm now Cyprus time :)
0
 

Author Comment

by:giorgosy78
ID: 34949356
Hello again

Today I brought the server back to the office, changed the passwords of all user accounts and turned on JUST the server itself. No computers were turned on. As soon as the server turned off, no signs of spam were shown filling up my SMTP queues. As soon as I turned on the computers, the problem started again. I turned on each computer individually to see which is causing the problem, but to my surprise I noticed that whichever computer I turn on, the problem starts.

When I checked the logs of GFI MailSecurity I noticed that all emails were being sent from the same domain name. I have configured my Exchange 2003 to block this particular domain in the recipient filtering and sender filtering and the problem stopped!

What do you think of this? Any ideas?

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949381
It sounds like you have a virus that is infecting ALL computers and I would recommend you run something like Malwarebytes on every computer and remove anything it finds.
0
 

Author Comment

by:giorgosy78
ID: 34949406
Another important thing is that on the application event log and ms exchange transport i have this message coming every second

"SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\Guest".

Does this mean the guest account is compromised?

As soon as i disabled the account a log came like the one below and the above logs stopped coming.

An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x8007052e ( f:\titanium\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).

0
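The event quoted above is the kind of record a defender wants to sweep in bulk rather than read one at a time. The following is an added example, not code from the thread or from Exchange: it parses that "SMTP Authentication was performed successfully" message shape, counts successful SMTP logons per account, and flags accounts that should never authenticate to SMTP (Guest, for instance) or that appear from an unusual number of distinct client names. The sample events and the `NEVER_EXPECTED` list are constructed assumptions to adapt to your own domain.

```python
import re
from collections import Counter, defaultdict

# Shape of the Exchange 2003 transport event quoted in the thread.
EVENT_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.\s+'
    r'The authentication method was "(?P<method>[^"]+)" and the username was "(?P<user>[^"]+)"\.?'
)

# Accounts that should never authenticate to SMTP (assumption: tune to your domain).
NEVER_EXPECTED = {"guest", "krbtgt", "administrator"}


def parse_smtp_auth_event(message):
    """Return (client, method, username) or None if the text is not this event."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    return m.group("client"), m.group("method"), m.group("user")


def suspicious_accounts(messages, max_clients=3):
    """Count successful SMTP logons per account and flag accounts that are
    disallowed by policy or seen from more than max_clients distinct client names."""
    clients = defaultdict(set)
    counts = Counter()
    for msg in messages:
        parsed = parse_smtp_auth_event(msg)
        if parsed is None:
            continue  # unrelated event text, e.g. the EXPS failure line
        client, _method, user = parsed
        counts[user] += 1
        clients[user].add(client)
    flagged = {}
    for user, n in counts.items():
        sam = user.split("\\")[-1].lower()  # strip the DOMAIN\ prefix
        reasons = []
        if sam in NEVER_EXPECTED:
            reasons.append("account should not authenticate to SMTP")
        if len(clients[user]) > max_clients:
            reasons.append(f"{len(clients[user])} distinct client names")
        if reasons:
            flagged[user] = {"logons": n, "clients": sorted(clients[user]), "reasons": reasons}
    return flagged


def _event(client, user, method="LOGIN"):
    """Build a constructed sample line in the same shape as the quoted event."""
    return (f'SMTP Authentication was performed successfully with client "{client}".  '
            f'The authentication method was "{method}" and the username was "{user}".')


# Constructed sample events modelled on the quoted one (not real log data).
SAMPLE_EVENTS = [_event(c, "DOMAIN\\Guest") for c in ("wkimw36", "pc-sales2", "laptop07", "wkimw36", "reception")]
SAMPLE_EVENTS += [_event("pc-giorgos", "DOMAIN\\giorgos"), _event("pc-maria", "DOMAIN\\maria"),
                  'An internal EXPS function failed while communicating with "unknown".']
```

Running `suspicious_accounts(SAMPLE_EVENTS)` on the constructed input reports only `DOMAIN\Guest`, with both reasons attached; the two ordinary users are left alone.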
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949424
That does tend to suggest that your guest account is the one being abused.  Any reason why it is enabled?  It is not a good idea to have it active and most servers have it disabled.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949428
Still scan each and every computer.
0
 
LVL 5

Expert Comment

by:skrga
ID: 34949460
Use Wireshark (http://www.wireshark.org/download.html). Install it on the server and monitor network traffic; you can put IMF (Internet Message Format) in the filter so it will display only e-mails going through the network, then you should not have a problem identifying the PC that is sending spam. That is how I resolved the same problem you have at my work.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949462
Problem is - it sounds like they all are infected!
0
 

Author Comment

by:giorgosy78
ID: 34949572
Well, after I disabled the GUEST account (I don't know who enabled this account) everything came back to normal.

Could it be that a virus can enable the guest account?

Anyway, I will perform a full Malwarebytes scan on all PCs, but at least we found what the problem was thanks to you alanhardisty, so you have all my points.

Thanks for all help
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34949582
Viruses can do all manner of things, but I would imagine that the account was enabled for another reason.

Glad things are looking happier now.

Alan
0
