  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1315
  • Last Modified:

Sending massive amount of spam

Hi all

Today I received a call from one of my customers complaining that he is not able to send emails. He's running an Exchange 2003 server. As soon as I got there I checked the queues and saw thousands of spam messages waiting to be sent.
I created a dump Exchange SMTP connector and deleted more than 60,000 spam messages. I have blocked port 25 on the firewall for all computers in the network, stopped the SMTP service on the Exchange server, turned off all the computers in the office, installed GFI MailSecurity and MailEssentials for Exchange and did a full virus and malware scan on the server using Norton, Malwarebytes and SUPERAntiSpyware. Both GFI for Exchange and the virus and malware scans found nothing on the server.

As soon as I started the SMTP service I could again see massive amounts of spam in the queues trying to get through the dump SMTP Exchange connector.

I unplugged the server from the client's office and took it with me to my office lab. It's been 2 hours now that I am sending and receiving emails without any sign of spam leaving my server.

Can anybody give me a clue how I can observe the problem at the client's office?

Thanks
0
Asked by: giorgosy78
1 Solution
 
squirrelnuttzCommented:
When the SMTP queue was filling up, could you see what user account was sending it? Could be a virus on a client machine. Also, have you checked your SMTP relay settings? It's best practice to not run an open relay mail server.
0
 
giorgosy78Author Commented:
I could see from the logs of GFI MailSecurity that every second the sender is someone with a different email address and the originating IP comes from random countries. As I said before, I have switched off all the computers in the network. Only the server was turned on. I have verified through MXToolbox that the server is not a mail relay, and relay access is granted only to the Exchange server, which is the only server in the office. This server has been running for 4 years without any problems.

This problem just started today and drives me crazy.
As I said, I have the server with me on a different WAN network with a different internet IP address and there are no problems with the server. I can send and receive emails without problems and without spam filling up the SMTP queue.

Could it be that someone is attacking the particular internet IP at the client's office? And if yes, how can I verify that?

Thanks

0
 
giorgosy78Author Commented:
alanhardisty

I will try the steps you mention in your article tomorrow morning when I return the Exchange server to the customer's office and let you know. Thanks
0
 
Alan HardistyCommented:
You are an authenticated relay then!  One (or more) of your username / passwords has been compromised and my article will help you find out which account and what to do about it.
0
 
Alan HardistyCommented:
I would get onto the server asap as the longer you leave it - the bigger the problem and the more blacklists you will be on!!
0
 
giorgosy78Author Commented:
Well the strange thing is that this problem happens only on the client's network.

I have brought the server with me in my lab office which is a completely different network with different ISP and there are no signs of problems at all.

How can you explain this?
0
 
squirrelnuttzCommented:
If the email is coming from outside on the WAN, then it would hit the email server while it was in your office, unless you changed your MX records to point to its new IP.
0
 
squirrelnuttzCommented:
Would not hit, sorry.
0
 
Alan HardistyCommented:
If you have taken the server with you - the spammer doesn't know the IP address of the server and thus can't login to it to send spam.

This isn't an internal issue or a virus in the LAN, it is a compromised account.

If you don't have many users, change ALL the passwords and then put the server back and the problem will be solved (until they crack a password again).

Please also have a read of my blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 
giorgosy78Author Commented:
Well, that makes a lot of sense because recently an employee got fired from the company and I remember he was very pissed off.

Thanks for all the help, I'll see what I can do tomorrow.
0
 
Alan HardistyCommented:
It is unlikely to be your ex-employee but you never know.

FYI - I'm on holiday so am only around mornings and evenings.  It's 8:30pm for me now (Spanish time).
0
 
giorgosy78Author Commented:
Thanks, it's 9:45pm now Cyprus time :)
0
 
giorgosy78Author Commented:
Hello again

Today I brought the server back to the office, changed the passwords of all user accounts and turned on JUST the server itself. No computers were turned on. As soon as the server turned off, no signs of spam were shown filling up my SMTP queues. As soon as I turned on the computers the problem started again. I turned on each computer individually to see which is causing the problem, but to my surprise I noticed that whichever computer I turn on, the problem starts.

When I checked the logs of GFI MailSecurity I noticed that all emails were being sent from the same domain name. I have configured my Exchange 2003 to block this particular domain in recipient filtering and sender filtering and the problem stopped!

What do you think of this? Any ideas?

Thanks
0
 
Alan HardistyCommented:
It sounds like you have a virus that is infecting ALL computers and I would recommend you run something like Malwarebytes on every computer and remove anything it finds.
0
 
giorgosy78Author Commented:
Another important thing is that in the application event log, under MS Exchange Transport, I have this message coming every second:

"SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\Guest".

Does this mean the guest account is compromised?

As soon as I disabled the account, a log entry like the one below appeared and the above entries stopped coming.

An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x8007052e ( f:\titanium\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).

0
 
Alan HardistyCommented:
That does tend to suggest that your guest account is the one being abused.  Any reason why it is enabled?  It is not a good idea to have it active and most servers have it disabled.
0
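The event quoted above is the kind of record a defender would sift to find which account is being abused for authenticated relay. The following Python script is an added example, not code from the thread or from any of its participants: it parses MSExchangeTransport-style "SMTP Authentication was performed successfully" messages, groups them per account, and flags the built-in Guest account and any account authenticating at an abnormal rate. The message format is taken from the quoted event; the timestamps, the `PC-RECEPTION` client, the `jsmith` user and the rate threshold are constructed assumptions for this example.

```python
import re
from datetime import datetime

# Regex for the MSExchangeTransport success message quoted in the thread.
# Note the double space after the first full stop, hence \s+.
AUTH_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.\s+'
    r'The authentication method was "(?P<method>[^"]+)" and the username was "(?P<user>[^"]+)"\.'
)


def _auth_msg(client, user, method="LOGIN"):
    """Build a message in the exact wording Exchange 2003 logs (helper for the sample data)."""
    return (f'SMTP Authentication was performed successfully with client "{client}".  '
            f'The authentication method was "{method}" and the username was "{user}".')


# Constructed sample events (timestamp, message). Six Guest logins in five seconds
# mimic the "every second" pattern from the thread; jsmith is a made-up normal user;
# the EXPS line is an unrelated event the parser must skip.
SAMPLE_EVENTS = [(f"2011-01-10 09:00:0{i}", _auth_msg("wkimw36", "DOMAIN\\Guest")) for i in range(6)]
SAMPLE_EVENTS += [
    ("2011-01-10 09:02:30", _auth_msg("PC-RECEPTION", "DOMAIN\\jsmith")),
    ("2011-01-10 09:12:30", _auth_msg("PC-RECEPTION", "DOMAIN\\jsmith")),
    ("2011-01-10 09:05:00", 'An internal EXPS function failed while communicating with "unknown".'),
]


def parse_auth_event(message):
    """Return {'client', 'method', 'user'} for a successful SMTP AUTH event, else None."""
    m = AUTH_RE.search(message)
    return m.groupdict() if m else None


def summarize(events):
    """Group successful SMTP AUTH events by account: count, distinct clients, methods, time span."""
    summary = {}
    for stamp, message in events:
        parsed = parse_auth_event(message)
        if parsed is None:
            continue  # not an authentication event
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        entry = summary.setdefault(parsed["user"], {
            "count": 0, "clients": set(), "methods": set(), "first": when, "last": when,
        })
        entry["count"] += 1
        entry["clients"].add(parsed["client"])
        entry["methods"].add(parsed["method"])
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary


def events_per_minute(entry):
    """Authentication rate for one account; the window is floored at one minute."""
    span_minutes = (entry["last"] - entry["first"]).total_seconds() / 60.0
    return entry["count"] / max(span_minutes, 1.0)


def flag_suspicious(summary, never_login=("guest",), max_per_minute=5.0):
    """Return {account: [reasons]} for accounts that should not be relaying mail at all
    or that authenticate far more often than a human user would."""
    findings = {}
    for user, entry in summary.items():
        reasons = []
        sam_name = user.rsplit("\\", 1)[-1].lower()  # strip the DOMAIN\ prefix
        if sam_name in never_login:
            reasons.append("built-in account that should never authenticate to SMTP")
        rate = events_per_minute(entry)
        if rate > max_per_minute:
            reasons.append(f"{rate:.1f} AUTH events per minute from {len(entry['clients'])} client(s)")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in flag_suspicious(summarize(SAMPLE_EVENTS)).items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

On a live Exchange 2003 server the same logic applies to the MSExchangeTransport entries exported from the Application event log; once the account is identified, disabling it (as the author did with Guest) and resetting passwords stops the relay while the client machines are cleaned.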
 
Alan HardistyCommented:
Still scan each and every computer.
0
 
skrgaCommented:
Use Wireshark http://www.wireshark.org/download.html. Install it on the server and monitor network traffic; you can put IMF (Internet Message Format) in the filter so it will display only e-mails going through the network, then you should not have a problem identifying the PC that is sending spam. That is how I resolved the same problem you have at my work.
0
 
Alan HardistyCommented:
Problem is - it sounds like they all are infected!
0
 
giorgosy78Author Commented:
Well, after I disabled the GUEST account (I don't know who enabled this account) everything came back to normal.

Could it be that a virus can enable the guest account?

Anyway, I will perform a full Malwarebytes scan on all PCs, but at least we found what the problem was thanks to you alanhardisty, so you have all my points.

Thanks for all the help
0
 
Alan HardistyCommented:
Viruses can do all manner of things, but I would imagine that the account was enabled for another reason.

Glad things are looking happier now.

Alan
0
