Solved

Sending massive amount of spam

Posted on 2011-02-21
22
1,299 Views
Last Modified: 2012-05-11
Hi all

Today I received a call from one of my customers complaining that he is not able to send emails. He's running an Exchange 2003 server. As soon as I got there I checked the queues and saw thousands of spam messages waiting to be sent.
I created a dummy Exchange SMTP connector and deleted more than 60000 spam messages. I have blocked port 25 on the firewall for all computers in the network, stopped the SMTP service on the Exchange server, turned off all the computers in the office, installed GFI MailSecurity and MailEssentials for Exchange and did a full virus and malware scan on the server using Norton, Malwarebytes and SUPERAntiSpyware. Both GFI for Exchange and the virus and malware scan found nothing on the server.

As soon as I started the SMTP service I could again see massive amounts of spam in the queues trying to get through the dummy SMTP Exchange connector.

I unplugged the server from the client's office and took it with me to my office lab. It's been 2 hours now that I have been sending and receiving emails without any sign of spam leaving my server.

Can anybody give me a clue how I can observe the problem at the client's office?

Thanks
0
Question by:giorgosy78
22 Comments
 
LVL 2

Expert Comment

by:squirrelnuttz
When the SMTP queue was filling up, could you see what user account was sending it? Could be a virus on a client machine. Also, have you checked your SMTP relay settings? It's best practice not to run an open relay mail server.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
0
 

Author Comment

by:giorgosy78
I could see from the logs of GFI MailSecurity that the sender is every second someone with a different email address and the originating IP comes from random countries. As I said before, I have switched off all the computers in the network. Only the server was turned on. I have verified that the server is not a mail relay through MXToolbox and granted access for relay only to the Exchange server, which is the only server in the office. This server has been running for 4 years without any problems.

This problem just started today and drives me crazy.
As I said, I have the server with me on a different WAN network with a different internet IP address and there are no problems with the server. I can send and receive emails without problems and without spam filling up the SMTP queue.

Could it be that someone is attacking the particular internet IP in the client's office? And if yes, how can I verify that?

Thanks

0
 

Author Comment

by:giorgosy78
alanhardisty

I will try the steps you mention in your article tomorrow morning when I return the Exchange server to the customer's office and let you know. Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
You are an authenticated relay then!  One (or more) of your usernames / passwords has been compromised and my article will help you find out which account and what to do about it.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I would get onto the server ASAP as the longer you leave it, the bigger the problem and the more blacklists you will be on!!
0
 

Author Comment

by:giorgosy78
Well, the strange thing is that this problem happens only on the client's network.

I have brought the server with me to my lab office, which is a completely different network with a different ISP, and there are no signs of problems at all.

How can you explain this?
0
 
LVL 2

Expert Comment

by:squirrelnuttz
If the email is coming from outside on the WAN, then it would hit the email server while it was in your office, unless you changed your MX records to point to its new IP.
0
 
LVL 2

Expert Comment

by:squirrelnuttz
Would not hit, sorry.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
If you have taken the server with you, the spammer doesn't know the IP address of the server and thus can't log in to it to send spam.

This isn't an internal issue or a virus in the LAN, it is a compromised account.

If you don't have many users, change ALL the passwords and then put the server back and the problem will be solved (until they crack a password again).

Please also have a read of my blogs:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:giorgosy78
Well, that makes a lot of sense because recently an employee got fired from the company and I remember he was very pissed off.

Thanks for all the help, I'll see what I can do tomorrow.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
It is unlikely to be your ex-employee but you never know.

FYI - I'm on holiday so am only around mornings and evenings.  It's 8:30pm for me now (Spanish time).
0
 

Author Comment

by:giorgosy78
Thanks, it's 9:45pm now Cyprus time :)
0
 

Author Comment

by:giorgosy78
Hello again

Today I brought the server back to the office, changed the passwords of all user accounts and turned on JUST the server itself. No computers were turned on. As soon as the server turned off, no signs of spam were seen filling up my SMTP queues. As soon as I turned on the computers the problem started again. I turned on each computer individually to see which is causing the problem but, to my surprise, I noticed that whichever computer I turn on, the problem starts.

When I checked the logs of GFI MailSecurity I noticed that all emails were being sent from the same domain name. I have configured my Exchange 2003 to block this particular domain in the recipient filtering and sender filtering and the problem stopped!

What do you think of this? Any ideas?

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
It sounds like you have a virus that is infecting ALL computers and I would recommend you run something like Malwarebytes on every computer and remove anything it finds.
0
 

Author Comment

by:giorgosy78
Another important thing is that in the application event log, under MS Exchange Transport, I have this message coming every second:

"SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\Guest".

Does this mean the Guest account is compromised?

As soon as I disabled the account, a log entry like the one below appeared and the above entries stopped coming.

An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x8007052e ( f:\titanium\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).

0
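The two event texts quoted in this post are the detection signal for the whole thread: a successful SMTP AUTH as DOMAIN\Guest every second, then clear-text logon failures (0x8007052e) once the account is disabled. As an added example, not the asker's code and not anything shipped by Exchange or GFI, the Python script below parses constructed log lines in that shape, counts successful SMTP logons per account and per client host, flags built-in accounts that should never authenticate to SMTP as well as any account logging on in bursts, and tallies the failures. The leading ISO timestamp on each line, the host names other than wkimw36, and the NEVER_RELAY set are assumptions.

```python
"""Triage Exchange 2003 SMTP authentication events for relay abuse.

Added example for this thread, not code from the asker or from Exchange.
It parses constructed log lines shaped like the MSExchangeTransport
events quoted above and reports which accounts and client hosts are
authenticating to SMTP, how often, and whether any of them are accounts
that should never relay mail (the Guest account, in this case).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Message text as quoted in the thread. The leading ISO timestamp is an
# assumed export format (e.g. Event Viewer "Save as" text, one event per line).
AUTH_OK = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.'
    r'\s+The authentication method was "(?P<method>[^"]+)"'
    r' and the username was "(?P<user>[^"]+)"'
)
# 0x8007052e is the Win32 logon-failure code: wrong password or, as in the
# thread, a disabled account. It is what appeared once Guest was switched off.
AUTH_FAIL = re.compile(
    r'"HrCheckClearTextLogin" which failed with error code (?P<code>0x[0-9A-Fa-f]+)'
)

# Built-in accounts that have no business authenticating to SMTP at all (assumed list).
NEVER_RELAY = {"guest", "administrator", "krbtgt"}

# Constructed sample: three Guest logons in two seconds from one PC, one more
# from a second PC, one legitimate user, then the failure seen after disabling Guest.
SAMPLE_LOG = """\
2011-02-22T09:00:01 SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\\Guest".
2011-02-22T09:00:02 SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\\Guest".
2011-02-22T09:00:02 SMTP Authentication was performed successfully with client "wkimw36".  The authentication method was "LOGIN" and the username was "DOMAIN\\Guest".
2011-02-22T09:00:03 SMTP Authentication was performed successfully with client "pc-sales03".  The authentication method was "LOGIN" and the username was "DOMAIN\\Guest".
2011-02-22T09:05:10 SMTP Authentication was performed successfully with client "pc-maria".  The authentication method was "NTLM" and the username was "DOMAIN\\maria".
2011-02-22T09:06:00 An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x8007052e ( f:\\titanium\\transmt\\src\\smtpsink\\exps\\expslib\\authctx.cpp@803 ).
"""


def parse_line(line):
    """Return (timestamp, kind, fields) or None for lines we don't recognise."""
    ts_str, _, body = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str)
    except ValueError:
        return None
    m = AUTH_OK.search(body)
    if m:
        return ts, "ok", m.groupdict()
    m = AUTH_FAIL.search(body)
    if m:
        return ts, "fail", m.groupdict()
    return None


def summarise(log_text, window=timedelta(seconds=60), threshold=3):
    """Aggregate successful SMTP logons per user and per client and flag abuse."""
    by_user, by_client, failures = Counter(), Counter(), Counter()
    stamps = defaultdict(list)   # user -> logon timestamps
    clients = defaultdict(set)   # user -> client host names seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, f = parsed
        if kind == "fail":
            failures[f["code"]] += 1
            continue
        user = f["user"].rsplit("\\", 1)[-1].lower()   # DOMAIN\Guest -> guest
        by_user[user] += 1
        by_client[f["client"]] += 1
        stamps[user].append(ts)
        clients[user].add(f["client"])

    alerts = []
    for user, n in by_user.items():
        hosts = ", ".join(sorted(clients[user]))
        if user in NEVER_RELAY:
            alerts.append(f"{user}: {n} SMTP logon(s) from {hosts}; this account should never relay mail")
        # Sliding window: `threshold` logons inside `window` is a spam run, not a person.
        times = sorted(stamps[user])
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(f"{user}: {threshold}+ logons within {int(window.total_seconds())}s from {hosts}")
                break
    return {"by_user": by_user, "by_client": by_client, "failures": failures, "alerts": alerts}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    for key in ("by_user", "by_client", "failures"):
        print(key, dict(report[key]))
    for alert in report["alerts"]:
        print("ALERT:", alert)
```

On a real Exchange 2003 server the same lines come out of the Application log (source MSExchangeTransport); export it as text, feed it to summarise(), and a built-in account or any user authenticating several times a second from workstations is the account to disable and re-password first, before hunting the infected PCs.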
 
LVL 76

Expert Comment

by:Alan Hardisty
That does tend to suggest that your guest account is the one being abused.  Any reason why it is enabled?  It is not a good idea to have it active and most servers have it disabled.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Still scan each and every computer.
0
 
LVL 5

Expert Comment

by:skrga
Use Wireshark (http://www.wireshark.org/download.html). Install it on the server and monitor network traffic. You can put IMF (Internet Message Format) in the filter so it will display only e-mails going through the network; then you should not have a problem identifying the PC that is sending spam. That is how I resolved the same problem you have at my work.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Problem is - it sounds like they all are infected!
0
 

Author Comment

by:giorgosy78
Well, after I disabled the GUEST account (I don't know who enabled this account) everything came back to normal.

Could it be that a virus can enable the Guest account?

Anyway, I will perform a full Malwarebytes scan on all PCs, but at least we found what the problem was thanks to you, alanhardisty, so you have all my points.

Thanks for all the help
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Viruses can do all manner of things, but I would imagine that the account was enabled for another reason.

Glad things are looking happier now.

Alan
0
