SBS 2003 Exchange server being ATTACKED by users in current session under smtp connector

Hello Experts!
I've had a hell of a past 24 hours trying to figure out what is going on.
My Exchange server has been working beautifully for the past 4-5 years.
I THOUGHT everything was locked down nicely until yesterday, when I saw the queue with 19,000 emails...
My server is not an open relay. They're getting in some other way.
What I see is that under the current sessions in the SMTP connector, there are (for the first time) users with static IPs. I blocked them in the connection properties by selecting "all except the below" and I put in the static IPs of the attackers. That worked for 30-60 min, and then there's a new set of IPs... but it's always the same IP listed about 10 times.

I'm at a loss. I've followed various steps I've found in Microsoft KB, but nothing seems to help.
Alan Hardisty commented:
When the dust has settled, please have a read of my two blog articles too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

You can also empty the queues very quickly of the spam by using aqadmcli.exe, which can be downloaded from the link in the following page (with usage instructions):

http://community.spiceworks.com/how_to/show/267

Alan
pk24573 (Author) commented:
I'm reading as we speak..
THANKS FOR THE QUICK REPLY...
And it does sound like it's an authenticated relay !@#$!@#$
Alan Hardisty commented:
Simple fix - disable Basic & Integrated Auth on your SMTP Virtual Server and restart SMTP Service.

Then reset everyone's password to long, strong, complicated ones and if you need to, add the Basic & Integrated Auth permissions back.
pk24573 (Author) commented:
Questions:

1) In my scenario I need sender filtering, correct? (Someone is logging into my server somehow and sending emails.)
2) How in the world is this happening... how are they logging in and sending the emails? Is it as simple as someone finding out a password?
pk24573 (Author) commented:
I quickly went for the simple fix, disabling the Basic & Integrated Authentication; however, I left the anonymous authentication checked. Should I disable that as well, because I'm still receiving random users under current users?
Alan Hardisty commented:
Questions:

>> 1) in my scenario i need sender filtering correct? (someone is logging into my server somehow and sending emails) <<

Sender filtering is not going to help because the hacker / spammer has a username and password and is therefore a 'trusted' sender and will bypass all Anti-Spam checking you might make.

>> 2) how in the world is this happening...how are they logging in and sending the emails. is it as simple as someone finding out a password? <<

My blog about Brute Force Attacks should explain it a bit but basically a computer or computers out in the world have been systematically trying various combinations of username / passwords until they find one that works.  Once they find one that works - you start having your server abused.

Once you have resolved the issue - you will need to de-list yourself on the various blacklist sites:

www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org will help identify the regular ones, but you may need to contact the ones that don't drop off after a while.  Some are fairly quick to de-list you - others take about 4 weeks - some don't accept de-listing requests - some demand a small amount of money (don't pay unless you are suffering big time).

If you don't have external users sending mail to your server via SMTP then keep the Authentication on your SMTP Virtual Server to Anonymous only - then the problem won't happen again for the same reason.

Long and the short - someone has a weak password and it was guessed.  My blog advises what you can do to tighten up security to try and prevent it from happening again.

Alan
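As an added example (not from the thread, Exchange, or Alan's blog), the following Python script shows what "systematically trying various combinations of username / passwords" looks like in an SMTP protocol log and which account to reset first. The log layout, field names and sample lines are constructed assumptions, not Exchange's real W3C log format.

```python
"""Flag SMTP AUTH brute forcing and the account that finally got guessed.
Added example for this thread, not code from the post or from Exchange.
Input is a constructed, simplified protocol log, one SMTP command per line:
    date time client-ip username verb reply-code
Exchange 2003 SMTP virtual server logs are W3C extended format with more
fields, so adapt parse_line() to your export. Reply codes are the standard
SMTP AUTH ones: 235 = authenticated, 535 = bad credentials.
"""
from collections import defaultdict

# Constructed sample: one host walks through usernames until one works,
# then starts relaying; the second host is a legitimate authenticated user.
SAMPLE_LOG = """\
2010-12-01 09:00:01 198.51.100.7 admin AUTH 535
2010-12-01 09:00:02 198.51.100.7 administrator AUTH 535
2010-12-01 09:00:03 198.51.100.7 sales AUTH 535
2010-12-01 09:00:04 198.51.100.7 jsmith AUTH 535
2010-12-01 09:00:05 198.51.100.7 jsmith AUTH 235
2010-12-01 09:00:06 198.51.100.7 jsmith MAIL 250
2010-12-01 09:05:00 203.0.113.9 bwilliams AUTH 235
"""

FAILURE_THRESHOLD = 4  # failed AUTHs from one IP before we call it brute force

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    date, time, ip, user, verb, code = parts
    return {"ts": date + " " + time, "ip": ip, "user": user,
            "verb": verb, "code": int(code)}

def analyse(log_text, threshold=FAILURE_THRESHOLD):
    """Count AUTH outcomes per client IP; flag sources and guessed accounts."""
    failed = defaultdict(int)     # ip -> number of 535 replies
    succeeded = defaultdict(set)  # ip -> usernames that received a 235
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["verb"] != "AUTH":
            continue
        if rec["code"] == 535:
            failed[rec["ip"]] += 1
        elif rec["code"] == 235:
            succeeded[rec["ip"]].add(rec["user"])
    brute = {ip for ip, n in failed.items() if n >= threshold}
    # An account that authenticated from a brute-forcing IP is the one to reset first.
    guessed = {u for ip in brute for u in succeeded.get(ip, ())}
    return {"brute_force_ips": sorted(brute), "guessed_accounts": sorted(guessed)}
```

Blocking the IP, as the question describes, only buys time; the guessed account keeps working from the next source until its password is changed.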
pk24573 (Author) commented:
1) I've disabled the authentication as you mentioned in the SMTP virtual server.
2) I've applied the sender filtering.

Results:

The queue has stopped filling up; however, the current users under the SMTP virtual server still exist.

Because I did have "tight" controls on the server, the spam wasn't being sent out. It was just filling up my queue, and in turn my HDDs.

When you say external users, you mean users of ActiveSync and POP, correct? Does it include OWA users as well?
I'm sending test emails from a domain user using OWA and the email isn't being sent... (I'm assuming this is a result of the authentication settings)?

Thanks,
Alan Hardisty commented:
If you restart the SMTP service - the current users under the SMTP service will get disconnected, but once it starts again, only anonymous users can send you mail, which is fine.

By external users I only mean SMTP / POP users.  Activesync / OWA uses HTTPS so won't be affected.

What I have suggested should not affect outbound mail at all - only incoming mail.
pk24573 (Author) commented:
Very thorough!