Solved

SBS 2003 Exchange server being ATTACKED by users in current session under smtp connector

Posted on 2011-03-02
Last Modified: 2012-05-11
Hello Experts!
I've had a hell of a past 24 hours trying to figure out what is going on.
My Exchange server has been working beautifully for the past 4-5 years.
I THOUGHT everything was locked down nicely until yesterday, when I saw the queue with 19,000 emails...
My server is not an open relay. They're getting in some other way.
What I see is that under the current sessions in the SMTP connector, there are (for the first time) users with static IPs. I blocked them in the connection properties by selecting "all except the below" and I put in the static IPs of the attackers. That worked for 30-60 min, and then there's a new set of IPs, but it's always the same IP listed about 10 times.

I'm at a loss. I've followed various steps I've found in the Microsoft KB, but nothing seems to help.
Question by: pk24573

Expert Comment by: Alan Hardisty (ID: 35020008)

Expert Comment by: Alan Hardisty (ID: 35020021)
When the dust has settled, please have a read of my two blog articles too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

You can also empty the queues of the spam very quickly by using aqadmcli.exe, which can be downloaded from the link on the following page (with usage instructions):

http://community.spiceworks.com/how_to/show/267

Alan

Author Comment by: pk24573 (ID: 35020094)
I'm reading as we speak...
THANKS FOR THE QUICK REPLY...
And it does sound like it's an authenticated relay !@#$!@#$

Accepted Solution by: Alan Hardisty, earned 500 total points (ID: 35020127)
Simple fix - disable Basic & Integrated Auth on your SMTP Virtual Server and restart SMTP Service.

Then reset everyone's password to long, strong, complicated ones and if you need to, add the Basic & Integrated Auth permissions back.

Author Comment by: pk24573 (ID: 35020181)
Questions:

1) In my scenario I need sender filtering, correct? (Someone is logging into my server somehow and sending emails.)
2) How in the world is this happening? How are they logging in and sending the emails? Is it as simple as someone finding out a password?

Author Comment by: pk24573 (ID: 35020246)
I quickly went for the simple fix, disabling Basic & Integrated Authentication; however, I left Anonymous authentication checked. Should I disable that as well, because I'm still receiving random users under current users?

Expert Comment by: Alan Hardisty (ID: 35020397)
questions

>> 1) in my scenario i need sender filtering correct? (someone is logging into my server somehow and sending emails) <<

Sender filtering is not going to help because the hacker / spammer has a username and password and is therefore a 'trusted' sender and will bypass all Anti-Spam checking you might make.

>> 2) how in the world is this happening...how are they logging in and sending the emails. is it as simple as someone finding out a password? <<

My blog about Brute Force Attacks should explain it a bit but basically a computer or computers out in the world have been systematically trying various combinations of username / passwords until they find one that works.  Once they find one that works - you start having your server abused.

Once you have resolved the issue - you will need to de-list yourself on the various blacklist sites:

www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org will help identify the regular ones, but you may need to contact the ones that don't drop off after a while.  Some are fairly quick to de-list you - others take about 4 weeks - some don't accept de-listing requests - some demand a small amount of money (don't pay unless you are suffering big time).

If you don't have external users sending mail to your server via SMTP then keep the Authentication on your SMTP Virtual Server to Anonymous only - then the problem won't happen again for the same reason.

Long and the short - someone has a weak password and it was guessed.  My blog advises what you can do to tighten up security to try and prevent it from happening again.

Alan
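A detection pass over the SMTP virtual server's W3C log that flags the two things Alan describes (repeated failed AUTH attempts, then mail submitted under a guessed account), as an added example that is not from the thread or from Alan's blog. It assumes cs-method holds the SMTP verb, sc-status the reply code and cs-username the authenticated account; the sample lines are constructed.

```python
"""Spot SMTP AUTH password guessing and authenticated-relay abuse in the W3C log of an
IIS/Exchange 2003 SMTP virtual server; #Fields is parsed, so the real column set also works."""
from collections import defaultdict

AUTH_OK, AUTH_FAIL = "235", "535"  # standard SMTP reply codes for AUTH success / failure

def parse_w3c(lines):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyse(lines, fail_threshold=5):
    """Per client IP: AUTH failures/successes and MAIL FROM commands issued while
    authenticated (cs-username set). Returns (per-IP stats, list of (ip, reason))."""
    per_ip = defaultdict(lambda: {"auth_fail": 0, "auth_ok": 0, "mail": 0, "users": set()})
    for r in parse_w3c(lines):
        s, verb, code = per_ip[r["c-ip"]], r["cs-method"], r["sc-status"]
        if verb == "AUTH" and code == AUTH_FAIL:
            s["auth_fail"] += 1
        elif verb == "AUTH" and code == AUTH_OK:
            s["auth_ok"] += 1
        elif verb == "MAIL" and r.get("cs-username", "-") != "-":
            s["mail"] += 1  # message submitted under a (guessed) account
            s["users"].add(r["cs-username"])
    findings = []
    for ip, s in per_ip.items():
        if s["auth_fail"] >= fail_threshold:
            findings.append((ip, "%d failed AUTH: password guessing" % s["auth_fail"]))
        if s["auth_ok"] and s["mail"]:
            findings.append((ip, "%d MAIL FROM as %s: authenticated relay"
                             % (s["mail"], ",".join(sorted(s["users"])))))
    return per_ip, findings

# Constructed sample log (documentation-range IPs, made-up account and domains).
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-03-01 22:10:02 203.0.113.7 - AUTH LOGIN 535
2011-03-01 22:10:03 203.0.113.7 - AUTH LOGIN 535
2011-03-01 22:10:04 203.0.113.7 - AUTH LOGIN 535
2011-03-01 22:10:05 203.0.113.7 - AUTH LOGIN 535
2011-03-01 22:10:06 203.0.113.7 - AUTH LOGIN 535
2011-03-01 22:10:07 203.0.113.7 - AUTH LOGIN 235
2011-03-01 22:10:08 203.0.113.7 jsmith MAIL +FROM:<promo@example.test> 250
2011-03-01 22:10:10 203.0.113.7 jsmith MAIL +FROM:<promo@example.test> 250
2011-03-01 22:11:01 198.51.100.9 - MAIL +FROM:<bob@partner.test> 250
"""
```

Logging must be enabled on the SMTP virtual server for there to be a file to feed in; the failure threshold is arbitrary and should be tuned to what legitimate POP/SMTP clients on the site produce.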

Author Comment by: pk24573 (ID: 35020803)
1) I've disabled the authentication as you mentioned in the SMTP virtual server.
2) I've applied the sender filtering.

Results:

The queue has stopped filling up; however, the current users under the SMTP virtual server still exist.

Because I did have "tight" controls on the server, the spam wasn't being sent out. It was just filling up my queue, and in turn my HDDs.

When you say external users, you mean users of ActiveSync and POP, correct? Does it include OWA users as well?
I'm sending test emails from a domain user using OWA and the email isn't being sent... (I'm assuming this is a result of the authentication settings?)

Thanks,

Expert Comment by: Alan Hardisty (ID: 35020944)
If you restart the SMTP service - the current users under the SMTP service will get disconnected, but once it starts again, only anonymous users can send you mail, which is fine.

By external users I only mean SMTP / POP users.  ActiveSync / OWA use HTTPS so won't be affected.

What I have suggested should not affect outbound mail at all - only incoming mail.

Author Closing Comment by: pk24573 (ID: 35026604)
Very thorough!