Solved

SBS 2003 Exchange server being ATTACKED by users in current session under smtp connector

Posted on 2011-03-02
10
1,149 Views
Last Modified: 2012-05-11
Hello Experts!
I've had a hell of a past 24 hours trying to figure out what is going on.
My Exchange server has been working beautifully for the past 4-5 years.
I THOUGHT everything was locked down nicely until yesterday, when I see the queue with 19,000 emails...
My server is not an open relay. They're getting in some other way.
And what I see is that under the current sessions in the SMTP connector, there are (for the first time) users with static IPs. I blocked them in the connection properties by selecting "all except the below" and I put in the static IPs of the attackers. That worked for 30-60 min, and then there's a new set of IPs, but it's always the same IP listed about 10 times.

I'm at a loss. I've followed various steps I've found in Microsoft KB, but nothing seems to help.
0
Question by:pk24573
10 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35020008
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35020021
When the dust has settled, please have a read of my two blog articles too:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

You can also empty the queues of the spam very quickly by using aqadmcli.exe, which can be downloaded from the link on the following page (with usage instructions):

http://community.spiceworks.com/how_to/show/267

Alan
0
 
LVL 1

Author Comment

by:pk24573
ID: 35020094
I'm reading as we speak..
THANKS FOR THE QUICK REPLY...
And it does sound like it's an authenticated relay !@#$!@#$
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35020127
Simple fix - disable Basic & Integrated Auth on your SMTP Virtual Server and restart SMTP Service.

Then reset everyone's password to long, strong, complicated ones and if you need to, add the Basic & Integrated Auth permissions back.
0
 
LVL 1

Author Comment

by:pk24573
ID: 35020181
Questions:

1) In my scenario I need sender filtering, correct? (Someone is logging into my server somehow and sending emails.)
2) How in the world is this happening? How are they logging in and sending the emails? Is it as simple as someone finding out a password?
0
 
LVL 1

Author Comment

by:pk24573
ID: 35020246
I quickly went for the simple fix, disabling Basic & Integrated Authentication; however, I left Anonymous authentication checked. Should I disable that as well, because I'm still receiving random users under current users?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35020397
questions

>> 1) in my scenario i need sender filtering correct? (someone is logging into my server somehow and sending emails) <<

Sender filtering is not going to help because the hacker / spammer has a username and password and is therefore a 'trusted' sender and will bypass all Anti-Spam checking you might make.

>> 2) how in the world is this happening...how are they logging in and sending the emails. is it as simple as someone finding out a password? <<

My blog about Brute Force Attacks should explain it a bit but basically a computer or computers out in the world have been systematically trying various combinations of username / passwords until they find one that works.  Once they find one that works - you start having your server abused.

Once you have resolved the issue - you will need to de-list yourself on the various blacklist sites:

www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org will help identify the regular ones, but you may need to contact the ones that don't drop off after a while.  Some are fairly quick to de-list you - others take about 4 weeks - some don't accept de-listing requests - some demand a small amount of money (don't pay unless you are suffering big time).

If you don't have external users sending mail to your server via SMTP then keep the Authentication on your SMTP Virtual Server to Anonymous only - then the problem won't happen again for the same reason.

Long and the short - someone has a weak password and it was guessed.  My blog advises what you can do to tighten up security to try and prevent it from happening again.

Alan
0
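To make the brute-force pattern Alan describes concrete, and to show how a defender would find which account to reset first, here is an added Python example (not from this thread, nor from Alan's blog). It scans constructed, simplified SMTP log lines; the column order is an assumption you must match to your own SMTP virtual server log format, while 235/535 are the standard SMTP AUTH success/failure reply codes.

```python
"""Find SMTP AUTH brute-force sources and the accounts they guessed.

Added example. Log lines are constructed in a simplified layout:
  date time client-ip command account reply-code
Real Exchange 2003 SMTP logs carry more columns; adjust parse_line().
"""
from collections import defaultdict

# Constructed sample: one source hammers AUTH until an account succeeds,
# a second source fails twice and gives up, a third is a normal peer.
SAMPLE_LOG = """\
2011-03-01 22:10:01 203.0.113.7 AUTH jsmith 535
2011-03-01 22:10:02 203.0.113.7 AUTH jsmith 535
2011-03-01 22:10:03 203.0.113.7 AUTH bjones 535
2011-03-01 22:10:04 203.0.113.7 AUTH bjones 535
2011-03-01 22:10:05 203.0.113.7 AUTH bjones 535
2011-03-01 22:10:06 203.0.113.7 AUTH bjones 235
2011-03-01 22:10:07 203.0.113.7 MAIL bjones 250
2011-03-01 22:11:00 198.51.100.9 AUTH admin 535
2011-03-01 22:11:01 198.51.100.9 AUTH admin 535
2011-03-01 22:12:00 192.0.2.20 MAIL - 250
"""

AUTH_OK, AUTH_FAIL = "235", "535"  # RFC 4954 reply codes


def parse_line(line):
    _date, _time, ip, command, account, status = line.split()
    return {"ip": ip, "cmd": command, "user": account, "status": status}


def summarize(log_text):
    """Per source IP: failed AUTH count and accounts that later succeeded."""
    stats = defaultdict(lambda: {"fails": 0, "compromised": set()})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec["cmd"] != "AUTH":
            continue
        if rec["status"] == AUTH_FAIL:
            stats[rec["ip"]]["fails"] += 1
        elif rec["status"] == AUTH_OK and stats[rec["ip"]]["fails"]:
            # success after failures from the same source: a guessed password
            stats[rec["ip"]]["compromised"].add(rec["user"])
    return stats


def flag_brute_force(log_text, threshold=3):
    """{ip: [accounts]} for sources that guessed a password after >= threshold failures."""
    return {ip: sorted(s["compromised"])
            for ip, s in summarize(log_text).items()
            if s["fails"] >= threshold and s["compromised"]}
```

The accounts returned by flag_brute_force are the ones whose passwords need resetting before Basic/Integrated authentication is switched back on.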
 
LVL 1

Author Comment

by:pk24573
ID: 35020803
1) I've disabled the authentication as you mentioned in the SMTP virtual server.
2) I've applied the sender filtering.

Results:

The queue has stopped filling up; however, the current users under the SMTP virtual server still exist.

Because I did have "tight" controls on the server, the spam wasn't being sent out. It was just filling up my queue, and in turn my HDDs.

When you say external users, you mean users of ActiveSync and POP, correct? Does it include OWA users as well?
I'm sending test emails from a domain user using OWA and the email isn't being sent... (I'm assuming this is a result of the authentication settings?)

Thanks,
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35020944
If you restart the SMTP service - the current users under the SMTP service will get disconnected, but once it starts again, only anonymous users can send you mail, which is fine.

By external users I only mean SMTP / POP users.  Activesync / OWA uses HTTPS so won't be affected.

What I have suggested should not affect outbound mail at all - only incoming mail.
0
 
LVL 1

Author Closing Comment

by:pk24573
ID: 35026604
Very thorough!
0