Solved

Worst Nightmare :  Internal SMTP server compromised - sending spam - now blacklisted

Posted on 2011-03-23
6
868 Views
Last Modified: 2012-05-11
Please post, but realize I shut down my inbound mail for the time being.

I have and Exchange FE/BE setup.  My FE is inbound mail only until today(or yesterday) it has been compromised and is sending out THOUSANDS of spam as Mike Morris <secretshopper@gmail.com>

I suspect a PC compromise found my SMTP server and is sending off it.  I have 1000+ messages queued with my outbound mail currently disabled.

My IP has been blacklisted by SORBS and Barracuda.   I have scanned my network with ESET NOD 32 v4.2 to no avail.  

I need help determining the potential source.

If you can help please send a note to buffsr1 at gmail dot com
0
Comment
Question by:TumacLumber
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35202720
Easy fix is to turn open relay off.. Why would you have open relay active?
You can lock it by account or lock it by IP if you need relay but open is not best practices and ends with what you have.
0
 

Author Comment

by:TumacLumber
ID: 35203437
It is not open to the outside world.  It may have been open internally which is why I think it may be a internal source that found it.   That still doesn't help me determine the source of the connections.

After disabling outbound mail on the server, if I open the messages in the queue folder.  The source IP is a public IP.  Can this be spoofed internally?  I have run my public IP against several open relay tests and they all pass.

Since everyone is going home, and I am lucky we are smaller.  I have shut all the PCs down and ita ppears to have stopped.  Now I get to start 1 by 1.
0
 

Author Comment

by:TumacLumber
ID: 35203546
Sorry stopped because I disabled internal relay.

All devices except ecxhange servers and PCs shut down.  Still happening.  Need to determine if it is coming from outside or another location.......
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Assisted Solution

by:TumacLumber
TumacLumber earned 0 total points
ID: 35203560
Header of outgoing spam


--------------------------------------------------------------------------------

Received: from User ([62.49.155.50]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Subject: MYSTERY SHOPPER JOB OFFER
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
X-OriginalArrivalTime: 23 Mar 2011 14:59:17.0810 (UTC) FILETIME=[E206E920:01CBE96A]

0
 

Accepted Solution

by:
TumacLumber earned 0 total points
ID: 35203976
Shut everything down on my network and disconnected ALL my VPN's.  

Only thing up are my 2 Exchange servers , my PC and a domain controller.

My external IP passes all relay tests I have tried.  Yet this a-hole is able to relay off my server.  Why I didn't check connections first is beyond me, but I assumed since my relay was locked down it must be an internal trojan relaying off my internal SMTP.

Blocking IP in firewall for now but would like help understanding why this guy can relay when the test say no relay.

   POS Spammer
0
 

Author Closing Comment

by:TumacLumber
ID: 35292480
Looked for help on how spammer got around closed relay from outside and go no responses.
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question