Solved

Worst Nightmare :  Internal SMTP server compromised - sending spam - now blacklisted

Posted on 2011-03-23
6
845 Views
Last Modified: 2012-05-11
Please post, but realize I shut down my inbound mail for the time being.

I have and Exchange FE/BE setup.  My FE is inbound mail only until today(or yesterday) it has been compromised and is sending out THOUSANDS of spam as Mike Morris <secretshopper@gmail.com>

I suspect a PC compromise found my SMTP server and is sending off it.  I have 1000+ messages queued with my outbound mail currently disabled.

My IP has been blacklisted by SORBS and Barracuda.   I have scanned my network with ESET NOD 32 v4.2 to no avail.  

I need help determining the potential source.

If you can help please send a note to buffsr1 at gmail dot com
0
Comment
Question by:TumacLumber
  • 5
6 Comments
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35202720
Easy fix is to turn open relay off.. Why would you have open relay active?
You can lock it by account or lock it by IP if you need relay but open is not best practices and ends with what you have.
0
 

Author Comment

by:TumacLumber
ID: 35203437
It is not open to the outside world.  It may have been open internally which is why I think it may be a internal source that found it.   That still doesn't help me determine the source of the connections.

After disabling outbound mail on the server, if I open the messages in the queue folder.  The source IP is a public IP.  Can this be spoofed internally?  I have run my public IP against several open relay tests and they all pass.

Since everyone is going home, and I am lucky we are smaller.  I have shut all the PCs down and ita ppears to have stopped.  Now I get to start 1 by 1.
0
 

Author Comment

by:TumacLumber
ID: 35203546
Sorry stopped because I disabled internal relay.

All devices except ecxhange servers and PCs shut down.  Still happening.  Need to determine if it is coming from outside or another location.......
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 

Assisted Solution

by:TumacLumber
TumacLumber earned 0 total points
ID: 35203560
Header of outgoing spam


--------------------------------------------------------------------------------

Received: from User ([62.49.155.50]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Subject: MYSTERY SHOPPER JOB OFFER
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
X-OriginalArrivalTime: 23 Mar 2011 14:59:17.0810 (UTC) FILETIME=[E206E920:01CBE96A]

0
 

Accepted Solution

by:
TumacLumber earned 0 total points
ID: 35203976
Shut everything down on my network and disconnected ALL my VPN's.  

Only thing up are my 2 Exchange servers , my PC and a domain controller.

My external IP passes all relay tests I have tried.  Yet this a-hole is able to relay off my server.  Why I didn't check connections first is beyond me, but I assumed since my relay was locked down it must be an internal trojan relaying off my internal SMTP.

Blocking IP in firewall for now but would like help understanding why this guy can relay when the test say no relay.

   POS Spammer
0
 

Author Closing Comment

by:TumacLumber
ID: 35292480
Looked for help on how spammer got around closed relay from outside and go no responses.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question