Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Worst Nightmare :  Internal SMTP server compromised - sending spam - now blacklisted

Posted on 2011-03-23
6
Medium Priority
?
875 Views
Last Modified: 2012-05-11
Please post, but realize I shut down my inbound mail for the time being.

I have and Exchange FE/BE setup.  My FE is inbound mail only until today(or yesterday) it has been compromised and is sending out THOUSANDS of spam as Mike Morris <secretshopper@gmail.com>

I suspect a PC compromise found my SMTP server and is sending off it.  I have 1000+ messages queued with my outbound mail currently disabled.

My IP has been blacklisted by SORBS and Barracuda.   I have scanned my network with ESET NOD 32 v4.2 to no avail.  

I need help determining the potential source.

If you can help please send a note to buffsr1 at gmail dot com
0
Comment
Question by:TumacLumber
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 10

Expert Comment

by:Hutch_77
ID: 35202720
Easy fix is to turn open relay off.. Why would you have open relay active?
You can lock it by account or lock it by IP if you need relay but open is not best practices and ends with what you have.
0
 

Author Comment

by:TumacLumber
ID: 35203437
It is not open to the outside world.  It may have been open internally which is why I think it may be a internal source that found it.   That still doesn't help me determine the source of the connections.

After disabling outbound mail on the server, if I open the messages in the queue folder.  The source IP is a public IP.  Can this be spoofed internally?  I have run my public IP against several open relay tests and they all pass.

Since everyone is going home, and I am lucky we are smaller.  I have shut all the PCs down and ita ppears to have stopped.  Now I get to start 1 by 1.
0
 

Author Comment

by:TumacLumber
ID: 35203546
Sorry stopped because I disabled internal relay.

All devices except ecxhange servers and PCs shut down.  Still happening.  Need to determine if it is coming from outside or another location.......
0
Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

 

Assisted Solution

by:TumacLumber
TumacLumber earned 0 total points
ID: 35203560
Header of outgoing spam


--------------------------------------------------------------------------------

Received: from User ([62.49.155.50]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Subject: MYSTERY SHOPPER JOB OFFER
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
X-OriginalArrivalTime: 23 Mar 2011 14:59:17.0810 (UTC) FILETIME=[E206E920:01CBE96A]

0
 

Accepted Solution

by:
TumacLumber earned 0 total points
ID: 35203976
Shut everything down on my network and disconnected ALL my VPN's.  

Only thing up are my 2 Exchange servers , my PC and a domain controller.

My external IP passes all relay tests I have tried.  Yet this a-hole is able to relay off my server.  Why I didn't check connections first is beyond me, but I assumed since my relay was locked down it must be an internal trojan relaying off my internal SMTP.

Blocking IP in firewall for now but would like help understanding why this guy can relay when the test say no relay.

   POS Spammer
0
 

Author Closing Comment

by:TumacLumber
ID: 35292480
Looked for help on how spammer got around closed relay from outside and go no responses.
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question