Solved

Worst Nightmare: Internal SMTP server compromised - sending spam - now blacklisted

Posted on 2011-03-23
854 Views
Last Modified: 2012-05-11
Please post, but realize I shut down my inbound mail for the time being.

I have an Exchange FE/BE setup.  My FE was inbound mail only until today (or yesterday); it has been compromised and is sending out THOUSANDS of spam messages as Mike Morris <secretshopper@gmail.com>

I suspect a PC compromise found my SMTP server and is sending off it.  I have 1000+ messages queued with my outbound mail currently disabled.

My IP has been blacklisted by SORBS and Barracuda.   I have scanned my network with ESET NOD 32 v4.2 to no avail.  

I need help determining the potential source.

If you can help please send a note to buffsr1 at gmail dot com
0
Comment
Question by:TumacLumber
6 Comments
LVL 10

Expert Comment

by:Hutch_77
ID: 35202720
Easy fix is to turn open relay off. Why would you have open relay active?
You can lock it by account or lock it by IP if you need relay, but open relay is not best practice and ends with what you have.
0
 

Author Comment

by:TumacLumber
ID: 35203437
It is not open to the outside world.  It may have been open internally, which is why I think it may be an internal source that found it.   That still doesn't help me determine the source of the connections.

After disabling outbound mail on the server, if I open the messages in the queue folder, the source IP is a public IP.  Can this be spoofed internally?  I have run my public IP against several open relay tests and they all pass.

Since everyone is going home, and I am lucky we are smaller, I have shut all the PCs down and it appears to have stopped.  Now I get to start 1 by 1.
0
 

Author Comment

by:TumacLumber
ID: 35203546
Sorry, it stopped because I disabled internal relay.

All devices except Exchange servers and PCs shut down.  Still happening.  Need to determine if it is coming from outside or another location...
0

Assisted Solution

by:TumacLumber
TumacLumber earned 0 total points
ID: 35203560
Header of outgoing spam


--------------------------------------------------------------------------------

Received: from User ([62.49.155.50]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Subject: MYSTERY SHOPPER JOB OFFER
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
X-OriginalArrivalTime: 23 Mar 2011 14:59:17.0810 (UTC) FILETIME=[E206E920:01CBE96A]

0
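The header above is the one piece of evidence the thread has, and the author describes doing the triage by hand: open each queued message, read the first Received: hop, and see whether the IP that handed the message to the server is internal or public. The script below is an added example (not from the thread or from Exchange) that does that over a batch of queued messages and also compares the From: domain with the domains the server is supposed to send for. It assumes Python 3, the accepted-domain set LOCAL_DOMAINS, and a second, constructed sample message; the first sample is the quoted header with the body omitted.

```python
import ipaddress
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Sample 1: the header quoted in the thread (body omitted, Bcc dropped).
QUEUED_SPAM = """Received: from User ([62.49.155.50]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Subject: MYSTERY SHOPPER JOB OFFER
Date: Wed, 23 Mar 2011 14:56:09 -0000
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>

body omitted
"""

# Sample 2: constructed counter-example, a normal outbound message from an internal workstation.
QUEUED_LEGIT = """Received: from ws042.corp.local ([192.168.10.42]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 08:10:00 -0700
From: "Jane Doe" <jane@mydomain.com>
Subject: Invoice
Message-ID: <constructed-0001@mydomain.com>

body omitted
"""

# Assumption: the domains this Exchange organisation legitimately sends as.
LOCAL_DOMAINS = {"mydomain.com"}

# IIS SMTPSVC writes the peer address as "([a.b.c.d])" in the Received: header.
RECEIVED_IP = re.compile(r"\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def first_hop_ip(raw):
    """Return the IP that handed the message to our server (topmost Received:), or None."""
    msg = message_from_string(raw)  # the parser unfolds the continuation line for us
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def triage(raw):
    """Classify one queued message: where it came in from and whose domain it claims to send as."""
    msg = message_from_string(raw)
    ip = first_hop_ip(raw)
    is_private = ipaddress.ip_address(ip).is_private if ip else None
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    sender_is_local = sender_domain in LOCAL_DOMAINS

    if sender_is_local:
        verdict = "ok"                    # our own domain, a normal outbound message
    elif is_private:
        verdict = "internal-host"         # a machine on our LAN relaying for a foreign domain
    elif is_private is False:
        verdict = "external-relay"        # accepted from the Internet and relayed back out
    else:
        verdict = "unknown"               # no usable Received: header
    return {
        "source_ip": ip,
        "source_is_private": is_private,
        "sender_domain": sender_domain,
        "verdict": verdict,
    }


def top_sources(raw_messages):
    """Count first-hop IPs across a whole queue so the loudest source stands out."""
    counts = Counter(first_hop_ip(raw) for raw in raw_messages)
    return counts.most_common()


if __name__ == "__main__":
    queue = [QUEUED_SPAM, QUEUED_SPAM, QUEUED_LEGIT]
    for raw in queue:
        print(triage(raw))
    print(top_sources(queue))
```

Run against the real queue, `top_sources` is the number to look at first: one public IP accounting for nearly all 1000+ queued messages says the connection is coming in from outside, which is what the author eventually found, while a cluster of private IPs would point back at a compromised workstation.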
 

Accepted Solution

by:TumacLumber
TumacLumber earned 0 total points
ID: 35203976
Shut everything down on my network and disconnected ALL my VPN's.  

Only things up are my 2 Exchange servers, my PC and a domain controller.

My external IP passes all relay tests I have tried.  Yet this a-hole is able to relay off my server.  Why I didn't check connections first is beyond me, but I assumed since my relay was locked down it must be an internal trojan relaying off my internal SMTP.

Blocking the IP in the firewall for now, but would like help understanding why this guy can relay when the tests say no relay.

   POS Spammer
0
 

Author Closing Comment

by:TumacLumber
ID: 35292480
Looked for help on how the spammer got around the closed relay from outside and got no responses.
0