Solved

Compromised configuration: Exchange 2003 & Open relay?

Posted on 2011-04-27
Last Modified: 2012-05-11
After a call from my ISP last night, it appears someone has been sending spam through our Exchange server. I have checked the usual places, but found some alarming 'default' settings.

We do not allow relaying from any old IP (only 127.0.0.1 and 192.168.0.XX, the IP of the domain controller; Exchange is also hosted on the same machine).

What would be the first setting to check? This needs securing before my ISP will allow me to send mail again!

Thanks!
Question by:UncleVirus
13 Comments
 
LVL 24

Assisted Solution

by:Rajith Enchiparambil
Rajith Enchiparambil earned 400 total points
ID: 35475884
Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Check whether you are blacklisted here http://www.mxtoolbox.com/blacklists.aspx

That will give a good idea as to where you stand.
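The probe behind online relay checkers such as the MXToolbox page above, written out as an added example so the mechanics are visible; this is not MXToolbox's code and not from the original thread. The probe addresses, HELO name and hostnames are assumptions for the example, and the scripted server replies are constructed (modelled on Exchange 2003's "550 5.7.1 Unable to relay" text) so the block runs offline. The session stops at RCPT TO and never sends DATA, so nothing is delivered even when the server is open; a 4xx on RCPT (greylisting) is reported as inconclusive rather than as "closed". The EHLO banner is also checked for an AUTH line, which is a separate thing from anonymous relay: a server that advertises authentication will relay for anyone holding a valid password.

```python
"""Open-relay probe: EHLO, MAIL FROM an outside address, RCPT TO an outside
domain, then RSET/QUIT.  Added example; run it only against servers you are
responsible for, and from OUTSIDE your own LAN (addresses on the relay
allow-list, such as 127.0.0.1 or the DC, would make any server look open)."""
import socket

# Assumed probe identities; both domains sit in reserved example space.
PROBE_FROM = "relaytest@probe.example"
PROBE_RCPT = "relaytest@outside.example"
HELO_NAME = "probe.example"


def read_reply(rfile):
    """Read one SMTP reply, collecting 'NNN-' continuation lines. Returns (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250 " (space) ends a multi-line reply
            break
    if len(lines[-1]) < 3 or not lines[-1][:3].isdigit():
        raise ValueError(f"malformed SMTP reply: {lines[-1]!r}")
    return int(lines[-1][:3]), lines


def command(rfile, wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)


def relay_probe(rfile, wfile, helo=HELO_NAME, mail_from=PROBE_FROM, rcpt_to=PROBE_RCPT):
    """open_relay: True (2xx accepted an outside recipient), False (5xx refused),
    None (4xx: inconclusive, e.g. greylisting; retry later)."""
    result = {"open_relay": None, "auth_advertised": False}
    code, _ = read_reply(rfile)
    if code != 220:
        result["error"] = f"unexpected greeting {code}"
        return result
    code, ehlo = command(rfile, wfile, f"EHLO {helo}")
    if code != 250:                                   # pre-ESMTP server: fall back to HELO
        code, ehlo = command(rfile, wfile, f"HELO {helo}")
        if code != 250:
            result["error"] = f"HELO refused {code}"
            return result
    # "250-AUTH LOGIN ..." means Basic/IWA is enabled on the virtual server.
    result["auth_advertised"] = any(l[4:].upper().startswith("AUTH") for l in ehlo)
    code, _ = command(rfile, wfile, f"MAIL FROM:<{mail_from}>")
    if code != 250:
        result["error"] = f"MAIL FROM refused {code}"
        command(rfile, wfile, "QUIT")
        return result
    code, lines = command(rfile, wfile, f"RCPT TO:<{rcpt_to}>")
    result["rcpt_code"], result["rcpt_reply"] = code, lines[-1]
    if 200 <= code < 300:
        result["open_relay"] = True
    elif code >= 500:
        result["open_relay"] = False
    command(rfile, wfile, "RSET")                     # abandon the envelope: no DATA, ever
    command(rfile, wfile, "QUIT")
    return result


def relay_probe_host(host, port=25, **kw):
    """Run the probe against a live server (needs network access)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile, **kw)


class ScriptedServer:
    """Constructed stand-in for an MTA so the probe runs offline: answers each
    command verb from a table, default '250 OK'; records what was sent."""

    def __init__(self, replies, greeting="220 mail.example ESMTP"):
        self.replies, self.sent = replies, []
        self.pending = [greeting + "\r\n"]

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.sent.append(cmd)
        verb = cmd.split(":")[0].split()[0].upper()   # "MAIL FROM:<..>" -> "MAIL"
        for line in self.replies.get(verb, "250 OK").splitlines():
            self.pending.append(line + "\r\n")

    def flush(self):
        pass

    def readline(self):
        return self.pending.pop(0).encode("ascii") if self.pending else b""


# Constructed reply tables in the style of Exchange 2003.
OPEN_RELAY = {"EHLO": "250-mail.example Hello\r\n250-AUTH LOGIN\r\n250 OK",
              "RCPT": "250 2.1.5 relaytest@outside.example"}
RELAY_DENIED = {"EHLO": "250-mail.example Hello\r\n250 OK",
                "RCPT": "550 5.7.1 Unable to relay for relaytest@outside.example"}
GREYLISTED = {"RCPT": "451 4.7.1 Please try again later"}


def demo(replies):
    srv = ScriptedServer(replies)
    result = relay_probe(srv, srv)
    result["commands"] = srv.sent
    return result


if __name__ == "__main__":
    for name, table in (("open", OPEN_RELAY), ("denied", RELAY_DENIED), ("grey", GREYLISTED)):
        print(name, demo(table))
```

For a live check, `relay_probe_host("mail.example")` from a host on the public internet is the test that matters; a result of `open_relay=False` with `auth_advertised=True` is the common Exchange 2003 shape, and means the next thing to verify is who can authenticate.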
 
LVL 1

Author Comment

by:UncleVirus
ID: 35475911
Nope, not showing as an open relay (however, I have trawled through the config and changed several security options to alleviate the problem already).

Alan, I will read all of your links and reply back. Thank you both for such a prompt reply!

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35476027
You are welcome - seen it time and time again, so it's an easy one to diagnose!
 
LVL 1

Assisted Solution

by:UncleVirus
UncleVirus earned 0 total points
ID: 35476069
I think I found the cause of the problem...

Under the default SMTP Virtual Server properties, 'Anonymous Access' was ticked.

I have *NO IDEA* why this would have been ticked previously, but upon enabling it (temporarily), I have seen access attempts and the emails have started pouring out again.

I'm pretty sure this is the root cause, but I'm still making my way through the articles/blogs you gave me.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35476139
Anonymous Access is required otherwise you won't receive any mail.  Please leave that one ticked - the others are questionable, but Anonymous is essential.

Please read my article first - and then the blogs.
 
LVL 1

Assisted Solution

by:UncleVirus
UncleVirus earned 0 total points
ID: 35476207
After following your guide, I have traced event ID 1708 to a user called 'TEST' created on our network. This seems to be how they got in, no doubt with a brute-force/dictionary attack. Time for a security audit, methinks!

Thank you for sharing that link, Alan. It came in extremely useful in tracking down the sender; not as easy as you'd think!
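One way to do the event 1708 sifting described above in bulk, as an added example that is neither the linked guide's nor the original poster's code: parse the 1708 messages (successful SMTP authentication, exported from the Application log as text), count authentications per account and client, and flag any pair that uses an account not on your short allow-list of things that legitimately authenticate (a scan-to-email copier, say) or that comes from outside the LAN. Everything below is constructed for the example: the event wording is an approximation of the 1708 text, and the CORP domain, the 192.168.0.0/24 LAN, the copier at 192.168.0.25 and the outside address 203.0.113.77 are assumptions. Check the regex against a real entry before relying on it.

```python
"""Triage MSExchangeTransport event 1708 (successful SMTP authentication):
which account authenticated, from which client, how often, first/last seen.
Added example; message wording, accounts and addresses are constructed."""
import ipaddress
import re
from collections import Counter

# Approximation of the 1708 message; verify against a real Application-log entry.
EVENT_RE = re.compile(
    r'performed successfully with client "(?P<client>[^"]+)"'
    r'.*?method was "(?P<method>[^"]+)"'
    r'.*?username was "(?P<user>[^"]+)"', re.S)

# Assumptions: the only account that should SMTP-authenticate, and what "inside" means.
EXPECTED_ACCOUNTS = {"CORP\\mfp-scanner"}
LAN_NETWORKS = ["192.168.0.0/24", "127.0.0.0/8"]


def _event(ts, client, user, method="LOGIN"):
    """Build one constructed (timestamp, message) record."""
    return (ts, f'SMTP Authentication was performed successfully with client "{client}". '
                f'The authentication method was "{method}" and the username was "{user}".')


# Constructed log: the copier three times during the day, then a late-night burst
# from an outside address (TEST-NET-3) using a forgotten account called TEST.
EVENTS_1708 = (
    [_event(f"2011-04-26 08:{m:02d}:00", "192.168.0.25", "CORP\\mfp-scanner") for m in (5, 20, 35)]
    + [_event(f"2011-04-26 23:{m:02d}:{s:02d}", "203.0.113.77", "CORP\\TEST")
       for m in range(10, 14) for s in (0, 15, 30, 45)]
    + [("2011-04-26 23:15:00", "MSExchangeTransport: some other event text")]  # not a 1708, skipped
)


def parse_1708(records):
    """Return one dict per record whose message matches the 1708 pattern."""
    parsed = []
    for ts, msg in records:
        m = EVENT_RE.search(msg)
        if m:
            parsed.append({"time": ts, **m.groupdict()})
    return parsed


def triage(events, expected_accounts, lan_networks):
    """Aggregate per (account, client); flag pairs using an unexpected account
    or authenticating from outside the LAN.  Busiest pair first."""
    nets = [ipaddress.ip_network(n) for n in lan_networks]
    expected = {a.lower() for a in expected_accounts}
    counts, first, last = Counter(), {}, {}
    for e in events:
        key = (e["user"].lower(), e["client"])
        counts[key] += 1
        first[key] = min(first.get(key, e["time"]), e["time"])
        last[key] = max(last.get(key, e["time"]), e["time"])
    findings = []
    for (user, client), n in counts.most_common():
        try:
            internal = any(ipaddress.ip_address(client) in net for net in nets)
        except ValueError:        # a hostname, not an IP: cannot place it, treat as outside
            internal = False
        reasons = []
        if user not in expected:
            reasons.append("account not on SMTP-auth allow-list")
        if not internal:
            reasons.append("client outside LAN")
        if reasons:
            findings.append({"user": user, "client": client, "count": n,
                             "first": first[(user, client)], "last": last[(user, client)],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_1708(EVENTS_1708), EXPECTED_ACCOUNTS, LAN_NETWORKS):
        print(f"{f['count']:4d}  {f['user']:<20} {f['client']:<16} "
              f"{f['first']} .. {f['last']}  {'; '.join(f['reasons'])}")
```

The first/last timestamps are what you hand to the ISP and what bounds the mailbox and queue clean-up; the "outside LAN" reason on its own is worth acting on even for an expected account, since a copier does not authenticate from the internet.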
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 1600 total points
ID: 35476362
Nope - they can be tricky but hopefully now you have closed the hole.

My blogs discuss some security measures you might want to incorporate and also the SMTP Virtual Server settings that may / may not be needed.  If you only have Anonymous Access enabled - this sort of problem won't happen again.

Do you have external users using SMTP / POP3 on your server or have you got RPC over HTTPS configured (which means you can lose Basic & Integrated Windows Authentication)?
 
LVL 1

Author Comment

by:UncleVirus
ID: 35476452
Yes, we do use RPC over HTTPS (Mostly for Outlook over HTTP for remote workers). We also have iDevices and WinMo devices fetching email - Some by POP/IMAP unfortunately. I have blocked access to the IP address in question anyway to further deter any connection attempts. I will continue to read your guide and tweak any security where I can. I'm going to award points as you've helped me lock up the box and find the root of the problem.

Moral of the story: Keep a bloody good eye on your user accounts!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35476631
Yep - that's a good moral.

It is usually a forgotten about account with a weak password that gets located first.  If you can lose the POP / IMAP / SMTP access, it would improve security and also make sure you don't have RDP (TCP port 3389) open and forwarded to the server as that's another sure-fire way to get hacked!

Glad things are looking better.

Alan
 
LVL 1

Author Comment

by:UncleVirus
ID: 35476652
I opted for the VPN, then RDP approach instead of opening port 3389 direct to the interwibble!

Take care,
UncleVirus
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35477229
A much better option - and much safer.

So go tweak your Security policies and upset your users by forcing horribly long and complex passwords.

Did you manage to avoid the blacklists?  www.mxtoolbox.com/blacklists.aspx / www.blacklistalert.org

Alan
 
LVL 1

Author Closing Comment

by:UncleVirus
ID: 35783707
Apologies thought I closed this.

We did indeed avoid the blacklists; however, Zen (mail host relay) weren't too happy. All sorted now though :-)
