Compromised configuration: Exchange 2003 & Open relay?

After a call from my ISP last night, it appears someone has been sending spam through our Exchange server. I have checked the usual places, however found some alarming 'default' settings.

We do not allow relaying from any old IP (only 127.0.0.1 and the 192.168.0.XX (IP of domain controller - Exchange also hosted on same machine)).

What would be the first setting to check? This needs securing before my ISP will allow me to send mail again!

Thanks!
Asked by UncleVirus

4 Solutions

Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Check whether you are blacklisted here http://www.mxtoolbox.com/blacklists.aspx

That will give a good idea as to where you stand.
UncleVirus (Author) commented:
Nope, not showing as an open relay (however I have trawled through config and changed several security options to alleviate the problem already).

Alan, I will read all of your links and reply back. Thank you both for such a prompt reply!
Alan Hardisty (Co-Owner) commented:
You are welcome - seen it time and time again, so it's an easy one to diagnose!
UncleVirus (Author) commented:
I think I found the cause of the problem...

Under the default SMTP Virtual Server properties, 'Anonymous Access' was ticked.

I have *NO IDEA* why this would have been ticked previously, but upon enabling it (temporarily), I have seen access attempts and the emails have started pouring out again.

I'm pretty sure this is the root cause, but I'm still making my way through the articles/blogs you gave me.
Alan Hardisty (Co-Owner) commented:
Anonymous Access is required otherwise you won't receive any mail.  Please leave that one ticked - the others are questionable, but Anonymous is essential.

Please read my article first - and then the blogs.
UncleVirus (Author) commented:
After following your guide, I have traced event ID 1708 to a user called 'TEST' created on our network. This seems to be how they got in, no doubt with a brute-force/dictionary attack. Time for a security audit methinks....!

Thank you for sharing that link, Alan - it came in extremely useful in tracking down the sender - not as easy as you'd think!
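Alan's guide itself is not reproduced in the thread, but the trail it leads to is the one UncleVirus followed: MSExchangeTransport event ID 1708, which Exchange 2003 logs for every successful SMTP authentication, naming the client IP, the method and the account. The Python below is an added example, not code from the thread or from Alan's article. It groups those events by account, records which source addresses each account authenticated from, and flags accounts that either authenticated from outside the local network or are not on a list of expected submitters (which is how a forgotten 'TEST' account stands out). The event export layout, the sample entries, the internal ranges (taken from the question: 192.168.0.0/24 and loopback) and the known-submitter list are all constructed for the example.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of MSExchangeTransport event 1708 entries, laid out as one exported
# Application-log entry per line.  The "date time eventid message" layout is an assumption
# for this example; the message text is the form Exchange 2003 logs on a successful
# SMTP authentication.
SAMPLE_EVENTS = """\
2010-03-02 01:12:44 1708 SMTP Authentication was performed successfully with client 203.0.113.45. The authentication method was LOGIN and the username was CORP\\TEST.
2010-03-02 01:12:51 1708 SMTP Authentication was performed successfully with client 203.0.113.45. The authentication method was LOGIN and the username was CORP\\TEST.
2010-03-02 01:13:02 1708 SMTP Authentication was performed successfully with client 198.51.100.7. The authentication method was LOGIN and the username was CORP\\TEST.
2010-03-02 08:30:10 1708 SMTP Authentication was performed successfully with client 192.168.0.57. The authentication method was NTLM and the username was CORP\\jsmith.
2010-03-02 08:31:00 1700 This SMTP protocol event is unrelated and is skipped by the parser.
"""

# Address ranges treated as internal (assumed from the question: the LAN and loopback).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("192.168.0.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Accounts the admin expects to submit mail over authenticated SMTP (constructed list).
KNOWN_SUBMITTERS = {"CORP\\jsmith"}

EVENT_1708 = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) 1708 SMTP Authentication was performed successfully "
    r"with client (?P<ip>\S+)\. The authentication method was (?P<method>\w+) "
    r"and the username was (?P<user>\S+)\.$"
)


def is_internal(ip):
    """True when the address falls inside one of INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def summarize_auth_events(text):
    """Group successful SMTP authentications (event 1708) by account.

    Returns {username: {"count": int, "ips": set, "external_ips": set, "methods": set}}.
    Lines that are not a 1708 event are ignored.
    """
    summary = defaultdict(
        lambda: {"count": 0, "ips": set(), "external_ips": set(), "methods": set()}
    )
    for line in text.splitlines():
        m = EVENT_1708.match(line.strip())
        if not m:
            continue
        entry = summary[m.group("user")]
        ip = m.group("ip")
        entry["count"] += 1
        entry["ips"].add(ip)
        entry["methods"].add(m.group("method"))
        if not is_internal(ip):
            entry["external_ips"].add(ip)
    return dict(summary)


def flag_suspicious(summary, known_submitters=KNOWN_SUBMITTERS):
    """Return a list of (username, reasons) for accounts that warrant a look.

    An account is flagged when it authenticated from an external address, or when it is
    not on the expected-submitter list (the forgotten 'TEST' account case from the thread).
    """
    flagged = []
    for user, entry in sorted(summary.items()):
        reasons = []
        if entry["external_ips"]:
            reasons.append("authenticated from %d external IP(s): %s" % (
                len(entry["external_ips"]), ", ".join(sorted(entry["external_ips"]))))
        if user not in known_submitters:
            reasons.append("account is not in the expected-submitter list")
        if reasons:
            flagged.append((user, reasons))
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_suspicious(summarize_auth_events(SAMPLE_EVENTS)):
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, the same two checks give you the list of accounts to disable or reset first; the per-account IP set also tells you which addresses to block at the perimeter while the account is cleaned up.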
 
Alan Hardisty (Co-Owner) commented:
Nope - they can be tricky but hopefully now you have closed the hole.

My blogs discuss some security measures you might want to incorporate and also the SMTP Virtual Server settings that may / may not be needed.  If you only have Anonymous Access enabled - this sort of problem won't happen again.

Do you have external users using SMTP / POP3 on your server or have you got RPC over HTTPS configured (which means you can lose Basic & Integrated Windows Authentication)?
UncleVirus (Author) commented:
Yes, we do use RPC over HTTPS (Mostly for Outlook over HTTP for remote workers). We also have iDevices and WinMo devices fetching email - Some by POP/IMAP unfortunately. I have blocked access to the IP address in question anyway to further deter any connection attempts. I will continue to read your guide and tweak any security where I can. I'm going to award points as you've helped me lock up the box and find the root of the problem.

Moral of the story: Keep a bloody good eye on your user accounts!
Alan Hardisty (Co-Owner) commented:
Yep - that's a good moral.

It is usually a forgotten about account with a weak password that gets located first.  If you can lose the POP / IMAP / SMTP access, it would improve security and also make sure you don't have RDP (TCP port 3389) open and forwarded to the server as that's another sure-fire way to get hacked!

Glad things are looking better.

Alan
UncleVirus (Author) commented:
I opted for the VPN, then RDP approach instead of opening port 3389 direct to the interwibble!

Take care,
UncleVirus
Alan Hardisty (Co-Owner) commented:
A much better option - and much safer.

So go tweak your Security policies and upset your users by forcing horribly long and complex passwords.

Did you manage to avoid the blacklists?  www.mxtoolbox.com/blacklists.aspx / www.blacklistalert.org

Alan
UncleVirus (Author) commented:
Apologies, thought I closed this.

We did indeed avoid the blacklists, however Zen weren't too happy (Mailhost relay) - All sorted now though :-)
Question has a verified solution.