Compromised configuration: Exchange 2003 & Open relay?

Last Modified: 2012-05-11
After a call from my ISP last night it appears someone has been sending spam through our exchange server.  I have checked the usual places, however found some alarming 'default' settings.

We do not allow relaying from any old IP, (Only 127.0.0.1 and the 192.168.0.XX (IP of domain controller - Exchange also hosted on same machine).

What would be the first setting to check? This needs securing before my ISP will allow me to send mail again!

Thanks!

Rajith Enchiparambil, Office 365 & Exchange Architect
Commented:
Alan Hardisty, Co-Owner (Certified Expert, Top Expert 2011)
Commented:

Author

Commented:
Nope, not showing as an open relay (however I have trawled through the config and changed several security options to alleviate the problem already).

Alan, I will read all of your links and reply back. Thank you both for such a prompt reply!
Alan Hardisty, Co-Owner
Commented:
You are welcome - seen it time and time again, so it's an easy one to diagnose!
Alan Hardisty, Co-Owner
Commented:
Anonymous Access is required, otherwise you won't receive any mail. Please leave that one ticked - the others are questionable, but Anonymous is essential.

Please read my article first - and then the blogs.
Co-Owner (Certified Expert, Top Expert 2011)
Commented:

Author

Commented:
Yes, we do use RPC over HTTPS (mostly for Outlook over HTTP for remote workers). We also have iDevices and WinMo devices fetching email - some by POP/IMAP, unfortunately. I have blocked access to the IP address in question anyway to further deter any connection attempts. I will continue to read your guide and tweak any security where I can. I'm going to award points as you've helped me lock up the box and find the root of the problem.

Moral of the story: Keep a bloody good eye on your user accounts!
Alan Hardisty, Co-Owner
Commented:
Yep - that's a good moral.

It is usually a forgotten-about account with a weak password that gets located first. If you can lose the POP / IMAP / SMTP access, it would improve security, and also make sure you don't have RDP (TCP port 3389) open and forwarded to the server, as that's another sure-fire way to get hacked!

Glad things are looking better.

Alan
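
As an added illustration of Alan's point about a forgotten account being picked up and used to relay (example code written for this page, not from the thread or its participants): this Python script reads Exchange 2003 SMTP virtual server protocol logs in W3C extended format, counts MAIL commands per authenticated account and the distinct outside client IPs they came from, and flags the outliers. The field layout, internal address ranges, thresholds and the log records themselves are assumptions constructed for the example.

```python
"""Spot an account being used for authenticated SMTP relay in Exchange 2003 logs:
parse W3C extended SMTP protocol log records (layout taken from the #Fields: line,
assumed to match Exchange 2003 / IIS 6), then count MAIL commands per authenticated
account and the distinct outside client IPs they came from, and flag outliers."""
from collections import defaultdict
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "127.0.0.0/8")]

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, parts))

def relay_stats(text):
    """Per authenticated user: count of MAIL FROM commands and set of external client IPs."""
    stats = defaultdict(lambda: {"mail_cmds": 0, "external_ips": set()})
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if rec["cs-method"] != "MAIL" or user == "-":  # "-" = anonymous inbound delivery
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        stats[user]["mail_cmds"] += 1
        if not any(ip in net for net in INTERNAL_NETS):
            stats[user]["external_ips"].add(str(ip))
    return stats

def suspicious_accounts(text, max_cmds=20, max_external_ips=2):
    """Accounts sending more mail, or from more outside IPs, than a normal user would."""
    return sorted(u for u, s in relay_stats(text).items()
                  if s["mail_cmds"] > max_cmds or len(s["external_ips"]) > max_external_ips)

def _rec(ip, user, method, query):  # one constructed 21-field log record
    return (f"2012-05-10 01:02:03 {ip} {user} SMTPSVC1 MAILSRV 192.168.0.20 25 "
            f"{method} - {query} 250 0 60 40 0 SMTP - - - -")
# Constructed sample log (not from the thread): a LAN user, anonymous inbound mail, and a forgotten account "oldtemp" relaying from 25 outside addresses.
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Internet Information Services 6.0",
     "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
     "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes "
     "cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)"]
    + [_rec("192.168.0.77", "alice", "MAIL", "+FROM:<alice@example.com>")] * 3
    + [_rec("203.0.113.9", "-", "MAIL", "+FROM:<news@example.net>")] * 5
    + [_rec(f"198.51.100.{i}", "oldtemp", "MAIL", "+FROM:<x@spam.example>") for i in range(1, 26)])
```

Calling `suspicious_accounts(SAMPLE_LOG)` on the constructed log returns `["oldtemp"]`; point it at a real SmtpSvc1 log file and tune the thresholds to your own user base.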

Author

Commented:
I opted for the VPN, then RDP approach instead of opening port 3389 direct to the interwibble!

Take care,
UncleVirus
Alan Hardisty, Co-Owner
Commented:
A much better option - and much safer.

So go tweak your Security policies and upset your users by forcing horribly long and complex passwords.

Did you manage to avoid the blacklists? www.mxtoolbox.com/blacklists.aspx / www.blacklistalert.org

Alan

Author

Commented:
Apologies, thought I closed this.

We did indeed avoid the blacklists, however Zen weren't too happy (mailhost relay) - all sorted now though :-)