Got a spambot in my network

Posted on 2011-05-02
Medium Priority
Last Modified: 2012-05-11
Hi all,
I have Exchange 2003 SP2 behind ISA 2004 and Panda Enterprise as malware protection system. Today, I received an email from a user stating that emails he sent bounced back. When I checked, I found that our IP is blacklisted.  A look at the queues of ESM revealed some 25 queue folders. Those were all unknown, non-solicited destinations with one common factor: the email sender and the subject were the same.  The email is said to be sent from an international bank group, with which we have no relation whatsoever; I came to understand that my Exchange server is being used as a spambot.  However, I am short of understanding whether the spambot resides in Exchange itself, or uses an authentic user PC to send emails through our Exchange server as if it is sent from a user in the network.
I need help with the following please:
1 – Based on the details above, can someone figure out whether the spambot resides in Exchange server or not?
2 – The rule on ISA that allows Exchange to send messages out is configured for “All users”.  If I configure that to “All authenticated users”, Exchange fails to connect to our external DNS servers (set by our ISP) and thus fails to send any positive messages.  Is it ok to keep the rule that way?
3 – How can I, after fixing this, stop spam right before it gets out of our network?  Currently, only the Exchange server can get through port 25.  This eliminates the chances for other systems in the network to send spam.  However, such as in the current case, if Exchange is infected, what software is there to stop spam before it spreads out?

Question by:Yba02

Expert Comment

ID: 35508276
First thing to do is see if you are an open relay:  http://www.mxtoolbox.com/diagnostic.aspx

Check your SMTP logs on the exchange server to analyze if the messages are being sent from a client.  You might need to up the logging to see this.

Make sure you don't have outbound port 25 open for non-authorized machines. If everything can send outbound on port 25, then put a FW in to block the access from non-authorized machines.  Check firewall logs for the deny requests to see if it's direct from a client workstation.

If you can view the message, look at the SMTP headers.  That should include the source IP address if it's relayed from the client to the Exchange server.

Make sure these aren't non-delivery system messages on bounces and in fact they are outbound messages.

LVL 26

Expert Comment

by:Leon Fester
ID: 35508794
1. Check if you can retrieve the message headers. It should point you to the originating workstation/IP Address. SMTP logs can also help, if enabled.

2. Exchange won't authenticate when trying to send email out via the ISA box.
I'd rather change the rule that only the IP of the Exchange box be allowed to send outgoing and receive incoming SMTP traffic.

3. As a rule, we disable port 25 on all workstations, and only allow an approved list of servers to relay via the Exchange server. Consider changing your relay options first. A spambot would typically not be using authentication in order to avoid easy detection, since authentication requests are typically logged in the Event logs.

Author Comment

ID: 35508986
Hello guys,
1 - I am not an open relay, according to mxtoolbox.com.
2 - I have no clue where those messages physically are. Thus, I cannot check the message header.  The only reason I knew about these messages is that I saw them in the queues.  Besides, Exchange server log files show the same host name and IP address when it comes to the email in question.  The IP address is external. It is not in my network.  Moreover, there are two external IPs and two emails (sent to 1000's of people).  Each email is constantly sent from the same IP.  Also, each of the two emails constantly has the same fake sender.
3 - For ISA rules, there is a rule in place that bans port 25 on all machines in the network, except the Exchange box.
4 - I have been personally watching the queues in ESM for the past three hours or so.  After I have deleted all the pending emails, nothing new.  Knowing that all my client PCs are off at this time in this part of the world, I tend to think that the issue is not Exchange generated. But, I am not sure.
5 - It is vital for me to know any proven software that can keep the spam inside the network, if any!
6 – Can I take action against those who own the IP address?

LVL 76

Expert Comment

by:Alan Hardisty
ID: 35517231
LVL 29

Accepted Solution

pwindell earned 1000 total points
ID: 35517352
1. It would not be on the mail server (been down that road)

2. Mail headers are not going to help (been down that road, too)

3. It is going to be an infected user machine.  The user's machine is using the mail server with the SPAM infection either acting like a mail client itself or using the existing configured mail client, therefore the Mail Headers are useless because this method makes your Mail server the origination point,...and it is not fake,...your mail server really is the true origination point.

What to do....

Scan every machine on the LAN, WAN, Remote Users, etc.  You may have to scan with multiple products because no one product gets it all.

Find a third party you can use as an SMTP Smart Host that will filter out SPAM coming from your system.  This could be a cloud service or an appliance you put in your own LAN.  You will have to have your MX Record and your DNS Reverse Lookup Pointer records altered to correspond to the address change that would ensue from doing this.

Comments on your numbered list:

1. A Default Installation of Exchange will not be an open relay.  It only becomes an open relay when people screw around with it in ways they should not.
2. Can't explain the public IP#s in the Headers,..but they could be faked as well.
3. ISA not allowing SMTP from anywhere but Exchange,....excellent choice!!!
4. Yes it is coming from an infected client (any infected client) maybe even a VPN user,...it could just simply be any client,...doesn't even have to be a domain member (but probably is a domain member).  When the user goes "offline" the SPAM will stop.  Paying attention to those start-times and stop-times can help narrow down the infected client.
5. Barracuda makes great Spam Filtering Appliances.  They are capable of filtering in both directions, but may be best if you use a separate device for each direction (one for inbound, one for outbound).
6. No you can't take action against IP addresses:
     A. they are probably faked anyway
     B. if not faked then they are probably just infected victims "along the way" just like you and either don't know they are infected or are struggling with it just like you.  Would you want anyone to take action against you, since you would appear in the headers they get?
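
The first expert's advice (raise SMTP logging and see which client the submissions come from) and point 4 above (the spam starts and stops with the infected workstation) can be turned into a small triage script. This is an added example, not code from this thread or from any of the products mentioned: it parses SMTP protocol log lines in an assumed W3C-style layout (date, time, client IP, SMTP verb, argument), counts MAIL FROM submissions per client IP, flags clients that submit mail for a sender domain other than our own (here assumed to be example.com), and reports each client's active window. The sample log lines are constructed for the example.

```python
"""Added example: tally MAIL FROM submissions per client IP from SMTP
protocol log lines, flag hosts submitting mail for domains that are not
ours, and report each host's first/last activity.  The log layout is an
assumption modelled on a W3C-style SMTP protocol log; the sample lines
below are constructed, not real data."""
from datetime import datetime

# Constructed sample log (assumed layout: date time c-ip cs-method cs-uri-query).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query
2011-05-02 03:10:05 10.0.0.57 MAIL +FROM:<alerts@example-bank.test>
2011-05-02 03:10:05 10.0.0.57 RCPT +TO:<victim1@example.net>
2011-05-02 03:10:06 10.0.0.57 MAIL +FROM:<alerts@example-bank.test>
2011-05-02 03:10:06 10.0.0.57 RCPT +TO:<victim2@example.net>
2011-05-02 03:11:40 10.0.0.57 MAIL +FROM:<alerts@example-bank.test>
2011-05-02 09:02:13 10.0.0.12 MAIL +FROM:<alice@example.com>
2011-05-02 09:15:44 10.0.0.12 MAIL +FROM:<alice@example.com>
2011-05-02 11:47:01 10.0.0.31 MAIL +FROM:<bob@example.com>
"""


def parse_mail_commands(text):
    """Yield (timestamp, client_ip, envelope_sender) for each MAIL line;
    header (#) lines and other SMTP verbs are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[3] != "MAIL":
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        # The argument looks like +FROM:<addr>; keep the bare address.
        sender = parts[4].split(":", 1)[1].strip("<>").lower()
        yield ts, parts[2], sender


def summarize(text):
    """Per client IP: number of MAIL commands, distinct envelope senders,
    and the first/last timestamps seen."""
    stats = {}
    for ts, ip, sender in parse_mail_commands(text):
        s = stats.setdefault(ip, {"count": 0, "senders": set(), "first": ts, "last": ts})
        s["count"] += 1
        s["senders"].add(sender)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
    return stats


def foreign_senders(stats, local_domain):
    """Client IPs that submitted mail with an envelope sender outside our
    own domain (a forged 'bank' sender like the one in the question)."""
    hits = {}
    for ip, s in stats.items():
        bad = {a for a in s["senders"] if not a.endswith("@" + local_domain.lower())}
        if bad:
            hits[ip] = bad
    return hits


def high_volume_clients(stats, threshold):
    """Client IPs with at least `threshold` submissions, sorted."""
    return sorted(ip for ip, s in stats.items() if s["count"] >= threshold)


def active_window_seconds(stats, ip):
    """Seconds between the first and last submission from a client; comparing
    this with when each workstation was on or off helps narrow down the host."""
    s = stats[ip]
    return (s["last"] - s["first"]).total_seconds()


if __name__ == "__main__":
    st = summarize(SAMPLE_LOG)
    for ip in high_volume_clients(st, 3):
        print(ip, st[ip]["count"], "submissions, active for",
              active_window_seconds(st, ip), "s")
    print("non-local envelope senders:", foreign_senders(st, "example.com"))
```

Run against a real protocol log, the client IP with many submissions, a sender domain that is not yours, and an activity window that matches one workstation's power-on hours is the machine to pull off the network and scan; the threshold and field positions will need adjusting to the actual log format.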

LVL 29

Expert Comment

ID: 35517450
If I were building a SPAM Bot I would:

1. Have it operate as an infection on a machine so that it would be invisible without a way to easily turn it off.

2. I would have it pre-load the messages with fake headers with trumped up public IP# so that it would appear to have involved other mail systems back-stream even though the message was actually being generated for the first time right on the locally infected workstation.

3. Try to leverage the existing MAPI Client (Outlook) so as to get past the required authentication to send mail through the Corp Exchange.  Also since messages through Outlook seem to have more limited tracking information than messages originating from traditional SMTP Clients it might help make tracking more difficult.

That is just my wild imagination at work,...but it seems to me to be just what these things are doing when I had to fight with one of these situations last year.
LVL 37

Expert Comment

by:Jian An Lim
ID: 35533093
From a business perspective, I would

1. make sure I can restore the service back online with risk.
To do so, I would mail relay all my email (spam or not spam) towards a mail relay service that has antispam protection.
Something like www.mailguard.com.au (they have a 7-day trial version).

This will at least get your email going out.

2. find whether it is your Exchange server (if an administrator used it like a workstation and browsed the internet... don't laugh at this, I have seen this before), or your client machine.

3. if you think it is your client machine, then start an AV sweep on all machines and find who is sending this email out.

Point 1 buys you some time, as your email service is still working, but at risk.

Author Closing Comment

ID: 35713091
A comprehensive answer that left no points unanswered.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35713105
So what was it that solved your problem?

Author Comment

ID: 35713209
It was not only because the problem was solved; it was also because the answer chosen addressed my problem in every detail I have raised.
I have read the article.  It speaks about something similar to my case, but not exactly the case I have.
After comprehensive analysis, a close eye on Exchange queues and using trial and error to eliminate potential causes one by one, here is the part that solved my problem:
"3. It is going to be an infected user machine.  The user's machine is using the mail server with the SPAM infection either acting like a mail client itself or using the existing configured mail client, therefore the Mail Headers are useless because this method makes your Mail server the origination point,...and it is not fake,...your mail server really is the true origination point."

Hope this helps.

LVL 76

Expert Comment

by:Alan Hardisty
ID: 35713277
That's great - thanks for the clarification.  It will help future searchers who come across this question.

LVL 29

Expert Comment

ID: 35720522
Thanks for everyone's input.
Thanks Yba02 for clarifying what actually solved it.

Good luck with it.
