Yba02

asked on

Got a spambot in my network

Hi all,
I have Exchange 2003 SP2 behind ISA 2004 and Panda Enterprise as malware protection system. Today, I received an email from a user stating that emails he sent bounced back. When I checked, I found that our IP is blacklisted. A look at the queues of ESM revealed some 25 queue folders. Those were all unknown, non-solicited destinations with one common factor: the email sender and the subject were the same. The email is said to be sent from an international bank group, with which we have no relation whatsoever; I came to understand that my Exchange server is being used as a spambot. However, I am short of understanding whether the spambot resides in Exchange itself, or uses an authentic user PC to send emails through our Exchange server as if it is sent from a user in the network.
I need help with the following please:
1 – Based on the details above, can someone figure out whether the spambot resides in Exchange server or not?
2 – The rule on ISA that allows Exchange to send messages out is configured for “All users”. If I configure that to “All authenticated users”, Exchange fails to connect to our external DNS servers (set by our ISP) and thus fails to send any positive messages. Is it ok to keep the rule that way?
3 – How can I, after fixing this, stop spam right before it gets out of our network? Currently, only the Exchange server can get through port 25. This eliminates the chances for other systems in the network to send spam. However, as in the current case, if Exchange is infected, what software is there to stop spam before it spreads out?

Regards
Yba
bearpeidog

First thing to do is see if you are an open relay:  http://www.mxtoolbox.com/diagnostic.aspx

Check your SMTP logs on the exchange server to analyze if the messages are being sent from a client.  You might need to up the logging to see this.

Make sure you don't have outbound port 25 open for non-authorized machines. If everything can send outbound on port 25, then put a FW in to block the access from non-authorized machines. Check firewall logs for the deny requests to see if it's direct from a client workstation.

If you can view the message, look at the SMTP headers. That should include the source IP address if it's relayed from the client to the Exchange server.

Make sure these aren't non-delivery system messages on bounces and in fact they are outbound messages.

Leon Fester
1. Check if you can retrieve the message headers. It should point you to the originating workstation/IP Address. SMTP logs can also help, if enabled.

2. Exchange won't authenticate when trying to send email out via the ISA box.
I'd rather change the rule that only the IP of the Exchange box be allowed to send outgoing and receive incoming SMTP traffic.

3. As a rule, we disable port 25 on all workstations, and only allow an approved list of servers to relay via the Exchange server. Consider changing your relay options first. A spambot would typically not be using authentication in order to avoid easy detection, since authentication requests are typically logged in the Event logs.
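Both answers above point at the SMTP protocol log as the place to tell an infected workstation from an infected server. The following script is an added example, not code from the thread or from Microsoft: it parses the W3C-format log that the IIS SMTP service behind Exchange 2003 writes (field order assumed from the `#Fields:` header, with the verb argument written as `+FROM:<...>` / `+TO:<...>`), and summarises, per client IP, how many RCPT commands it issued and which envelope senders it used. The log lines are constructed for the demo; one internal PC pushing many recipients for a single fake bank sender is the pattern being hunted.

```python
from collections import defaultdict

# Constructed sample log (not from the thread). Field order mirrors the IIS 6 /
# Exchange 2003 SMTP W3C log (assumption); IIS encodes the verb argument with '+'.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 02:10:01 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 EHLO - +PC57 250
2009-03-01 02:10:01 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<alerts@bank.example> 250
2009-03-01 02:10:01 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<a@victim.example> 250
2009-03-01 02:10:02 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<b@victim.example> 250
2009-03-01 02:10:02 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<c@victim.example> 250
2009-03-01 02:10:02 10.0.0.57 - SMTPSVC1 MAIL01 10.0.0.5 25 DATA - +<msg1@pc57> 250
2009-03-01 02:11:40 10.0.0.12 - SMTPSVC1 MAIL01 10.0.0.5 25 MAIL - +FROM:<jane@corp.example> 250
2009-03-01 02:11:40 10.0.0.12 - SMTPSVC1 MAIL01 10.0.0.5 25 RCPT - +TO:<partner@other.example> 250
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names apply to following lines
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) >= len(fields):
                yield dict(zip(fields, parts))

def summarize(text):
    """Per client IP: number of RCPT commands and the set of MAIL FROM addresses."""
    stats = defaultdict(lambda: {"rcpt": 0, "senders": set()})
    for rec in parse_w3c(text):
        ip, verb = rec["c-ip"], rec["cs-method"].upper()
        arg = rec["cs-uri-query"].lstrip("+")   # strip IIS space encoding
        if verb == "MAIL" and arg.upper().startswith("FROM:"):
            stats[ip]["senders"].add(arg[5:].strip("<>").lower())
        elif verb == "RCPT":
            stats[ip]["rcpt"] += 1
    return dict(stats)

def suspicious_clients(text, rcpt_threshold=3):
    """Client IPs that issued at least rcpt_threshold RCPT commands (raise for real volumes)."""
    return sorted(ip for ip, s in summarize(text).items() if s["rcpt"] >= rcpt_threshold)

if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG):
        print(ip, summarize(SAMPLE_LOG)[ip])
```

Run it against a day's `ex*.log` from the SMTP virtual server's log directory; a `c-ip` inside your LAN with a sender domain you do not own identifies the workstation to pull off the network, while a `c-ip` equal to the Exchange server itself points at the server.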
Yba02 (ASKER)

Hello guys,
1 - I am not an open relay, according to mxtoolbox.com.
2 - I have no clue where those messages physically are. Thus, I cannot check the message header. The only reason I knew about these messages is that I saw them in the queues. Besides, Exchange server log files show the same host name and IP address when it comes to the email in question. The IP address is external. It is not in my network. Moreover, there are two external IPs and two emails (sent to 1000s of people). Each email is constantly sent from the same IP. Also, each of the two emails constantly has the same fake sender.
3 - For ISA rules, there is a rule in place that bans port 25 on all machines in the network, except the Exchange box.
4 - I have been personally watching the queues in ESM for the past three hours or so. After I deleted all the pending emails, nothing new. Knowing that all my client PCs are off at this time in this part of the world, I tend to think that the issue is not Exchange generated. But I am not sure.
5 - It is vital for me to know any proven software that can keep the spam inside the network, if any!
6 – Can I take action against those who own the IP address?

Thanks
Yba
ASKER CERTIFIED SOLUTION
pwindell

If I were building a SPAM Bot I would:

1. Have it operate as an infection on a machine so that it would be invisible without a way to easily turn it off.

2. I would have it pre-load the messages with fake headers with trumped up public IP# so that it would appear to have involved other mail systems back-stream even though the message was actually being generated for the first time right on the locally infected workstation.

3. Try to leverage the existing MAPI client (Outlook) so as to get past the required authentication to send mail through the corporate Exchange. Also, since messages through Outlook seem to have more limited tracking information than messages originating from traditional SMTP clients, it might help make tracking more difficult.

That is just my wild imagination at work,...but it seems to me to be just what these things were doing when I had to fight with one of these situations last year.
From a business perspective, I will:

1. Make sure I can restore the service back online, with risk.
To do so, I will mail-relay all my email (spam or not spam) towards a mail relay service that has antispam protection.
Something like www.mailguard.com.au (they have a 7-day trial version).

This will at least get your email going out.

2. Find whether it is your Exchange server (if an administrator used it like a workstation and browsed the internet... don't laugh at this, I have seen this before), or if it is your client machine.

3. If you think it is your client machine, then start an AV sweep on all machines and find who is sending this email out.


Point 1 buys you some time, as your email service is still working but at risk.
Yba02 (ASKER)

A comprehensive answer that left no points unanswered.
So what was it that solved your problem?
Yba02 (ASKER)

It was not only because the problem was solved; it was also because the answer chosen addressed my problem in every detail I have raised.
I have read the article. It speaks about something similar to my case, but not exactly the case I have.
After comprehensive analysis, keeping a close eye on Exchange queues and using trial and error to eliminate potential causes one by one, here is the part that solved my problem:
"3. It is going to be an infected user machine. The user's machine is using the mail server with the SPAM infection either acting like a mail client itself or using the existing configured mail client, therefore the Mail Headers are useless because this method makes your Mail server the origination point,...and it is not fake,...your mail server really is the true origination point."

Hope this helps.


That's great - thanks for the clarification.  It will help future searchers who come across this question.

Alan
Thanks for everyone's input.
Thanks Yba02 for clarifying what actually solved it.

Good luck with it.