Trying to find the source of SPAM

BHForum
My Exchange 2003 server outbound queues are loading up with SPAM.  Luckily, all email goes through our Barracuda, so everything got rate controlled to stop most of the email from leaving. I have the server tarpitted, but it looks like the SPAM is coming from an outside server relaying through mine. Here is a sample of the logs:

# Date      Time      client-ip      Client-hostname      Partner-Name      Server-hostname
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      

When I try to telnet into the Exchange server and send an email it shows that relaying cannot happen. What am I missing?
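An added example, not part of the original thread: a small Python script that parses log lines in the layout quoted above and flags external client IPs that open many SMTP sessions in a short window, which is the footprint of an abused authenticated-relay account. The sample log, the 5-sessions-in-60-seconds threshold and the private-address filter are constructed assumptions, not values from the question.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
# Constructed sample in the layout of the Exchange 2003 SMTP log quoted above
# (Date, Time, client-ip, Client-hostname, Partner-Name, Server-hostname).
SAMPLE_LOG = """\
# Date      Time      client-ip      Client-hostname      Partner-Name      Server-hostname
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:52 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:52 GMT      192.168.1.25      WKS-RECEPTION      -
5/15/2011      20:41:53 GMT      89.19.23.114      ESX20-1867      -
"""

def parse_line(line):
    """Return (timestamp, client_ip, client_hostname); None for blank, comment or malformed lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0].startswith("#"):
        return None
    try:
        ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %H:%M:%S")
        ip = ipaddress.ip_address(fields[3])  # fields[2] is the timezone token ("GMT")
    except ValueError:
        return None
    return ts, ip, fields[4]

def find_external_bursts(log_text, threshold=5, window_seconds=60):
    """Map each non-private client IP whose peak session count in any window_seconds span reaches threshold to (peak, hostname)."""
    stamps, hosts = defaultdict(list), {}
    for raw in log_text.splitlines():
        if (parsed := parse_line(raw)) is None:
            continue
        ts, ip, host = parsed
        if ip.is_private:  # RFC 1918 / loopback clients are not relay candidates for this check
            continue
        stamps[ip].append(ts)
        hosts[ip] = host
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[str(ip)] = (peak, hosts[ip])
    return flagged
```

Run it against a real SMTP log export and every IP it returns is a candidate for checking which account authenticated from it.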
Shabarinath Ramadasan, Infrastructure Architect

Commented:
Why should you allow an external machine to relay mails through your SMTP servers?
It should be restricted first.

Shaba
Co-Owner
Top Expert 2011
Commented:

Author

Commented:
alanhardisty

Thanks! I have set up the logging. It looks like this is happening every couple of days. I may or may not see log entries soon as I have changed the password for the domain admin to a pretty secure and pretty random password. If it's another account, I should definitely see it soon.

Thanks again! I should have some sort of results by the end of the week.

Author

Commented:
alanhardisty

Sorry...let me clarify some other points. This must be "authenticated relaying" as the source address is not within my domain and the emails are not NDRs. For inbound emails, our Barracuda does the authenticating and rejecting of invalid recipients.
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Well - if the Barracuda is authenticating the users - it presumably can still authenticate a spammer who has brute force attacked your system and obtained a username / password combo on a weak password account.

Do you allow Authenticated SMTP mail into your network, or just anonymous mail?

If you allow any form of authentication, then due to the Barracuda, increasing the logging on Windows probably won't help.

Can you increase the logging on the Barracuda?

Of course - it could always be a user using RPC over HTTPS with an infection too or an infected local computer.

Alan

Author

Commented:
The logs show an external IP address as the source, though. Does that make a difference?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Okay - if the external IP is the source, then someone external to your network is spamming via your server using a username / password to authenticate.

If you can't use the Barracuda logs to show which account is being used, then you might be faced with resetting ALL the passwords on your server, which will either be painful or not too bad, but necessary to put a stop to this attack.

Author

Commented:
I have about 65 users. If they gotta reset passwords, they gotta reset passwords. They are already on 90 day passwords with complexity rules in place (which is what leads me to believe it may be an administrative account). If the admin account is the case, I shouldn't see any more of this in the next few days. If it is someone else's account, it will be education time yet again. I should know by the weekend if this is fixed or not.

Thanks again!
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
You are welcome - at least you don't have 2,000+ accounts : )

If the users are on 90 day / complex passwords - then you might find a random account like admin / backup / or something as you say being used for admin purposes that has bypassed the stringent security measures and got picked off by a hacker.

I have been disabling Basic & Integrated Windows Authentication for all the servers I look after to prevent this form of attack (seen it way too many times to want to see one again - very messy).

Good luck.

Alan

Author

Commented:
Just as an update. It's Friday, still no SPAM flooding.

Setting the MSExchangeTransport logging of "Authentication" to maximum should log any authentication into the Security logs in the Event Viewer, correct? I haven't had any entries since 3/5/2011. Is that normal?
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Good news!  Logging in Exchange won't show anything if your users are being authenticated on the Barracuda device - so it would seem that whatever passwords you have changed so far included the account that was being abused.

Author

Commented:
I know the Barracuda wasn't where the login was occurring since the Exchange queues were backing up. Still clean today, looks like the password change did it. I'll still keep an eye out, but I think we're good to go. If not, I should get something in the security logs.

Thanks a bunch!!!
