BHForum

Trying to find the source of SPAM

My Exchange 2003 server outbound queues are loading up with SPAM.  Luckily, all email goes through our Barracuda, so everything got rate controlled to stop most of the email from leaving. I have the server tarpitted, but it looks like the SPAM is coming from an outside server relaying through mine. Here is a sample of the logs:

# Date      Time      client-ip      Client-hostname      Partner-Name      Server-hostname
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -      

When I try to telnet into the Exchange server and send an email it shows that relaying cannot happen. What am I missing?
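A small log-triage script, added here as an example and not part of the thread, that parses lines in the column layout shown above and flags any external client-ip that opens many SMTP sessions inside a short window. The sample lines and the internal address ranges are constructed assumptions, not the asker's real log.

```python
"""Flag burst SMTP sessions from one external client in an Exchange 2003 SMTP log."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the column layout from the question; not real traffic.
SAMPLE_LOG = """\
# Date      Time      client-ip      Client-hostname      Partner-Name      Server-hostname
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:51 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:52 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:41:52 GMT      89.19.23.114      ESX20-1867      -
5/15/2011      20:42:05 GMT      192.168.1.25      WS-FINANCE      -
"""

# Assumed internal ranges (RFC 1918); adjust to the site's own addressing.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

def parse_log(text):
    """Yield (timestamp, client_ip, client_hostname) for each data line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        cols = line.split()       # date, time, zone, client-ip, hostname, ...
        ts = datetime.strptime(f"{cols[0]} {cols[1]}", "%m/%d/%Y %H:%M:%S")
        yield ts, cols[3], cols[4]

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_bursts(text, window_s=60, threshold=5):
    """Return {client_ip: total_sessions} for external clients that open
    `threshold` or more sessions inside any `window_s`-second sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_log(text):
        if is_external(ip):
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Any IP it returns is a candidate for the authenticated account abuse discussed below; the matching username still has to come from the authentication logs on whichever device performs SMTP AUTH.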

Shabarinath TR

Why should you allow an external machine to relay mails through your SMTP servers?
It should be restricted first.

Shaba
ASKER CERTIFIED SOLUTION
Alan Hardisty

BHForum

ASKER

alanhardisty

Thanks! I have set up the logging. It looks like this is happening every couple of days. I may or may not see log entries soon, as I have changed the password for the domain admin to a pretty secure and pretty random password. If it's another account, I should definitely see it soon.

Thanks again! I should have some sort of results by the end of the week.
BHForum

ASKER

alanhardisty

Sorry...let me clarify some other points. This must be "authenticated relaying" as the source address is not within my domain and the emails are not NDRs. For inbound emails, our Barracuda does the authenticating and rejecting of invalid recipients.
Alan Hardisty

Well - if the Barracuda is authenticating the users - it presumably can still authenticate a spammer who has brute force attacked your system and obtained a username / password combo on a weak password account.

Do you allow Authenticated SMTP mail into your network, or just anonymous mail?

If you allow any form of authentication, then due to the Barracuda, increasing the logging on Windows probably won't help.

Can you increase the logging on the Barracuda?

Of course - it could always be a user using RPC over HTTPS with an infection too or an infected local computer.

Alan
BHForum

ASKER

The logs show an external IP address as the source, though. Does that make a difference?
Alan Hardisty

Okay - if the external IP is the source, then someone external to your network is spamming via your server using a username / password to authenticate.

If you can't use the Barracuda logs to show which account is being used, then you might be faced with resetting ALL the passwords on your server, which will either be painful or not too bad, but necessary to put a stop to this attack.
BHForum

ASKER

I have about 65 users. If they gotta reset passwords, they gotta reset passwords. They are already on 90 day passwords with complexity rules in place (which is what leads me to believe it may be an administrative account). If the admin account is the case, I shouldn't see any more of this in the next few days. If it is someone else's account, it will be education time yet again. I should know by the weekend if this is fixed or not.

Thanks again!
Alan Hardisty

You are welcome - at least you don't have 2,000+ accounts : )

If the users are on 90 day / complex passwords - then you might find a random account like admin / backup / or something as you say being used for admin purposes that has bypassed the stringent security measures and got picked off by a hacker.

I have been disabling Basic & Integrated Windows Authentication for all the servers I look after to prevent this form of attack (seen it way too many times to want to see one again - very messy).

Good luck.

Alan
BHForum

ASKER

Just as an update. It's Friday, still no SPAM flooding.

Setting the MSExchangeTransport logging of "Authentication" to maximum should log any authentication into the Security logs in the Event Viewer, correct? I haven't had any entries since 3/5/2011. Is that normal?
Alan Hardisty

Good news!  Logging in Exchange won't show anything if your users are being authenticated on the Barracuda device - so it would seem that whatever passwords you have changed so far included the account that was being abused.
BHForum

ASKER

I know the Barracuda wasn't where the login was occurring, since the Exchange queues were backing up. Still clean today; looks like the password change did it. I'll still keep an eye out, but I think we're good to go. If not, I should get something in the security logs.

Thanks a bunch!!!