mgedlaman asked:
Putting an end to spam on my network

I am administrating an Exchange server that is having problems. There is a ton of spam that seems to be originating from one user's computer. We have scanned and cleared his computer of an infection; however, I do not think this is the source of the problem.

I have checked the email headers, and traced it back to some sources:
212.74.220.224
113.162.167.46

There are about 30+ of these a day that appear to be coming from one user on the internal Exchange 2010 server.
They're from a ton of different sources.

My config at this location:
Exchange 2010
Server 2008 R2
GFI Essentials (not up to date yet, applying patch later today)
Most Windows updates are complete
AVG Mail Server edition 2011 is installed and up to date (we have a licence for 2012, I have to install this)

I'm unsure as to what to do at this point. What sort of email spam is this? (It's usually about foreign brides, or Viagra, etc.) Spoofing?

mgedlaman (asker):
I have a feeling that if I start emailing the server admins, I will end up generating more spam... that, and there's a ton of IP addresses this email is coming from.
Also, how do I prevent our server from becoming "infected" and starting to spam other companies?
I noticed his password is also pretty weak (4 numbers followed by 4 letters, all lower case, no symbols). Could this also be the source of the problem?
One suggestion was SPF; I'm looking for a manual now to see if it's already set up (perhaps incorrectly), or not.
Firstly, have you checked for your server being an open relay?
Do Exchange logs show the email originating internally?
Can you verify the above?
I have confirmed with a web service that it is not a relay open to the rest of the internet.

Yes, the Exchange logs show it coming from his email address; however, the client IP and hostname do not match his computer information.
I tracked the IP address to Poland... and his computer is here in Canada...
Thank you for responding. In the meantime, I have spoken to GFI support and set up their SPF record support, as it was not turned on. Also, I noticed that all internal email addresses were whitelisted.
For starters, I would change that user's password. Their account may have been compromised, and spam senders would be able to send email through your server as if they were that user.
what does mxtoolbox.com smtp diagnostics return?
Thank you, I will do.

OK - 204.191.xxx.xx resolves to mail.xxx.ca
Warning - Reverse DNS does not match SMTP Banner
0 seconds - Good on Connection time
Not an open relay.
5.445 seconds - Warning on Transaction time
ASKER CERTIFIED SOLUTION
Neil Russell
I second Neilsr. Spoofed email is hard to kill unless you enforce SPF lookups. Then, you can set GFI or any other mail filter to _only_ receive mail from your domain if it is sent from a valid IP address or FQDN listed in your DNS TXT record for SPF.

This, of course, means that other messages using your domain will be booted.  This could be from home users, remote admin services, firewall devices, web page referrals where you type your address as the 'from', e-commerce servers not explicitly listed in your DNS.

GFI does whitelist your existing users by default.  I suspended RBL filtering for a couple of days, and I've been deluged by spam from myself...looking for love in all the wrong places.

RBLs are one way to block SMTP traffic before message delivery, but they can block people from whom you _do_ want mail, but happened to be blacklisted for a temporary virus, or collateral damage when larger subnets are listed.  When you reject the traffic before SMTP, there is no "spam box" into which you can search for missing messages.  They just don't show up, and your users (and customers/vendors) won't know why.
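As an added illustration of the SPF enforcement Aleghart describes (example code written for this page, not code from the thread or from GFI): a minimal evaluator for the ip4/ip6/all mechanisms of an SPF record, run against a constructed DNS table with the placeholder domain example.ca, plus the "mail from our own domain must pass" rule that also rejects the legitimate home user mentioned above.

```python
import ipaddress

# Constructed DNS answers standing in for real TXT lookups (offline example).
# "example.ca", "softfail.example" and 204.191.0.x are placeholders, not the asker's real values.
DNS_TXT = {
    "example.ca": "v=spf1 ip4:204.191.0.10 ip4:204.191.0.0/29 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    rec = DNS_TXT.get(domain.lower())
    return rec if rec and rec.startswith("v=spf1") else None

def check_spf(client_ip, mail_from_domain):
    """Evaluate ip4/ip6/all mechanisms for the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none."""
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        q = "+"
        if term[0] in qualifiers:
            q, term = term[0], term[1:]
        if term == "all":
            return qualifiers[q]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return qualifiers[q]
        # a:, mx:, include: need further DNS lookups and are not handled here
    return "neutral"  # no mechanism matched and no "all" term present

def policy_decision(client_ip, mail_from_domain, own_domain):
    """Filter rule: accept mail claiming to be from our own domain only on SPF pass."""
    result = check_spf(client_ip, mail_from_domain)
    if mail_from_domain.lower() == own_domain.lower() and result != "pass":
        return ("reject", result)
    return ("accept", result)

# Constructed sessions: our own server, a foreign host spoofing us, a home user sending as us.
SESSIONS = [
    ("204.191.0.10", "example.ca"),    # listed in the record -> pass, accepted
    ("212.74.220.224", "example.ca"),  # not listed, -all -> fail, rejected
    ("203.0.113.5", "example.ca"),     # legitimate but unlisted -> also rejected
]
if __name__ == "__main__":
    for ip, dom in SESSIONS:
        print(ip, dom, policy_decision(ip, dom, "example.ca"))
```

The third session is the collateral damage the post warns about: any sender not explicitly listed in the record is treated the same as the spoofer.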
So, what you two are saying is that I can set up SPF, which should help some, but if I set the settings too high, then I will end up screwing myself?

What about contacting the administrators that are looking after the systems that are sending the spam? Are they looking after compromised systems, or are they the ones that are responsible?
SOLUTION
Thank you Neilsr for sticking in with me, and thank you goes to Aleghart for finishing up in the end.

Good advice gentlemen :)

Sorry for taking my sweet time to get back to you. With the password change and turning on the GFI SPF, life is good now :)