
How to stop Exchange attack

Hi Experts,

Someone or something is attempting to use our Exchange server to send out spam... after turning on logging, it is showing a stack of Event 7002 failures in the Application event log.

"This is an SMTP protocol warning log for virtual server ID 1, connection #25. The remote host "216.228.104.16", responded to the SMTP command "rcpt" with "450 4.1.1 <sfb@ncol.net>: Recipient address rejected: User unknown in local recipient table  ". The full command sent was "RCPT TO:<sfb@ncol.net>  ".  This may cause the connection to fail."

Ran virus check, all clear.

I know others in EE have had this, but the results seem not to be what I am after.

I have checked we are not an open relay via Network Abuse Clearing House, and also run various options via the following link:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp


What can I do to stop this from happening? As there is a stack of entries in the SMTP queue.

thanks in advance.


Commented:
I think some application within your organization is trying to relay mail using your Exchange server. Since you have enabled SMTP logging, you should know the source machine that is initiating the request.

I believe you are allowing only authenticated users and whitelisted machines to relay using the SMTP virtual server. If yes, check whether the source machine IP address is whitelisted by any chance. Go ahead and remove it from the whitelist.
Looks like someone is running a dictionary attack to get a list of all possible user accounts on your domain. Do you have anyone with the e-mail address of sfb@ncol.net?

I don't think there's much you can do on the Exchange server. I would block the IP address 216.228.104.16 on the router so the SMTP requests don't hit the Exchange server. A better long-term solution is to implement a mail gateway device like Cisco IronPort to filter out these things even before they hit the servers.
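As an added example (not code posted by anyone in this thread, and not a tool the posters used), here is a small Python script that tallies Event ID 7002 messages in the format quoted in the question. One thing worth noticing about that format before deciding what to block: the event records the RCPT TO command that your own server sent and the remote host's reply to it, so the "remote host" in a 7002 entry is the destination mail server that refused the recipient, not the machine that injected the message. Tallying the entries by recipient domain, remote host and response code shows what the queue is trying to deliver and where it is being refused. The sample messages are constructed: 216.228.104.16 and sfb@ncol.net come from the quoted event, the other hosts are documentation-range addresses and the other recipients are made up.

```python
"""Tally Exchange Event ID 7002 SMTP protocol warnings.

Added example for this thread (not code posted by anyone in it). It keys
on the 7002 message wording quoted in the question: the event records the
RCPT TO that *our* server sent and the remote host's reply, so "remote host"
is the destination mail server, not the machine that injected the message.
"""
import re
import sys
from collections import Counter

# Constructed sample messages in the 7002 format quoted in the question.
# 216.228.104.16 and sfb@ncol.net come from the quoted event; the other
# hosts (documentation ranges) and recipients are made up for the example.
# The last entry is a constructed non-7002 line to show it is skipped.
SAMPLE_EVENTS = [
    'This is an SMTP protocol warning log for virtual server ID 1, connection #25. '
    'The remote host "216.228.104.16", responded to the SMTP command "rcpt" with '
    '"450 4.1.1 <sfb@ncol.net>: Recipient address rejected: User unknown in local '
    'recipient table  ". The full command sent was "RCPT TO:<sfb@ncol.net>  ".  '
    'This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #26. '
    'The remote host "216.228.104.16", responded to the SMTP command "rcpt" with '
    '"450 4.1.1 <jdoe@ncol.net>: Recipient address rejected: User unknown in local '
    'recipient table  ". The full command sent was "RCPT TO:<jdoe@ncol.net>  ".  '
    'This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #27. '
    'The remote host "192.0.2.25", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown  ". '
    'The full command sent was "RCPT TO:<nobody@example.org>  ".  '
    'This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #28. '
    'The remote host "198.51.100.7", responded to the SMTP command "rcpt" with '
    '"450 4.7.1 <user@example.net>: Greylisted, try again later  ". '
    'The full command sent was "RCPT TO:<user@example.net>  ".  '
    'This may cause the connection to fail.',
    'Message delivery to the host "203.0.113.9" failed for the following reason: '
    'The connection was dropped by the remote host.',
]

EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", '
    r'responded to the SMTP command "(?P<cmd>[^"]+)" with "(?P<resp>.*?)"\.\s+'
    r'The full command sent was "(?P<full>.*?)"\.',
    re.DOTALL,
)
ADDR_RE = re.compile(r"<([^>]+)>")


def parse_event(text):
    """Return the fields of one 7002 message, or None if it is not one."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    resp = m.group("resp").strip()
    code = resp[:3] if resp[:3].isdigit() else None
    addr = ADDR_RE.search(m.group("full"))
    recipient = addr.group(1).strip().lower() if addr else None
    domain = recipient.rsplit("@", 1)[1] if recipient and "@" in recipient else None
    return {
        "connection": int(m.group("conn")),
        "remote_host": m.group("host"),
        "command": m.group("cmd").upper(),
        "code": code,
        # 5xx is a permanent rejection; 4xx means the remote host asked us
        # to retry, which is why such messages sit in the queue and grow it.
        "permanent": code is not None and code.startswith("5"),
        "recipient": recipient,
        "recipient_domain": domain,
    }


def summarize(messages):
    """Aggregate a list of event message texts; non-7002 text is skipped."""
    events = [e for e in map(parse_event, messages) if e is not None]
    return {
        "parsed": len(events),
        "by_remote_host": Counter(e["remote_host"] for e in events),
        "by_recipient_domain": Counter(
            e["recipient_domain"] for e in events if e["recipient_domain"]
        ),
        "by_code": Counter(e["code"] for e in events if e["code"]),
        "permanent_failures": sum(1 for e in events if e["permanent"]),
    }


def main():
    # With a file argument, read one event message per line (assumed export
    # format); otherwise run on the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            messages = [line.rstrip("\n") for line in f if line.strip()]
    else:
        messages = SAMPLE_EVENTS
    s = summarize(messages)
    print(f"parsed {s['parsed']} 7002 events, {s['permanent_failures']} permanent (5xx)")
    for label in ("by_recipient_domain", "by_remote_host", "by_code"):
        print(label + ":")
        for key, n in s[label].most_common():
            print(f"  {n:5d}  {key}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the tally over the constructed samples, or pass a text file with one exported 7002 message per line. The useful signal is the recipient-domain tally: a long list of unknown users at a few external domains tells you what the queued messages are, while the remote-host column only tells you which destination servers are refusing them.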
AndrewPartner

Author

Commented:
Paarun - I couldn't see a particular machine that is sending with the App logs; will have another look later today when back on site.

Multifunctional - No, we don't have that address; that was just an example, there are so many different ones, but they all appear to be failing. But what worries me is if some are getting out and we suddenly get ourselves on a blacklist; that happened to me once before and it was a nightmare for about a week.

What they are doing as well is they have a couple of our email addresses and are sending spam through to each of the users within the organisation.

We have Untangle as the UTM and it stops most of the spam coming in, but one particular internal address gets hammered and a bit has been getting through Untangle to that address of late.

Maybe I need to look at a mail gateway solution as you suggest; wasn't aware of the Cisco. Is GFI MailEssentials any good, and would they work in with Untangle?
They shouldn't be able to get out if you don't have open relay enabled, but I would block those IP addresses on the firewall/router and watch the queue closely.

Yes, Cisco IronPorts are great, so are Barracuda mail gateways. For incoming mail, you basically point your MX records to the appliance (IronPort or Barracuda), and the appliance to your Exchange server. IronPort, for example, scans with McAfee and Sophos, and also does all kinds of spam filtering checks (RDNS, heuristic, public blacklists, etc.). For outgoing, you point your Exchange send connectors to the appliance (as a smart host), which runs all those scans before sending them out. You can also implement TLS encryption right on the device. Users can access the quarantined items through a web interface (AD integrated).

I have never used GFI, so I don't know, but they work well with hosted solutions such as Postini, MX Logic, or Global Relay, although those won't be necessary unless you are required to have your mail archived by a third party (ex. SEC regulations).

Hope this helps.

Add the IP address to the blocklist in your gateway.
AndrewPartner

Author

Commented:
Have attached some errors within the log; should I be concerned?

h4x0r_007 - it's not just one address, and it seems to change on a regular basis, such as the example attached. Any thoughts? Error 7010
multifunctional - Definitely something to think about, thanks. Error 7010 and 7004
They're trying to relay mail through your server, but your SMTP connector doesn't have "relay" enabled, which is the way it should be, so the spammers' e-mails shouldn't be going out. Nevertheless, you should block these IP addresses on your firewall.
Commented:
As others have said, you should block the suspected IP addresses trying to relay mail from your server.

However, if there are many IP addresses and they are changing constantly, that is of course not a very good solution, as it demands extra manual work for the IT department.

If your external firewall supports it, you should enable tarpitting and throttling to reduce how often and how many SMTP requests you are allowing for each individual IP address. If your firewall doesn't support it, you can also tune Exchange 2010's built-in support for tarpitting: http://technet.microsoft.com/en-us/library/bb123891.aspx

If you have very large amounts of legitimate email traffic, you would be better off with a Barracuda box or something similar, as they will stop 99% of those attempts before the traffic even hits your Exchange server. As an email admin for some years, I would say Barracuda is the best anti-spam appliance, but it's also pretty expensive.
AndrewPartner

Author

Commented:
Thanks for your expert advice.... As we are currently running Exchange 2003, we are looking at upgrading to SBS 2011 in the new year, and we might look at a new antispam solution as well.

I don't think the free Untangle version is working as well as it used to, so maybe it's time to move on. Thanks again for your help; I have awarded points accordingly. Thanks again.