User Sending SPAM, Trying to Find Cause

Posted on 2012-04-04
There is a user at our office sending spam.  On the Exchange 2010 Server, there is no relaying.  I tested this with MXToolbox.  Also on the server, ForeFront for Exchange is running.  I verified that MASS Sender and other spam-creating software was not present on the server or on the workstation.

The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.

The latest group of error messages coming in looks like this:
----------------------------------------

From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<jmichaeltaylor@btinternet.com>:
deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9YNw1Fl0rzDROxqp9loqNlVa
 1iZKCLhNU_kpiKhZoCYadXXQkrHIkERLjDnuLY1ZL6Q1HJSh_3k6E6taHNCY
 eVpMFPIOMBFcxlhjHjIcalH3pC.q37sfGRVMMuLDHXFVsSuZdzuBhvIJKRoo
 B5S3vR1XTrTichzBWdSMdCOxjpFKDVjq2DBRQu5rkZ2npWir8Gv9hbiDAuJh
 OPP_AD6KuvouWmZUKsR9QTogjjMzXxrTAvMMRvtKTJQYDcvqplF5f92VwZqm
 bRlMzEh..QZtam16vQiGq3SUOXXm.MgMRxqFmTcGL3bJtCNz1lp36EMUJ8Cj
 tnu73J3w0hjFuyskYY_5RPqg2mi3YqLBxFWvJGbp3gMdE7IKZBny10FjcvUi
 wjbYaxnqPjSM4QN6LiADu8A-
X-Originating-IP: [99.23.52.238]
Authentication-Results: mta1025.bt.mail.ird.yahoo.com  from=yyy.com; domainkeys=neutral (no sig);  from=yyy.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>
Return-Path: xxx@yyy.com


-------------------------------------------------------------

Is the NDR itself the SPAM?  From the looks of it, the perpetrators accessed the local Exchange server since they have the internal IP address.

Or is the user sending the SPAM from another application on their workstation?

Any help on this is greatly appreciated.

Thank you.
Question by: tedwill

Accepted Solution

by: jacobstewart
why not just change her domain password and be done with it?

Author Comment

by: tedwill
It seems like the SPAM was coming from the outside and using either no credentials or credentials with nothing to do with her windows authentication.

Expert Comment

by: jpvargassoruco
The user is sending the spam, reboot the PC in safe mode and run a full antivirus scan, be sure to update your antivirus before.
Or enable a firewall and check which processes are connecting to the network.

Assisted Solution

by: tigermatt
The telltale lines in that trace are these:

Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400

The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP 95.225.151.32. A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:

32.151.225.95.in-addr.arpa      name = host32-151-static.225-95-b.business.telecomitalia.it

The first line simply indicates that the message was relayed through your server to Yahoo.

If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.

-Matt

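Reading the Received: chain the way Matt does above can be automated. The following is an added example, not code from this thread, from Exchange or from Yahoo: it parses the header block quoted in the NDR (reproduced inline as constructed sample input), walks the hops oldest first, and reports the IP address from which the message entered the organisation's own server, flagging it when that address is public rather than internal. The suffix `barton-larson.local` is taken from the quoted headers; the function and field names are this example's own.

```python
"""Locate where a bounced message entered the mail system by walking its
Received: chain oldest hop first.

Added example for this thread (not code from the original post). It assumes
the headers quoted from the Yahoo NDR and a caller-supplied suffix that
identifies the organisation's own mail servers.
"""
import ipaddress
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample: the header block quoted in the NDR, trimmed to the
# lines that matter for the trace.
SAMPLE_NDR_COPY = """\
Return-Path: <xxx@yyy.com>
X-Originating-IP: [99.23.52.238]
Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Subject: upon and soaked That does the underbrush gestured reached hood, now.

(message body omitted)
"""

# "from <name> [(comments)] by <host> ...": the from-clause is matched
# non-greedily so it stops at the first " by ".
HOP_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Hop:
    from_name: str            # what the connecting host called itself (EHLO/HELO)
    from_ip: Optional[str]    # the TCP peer the receiving MTA actually recorded
    by_host: str              # the MTA that wrote this Received: line


def parse_received(raw_message: str) -> List[Hop]:
    """Return the hops in delivery order (oldest first).

    MTAs prepend Received: lines, so the top header is the newest hop;
    reversing the list puts the submission hop at index 0.
    """
    msg = message_from_string(raw_message)
    hops: List[Hop] = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())        # unfold and squeeze whitespace
        m = HOP_RE.search(flat)
        if not m:
            continue
        from_clause = m.group("from")
        ips = IPV4_RE.findall(from_clause)
        # Heuristic: the rightmost IP literal in the from-clause is the peer
        # address the receiving MTA saw; anything before it is the client's claim.
        hops.append(Hop(from_clause.split()[0], ips[-1] if ips else None, m.group("by")))
    return hops


def is_external(ip: Optional[str]) -> bool:
    """True for a routable public address; False for RFC 1918, loopback, link-local or unknown."""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def analyze(raw_message: str, our_domain_suffix: str) -> Dict[str, object]:
    """Find the oldest hop handled by one of our servers and report where it came from.

    If our server accepted an outbound message directly from a public IP, the
    message was submitted from outside (through an authenticated or open relay)
    rather than from an internal client.
    """
    hops = parse_received(raw_message)
    ours = [h for h in hops if h.by_host.lower().endswith(our_domain_suffix.lower())]
    if not ours:
        return {"hops": hops, "entry_hop": None, "submitted_from": None, "external_submission": False}
    entry = ours[0]
    return {
        "hops": hops,
        "entry_hop": entry,
        "submitted_from": entry.from_ip,
        "external_submission": is_external(entry.from_ip),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_NDR_COPY, "barton-larson.local")
    for i, hop in enumerate(result["hops"]):
        print(f"hop {i}: {hop.from_name} ({hop.from_ip}) -> {hop.by_host}")
    print("entered our system from:", result["submitted_from"],
          "(external)" if result["external_submission"] else "(internal)")
```

For the quoted trace this reports that the message entered lawserv3 from 95.225.151.32, a public address, which is the pattern Matt describes: an outbound message for an internal sender that the Exchange server accepted from the Internet. The rightmost-IP heuristic fits the Exchange and Yahoo/qmail formats in this trace; other MTAs format the clause differently, so check a few real headers from your own server before relying on it.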
Author Closing Comment

by: tedwill
Thanks!

Author Comment

by: tedwill
Matt and Jacob -

Thanks for all your help.  It was such an easy solution.  I remember when Exchange 2000 and prior were open to relaying by default, and once I knew that Exchange 2010 was not, I stopped looking at an internal issue.  The minute I changed her password, the SPAM stopped.  Her password, though not very complex, is not something easy to guess.  I wonder how the spammer got her Windows password.  She's an attorney and she's pretty good about not giving out passwords.

I appreciate you both pointing me in the right direction.

Expert Comment

by: tigermatt
Ted,

Not a problem at all. I'm glad the problem is sorted.

>> Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password

There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.

Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).

-Matt