User Sending SPAM, Trying to Find Cause

There is a user at our office sending spam.  On the Exchange 2010 Server, there is no relaying.  I tested this with MXToolbox.  Also on the server, ForeFront for Exchange is running.  I verified that MASS Sender and other spam-creating software was not present on the server or on the workstation.

The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.

The latest group of error messages coming in looks like this:
----------------------------------------

From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice

Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<jmichaeltaylor@btinternet.com>:
deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-Originating-IP: [99.23.52.238]
Authentication-Results: mta1025.bt.mail.ird.yahoo.com  from=yyy.com; domainkeys=neutral (no sig);  from=yyy.com; dkim=neutral (no sig)
Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>
Message-ID: <CHILKAT-MID-31cda581-6236-9dd8-4a0b-8ec3f0dafef6@serverin>
Return-Path: xxx@yyy.com


-------------------------------------------------------------

Is the NDR itself the SPAM?  From the looks of it, the perpetrators accessed the local Exchange server since they have the internal IP address.

Or is the user sending the SPAM from another application on their workstation?

Any help on this is greatly appreciated.

Thank you.
tedwill Asked:

jacobstewart Commented:
Why not just change her domain password and be done with it?
0
 
tedwillAuthor Commented:
It seems like the SPAM was coming from the outside and using either no credentials or credentials with nothing to do with her windows authentication.
0
 
jpvargassorucoCommented:
The user is sending the spam. Reboot the PC in safe mode and run a full antivirus scan; be sure to update your antivirus first.
Or enable a firewall and check which processes are connecting to the network.
0
 
tigermatt Commented:
The telltale lines in that trace are these:

Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400

The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP 95.225.151.32. A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:

32.151.225.95.in-addr.arpa      name = host32-151-static.225-95-b.business.telecomitalia.it

The first line simply indicates that the message was relayed through your server to Yahoo.

If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.

-Matt
0
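The bottom-up reading of the Received chain that Matt describes, as an added example (not from the original thread): it unfolds the headers of a message copy, walks the hops from origin to destination, and flags the hop where a non-private address handed the message to the organisation's own server. The sample headers are constructed from the bounce quoted in the question; the server-name suffix is an assumed parameter.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample: the Received chain and envelope from the bounce copy in the question.
BOUNCE_COPY = """\
Received: from 127.0.0.1  (EHLO lawserv3.barton-larson.local) (99.23.52.238)
  by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
 (192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
 08:56:04 -0400
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet.com>

(message body)
"""

RECEIVED_RE = re.compile(r"from\s+(?P<claimed>\S+)(?P<rest>.*?)\s+by\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_received(value):
    """Return {claimed, ip, by} for one Received header, or None if it has no from/by."""
    value = " ".join(value.split())          # unfold RFC 5322 continuation lines
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ips = IP_RE.findall(m.group("rest"))     # the receiving MTA's view of the peer address
    return {"claimed": m.group("claimed"), "ip": ips[-1] if ips else None, "by": m.group("by")}

def hops_origin_first(raw_message):
    """Received headers are prepended per hop, so the last one is the earliest hop."""
    msg = message_from_string(raw_message)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    return list(reversed(hops))

def find_external_submission(raw_message, our_server_suffix):
    """First hop where a non-private address submitted directly to one of our servers."""
    for hop in hops_origin_first(raw_message):
        if hop["ip"] and hop["by"].lower().endswith(our_server_suffix.lower()):
            if not ipaddress.ip_address(hop["ip"]).is_private:
                return hop
    return None

def reverse_dns(ip):
    """Best-effort PTR lookup (needs network); None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

if __name__ == "__main__":
    hop = find_external_submission(BOUNCE_COPY, "barton-larson.local")
    print("external host submitted via our server:", hop)
```

Run against every NDR copy the user receives; the same external address (or a small set of them) showing up at that hop corroborates a relayed-with-stolen-credentials picture rather than malware on the workstation.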
 
tedwillAuthor Commented:
Thanks!
0
 
tedwillAuthor Commented:
Matt and Jacob -

Thanks for all your help.  It was such an easy solution.  I remember when Exchange 2000 and prior were open to relaying by default, and once I knew that Exchange 2010 was not, I stopped looking at an internal issue.  The minute I changed her password, the SPAM stopped.  Her password, though not very complex, is not something easy to guess.  I wonder how the SPAMMer got her Windows password.  She's an attorney and she's pretty good about not giving out passwords.

I appreciate you both pointing me in the right direction.
0
 
tigermattCommented:
Ted,

Not a problem at all. I'm glad the problem is sorted.

>> Her password though not very complex is not something easy to guess.  I wonder how the SPAMMer got her Windows password

There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.

Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).

-Matt
0