If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.
User Sending SPAM, Trying to Find Cause
there is a user at our office sending spam. On the Exchange 2010 Server, there is no relaying. I tested this with MXToolbox. Also on the server, ForeFront for Exchange is running. I verified that MASS Sender and other spam creating software was not present on the server or on the workstation.
The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.
The latest group of error messages coming in looks like this:
--------------------------
From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<jmichaeltaylor@btinternet
deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.
--- Below this line is a copy of the message.
Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9Y
1iZKCLhNU_kpiKhZoCYadXXQkr
eVpMFPIOMBFcxlhjHjIcalH3pC
B5S3vR1XTrTichzBWdSMdCOxjp
OPP_AD6KuvouWmZUKsR9QTogjj
bRlMzEh..QZtam16vQiGq3SUOX
tnu73J3w0hjFuyskYY_5RPqg2m
wjbYaxnqPjSM4QN6LiADu8A-
X-Originating-IP: [99.23.52.238]
Authentication-Results: mta1025.bt.mail.ird.yahoo.
Received: from 127.0.0.1 (EHLO lawserv3.barton-larson.loc
by mta1025.bt.mail.ird.yahoo.
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.loc
(192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding:
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet
Message-ID: <CHILKAT-MID-31cda581-6236
Return-Path: xxx@yyy.com
--------------------------
Is the NDR itself the SPAM? From the looks of it, the perpertrators accessed the local Exchange server since they have the internal IP address.
Or is the user sending the SPAM from another application on their workstation?
Any help on this is greatly appreciated.
Thank you.
The main reason that I believe the user has been compromised is the large number of emails she's receiving with NDRs and other non delivery issues.
The latest group of error messages coming in looks like this:
--------------------------
From: MAILER-DAEMON@yahoo.com [MAILER-DAEMON@yahoo.com]
Sent: Wednesday, April 04, 2012 9:56 AM
To: xxx
Subject: failure notice
Hi. This is the qmail-send program at yahoo.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.
<jmichaeltaylor@btinternet
deferring multiple deliveries to same user /I'm not going to try again; this message has been in the queue too long.
--- Below this line is a copy of the message.
Return-Path: <xxx@yyy.com>
Return-Path: <xxx@yyy.com>
Received-SPF: temperror (encountered temporary error during SPF processing of domain of yyy.com)
X-YMailISG: W4z_AFMWLDsojBD8H21Kr2qZ9Y
1iZKCLhNU_kpiKhZoCYadXXQkr
eVpMFPIOMBFcxlhjHjIcalH3pC
B5S3vR1XTrTichzBWdSMdCOxjp
OPP_AD6KuvouWmZUKsR9QTogjj
bRlMzEh..QZtam16vQiGq3SUOX
tnu73J3w0hjFuyskYY_5RPqg2m
wjbYaxnqPjSM4QN6LiADu8A-
X-Originating-IP: [99.23.52.238]
Authentication-Results: mta1025.bt.mail.ird.yahoo.
Received: from 127.0.0.1 (EHLO lawserv3.barton-larson.loc
by mta1025.bt.mail.ird.yahoo.
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.loc
(192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
08:56:04 -0400
MIME-Version: 1.0
Date: Tue, 3 Apr 2012 14:53:32 +0200
X-Priority: 3 (Normal)
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding:
Subject: upon and soaked That does the underbrush gestured reached hood, now. It of day and her, this
From: <xxx@yyy.com>
To: <jmichaeltaylor@btinternet
Message-ID: <CHILKAT-MID-31cda581-6236
Return-Path: xxx@yyy.com
--------------------------
Is the NDR itself the SPAM? From the looks of it, the perpertrators accessed the local Exchange server since they have the internal IP address.
Or is the user sending the SPAM from another application on their workstation?
Any help on this is greatly appreciated.
Thank you.
Who is Participating?
It seems like the SPAM was coming from the outside and using either no credentials or credentials with nothing to do with her windows authentication.
The user is sending the spam, reboot the PC in safe mode and run a full antivirus scan, be sure to update your antivirus before.
Or enable a firewall and check which processes are connecting to the network.
Or enable a firewall and check which processes are connecting to the network.
The telltale lines in that trace are these:
The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP 95.225.151.32. A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:
32.151.225.95.in-addr.arpa
The first line simply indicates that the message was relayed through your server to Yahoo.
If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.
-Matt
Received: from 127.0.0.1 (EHLO lawserv3.barton-larson.local) (99.23.52.238)
by mta1025.bt.mail.ird.yahoo.com with SMTP; Tue, 03 Apr 2012 12:53:51 +0000
Received: from serverin (95.225.151.32) by lawserv3.barton-larson.local
(192.168.1.4) with Microsoft SMTP Server id 14.1.355.2; Tue, 3 Apr 2012
08:56:04 -0400
The lower "Received" clause indicates your server received that message from a computer calling itself "serverin", at IP 95.225.151.32. A reverse DNS lookup on that address indicates it is registered to telecomitalia, presumably for one of their customers:
32.151.225.95.in-addr.arpa
The first line simply indicates that the message was relayed through your server to Yahoo.
If you are positive anonymous relaying is disabled, then you have a compromised user account on your system. The default receive connectors in Exchange 2010 should only permit an authenticated user to relay as their own email address. As the previous guys have said, you need to get that user's password changed ASAP and tidy up your queues of any email waiting to go out.
-Matt
Matt and Jacob -
Thanks for all your help. It was such an easy solution. I remember when Exchange 2000 and prior were open to relaying by default and once I knew that Exchange 2010 was not, I stopped looking at an internal issue. The minute I changed her password, the SPAM stopped. Her password though not very complex is not something easy to guess. I wonder how the SPAMMer got her Windows password. She's an attorney and she's pretty good about not giving out passwords.
I appreciate you both pointing me in the right direction.
Thanks for all your help. It was such an easy solution. I remember when Exchange 2000 and prior were open to relaying by default and once I knew that Exchange 2010 was not, I stopped looking at an internal issue. The minute I changed her password, the SPAM stopped. Her password though not very complex is not something easy to guess. I wonder how the SPAMMer got her Windows password. She's an attorney and she's pretty good about not giving out passwords.
I appreciate you both pointing me in the right direction.
Ted,
Not a problem at all. I'm glad the problem is sorted.
>> Her password though not very complex is not something easy to guess. I wonder how the SPAMMer got her Windows password
There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.
Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).
-Matt
Not a problem at all. I'm glad the problem is sorted.
>> Her password though not very complex is not something easy to guess. I wonder how the SPAMMer got her Windows password
There are any number of methods they can use these days to obtain a password. Chances are, this was some automated mechanism which was used to guess it. Chances are even more that it's someone external who is not known to the user or the company - they're just an opportunist. A brute force attack against your mail server/OWA login page is possible, or perhaps some keylogging software on an external computer which snatched the password when she logged in to her email. (This would still require someone to link OWA with the SMTP relay, though). Consider hardening the system a little with account lockout policies - lock an account for 30 minutes after X number of wrong passwords. This essentially stops a brute-force attack in its tracks.
Another problem I see quite often is a lack of encryption on the OWA access - or any other service published to the Internet which requests logon details. Not only should such connections be encrypted to ensure the credentials are securely passed to the server from foreign networks, it also means all the company-sensitive data which flows over those connections will not be privy to the eyes of unauthorised people. I would certainly check out OWA to ensure a certificate is in place and that HTTPS access is enforced (just publish port 443, and not 80, which forces people to use the secure route!).
-Matt
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
