Spam

Yba02
Hello,
Somehow, an intruder, or malware for that matter, managed to send loads of emails from my Exchange server. Fortunately, no one got harmed, except us, unfortunately!
Our email security host stopped our account because all of those emails were sent to them first, before being declined delivery as the emails' addresses were bogus. Below is the header of one of those emails, which I hope will tell part, if not all, of the story:

Received: from User ([200.207.87.225]) by ExchangeSrv.alfouadmkma.com with Microsoft SMTPSVC(6.0.3790.1830);
Mon, 21 May 2012 15:55:19 +0300
Reply-To: <personalemail206@gmail.com>
From: "Mrs. Faith Williams"<n0_reply@e-mailusa.info>
Subject: CAN I TRUST YOU?tst
Date: Mon, 21 May 2012 09:59:32 -0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: n0_reply@e-mailusa.info
Message-ID: <EXCHANGESRVNO84T3wL000002c2@ExchangeSrv.alfouadmkma.com>
X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) FILETIME=[FA5DB910:01CD3750]


I have a number of questions here:
1 – Does the header above tell anything as to how the attack was first launched?
2 – Can it be told whether the attack originated from an infected client in the network or from the Exchange server itself?
3 – Is there any technique in Exchange to stop such emails from being sent in the first place?

Kindly do not answer if you are not an expert and do not have sufficient knowledge in the matter.

Regards
Yahya
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
If n0_reply@e-mailusa.info is the email address and doesn't match your actual domain name, it means your mail server was operating as an open relay. I wrote a blog post on the subject a while back here: http://acbrownit.wordpress.com/2012/05/02/exchange-2010-relaying-how-to-use-it-how-to-turn-it-off/
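The two checks this answer and the next one describe (which host connected to the server, and whether the sender domain is one the server is responsible for) can be done mechanically from the top Received line. This is an added example, not code from the original page or from any of the answerers; the sample header is constructed from the one quoted in the question, abridged, and the accepted-domain list is an assumption.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed from the header quoted in the question (abridged to the lines used here).
SAMPLE_HEADER = (
    "Received: from User ([200.207.87.225]) by ExchangeSrv.alfouadmkma.com "
    "with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\tMon, 21 May 2012 15:55:19 +0300\n"
    'From: "Mrs. Faith Williams"<n0_reply@e-mailusa.info>\n'
    "Return-Path: n0_reply@e-mailusa.info\n"
    "\n"
)

# "from <helo-name> ([<ip>])" as written by Microsoft SMTPSVC in the Received line it adds.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def _domain(header_value):
    """Return the domain part of the first address in a From/Return-Path value."""
    addr = parseaddr(header_value or "")[1]
    if not addr:  # fall back to a plain regex if the address was not parseable
        m = re.search(r"[\w.+-]+@([\w.-]+)", header_value or "")
        return m.group(1).lower() if m else ""
    return addr.rsplit("@", 1)[-1].lower()


def triage_header(raw_header, accepted_domains):
    """Pull the connecting host out of the server's own Received line and compare
    the sender domains with the domains this Exchange server accepts mail for."""
    msg = message_from_string(raw_header)
    received = msg.get("Received", "")  # top-most Received line, added by our server
    m = RECEIVED_RE.search(received)
    ip = m["ip"] if m else ""
    helo = m["helo"] if m else ""
    from_domain = _domain(msg.get("From"))
    rp_domain = _domain(msg.get("Return-Path"))
    accepted = {d.lower() for d in accepted_domains}
    sender_is_local = from_domain in accepted and rp_domain in accepted
    is_private = bool(ip) and ipaddress.ip_address(ip).is_private
    if sender_is_local:
        verdict = "local sender"
    elif is_private:
        verdict = "foreign sender submitted by an internal host (check that client)"
    else:
        verdict = "foreign sender submitted from outside: relay abuse (open or authenticated)"
    return {"connecting_ip": ip, "connecting_is_private": is_private, "helo_name": helo,
            "from_domain": from_domain, "return_path_domain": rp_domain,
            "sender_is_local": sender_is_local, "verdict": verdict}
```

The Received line alone cannot distinguish an open relay from an authenticated one; the SMTP protocol log for that connection, keyed on the same IP, is what shows whether an account logged in.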

Commented:
Possibly not an open relay; the attacker could have brute-forced some credential on your network and authenticated to your server to send mail out through it.

If you have SMTP logging turned on, you may well find something there that will help you identify the account that was used (important, if that was the case) and the IP address from which the connection was made (which will tell you if it was a machine inside the network or something outside).

In the header above, it looks like a device at 200.207.87.225 was what originated the email and connected to your Exchange server to send it. Verifying this against the SMTP logs would be nice.

If you have an "email security host," which you appear to also be using as a smart host, I have to think that legitimate inbound email to your domain would come to them first as a public MX record, and then back to your Exchange server. In this case, your receive connector should be configured to only accept connections from the IPs your email security host provides as legitimately theirs. If you have a need to have devices on your network do internal relay, you should make a second "Internal Relay" receive connector, specifying the IPs of the devices which have permission to use it, and with only "Exchange Servers" permission group checked.
Alan Hardisty, Co-Owner
Top Expert 2011
Commented:
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in its tracks.

I have seen this more times than I have had hot dinners!!

Alan

Author

Commented:
Hello,
I have read Alan's articles and after investigation, I found this:
Note: Diagnostic logging for Authentication seems to have been set to Maximum for quite a while now. It seems I forgot to switch it off the last time I faced a similar attack. Also, I am not an open relay according to this site: http://www.checkor.com/.
1 - Indeed, event ID 1708 is infesting the Application log. However, there are two accounts, not one. But among hundreds of entries of event 1708, only four are for one user account and the rest are for the other account. That account's name is "test" and it has an easy password. Also, the Exchange logs show account "test" along with its password against the IP from which the emails were sent. They also show that the client name is "User" (see point 2 below). So my guess is that this might be the "open gate" through which the hacker came in. Please comment.
2 - The body of the event log entry reads: "SMTP Authentication was performed successfully with client "User". The authentication method was "LOGIN" and the username was "MyLocalDomain\test"."
In some other entries, the client name changes to "SERVER", "CLONE" and "UserPC". Is this the name of the machine? If yes, I confirm that none of these machine names exist in my Active Directory. Does that mean it is a remote attack? Please comment.
3 – I also found a wealth of NDRs (in the Queue folder on the hard disk) queued for sending from postmaster@mydomain.com to simon@capital-bd.com. These NDRs state that delivery to victim(s)@domain(s).com failed. simon@capital-bd.com is the email address used to send spam to loads of victim recipients from my server.
I believe this is not the type of NDR referred to in the article, which is called backscatter. In my case, all NDRs are going out to a single email address, telling it that the emails it sent failed to deliver.
4 – After cleaning the logs, deleting the test account, restarting the SMTP service, and while writing this reply, some 1669 NDRs queued again (in ESM) to the same email address. The weird thing here is that among those 1669 NDRs, some 600+ have no message ID, subject, sender or recipient. Also, the Queue folder on the hard disk is still empty. Where are those NDRs coming from, and where are the actual emails residing? Please comment.
I also need the following information so that I can stop this kind of attack before it inflicts havoc:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?

Regards
Yahya
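The pattern the author describes in point 1 and point 2 (hundreds of event 1708 entries for one weak account, from client names that are not domain computers) is easy to surface by grouping the event bodies by account and client name. This is an added example, not code from the original thread; the event bodies below are constructed in the format the author quotes, and the account and computer names other than "test" are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the body text the author quotes from Application log event ID 1708.
EVENT_1708 = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.\s*'
    r'The authentication method was "(?P<method>[^"]+)" and the username was "(?P<user>[^"]+)"'
)

def _event(client, user, method="LOGIN"):
    return (f'SMTP Authentication was performed successfully with client "{client}".  '
            f'The authentication method was "{method}" and the username was "{user}".')

# Constructed sample: many logins for the weak "test" account from client names that are
# not domain computers, plus a couple for a real user from a known workstation (assumed names).
SAMPLE_EVENTS = (
    [_event("User", "MyLocalDomain\\test")] * 5
    + [_event("SERVER", "MyLocalDomain\\test"), _event("CLONE", "MyLocalDomain\\test"),
       _event("UserPC", "MyLocalDomain\\test")]
    + [_event("WS01", "MyLocalDomain\\yahya")] * 2
)
KNOWN_COMPUTERS = {"WS01", "EXCHANGESRV"}  # constructed stand-in for the AD computer list

def summarize_auth_events(events, known_computers, threshold=3):
    """Count successful SMTP authentications per account and per client name and
    flag accounts that authenticated `threshold` or more times from client names
    that are not known domain computers (the remote authenticated-relay pattern)."""
    per_user, per_user_unknown = Counter(), Counter()
    clients_by_user, unknown_clients = defaultdict(set), set()
    for body in events:
        m = EVENT_1708.search(body)
        if not m:
            continue  # not a 1708 body, skip it
        user, client = m["user"], m["client"]
        per_user[user] += 1
        clients_by_user[user].add(client)
        if client not in known_computers:
            unknown_clients.add(client)
            per_user_unknown[user] += 1
    suspects = sorted(u for u, n in per_user_unknown.items() if n >= threshold)
    return {
        "per_user": dict(per_user),
        "clients_by_user": {u: sorted(c) for u, c in clients_by_user.items()},
        "unknown_clients": sorted(unknown_clients),
        "suspects": suspects,
    }
```

The client name in event 1708 is whatever the connecting client sent in its EHLO/HELO, so an unknown name is a strong hint of an outside machine but not proof; the source IP in the SMTP protocol log confirms it.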
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Yes - that is a remote Authenticated Relay Attack.

If you want to stop this for good and make sure it doesn't happen again, follow the advice in my blogs about password security and then remove Integrated Windows and Basic Authentication from your SMTP Virtual Server - it then cannot happen again in the same way.

To empty the queues, you can use aqadmcli.exe

The download link no longer works, but I have a copy of the file if you want one.

Alan

Author

Commented:
Hello,
Everything is in order now and I am grateful, experts. And yes, I would appreciate a copy of that tool, please.

What about these two questions:

1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?

Yahya
Alan Hardisty, Co-Owner
Top Expert 2011

Commented:
Good news.

To answer your questions (sorry I missed them earlier):

1. No
2. Not without 3rd party software

File is at http://www.sohotechnology.co.uk/372368_intl_i386_zip.exe
Commented:
You can configure a perfmon alert to write to the system log for Exchange 2003 queues:

http://searchexchange.techtarget.com/tip/Use-Performance-Monitor-to-detect-Exchange-2003-message-queue-problems

(free registration required to read articles at techtarget)

Then monitor the event log for that event and alert on it.

Author

Commented:
Alan tackled the problem with insight and expertise.
