Spam
Hello,
Somehow, an intruder, or a malware for that matter, managed to send loads of emails from my Exchange server. Fortunately, no one got harmed; unfortunately, except us!
Our email security host stopped our account because all of those emails were sent to them first, before being declined delivery as the emails' addresses were bogus. Below is the header of one of those emails, which I hope would tell part, if not all, of the story:
Received: from User ([200.207.87.225]) by ExchangeSrv.alfouadmkma.co
Mon, 21 May 2012 15:55:19 +0300
Reply-To: <personalemail206@gmail.co
From: "Mrs. Faith Williams"<n0_reply@e-mailu
Subject: CAN I TRUST YOU?tst
Date: Mon, 21 May 2012 09:59:32 -0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding:
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: n0_reply@e-mailusa.info
Message-ID: <EXCHANGESRVNO84T3wL000002
X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) FILETIME=[FA5DB910:01CD375
I have a number of questions here:
1 – Does the header above tell anything as to how the attack was first launched?
2 – Can it be told whether the attack has originated from an infected client in the network or from Exchange server itself.
3 – Is there any technique in Exchange to stop such emails from being sent in the first place?
Kindly do not answer if you are not an expert and have sufficient knowledge in the matter.
Regards
Yahya
Somehow, an intruder, or a malware for that matter, managed to send loads of emails from my Exchange server. Fortunately, no one got harmed; unfortunately, except us!
Our email security host stopped our account because all of those emails were sent to them first, before being declined delivery as the emails' addresses were bogus. Below is the header of one of those emails, which I hope would tell part, if not all, of the story:
Received: from User ([200.207.87.225]) by ExchangeSrv.alfouadmkma.co
Mon, 21 May 2012 15:55:19 +0300
Reply-To: <personalemail206@gmail.co
From: "Mrs. Faith Williams"<n0_reply@e-mailu
Subject: CAN I TRUST YOU?tst
Date: Mon, 21 May 2012 09:59:32 -0300
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding:
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: n0_reply@e-mailusa.info
Message-ID: <EXCHANGESRVNO84T3wL000002
X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) FILETIME=[FA5DB910:01CD375
I have a number of questions here:
1 – Does the header above tell anything as to how the attack was first launched?
2 – Can it be told whether the attack has originated from an infected client in the network or from Exchange server itself.
3 – Is there any technique in Exchange to stop such emails from being sent in the first place?
Kindly do not answer if you are not an expert and have sufficient knowledge in the matter.
Regards
Yahya
Adam Brown
If n0_reply@e-mailusa.info is the email address and doesn't match your actual domain name, it means your mail server was operating as an open relay. I wrote a blog post on the subject a while back here: http://acbrownit.wordpress.com/2012/05/02/exchange-2010-relaying-how-to-use-it-how-to-turn-it-off/
Possibly not an open relay, the attacker could have brute forced some credential on your network and authenticated to your server to send mail out through it.
If you have SMTP logging turned on, you may well find something there that will help you identify the account that was used (important, if that was the case) and the IP address from which the connection was made (which will tell you if it was a machine inside the network or something outside).
In the header above, it looks like a device at 200.207.87.225 was what originated the email and connected to your Exchange server to send it. Verifying this against the SMTP logs would be nice.
If you have an "email security host," which you appear to also be using as a smart host, I have to think that legitimate inbound email to your domain would come to them first as a public MX record, and then back to your Exchange server. In this case, your receive connector should be configured to only accept connections from the IPs your email security host provides as legitimately theirs. If you have a need to have devices on your network do internal relay, you should make a second "Internal Relay" receive connector, specifying the IPs of the devices which have permission to use it, and with only "Exchange Servers" permission group checked.
If you have SMTP logging turned on, you may well find something there that will help you identify the account that was used (important, if that was the case) and the IP address from which the connection was made (which will tell you if it was a machine inside the network or something outside).
In the header above, it looks like a device at 200.207.87.225 was what originated the email and connected to your Exchange server to send it. Verifying this against the SMTP logs would be nice.
If you have an "email security host," which you appear to also be using as a smart host, I have to think that legitimate inbound email to your domain would come to them first as a public MX record, and then back to your Exchange server. In this case, your receive connector should be configured to only accept connections from the IPs your email security host provides as legitimately theirs. If you have a need to have devices on your network do internal relay, you should make a second "Internal Relay" receive connector, specifying the IPs of the devices which have permission to use it, and with only "Exchange Servers" permission group checked.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hello,
I have read Alan's articles and after investigation, I found this:
Note: Diagnostic logging for Authentication seems to have been set to Maximum for quite a while now. It seems I have forgot to switch it off last time I faced a similar attack. Also, I am not an open relay according to this site http://www.checkor.com/.
1 - Indeed, event ID 1708 is infesting Application log. However, there are two accounts, not one. But, among hundreds of entries of event 1708, only four are for one user account and the rest are for the other account. That account's name is "test" and with an easy password. Also, the Exchange logs show account "test" along with its password against the IP from which the emails were sent. They also show that the client name is "User" (check point 2 below). So, my guess is that this might be the "open gate" through which the hacker came in. Please comment.
2 - The body of the event log entry reads "SMTP Authentication was performed successfully with client "User". The authentication method was "LOGIN" and the username was "MyLocalDomain\test".
In some other entries, the client name changes to "SERVER", "CLONE" and "UserPC". Is this the name of the machine? If yes, I confirm that none of these machine names exist in my Active Directory. Is it so that it is a remote attack? Please comment.
3 – I also found a wealth of NDRs (in the Queue folder on the hard disk) queued for sending from postmaster@mydomain.com to simon@capital-bd.com. These NDRs state that delivery to victim(s)@domain(s).com failed. simon@capital-bd.com is the email address used to send spam to loads of victim recipients from my server.
I believe this is not the type of NDRs referred to in the article, which are called Backscatter. In my case, all NDR's are going out to a single email address that the emails they have sent failed to deliver.
4 – After cleaning logs, deleting test account, restarting SMTP service and while writing this reply, some 1669 NDRs queued again (in ESM) to the same email address. The weird thing here is that among those 1669 NDRs, some 600+ have no message ID, subject, sender nor recipient. Also, Queue folder on the hard disk is still empty. Where those NDRs are coming from and where are the actual emails residing? Please comment.
I also need the following information so that I can stop this kind of attacks before it inflicts havoc:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?
Regards
Yahya
I have read Alan's articles and after investigation, I found this:
Note: Diagnostic logging for Authentication seems to have been set to Maximum for quite a while now. It seems I have forgot to switch it off last time I faced a similar attack. Also, I am not an open relay according to this site http://www.checkor.com/.
1 - Indeed, event ID 1708 is infesting Application log. However, there are two accounts, not one. But, among hundreds of entries of event 1708, only four are for one user account and the rest are for the other account. That account's name is "test" and with an easy password. Also, the Exchange logs show account "test" along with its password against the IP from which the emails were sent. They also show that the client name is "User" (check point 2 below). So, my guess is that this might be the "open gate" through which the hacker came in. Please comment.
2 - The body of the event log entry reads "SMTP Authentication was performed successfully with client "User". The authentication method was "LOGIN" and the username was "MyLocalDomain\test".
In some other entries, the client name changes to "SERVER", "CLONE" and "UserPC". Is this the name of the machine? If yes, I confirm that none of these machine names exist in my Active Directory. Is it so that it is a remote attack? Please comment.
3 – I also found a wealth of NDRs (in the Queue folder on the hard disk) queued for sending from postmaster@mydomain.com to simon@capital-bd.com. These NDRs state that delivery to victim(s)@domain(s).com failed. simon@capital-bd.com is the email address used to send spam to loads of victim recipients from my server.
I believe this is not the type of NDRs referred to in the article, which are called Backscatter. In my case, all NDR's are going out to a single email address that the emails they have sent failed to deliver.
4 – After cleaning logs, deleting test account, restarting SMTP service and while writing this reply, some 1669 NDRs queued again (in ESM) to the same email address. The weird thing here is that among those 1669 NDRs, some 600+ have no message ID, subject, sender nor recipient. Also, Queue folder on the hard disk is still empty. Where those NDRs are coming from and where are the actual emails residing? Please comment.
I also need the following information so that I can stop this kind of attacks before it inflicts havoc:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?
Regards
Yahya
Yes - that is a remote Authenticated Relay Attack.
If you want to stop this for good and make sure it doesn't happen again, follow the advice in my blogs about password security and then remove Integrated Windows and Basic Authentication from your SMTP Virtual Server - it then cannot happen again in the same way.
To empty the queues, you can use aqadmcli.exe
The download link no longer works, but I have a copy of the file if you want one.
Alan
If you want to stop this for good and make sure it doesn't happen again, follow the advice in my blogs about password security and then remove Integrated Windows and Basic Authentication from your SMTP Virtual Server - it then cannot happen again in the same way.
To empty the queues, you can use aqadmcli.exe
The download link no longer works, but I have a copy of the file if you want one.
Alan
ASKER
Hello,
Everything is in order now and I am grateful experts. And yes, I would appreciate a copy of that tool please.
What about these two questions:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?
Yahya
Everything is in order now and I am grateful experts. And yes, I would appreciate a copy of that tool please.
What about these two questions:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?
Yahya
Good news.
To answer your questions (sorry I missed them earlier):
1. No
2. Not without 3rd party software
File is at http://www.sohotechnology.co.uk/372368_intl_i386_zip.exe
To answer your questions (sorry I missed them earlier):
1. No
2. Not without 3rd party software
File is at http://www.sohotechnology.co.uk/372368_intl_i386_zip.exe
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Alan tackled the problem with insight expertise.