Yba02 asked:

Spam

Hello,
Somehow, an intruder, or malware for that matter, managed to send loads of emails from my Exchange server. Fortunately, no one got harmed, except us, unfortunately!
Our email security host stopped our account because all of those emails were sent to them first, before being declined delivery as the emails' addresses were bogus. Below is the header of one of those emails, which I hope would tell part, if not all, of the story:

Received: from User ([200.207.87.225]) by ExchangeSrv.alfouadmkma.com with Microsoft SMTPSVC(6.0.3790.1830);
         Mon, 21 May 2012 15:55:19 +0300
Reply-To: <personalemail206@gmail.com>
From: "Mrs. Faith Williams"<n0_reply@e-mailusa.info>
Subject: CAN I TRUST YOU?tst
Date: Mon, 21 May 2012 09:59:32 -0300
MIME-Version: 1.0
Content-Type: text/html;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: n0_reply@e-mailusa.info
Message-ID: <EXCHANGESRVNO84T3wL000002c2@ExchangeSrv.alfouadmkma.com>
X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) FILETIME=[FA5DB910:01CD3750]


I have a number of questions here:
1 – Does the header above tell anything as to how the attack was first launched?
2 – Can it be told whether the attack originated from an infected client in the network or from the Exchange server itself?
3 – Is there any technique in Exchange to stop such emails from being sent in the first place?

Kindly do not answer if you are not an expert and have sufficient knowledge in the matter.

Regards
Yahya

Adam Brown

If n0_reply@e-mailusa.info is the email address and doesn't match your actual domain name, it means your mail server was operating as an open relay. I wrote a blog post on the subject a while back here: http://acbrownit.wordpress.com/2012/05/02/exchange-2010-relaying-how-to-use-it-how-to-turn-it-off/
ckratsch

Possibly not an open relay; the attacker could have brute forced some credential on your network and authenticated to your server to send mail out through it.

If you have SMTP logging turned on, you may well find something there that will help you identify the account that was used (important, if that was the case) and the IP address from which the connection was made (which will tell you if it was a machine inside the network or something outside).

In the header above, it looks like a device at 200.207.87.225 was what originated the email and connected to your Exchange server to send it. Verifying this against the SMTP logs would be nice.

If you have an "email security host," which you appear to also be using as a smart host, I have to think that legitimate inbound email to your domain would come to them first as a public MX record, and then back to your Exchange server. In this case, your receive connector should be configured to only accept connections from the IPs your email security host provides as legitimately theirs. If you have a need to have devices on your network do internal relay, you should make a second "Internal Relay" receive connector, specifying the IPs of the devices which have permission to use it, and with only "Exchange Servers" permission group checked.
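As an added example (not code from this thread or from any of its posters), the check ckratsch describes: walk the Received chain of a header like the one in the question, take the bottom-most hop as the submitting device, and compare its IP with the ranges the receive connector should accept. The security-host ranges and the server hostname are assumed placeholders; the sample header is constructed.

```python
import ipaddress
import re

# Constructed sample header modelled on the one in the question; hostnames are placeholders.
SAMPLE_HEADER = """Received: from ExchangeSrv.example.test ([192.0.2.10]) by filter.example.test with ESMTP;
         Mon, 21 May 2012 15:55:21 +0300
Received: from User ([200.207.87.225]) by ExchangeSrv.example.test with Microsoft SMTPSVC(6.0.3790.1830);
         Mon, 21 May 2012 15:55:19 +0300
From: "Someone" <n0_reply@example.test>
Subject: constructed sample
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>[0-9a-fA-F:.]+)\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def parse_received(header_text):
    """Unfold RFC 5322 continuation lines, then return the Received hops in header order."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"helo": m.group("helo"), "ip": m.group("ip"), "by": m.group("by")})
    return hops

def originating_hop(header_text):
    """The last Received line was added first, so it is the device that submitted the message."""
    hops = parse_received(header_text)
    return hops[-1] if hops else None

# Assumed placeholder ranges: replace with the list your email security host publishes.
ALLOWED_SUBMITTERS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

def classify_submitter(ip_str):
    """Tell an expected submitter (security host, LAN) from an unexpected external one."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in ALLOWED_SUBMITTERS):
        return "security-host"
    if ip.is_private:
        return "internal"
    return "external-unexpected"

if __name__ == "__main__":
    hop = originating_hop(SAMPLE_HEADER)
    print(hop["helo"], hop["ip"], classify_submitter(hop["ip"]))
```

An "external-unexpected" result for the originating hop is exactly the case to verify against the SMTP logs, since that connection was accepted by Exchange directly rather than via the smart host.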
ASKER CERTIFIED SOLUTION
Alan Hardisty

Yba02

ASKER
Hello,
I have read Alan's articles and after investigation, I found this:
Note: Diagnostic logging for Authentication seems to have been set to Maximum for quite a while now. It seems I have forgotten to switch it off the last time I faced a similar attack. Also, I am not an open relay according to this site: http://www.checkor.com/.
1 – Indeed, event ID 1708 is infesting the Application log. However, there are two accounts, not one. But, among hundreds of entries of event 1708, only four are for one user account and the rest are for the other account. That account's name is "test" and it has an easy password. Also, the Exchange logs show account "test" along with its password against the IP from which the emails were sent. They also show that the client name is "User" (check point 2 below). So, my guess is that this might be the "open gate" through which the hacker came in. Please comment.
2 - The body of the event log entry reads "SMTP Authentication was performed successfully with client "User".  The authentication method was "LOGIN" and the username was "MyLocalDomain\test".
In some other entries, the client name changes to "SERVER", "CLONE" and "UserPC". Is this the name of the machine? If yes, I confirm that none of these machine names exist in my Active Directory. Does that mean it is a remote attack? Please comment.
3 – I also found a wealth of NDRs (in the Queue folder on the hard disk) queued for sending from postmaster@mydomain.com to simon@capital-bd.com. These NDRs state that delivery to victim(s)@domain(s).com failed. simon@capital-bd.com is the email address used to send spam to loads of victim recipients from my server.
I believe this is not the type of NDRs referred to in the article, which are called backscatter. In my case, all NDRs are going out to a single email address, the sender whose emails failed to deliver.
4 – After cleaning logs, deleting the test account, restarting the SMTP service and while writing this reply, some 1669 NDRs queued again (in ESM) to the same email address. The weird thing here is that among those 1669 NDRs, some 600+ have no message ID, subject, sender nor recipient. Also, the Queue folder on the hard disk is still empty. Where are those NDRs coming from, and where are the actual emails residing? Please comment.
I also need the following information so that I can stop this kind of attack before it wreaks havoc:
1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?

Regards
Yahya
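As an added example (not code from this thread or from any of its posters), a small triage of the event 1708 entries the asker describes: parse the "SMTP Authentication was performed successfully" message text for client name, method and account, then flag accounts that authenticate from client names not present in Active Directory or that authenticate unusually often. The export format (timestamp, event ID, message, tab-separated), the sample entries and the list of known computer names are constructed placeholders.

```python
import re
from collections import defaultdict

# Matches the event 1708 message text quoted in the thread.
EVENT_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\. '
    r'The authentication method was "(?P<method>[^"]+)" and the username was "(?P<user>[^"]+)"'
)

def _ev(ts, client, user, method="LOGIN"):
    """Build one constructed export line: timestamp<TAB>event ID<TAB>message."""
    return (f'{ts}\t1708\tSMTP Authentication was performed successfully with client "{client}". '
            f'The authentication method was "{method}" and the username was "{user}".')

# Constructed sample export: one account hammered from unknown client names, one normal login.
SAMPLE_EVENTS = "\n".join([
    _ev("2012-05-21 12:40:02", "User", "MYDOMAIN\\test"),
    _ev("2012-05-21 12:40:09", "User", "MYDOMAIN\\test"),
    _ev("2012-05-21 12:41:15", "SERVER", "MYDOMAIN\\test"),
    _ev("2012-05-21 12:41:40", "CLONE", "MYDOMAIN\\test"),
    _ev("2012-05-21 12:42:03", "User", "MYDOMAIN\\test"),
    _ev("2012-05-21 12:42:31", "CLONE", "MYDOMAIN\\test"),
    _ev("2012-05-21 13:05:00", "HR-PC01", "MYDOMAIN\\alice"),
    "2012-05-21 13:06:00\t0\tunrelated constructed event, must be ignored",
])

# Assumed: computer names exported from AD; any other client name is an unknown submitter.
KNOWN_COMPUTERS = {"HR-PC01", "FINANCE-PC02"}

def parse_auth_events(text):
    """Return the successful SMTP authentications (event 1708) as dicts."""
    events = []
    for line in text.splitlines():
        ts, event_id, msg = line.split("\t", 2)
        m = EVENT_RE.search(msg) if event_id == "1708" else None
        if m:
            events.append({"time": ts, **m.groupdict()})
    return events

def triage(events, known_computers, threshold=5):
    """Flag accounts seen from unknown client names or authenticating >= threshold times."""
    per_user = defaultdict(lambda: {"count": 0, "clients": set(), "methods": set()})
    for e in events:
        rec = per_user[e["user"]]
        rec["count"] += 1
        rec["clients"].add(e["client"])
        rec["methods"].add(e["method"])
    findings = {}
    for user, rec in per_user.items():
        unknown = sorted(rec["clients"] - known_computers)
        if unknown or rec["count"] >= threshold:
            findings[user] = {"count": rec["count"], "unknown_clients": unknown,
                              "methods": sorted(rec["methods"])}
    return findings
```

The flagged account is the one to disable and re-credential; the unknown client names are the HELO/computer names that, as in the thread, do not match any machine in the directory.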
Alan Hardisty

Yes - that is a remote Authenticated Relay Attack.

If you want to stop this for good and make sure it doesn't happen again, follow the advice in my blogs about password security and then remove Integrated Windows and Basic Authentication from your SMTP Virtual Server - it then cannot happen again in the same way.

To empty the queues, you can use aqadmcli.exe

The download link no longer works, but I have a copy of the file if you want one.

Alan
Yba02

ASKER
Hello,
Everything is in order now and I am grateful, experts. And yes, I would appreciate a copy of that tool, please.

What about these two questions:

1 – Is it possible to limit the number of outbound emails per user over a certain period of time?
2 – Is there a way to have Exchange alert me when Queues inflate?

Yahya
Alan Hardisty

Good news.

To answer your questions (sorry I missed them earlier):

1. No
2. Not without 3rd party software

File is at http://www.sohotechnology.co.uk/372368_intl_i386_zip.exe
Yba02

ASKER
Alan tackled the problem with insight and expertise.