Company mail server suffering regular spam attacks... Experts, please help!

Experts!

I need your advice on how to resolve an ongoing spam problem that we've been having at work. We have two mail servers, an exchange server and an Imail server. It is our Imail server that is being attacked. We suffer nightly (and sometimes early morning) attacks where around 6,000 spam messages are sent out. This sometimes overloads the Imail queue and legitimate messages can get stuck for hours. This is a huge problem for our customers... and has been causing lots of headaches internally. We've been added to several blacklists which obviously makes things worse still.

I've been analyzing the logs and Imail config and I'm perplexed. We have open relay disabled and I don't believe that there is a compromised account. Recently, the attacker switched domains (we manage around 20). He is now using our hitekautos.com domain to send spam. He spoofs the sender address and then bcc's his victims. We do see a large amount of bad IPs hitting the server (China, Nigeria, Somalia, etc.) that are being blocked by Malwarebytes. We're also using several DNS blacklists to try and reduce the spam.

We have a Cisco ASA; port 25 on our mail server is obviously available to the outside. Mail server in question is mail.rde.org

I'm attaching a recent log file that may prove useful to troubleshoot. Experts, can you see anything that will help us nail down the problem? Our mail server IPs are in the 10.1.0.0 /24 range. Internal hosts are in the 10.1.1.0/24 range. Any thoughts on how they are pulling this off and how we can mitigate the attacks?
log.txt
coldfirenj (Author) commented:
Ignore comment... can't delete comments?
xDUCKx commented:
You most likely have a compromised workstation/server. You should run Malwarebytes on all workstations and servers (or relevant malware removal software if it's not already installed).
Ben_b3n commented:
If I may suggest- I'm sure a much better suited expert will hop on this but-

You have a hole somewhere that is allowing them to gain access and send blasts out; I would guess a rogue computer/terminal or an easy password.

How many workstations do you have with access to them? You would need to run a spyware removal tool on all workstations, and I would even run a scan on the server to see if there was a malware piece installed on it.

First I would take all computers off the network and just have the servers up and run a full scan of MalwareBytes. Cure anything that it finds and see if it happens again that night with just the servers online. While the workstations are offline I would do a full MalwareBytes scan on those as well to clean up anything that isn't supposed to be there. Check your firewall settings as well.

I have used something like this in the past: Untangle box.
Built one of these and installed it pre-LAN to stop a ton of attacks. It is a very nice Linux-based solution that will help in probably a number of ways.
TI2Heaven commented:
It seems that you have enabled legacy secure SMTP on the Imail server. I suggest you disable it, because this lets attackers skip the IP spoofing check of your firewall.
Block traffic from the internet to port 465 on Imail (firewall rule).
Connections between both servers must have at least basic authentication.
Read this article on Wikipedia and pay special attention when it talks about legacy secure SMTP.
coldfirenj (Author) commented:
Thank you all for your input.

@TI2 we will look into this and consider a firewall rule as you suggested. I checked a few packet captures and do not see traffic coming into port 465 though... Can you elaborate a bit on how this allows attackers to skip the IP spoofing check please? I read the wiki article but it's not very clear.

@Ben & Duck. We've run Malwarebytes on all workstations and servers. We've also run F-Secure virus scan on all workstations and servers. I will research the Untangle box... looks promising. Can you provide any more info on how that would be deployed, Ben? It requires its own server?
TI2Heaven commented:
It seems the attacker is using a kind of encrypted connection from the internet to your Imail server. And this traffic is not blocked in your firewall.
This kind of connection lets the attacker choose its source IP, like in any point-to-point connection. The Imail server is using the source IP to authenticate the server, so the Imail server thinks that the attacker is the Exchange server.

Another possibility is that Imail has a vulnerability that enables the attacker to choose its source IP.
Check that you have recent patches.

Anyway, anonymous communications between both servers should not be allowed.
coldfirenj (Author) commented:
@ TI2... Thank you! Can you point to anything specific in the logs that led you to that conclusion?
Ben_b3n commented:
@Author
There are a few ways to deploy an Untangle. Because it requires little processing power, if you have a spare desktop that meets the requirements you can build it onto there. You download the main operating system and install it like you would any OS. The computer must have 2 Network Interface Cards in it. It is the first thing off of your WAN. Everything routes through it. You can set exclusions inside of each piece of software that allow you to let certain things bypass it.

I have also seen these installed on a VMware server and have everything set up to route there.

I don't want to distract conversations from getting you fixed here, but if you want some more help about it - WITH ADMIN PERMISSION - I can give you an email address, or they can get it to you.
coldfirenj (Author) commented:
That would be terrific Ben. Admins, OK? I'm very grateful for all of your help...
TI2Heaven commented:
The Imail log is terrific. Clients' IP addresses are not showing, requests and responses are not clear. But I knew that malware is not responsible for the email because you have a log of the attack from the internet.
In the log of the attack I miss an authentication request, and found the following suspicious:
[x] using source IP for hitekautos.com [10.1.0.50]
Private IP addresses can never be used on either side of an internet communication. So the only two possibilities are: private link or logic vulnerability.
Why does a private address not need authentication? (Because Imail thinks the hacker is the Exchange server and uses the IP address as the way to authenticate it.)
I don't believe Ben's suggestion is a good idea; I would prefer another Exchange server in the Gateway role with Forefront for Exchange. Integration of both servers is better (they exchange much more information between them) and security patches are regularly downloaded from Windows Update.
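A defender-side way to test the hypothesis in the post above, as an added example that is not part of this thread: a Python script that scans mail-log lines for messages accepted from the trusted relay range without SMTP AUTH and groups them by source IP, sender domain and hour. The thread's own IMail log is not reproduced here, so the line format, the sample lines and the managed-domain list are constructed assumptions; only the 10.1.0.0/24 range and the two domain names come from the thread.

```python
"""Flag mail that a relay accepted on the strength of source IP alone."""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (assumed format, not the IMail log from the
# thread): timestamp, source IP, whether the client authenticated, sender.
SAMPLE_LOG = """\
2013-03-04 02:01:07 src=10.1.0.50 auth=none from=sales@hitekautos.com
2013-03-04 02:01:08 src=10.1.0.50 auth=none from=sales@hitekautos.com
2013-03-04 02:01:09 src=10.1.0.50 auth=none from=info@hitekautos.com
2013-03-04 09:15:22 src=10.1.0.50 auth=user:jsmith from=jsmith@rde.org
2013-03-04 09:16:01 src=203.0.113.7 auth=none from=bob@example.net
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<hour>\d\d):\d\d:\d\d src=(?P<src>\S+) "
    r"auth=(?P<auth>\S+) from=\S+@(?P<domain>\S+)$"
)

# The thread gives the mail-server range; the Exchange hub is assumed to be
# whitelisted by IP inside it. Managed domains are an assumed subset.
TRUSTED = ipaddress.ip_network("10.1.0.0/24")
MANAGED_DOMAINS = {"hitekautos.com", "rde.org"}


def parse(log):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def unauthenticated_relays(log, threshold=2):
    """Count messages from the trusted range that carried no SMTP AUTH and a
    managed sender domain, keyed by (source IP, domain, hour). Groups at or
    above `threshold` are the bursts an IP-only relay rule would let through
    (either a real host on that IP, or something the server believes is)."""
    counts = Counter()
    for rec in parse(log):
        src = ipaddress.ip_address(rec["src"])
        if (src in TRUSTED and rec["auth"] == "none"
                and rec["domain"] in MANAGED_DOMAINS):
            counts[(rec["src"], rec["domain"], rec["hour"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Run it against a full night's log with a higher threshold; any trusted-range IP that does not belong to a host you actually operate, or a hub that sends thousands of messages for a domain it never handles by day, is the lead to chase.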
Ben_b3n commented:
@coldfirenj
There's a button at the top that says request attention; that would ping the admins to answer the question of whether I can post my email address.

Thanks
TI2Heaven commented:
@coldfirenj, I do not agree with the grade you gave me.
You might not see me answering you anymore.
Be careful with your grades; you have more to lose than the people who answer you.
TI2Heaven commented:
That is another connector's log. I believe you did not understand my answer completely. I didn't say users don't need to authenticate to send email; I said that the hub server did not need to authenticate to send email. You might be using another connector, and you might be using authentication in your communication between both servers, and even your hub server might have another IP, but I miss an authentication in the log of the attack, so there must be a forgotten default setting in the Imail server that the attacker knew and used. How can you be sure that ESMTP is the only way to send email?