Being SPAMMED on a 2003 Exchange server.

I am having a difficult time getting this particular wave of spammers. I've been able to find the issue in the past, but not this time. I'm sure it's a compromised password, but I am unable to find the username that has been compromised. I log the Exchange server, IIS logging, HTTP error logging, SNMP logging events, Security, and so on. Below is a snippet of the Exchange log. Any help would be great.

(one tab-separated message tracking record; field names taken from the header Exchange 2003 writes at the top of the log)

Date: 2012-8-27
Time: 18:31:29 GMT
client-ip: 72.4.5.82
Client-hostname: User
Partner-Name: -
Server-hostname: servername
server-IP: 192.168.1.1
Recipient-Address: daizeygurl01@aol.com
Event-ID: 1020
MSGID: SERVERJhsvmenBHvjds000038f0@SERVER.DOMAIN.COM
Priority: 3
Recipient-Report-Status: 0
total-bytes: 4164
Number-Recipients: 50
Origination-Time: 2012-8-27 18:24:16 GMT
Encryption: 0
service-Version: Version: 6.0.3790.3959
Linked-MSGID: -
Message-Subject: New Message From Chase Online(SM)
Sender-Address: chase@emailinfo.chase.com
Asked by HDtechs

1 Solution
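The tracking record in the question carries the envelope sender (Sender-Address) and the recipient count, but no authenticated user, so on its own it can show that the server is pushing out mail for a foreign sender domain (chase@emailinfo.chase.com to 50 recipients), not which account relayed it. The Python below is an added example and not part of the original thread: it splits tracking-log records into the 20 named columns of the Exchange 2003 log header, keeps event 1020 ("SMTP: Started Outbound Transfer of Message") records, counts each MSGID once even when a message is handed to several destination hosts, and lists envelope senders outside the local domains that went out to many recipients. The first sample row is the one from the question; the other rows, the local domain list and the 25-recipient threshold are constructed assumptions.

```python
"""Group Exchange 2003 message tracking records by envelope sender to spot relayed spam."""

# Column order follows the "# Fields:" header Exchange 2003 writes at the top of each tracking log.
FIELDS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name", "Server-hostname",
    "server-IP", "Recipient-Address", "Event-ID", "MSGID", "Priority",
    "Recipient-Report-Status", "total-bytes", "Number-Recipients", "Origination-Time",
    "Encryption", "service-Version", "Linked-MSGID", "Message-Subject", "Sender-Address",
]
EVENT_OUTBOUND_TRANSFER = "1020"   # "SMTP: Started Outbound Transfer of Message"
LOCAL_DOMAINS = {"domain.com"}     # assumption: the domains this server is authoritative for

# Constructed sample: the record from the question, then three made-up records in the same layout.
SAMPLE_ROWS = [
    ["2012-8-27", "18:31:29 GMT", "72.4.5.82", "User", "-", "servername", "192.168.1.1",
     "daizeygurl01@aol.com", "1020", "SERVERJhsvmenBHvjds000038f0@SERVER.DOMAIN.COM", "3", "0",
     "4164", "50", "2012-8-27 18:24:16 GMT", "0", "Version: 6.0.3790.3959", "-",
     "New Message From Chase Online(SM)", "chase@emailinfo.chase.com"],
    # same MSGID handed to a second destination host: must not be counted twice
    ["2012-8-27", "18:31:40 GMT", "198.51.100.20", "User", "-", "servername", "192.168.1.1",
     "someone@hotmail.com", "1020", "SERVERJhsvmenBHvjds000038f0@SERVER.DOMAIN.COM", "3", "0",
     "4164", "50", "2012-8-27 18:24:16 GMT", "0", "Version: 6.0.3790.3959", "-",
     "New Message From Chase Online(SM)", "chase@emailinfo.chase.com"],
    # a second message from the same spoofed sender
    ["2012-8-27", "18:33:02 GMT", "72.4.5.82", "User", "-", "servername", "192.168.1.1",
     "other@aol.com", "1020", "SERVERJhsvmenBHvjds000038f1@SERVER.DOMAIN.COM", "3", "0",
     "4170", "50", "2012-8-27 18:25:01 GMT", "0", "Version: 6.0.3790.3959", "-",
     "New Message From Chase Online(SM)", "chase@emailinfo.chase.com"],
    # ordinary mail from a local user
    ["2012-8-27", "18:35:11 GMT", "203.0.113.4", "User", "-", "servername", "192.168.1.1",
     "partner@example.net", "1020", "SERVERJhsvmenBHvjds00003900@SERVER.DOMAIN.COM", "3", "0",
     "2210", "1", "2012-8-27 18:35:05 GMT", "0", "Version: 6.0.3790.3959", "-",
     "Q3 budget", "jsmith@domain.com"],
]
SAMPLE_LOG = ["\t".join(row) for row in SAMPLE_ROWS]


def parse_record(line):
    """Split one tab-separated tracking record into a dict; None for header/comment lines."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def summarize_outbound(lines, local_domains=LOCAL_DOMAINS):
    """Per envelope sender: distinct messages, total recipients, subjects, foreign-domain flag."""
    local = {d.lower() for d in local_domains}
    per_sender = {}
    seen_msgids = set()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["Event-ID"] != EVENT_OUTBOUND_TRANSFER:
            continue
        # One message yields a 1020 record per outbound connection; Number-Recipients is per message.
        if rec["MSGID"] in seen_msgids:
            continue
        seen_msgids.add(rec["MSGID"])
        sender = rec["Sender-Address"].lower()
        entry = per_sender.setdefault(sender, {
            "messages": 0, "recipients": 0, "subjects": set(),
            "foreign_sender": sender_domain(sender) not in local,
        })
        entry["messages"] += 1
        count = rec["Number-Recipients"]
        entry["recipients"] += int(count) if count.isdigit() else 0
        entry["subjects"].add(rec["Message-Subject"])
    return per_sender


def suspicious_senders(per_sender, min_recipients=25):
    """Foreign envelope senders whose mail this server pushed out to at least min_recipients addresses."""
    return sorted(s for s, e in per_sender.items()
                  if e["foreign_sender"] and e["recipients"] >= min_recipients)


if __name__ == "__main__":
    stats = summarize_outbound(SAMPLE_LOG)
    for sender in suspicious_senders(stats):
        e = stats[sender]
        print(f"{sender}: {e['messages']} messages, {e['recipients']} recipients, "
              f"subjects={sorted(e['subjects'])}")
```

Run it against the real log directory by reading each file's lines into `summarize_outbound`; a foreign sender domain with a large recipient total is the relayed spam, and its Origination-Time values tell you which window of the SMTP or Security log to read to find the account.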
Exchange_Geek commented:
You cannot do much by looking into HTTP or SNMP logs; you'll need to read NCSA logs, which are not enabled by default on the default SMTP virtual server.

Now, what you can do is take 15-20 minutes off your work and read and implement the anti-spamming solution used and explained in the link below.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html

Exchange has in-built capability to fight such issues, and you, being an admin, should be made aware of this.

Please use the features described in the link.

Regards,
Exchange_Geek

Simon Butler (Sembee), Consultant, commented:
If you think it is a compromised password, then disable authenticated relaying and restart the transport service. That will stop the new email in its tracks.

The account being used should be logged in the Security log, although if a lot of spam is going through, it can drown it out. The most common account abused, though, is Administrator.

Simon.

HDtechs (Author) commented:
Verified exchange_geek's suggestions and got hammered again last night. Is there any software that can parse through the security logs and help identify the account that is compromised?
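A script of the kind asked for here, added as an example and not taken from the thread. It reads a Security log export whose columns are event_id, timestamp and description (an assumed layout; adjust the column names to whatever your export tool produces), pulls the account, logon type and source out of the event text, and ranks accounts by how many distinct Internet addresses authenticated as them with logon type 8. Type 8 is NetworkCleartext, the logon type Basic authentication such as SMTP AUTH LOGIN produces, which is why it singles out the relaying account while ignoring normal interactive and Kerberos logons. Failures (event 529, and event 680 with a non-zero error code) are tallied separately so password guessing against Administrator, the account Simon names as the most abused, shows up as well. Every event and address below is constructed; 198.51.100.0/24 and 203.0.113.0/24 stand in for Internet sources.

```python
"""Rank accounts in a Windows Server 2003 Security log export by distinct network sources."""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed export (assumed layout: event_id,timestamp,description). Descriptions mimic the
# wording of 2003-era events 528 (successful logon), 529 (logon failure) and 680 (account logon).
SAMPLE_CSV = """\
event_id,timestamp,description
528,2012-08-27 08:02:11,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WS-JSMITH Source Network Address: 192.168.1.50 Source Port: 0"
528,2012-08-27 19:03:10,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 198.51.100.7 Source Port: 3012"
528,2012-08-27 19:04:42,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 203.0.113.9 Source Port: 41022"
528,2012-08-27 19:05:03,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 198.51.100.7 Source Port: 3013"
528,2012-08-27 19:05:30,"Successful Logon: User Name: jsmith Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 203.0.113.77 Source Port: 52001"
528,2012-08-27 19:06:00,"Successful Logon: User Name: mjones Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 192.168.1.77 Source Port: 1201"
529,2012-08-27 19:06:15,"Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Logon Type: 8 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCH01 Source Network Address: 203.0.113.9 Source Port: 41050"
680,2012-08-27 19:06:15,"Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: administrator Source Workstation: EXCH01 Error Code: 0xC000006A"
"""

SUCCESS_EVENTS = {"528", "540"}
LOGON_TYPE_NETWORK_CLEARTEXT = "8"   # Basic authentication (IIS / SMTP AUTH LOGIN) logs this type
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

ACCOUNT_RE = re.compile(r"(?:User Name|Logon account):\s*(\S+)")
SOURCE_RE = re.compile(r"(?:Source Network Address|Source Workstation):\s*(\S+)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")
ERROR_RE = re.compile(r"Error Code:\s*(0x[0-9A-Fa-f]+)")


def is_external(source):
    """True for a routable address; False for RFC 1918/loopback or a workstation name."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(csv_text):
    """Extract account, source, logon type and success flag from each exported event."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        desc = row["description"]
        acct = ACCOUNT_RE.search(desc)
        if not acct:
            continue
        src = SOURCE_RE.search(desc)
        ltype = LOGON_TYPE_RE.search(desc)
        err = ERROR_RE.search(desc)
        # 680 has no success/failure event id split; its Error Code 0x0 means success
        success = (row["event_id"] in SUCCESS_EVENTS
                   or (row["event_id"] == "680" and err is not None and err.group(1) == "0x0"))
        events.append({
            "event_id": row["event_id"], "timestamp": row["timestamp"],
            "account": acct.group(1).lower(), "source": src.group(1) if src else "-",
            "logon_type": ltype.group(1) if ltype else "-", "success": success,
        })
    return events


def rank_accounts(events, logon_types=(LOGON_TYPE_NETWORK_CLEARTEXT,)):
    """Per account: count of successful logons of the given types, distinct sources, hours seen."""
    stats = {}
    for ev in events:
        if not ev["success"] or ev["logon_type"] not in logon_types:
            continue
        s = stats.setdefault(ev["account"], {"logons": 0, "sources": set(),
                                             "external_sources": set(), "hours": set()})
        s["logons"] += 1
        s["sources"].add(ev["source"])
        if is_external(ev["source"]):
            s["external_sources"].add(ev["source"])
        s["hours"].add(ev["timestamp"][11:13])
    return stats


def failed_attempts(events):
    """(account, source) -> number of failed logons, for spotting guessing against Administrator."""
    counts = defaultdict(int)
    for ev in events:
        if not ev["success"]:
            counts[(ev["account"], ev["source"])] += 1
    return dict(counts)


def likely_compromised(stats, min_external=2):
    """Accounts authenticated over cleartext from at least min_external distinct Internet addresses."""
    return sorted((a for a, s in stats.items() if len(s["external_sources"]) >= min_external),
                  key=lambda a: (-len(stats[a]["external_sources"]), a))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    stats = rank_accounts(evs)
    for account in likely_compromised(stats):
        s = stats[account]
        print(f"{account}: {s['logons']} type-8 logons from {sorted(s['external_sources'])} "
              f"during hours {sorted(s['hours'])}")
    for (account, source), n in failed_attempts(evs).items():
        print(f"failed: {account} from {source} x{n}")
```

One legitimate user's mailbox client from home will show one external address; an account that authenticates from several unrelated Internet addresses within minutes, clustered at the hour the spam runs start, is the one to disable and reset.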

Exchange_Geek commented:
Possibly you're being hit by what is called SMTP harvesting; if that is the case, you'll need to use some anti-spam box.

However, if you do have NCSA logs - you could attach it here for us to review.

Regards,
Exchange_Geek

HDtechs (Author) commented:
NCSA?

Exchange_Geek commented:
Seems you really didn't read my recommendations.

You'll need to read NCSA logs, which are not enabled by default on the default SMTP virtual server.

Was this enabled?

Regards,
Exchange_Geek

HDtechs (Author) commented:
Sorry, I missed "changing format of the logs to NCSA". I did all the other suggestions. Trying to put out too many fires at once here: bringing back a crashed domain controller, a down fiber connection to one of our facilities, etc. Anyway, changing the format now.

• Set up Sender Filtering - done
• Set up a Tarpit Delay - done
• Set up a Sender Policy Framework (SPF) record for your domain - done
• Set up Sender ID filtering - done
• Set up Recipient Filtering (and use Real-time Block Lists) - done

Exchange_Geek commented:
You sure you're not open for relay?

Regards,
Exchange_Geek

HDtechs (Author) commented:
Already checked - here are the results from this morning, verified from MX Toolbox:

Status / Result
OK - Reverse DNS matches SMTP banner
0 seconds - Good on connection time
OK - Not an open relay
5.507 seconds - Warning on transaction time

HDtechs (Author) commented:
Results from a telnet session on the Exchange server:
ehlo
250- server.ser.com
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
mail from: administrator@yahoo.com
250 2.1.0 administrator@yahoo.com....Sender OK
rcpt to: cisco.hubbardw@gmail.com
550 5.7.1 Unable to relay for cisco.hubbardw@gmail.com
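The transcript above settles two things at once: the unauthenticated RCPT TO an outside address is refused with 550 5.7.1, so the server is not an open relay, yet the EHLO response advertises AUTH GSSAPI NTLM LOGIN and no STARTTLS, so any valid username and password relays (the point Simon's first reply makes), and AUTH LOGIN credentials cross the wire only base64-encoded. The Python below is an added example, not part of the thread: it parses an EHLO capability list like the one posted and reports those points, together with VRFY (mailbox enumeration) and TURN (which RFC 2821 deprecates unless the client is authenticated), and classifies the reply to the relay test. The capability text is the one posted above; the findings wording is mine.

```python
"""Review what an SMTP server advertises in its EHLO response and classify a relay-test reply."""

# Capability list from the telnet session in the thread (first line is the greeting host).
EHLO_TRANSCRIPT = """\
250- server.ser.com
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
"""

CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}   # SASL mechanisms that send the password itself (base64 only)


def parse_ehlo(text):
    """Return {KEYWORD: set(parameters)} for every capability line after the greeting."""
    lines = [l.strip() for l in text.splitlines() if l.strip().startswith("250")]
    caps = {}
    for line in lines[1:]:            # lines[0] is "250-<hostname>", not a capability
        body = line[4:].strip()       # drop the "250-" / "250 " prefix
        if not body or body == "OK":
            continue
        keyword, _, rest = body.partition(" ")
        if "=" in keyword:            # legacy "AUTH=LOGIN" form: fold its mechanism into AUTH
            keyword, legacy = keyword.split("=", 1)
            rest = (legacy + " " + rest).strip()
        caps.setdefault(keyword.upper(), set()).update(rest.split())
    return caps


def assess(caps):
    """Security-relevant observations about the advertised capabilities."""
    findings = []
    mechs = caps.get("AUTH", set())
    if mechs:
        findings.append("AUTH offered (%s): any valid domain credential can relay through this connector"
                        % " ".join(sorted(mechs)))
    if mechs & CLEARTEXT_MECHS and "STARTTLS" not in caps:
        findings.append("cleartext mechanism without STARTTLS: LOGIN/PLAIN credentials cross the wire "
                        "base64-encoded only")
    if "VRFY" in caps:
        findings.append("VRFY enabled: remote clients can enumerate valid mailboxes")
    if "TURN" in caps:
        findings.append("TURN advertised: RFC 2821 deprecates it unless the client is authenticated, "
                        "since it can otherwise divert queued mail")
    return findings


def relay_test_result(reply):
    """Classify the reply to an unauthenticated RCPT TO for an outside domain."""
    code = reply.strip()[:3]
    if code == "250":
        return "relayed"           # open relay
    if code.startswith("5"):
        return "denied"            # e.g. "550 5.7.1 Unable to relay for ..."
    return "deferred"              # 4xx: temporary, inconclusive


if __name__ == "__main__":
    capabilities = parse_ehlo(EHLO_TRANSCRIPT)
    for finding in assess(capabilities):
        print("-", finding)
    print("relay test:", relay_test_result("550 5.7.1 Unable to relay for cisco.hubbardw@gmail.com"))
```

The script deliberately reads a pasted transcript rather than opening a socket, so it can be run against the output of any telnet session; the "denied" result is the expected one, and the interesting finding is that the connector still accepts AUTH LOGIN from the Internet.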
 
Exchange_Geek commented:
Perfect, then our only ammunition is the NCSA logs.

Regards,
Exchange_Geek
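Why the NCSA logs are the ammunition: in the NCSA common log format (host, ident, authuser, [date], "request", status, bytes) the third field carries the name the client authenticated as, so every MAIL and RCPT command issued after a successful AUTH can be tied to an account; the EHLO and AUTH lines of the same connection still show "-" because the user is not known yet. The Python below is an added example, not from the thread, that parses such lines and, per authenticated user, collects client hosts, envelope senders and accepted recipients, then flags users who send from outside the LAN with envelope senders outside the local domains. Unauthenticated RCPT rejections are counted per host as relay probing. The sample lines are constructed and only approximate how IIS/Exchange encodes the command argument in the request field; the parser only relies on the SMTP verb being the first word and the address being inside <...>, so adjust ADDR_RE if your log differs. The local domain list is an assumption.

```python
"""Attribute SMTP commands in an NCSA-format SMTP virtual server log to the authenticated user."""
import re
from collections import defaultdict

# NCSA common log format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<bytes>\d+|-)\s*$')
ADDR_RE = re.compile(r"<([^>]*)>")                       # address inside MAIL FROM:<..> / RCPT TO:<..>
INTERNAL_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")

# Constructed sample (not a captured log); 198.51.100.7 and 203.0.113.9 stand in for Internet hosts.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Aug/2012:19:03:09 -0400] "EHLO -?[198.51.100.7] SMTP" 250 0
198.51.100.7 - - [27/Aug/2012:19:03:09 -0400] "AUTH -?LOGIN SMTP" 334 0
198.51.100.7 - jsmith [27/Aug/2012:19:03:10 -0400] "MAIL -?FROM:<chase@emailinfo.chase.com> SMTP" 250 0
198.51.100.7 - jsmith [27/Aug/2012:19:03:10 -0400] "RCPT -?TO:<daizeygurl01@aol.com> SMTP" 250 0
198.51.100.7 - jsmith [27/Aug/2012:19:03:10 -0400] "RCPT -?TO:<someone@hotmail.com> SMTP" 250 0
198.51.100.7 - jsmith [27/Aug/2012:19:03:11 -0400] "RCPT -?TO:<other@aol.com> SMTP" 250 0
198.51.100.7 - jsmith [27/Aug/2012:19:03:12 -0400] "DATA -?- SMTP" 250 4164
192.168.1.77 - mjones [27/Aug/2012:19:04:01 -0400] "MAIL -?FROM:<mjones@domain.com> SMTP" 250 0
192.168.1.77 - mjones [27/Aug/2012:19:04:01 -0400] "RCPT -?TO:<partner@example.net> SMTP" 250 0
203.0.113.9 - - [27/Aug/2012:19:05:30 -0400] "MAIL -?FROM:<administrator@yahoo.com> SMTP" 250 0
203.0.113.9 - - [27/Aug/2012:19:05:31 -0400] "RCPT -?TO:<cisco.hubbardw@gmail.com> SMTP" 550 0
"""


def parse_clf(text):
    """Parse NCSA lines; add the SMTP verb and the envelope address (if any) to each record."""
    records = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["verb"] = rec["request"].split(" ", 1)[0].upper()
        addr = ADDR_RE.search(rec["request"])
        rec["address"] = addr.group(1).lower() if addr else None
        records.append(rec)
    return records


def attribute_by_user(records, local_domains):
    """Per authenticated user: hosts, envelope senders, accepted RCPTs; plus unauthenticated 5xx RCPTs per host."""
    local = {d.lower() for d in local_domains}
    users = {}
    unauth_rejects = defaultdict(int)
    for rec in records:
        if rec["user"] == "-":
            # no AUTH on this connection yet: a refused outside recipient here is a relay probe
            if rec["verb"] == "RCPT" and rec["status"].startswith("5"):
                unauth_rejects[rec["host"]] += 1
            continue
        u = users.setdefault(rec["user"], {"hosts": set(), "external_hosts": set(),
                                           "mail_from": set(), "rcpt_accepted": 0,
                                           "foreign_sender": False})
        u["hosts"].add(rec["host"])
        if not INTERNAL_RE.match(rec["host"]):
            u["external_hosts"].add(rec["host"])
        if rec["verb"] == "MAIL" and rec["address"]:
            u["mail_from"].add(rec["address"])
            if rec["address"].rsplit("@", 1)[-1] not in local:
                u["foreign_sender"] = True       # authenticated user spoofing an outside sender
        elif rec["verb"] == "RCPT" and rec["status"] == "250":
            u["rcpt_accepted"] += 1
    return users, dict(unauth_rejects)


def abused_accounts(users):
    """Authenticated users relaying from outside the LAN with envelope senders outside our domains."""
    return sorted(u for u, s in users.items() if s["external_hosts"] and s["foreign_sender"])


if __name__ == "__main__":
    users, rejects = attribute_by_user(parse_clf(SAMPLE_LOG), {"domain.com"})
    for account in abused_accounts(users):
        s = users[account]
        print(f"{account}: {s['rcpt_accepted']} recipients accepted from {sorted(s['external_hosts'])}, "
              f"envelope senders {sorted(s['mail_from'])}")
    print("unauthenticated relay attempts refused:", rejects)
```

Feed the whole day's log to `parse_clf` and sort `users` by `rcpt_accepted`; the compromised account is the one with an outside client host, a forged envelope sender and a recipient count far above any real mailbox.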
 
HDtechs (Author) commented:
They usually hit around 7:00 pm EST. The spam has been coming from India and South Africa. I have been blocking the IPs as I find them, using the IP and then blocking the entire class B range. It's a hit-and-miss solution, but it's the best I can do until I get everything fixed. I thank you for spending your time helping me.

HDtechs (Author) commented:
Just got hit. What now?

Exchange_Geek commented:
Provide the NCSA logs; I've been asking for such a long time.

Regards,
Exchange_Geek

Simon Butler (Sembee), Consultant, commented:
Do you need authenticated relaying enabled? It isn't required for regular Exchange clients, only if you support POP/IMAP clients from the internet. Internally, you could set up another SMTP virtual server that is locked down on what can connect.

Simon.

HDtechs (Author) commented:
Stumbled upon the offending account that was compromised. Wish there was an easier way to find compromised accounts. Working on a solution to run outgoing mail through our Barracuda firewall. That would not fix the password issue, of course, but should help with the spamming. Also working on a plan to have all users change their passwords. This will be a huge effort, over 500 accounts, but I'll do them one domain at a time. Thanks to exchange_geek for his help.

HDtechs (Author) commented:
There was no communication with Exchange_Geek off site.