
Exchange 2003 being used as spam server - sort of....

I have an Exchange 2003 server that appears to be being used as a spam host. It is not an open relay, and the Default SMTP Virtual Server properties under Access/Relay have the mail server and the network scanner listed with "Only the list below" checked. The box to allow authenticated users to relay is unchecked.

I see spam to/from the same user. So bsmith@ is sending spam to bsmith@, but it is coming from outside the network. Here are the headers:

Received: from host145-98-static.206-37-b.business.telecomitalia.it
 ([37.206.98.145])
by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
Message-ID: <5059BCF9.804060@XXX.com>
Date: Wed, 19 Sep 2012 13:42:19 +0100
From: <user@mydomain.com>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.9.2.12) Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <user@mydomain.com>
Subject: =?utf-8?Q?Spam:find=20Cllalls=20free=20sites=20computer=20search?=

The To and From are the same, and it's not from inside my network. I'm not sure how this is getting through or how it is happening. There is not a lot of it, but I would like to stop it.
Asked by: mvalpreda
1 Solution
 
Alan Hardisty commented:
You are probably an Authenticated relay and my article will help you to identify the account:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Once identified, change the password for the account, restart the SMTP Service and then wait for the queues to empty.  They may still fill up for a while whilst Exchange catches up with the volume that it was sent, so don't be alarmed if the queues keep filling for a while.

You can use aqadmcli.exe to delete the mail in the queues quickly. Shout if you would like a link to download it from, and instructions.

Alan
mvalpreda (Author) commented:
First off....thanks for the article. I was looking through and see that it may be more of an NDR attack since I see a lot of mail in the queue to strange domains all coming from postmaster@. I have set up the filtering explained at http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html and the tarpitting explained at http://support.microsoft.com/kb/842851. I set the tarpit time to 20 seconds.

Also going to run through the authenticated user attack. Strange that it happens when the box is unchecked and only allowing relaying from a very specific set of IPs.
Alan Hardisty commented:
Exchange 2003 is very open to abuse unfortunately.

Hopefully it is just an NDR attack which should subside with Recipient Filtering enabled, but if not, then you should be able to find the relevant account.

Shout if you need any more info.
mvalpreda (Author) commented:
I do have a slight issue now. I forgot to mention I have an outside vendor that sends emails through our server and they log in with a service account (with a strong random password) and I am now seeing this:

The SMTP client "X.X.X.X" authenticated as user "DOMAIN\account" attempted to send as "legituser@mydomain.com".  Access was denied because the authenticated client does not have permission to Send As this SMTP address.

Am I going to need to set up Send As permissions on each of those users who use this third party service?
Alan Hardisty commented:
Yes - if they need to send as a particular user and log in as a different user, then they will need Send As permissions.
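A small triage script for the two symptoms discussed in this thread: headers where the connecting host is not on the SMTP virtual server's relay list yet the From: address is a local user, and the "does not have permission to Send As" event text quoted above. This is an added example in Python, not Exchange tooling or code from the thread; the server name, local domain and relay list are constructed placeholders.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "mydomain.com"        # placeholder for the poster's domain
OUR_HOST = "MYMAILSERVER"            # name Exchange stamps in "by <host>"
# Hosts on the "Only the list below" relay list (constructed placeholders)
ALLOWED_RELAY = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.20")}

# Constructed sample modelled on the headers quoted in the question
SAMPLE_MSG = """\
Received: from host145-98-static.206-37-b.business.telecomitalia.it
 ([37.206.98.145]) by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
From: <user@mydomain.com>
To: <user@mydomain.com>
Subject: Spam: find free sites

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SENDAS_RE = re.compile(
    r'SMTP client "([^"]+)" authenticated as user "([^"]+)" attempted to send as "([^"]+)"')

def connecting_ip(msg, our_host=OUR_HOST):
    """IP of the client that handed the message to our server, read from the
    Received: header our own server stamped ("by <our_host>")."""
    for rcv in msg.get_all("Received", []):
        flat = " ".join(rcv.split())          # unfold continuation lines
        if f"by {our_host} " in flat:
            m = IP_RE.search(flat)
            return ipaddress.ip_address(m.group(1)) if m else None
    return None

def triage(raw, local_domain=LOCAL_DOMAIN, allowed=ALLOWED_RELAY):
    """Return a list of findings for one raw message; empty means nothing odd."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    if ip is not None and ip not in allowed and sender.endswith("@" + local_domain):
        findings.append(f"local sender {sender} submitted from non-relay host {ip}")
    rcpts = [parseaddr(a)[1].lower() for a in msg.get_all("To", [])]
    if sender and sender in rcpts:
        findings.append("From and To are the same address")
    return findings

def parse_send_as_denial(line):
    """Pull (client_ip, account, spoofed_address) out of the Exchange 2003
    Send As denial text quoted in the thread; None if the line is not one."""
    m = SENDAS_RE.search(line)
    return m.groups() if m else None
```

Running `triage` over messages that carry both findings gives a short list to compare against the account identified per the linked article; `parse_send_as_denial` collects which service account is sending as which mailbox so Send As permissions are granted only where the vendor actually needs them.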
mvalpreda (Author) commented:
Thanks. All is looking well now.