Exchange server 2003 being used as a spam relay

Asked by Yann Shukor (France)
Topics: Email Clients, Software Firewalls, Internet Protocols
Hi

My client's Windows 2K Exchange 2003 SP3 server is being used as a spam relay:

Received: from User ([184.61.168.250]) by mailhost.XXXXXXXXXX.com with
         Microsoft SMTPSVC(5.0.2195.7381);
         Tue, 18 Dec 2012 20:36:39 +0100
From: "E-Mail  Technical Services"<support@hp.com>
Subject: IMPORTANT INFORMATION IN YOUR MAILBOX
Date: Tue, 18 Dec 2012 13:40:50 -0600
MIME-Version: 1.0
Content-Type: text/plain;
        charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: support@hp.com
Message-ID: <EXCHANGE2KVp20N39x600000a56@mailhost.XXXXXXXXXX.com>
X-OriginalArrivalTime: 18 Dec 2012 19:36:40.0378 (UTC)
         FILETIME=[007E41A0:01CDDD57]

Your mailbox is almost full.
20GB


Your Web-mail Quota Has Exceeded The Set Quota/Limit Which Is 20GB.
You Are Currently Running On 23GB Due To Hidden Files And Folder On
Your Mailbox.
Please Click the Link Below To Validate Your Mailbox And Increase Your Quota.
CLICK HERE: http://activatenow.nclidz.com/
you keep changing your password allowed Web Mail Services to work
on your quota limit.Failure To Click This Link And Validate Your Quota
May Result In Loss Of Important Information In Your Mailbox/Or Cause
Limited Access To It.
Thank you for your cooperation.
Web Mail Technical Services

There were over 50000 emails in the SMTP queue!
Apparently the destination email addresses are bad,
because the Exchange diagnostics log is FULL of
5.4.0 errors (I had approx 2GB worth of these logged
errors).

Is this spam? Or maybe a type of DoS attack?
The server was on its knees for two days following the
beginning of this situation.

I don't understand how these got through though,
because I have specified in the SMTP protocol
properties that only the local subnet (192.168.1.0/24)
is allowed to relay.

So far the only solution I have found was to stop the
SMTP service and delete the files in the mailroot
queue.

I'll check the access rules in the Cisco 831 config to
see if there are any holes through there.

thanks

yann

NB: this is a copy of the Cisco config:
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
ip inspect name FWOUT smtp
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 122 out
 ip nat inside
 no cdp enable
!
interface Ethernet1
 ip address XXX.XXX.XXX.XXX 255.255.255.248
 ip nat outside
 ip inspect FWOUT out
 duplex auto
 no cdp enable
!
ip local pool DIAL-IN 192.168.201.10 192.168.201.230
ip nat inside source list 20 interface Ethernet1 overload
ip nat inside source static tcp 192.168.1.5 443 interface Ethernet1 443
ip nat inside source static tcp 192.168.1.5 110 interface Ethernet1 110
ip nat inside source static tcp 192.168.1.5 143 interface Ethernet1 143
ip nat inside source static tcp 192.168.1.5 25 interface Ethernet1 25
ip nat inside source static tcp 192.168.1.5 3389 interface Ethernet1 3389
ip nat inside source static tcp 192.168.1.5 80 interface Ethernet1 80
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 10

no ip http server
no ip http secure-server
!
access-list 5 remark SNMP
access-list 5 permit XXX.XXX.XXX.XXX
access-list 5 permit XXX.XXX.XXX.XXX
access-list 10 permit XXX.XXX.XXX.XXX 0.0.0.255
access-list 10 deny   any
access-list 20 permit 192.168.1.0 0.0.0.255
access-list 20 deny   any
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit xxx.xxx.xxx.xxx
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 102 remark Incoming traffic
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 143
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 443
access-list 121 remark ANTISPOOFING
access-list 121 deny   ip 127.0.0.0 0.255.255.255 any log-input
access-list 121 deny   ip 10.0.0.0 0.255.255.255 any log-input
access-list 121 deny   ip 172.16.0.0 0.15.255.255 any log-input
access-list 121 deny   ip 192.168.0.0 0.0.255.255 any log-input
access-list 121 permit ip any any
access-list 122 permit ip any host 192.168.1.5
access-list 122 permit ip any host 192.168.1.213
access-list 122 permit ip any host 192.168.1.117
access-list 122 permit ip any host 192.168.1.116
access-list 122 permit ip any host 192.168.1.108
access-list 122 permit ip any host 192.168.1.121
access-list 122 permit ip any host 192.168.1.107
access-list 122 permit ip any host 192.168.1.101
access-list 122 permit ip any host 192.168.1.100
access-list 122 permit ip any host 192.168.1.106
access-list 122 permit ip any host 192.168.1.105
access-list 122 deny   ip 192.168.201.0 0.0.0.255 any
access-list 122 permit icmp any any
access-list 122 permit ip any any
access-list 122 permit ip any host 192.168.1.251
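The header quoted in the question already answers the "how did it get in" part: the hop where mailhost accepted the message reads `from User ([184.61.168.250])`, a public address that is nowhere near the 192.168.1.0/24 relay list, with a bare "User" HELO and a Message-ID minted by the relay itself. The script below is an added example, not code from the question or from any answer: it pulls every Received hop out of a raw header block, keeps the hops where the local mailhost was the receiving side, and flags those whose client address falls outside the allowed relay networks. The sample header text and the mailhost name are copied from the question (masked domain kept as posted); the finding fields and the Message-ID heuristic are my own assumptions.

```python
import ipaddress
import re

# Matches the hop form "Received: from <helo> (<name> [<ip>]) by <host>" used by
# Microsoft SMTPSVC and most other MTAs.  Applied to the whole block with re.S so
# it also copes with the pasted header whose continuation line lost its indent.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\(\s*(?:[^\s\[\]()]+\s+)?\[?(?P<ip>[0-9a-fA-F.:]+)\]?\s*\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.S | re.I,
)
MESSAGE_ID_RE = re.compile(r"^Message-ID:\s*<[^@>]+@(?P<host>[^>]+)>", re.M | re.I)

# Constructed sample: the headers quoted in the question, masked domain as posted.
SAMPLE_HEADERS = """Received: from User ([184.61.168.250]) by mailhost.XXXXXXXXXX.com with
Microsoft SMTPSVC(5.0.2195.7381);
         Tue, 18 Dec 2012 20:36:39 +0100
From: "E-Mail  Technical Services"<support@hp.com>
Subject: IMPORTANT INFORMATION IN YOUR MAILBOX
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Return-Path: support@hp.com
Message-ID: <EXCHANGE2KVp20N39x600000a56@mailhost.XXXXXXXXXX.com>
"""


def relay_findings(raw_headers, local_hosts, allowed_relay_nets):
    """Return one dict per Received hop in which a host from local_hosts was the
    receiving side.  client_ip is the address that spoke SMTP to that host and
    allowed_to_relay says whether it lies inside allowed_relay_nets (the list the
    question says was configured in the SMTP virtual server's relay restrictions)."""
    local = {h.lower() for h in local_hosts}
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_relay_nets]
    mid = MESSAGE_ID_RE.search(raw_headers)
    mid_host = mid.group("host").lower() if mid else None
    findings = []
    for m in RECEIVED_RE.finditer(raw_headers):
        by = m.group("by").lower()
        if by not in local:
            continue  # hop between third-party hosts, not our relay decision
        ip = ipaddress.ip_address(m.group("ip"))
        findings.append({
            "helo": m.group("helo"),
            "client_ip": str(ip),
            "received_by": by,
            "client_is_private": ip.is_private,
            "allowed_to_relay": any(ip in n for n in nets),
            # Assumed heuristic: a Message-ID in the relay's own domain means the
            # relay generated it because the client sent none, which is typical of
            # bulk-mailing tools speaking raw SMTP rather than a desktop MUA.
            "message_id_from_relay": mid_host == by,
        })
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_HEADERS if sys.stdin.isatty() else sys.stdin.read()
    for f in relay_findings(text, {"mailhost.xxxxxxxxxx.com"}, ["192.168.1.0/24"]):
        flag = "ok" if f["allowed_to_relay"] else "RELAYED FROM OUTSIDE THE ALLOWED LIST"
        print(f"{f['received_by']} <- {f['client_ip']} (HELO {f['helo']}): {flag}")
```

Feed it a header block on stdin (or run it as-is for the sample); a hop flagged as outside the allowed list is a message the server agreed to relay for a client the IP restriction should have refused, which narrows the search to paths that bypass that restriction rather than to the firewall in front of it.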
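Whether the host still relays for anonymous clients can be settled with one SMTP transaction that never reaches DATA: an external sender to an external recipient, then RSET and QUIT. The probe below is an added example, not code from the question or from any answer. It speaks EHLO, MAIL FROM and RCPT TO over a plain socket and reports whether the recipient was accepted; a 550 5.7.1 "Unable to relay" means the anonymous path is closed, which matters because Exchange 2003's relay restrictions also let any client that authenticates relay regardless of the IP list, so a closed anonymous path points at a credential or an inside host rather than at the subnet setting. The MockSmtpServer is a constructed stand-in for the Exchange SMTP service so the probe can be exercised offline; every hostname and address in it is a placeholder.

```python
import socket
import threading


def _reply(f):
    """Read one SMTP reply, including the multi-line '250-' form; return (code, text)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)


def probe_relay(host, port, mail_from, rcpt_to, helo="relaycheck.example", timeout=10):
    """Attempt an anonymous third-party relay through host:port.
    Stops at RCPT TO and resets the transaction, so nothing is ever queued.
    Returns (verdict, reply): verdict is 'relay-accepted' (2xx on RCPT TO),
    'relay-denied' (5xx), 'inconclusive' (4xx) or 'error' (earlier failure)."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        def cmd(line):
            s.sendall(line.encode("ascii") + b"\r\n")
            return _reply(f)

        code, text = _reply(f)  # greeting banner
        if code != 220:
            return "error", text
        code, text = cmd(f"EHLO {helo}")
        if code != 250:
            code, text = cmd(f"HELO {helo}")  # fall back for hosts without ESMTP
            if code != 250:
                return "error", text
        code, text = cmd(f"MAIL FROM:<{mail_from}>")
        if code != 250:
            return "error", text
        code, text = cmd(f"RCPT TO:<{rcpt_to}>")
        verdict = {2: "relay-accepted", 5: "relay-denied"}.get(code // 100, "inconclusive")
        cmd("RSET")
        cmd("QUIT")
        return verdict, text


class MockSmtpServer(threading.Thread):
    """Constructed stand-in for the Exchange SMTP service; answers one session on
    127.0.0.1.  open_relay=False mimics a correctly restricted host (250 only for
    recipients in local_domains, 550 5.7.1 otherwise); open_relay=True accepts all."""

    def __init__(self, open_relay, local_domains=("example.com",)):
        super().__init__(daemon=True)
        self.open_relay = open_relay
        self.local_domains = tuple(d.lower() for d in local_domains)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.settimeout(15)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        try:
            conn, _ = self.listener.accept()
        except socket.timeout:
            return
        finally:
            self.listener.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 mailhost.example.com Microsoft ESMTP MAIL Service ready\r\n")
            for raw in f:
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    conn.sendall(b"250 mailhost.example.com Hello\r\n")
                elif verb == "MAIL":
                    conn.sendall(b"250 2.1.0 Sender OK\r\n")
                elif verb == "RCPT":
                    addr = line.split(":", 1)[1].strip().strip("<>")
                    domain = addr.rsplit("@", 1)[-1].lower()
                    if self.open_relay or domain in self.local_domains:
                        conn.sendall(b"250 2.1.5 Recipient OK\r\n")
                    else:
                        conn.sendall(b"550 5.7.1 Unable to relay\r\n")
                elif verb == "RSET":
                    conn.sendall(b"250 2.0.0 Resetting\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Service closing transmission channel\r\n")
                    break
                else:
                    conn.sendall(b"500 5.5.1 Command unrecognized\r\n")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_relay(target, 25, "probe@external.example", "probe@other.example"))
```

Run it once from outside the firewall against the public address and once from inside the 192.168.1.0/24 subnet: the first should come back relay-denied, the second relay-accepted. Any other combination, or an accepted relay from outside, is the configuration gap to chase; if both behave as expected yet spam keeps flowing, the sessions are being accepted on some basis other than the client address.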