Help with Exchange 2003 spam attack

Hello All,
A client's Exchange 2003 server is under attack and here's what I've been able to do so far.

This is a Windows 2003 SP2 server running Exchange 2003 SP2, all patches applied. We're using Outlook clients, OWA and IMAP.

Yesterday, user JW's e-mail account started getting hammered with NDRs with Chinese characters in the subject. I confirmed that the server is not an open relay. I found thousands of queues full of spam and got rid of them. The queues have been normal since. No more NDRs to that account.

They cracked JW's password and were authenticating. I could see it in the Security Event Log.

Successful Network Logon:
       User Name:      JW
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x72F915)
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Logon GUID:      -
       Caller User Name:      MYSERVER$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -

If I change the password on JW's account, I see Failure Audits because the account gets locked out within seconds.

Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Domain: MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

The main thing I'm still seeing is many sessions with weird user names in the Default SMTP Virtual Server. I checked a few of the IPs and they're in China.

My questions are:
- What are these sessions I'm seeing? I don't think the server is still sending spam. Wouldn't I see that in ESM in the queues?

- What to do about JW's account? It's currently disabled. If I enable it and reset the password it is locked out immediately. If I set the password back to what it was (as a test) I can see that they're successfully logging in.

I've scanned the server and all workstations for malware.

Next steps?

Thanks in advance
Asked by simonett
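What the two Security log entries in the question have in common can be turned into a check, as an added example (this is not code from the thread). The fingerprint it keys on is visible in the posted events: Logon Type 3 with Logon Process Advapi means the password was validated through the LogonUser API by a process running on the server itself (which is how the SMTP service checks AUTH LOGIN / Basic credentials), the Caller Logon ID (0x0,0x3E7) is the well-known SYSTEM logon session, and Source Network Address "-" means the event does not record the client IP, so the source has to come from the SMTP protocol log. The thread does not identify Caller Process ID 1436 and no event IDs are shown, so the parser works from the message text as pasted. The "alice" entry and the repetition of the lockout failure are constructed for contrast; everything else is the posted data.

```python
from collections import defaultdict

SYSTEM_LOGON_ID = "(0x0,0x3E7)"          # well-known logon ID of the SYSTEM session
HEADERS = {"Successful Network Logon:", "Logon Failure:"}

# The two entries posted in the question, verbatim apart from indentation.
POSTED_SUCCESS = """
Successful Network Logon:
       User Name:      JW
       Domain:            MYDOMAIN
       Logon ID:            (0x0,0x72F915)
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Logon GUID:      -
       Caller User Name:      MYSERVER$
       Caller Domain:      MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -
"""
POSTED_FAILURE = """
Logon Failure:
       Reason:            Account locked out
       User Name:      JW
       Domain:
       Logon Type:      3
       Logon Process:      Advapi
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      MYSERVER
       Caller User Name:      MYSERVER$
       Caller Domain: MYDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 1436
       Transited Services: -
       Source Network Address:      -
       Source Port:      -
"""
# Constructed for contrast (not from the thread): an ordinary network logon from a
# workstation, authenticated by Kerberos, with the client address recorded.
CONSTRUCTED_WORKSTATION = """
Successful Network Logon:
       User Name:      alice
       Domain:         MYDOMAIN
       Logon ID:       (0x0,0x8A1C2)
       Logon Type:     3
       Logon Process:  Kerberos
       Authentication Package:      Kerberos
       Workstation Name:      -
       Caller User Name:      -
       Caller Logon ID:      -
       Source Network Address:      192.168.1.50
"""
# Sample log: the posted success, the posted lockout failure repeated three times
# (standing in for the burst seen "within seconds"), and the constructed logon.
SAMPLE_LOG = POSTED_SUCCESS + POSTED_FAILURE * 3 + CONSTRUCTED_WORKSTATION


def parse_events(text):
    """Split pasted Event Viewer text into events: a header line, then 'Key: value' lines."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            current = {"_kind": line.rstrip(":")}
            events.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return events


def is_service_logon(ev):
    """Network logon whose password was checked via LogonUser by the SYSTEM session."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Logon Process", "").lower() == "advapi"
            and ev.get("Caller Logon ID") == SYSTEM_LOGON_ID)


def summarize(text):
    """Per-account counts of service-mediated successes, failures and lockouts."""
    per_user = defaultdict(lambda: {"service_success": 0, "service_failure": 0,
                                    "locked_out": 0, "other": 0, "source_ips": set()})
    for ev in parse_events(text):
        row = per_user[ev.get("User Name", "?")]
        ip = ev.get("Source Network Address", "-")
        if ip and ip != "-":
            row["source_ips"].add(ip)          # '-' in the posted events: no client IP here
        if not is_service_logon(ev):
            row["other"] += 1
            continue
        if ev["_kind"] == "Successful Network Logon":
            row["service_success"] += 1
        else:
            row["service_failure"] += 1
            if ev.get("Reason", "").lower().startswith("account locked out"):
                row["locked_out"] += 1
    return dict(per_user)


def suspicious_accounts(text, lockout_threshold=3):
    """Accounts to reset or disable: a service logon that succeeded means the password is
    known to the attacker; repeated lockouts mean it is being guessed through the service."""
    out = {}
    for user, row in summarize(text).items():
        reasons = []
        if row["service_success"]:
            reasons.append("credential accepted via service logon")
        if row["locked_out"] >= lockout_threshold:
            reasons.append("repeated lockouts via service logon")
        if reasons:
            out[user] = reasons
    return out


if __name__ == "__main__":
    for user, reasons in suspicious_accounts(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Run against an export of the Security log it gives the list of accounts whose passwords are being presented to the server's own services; the client addresses behind them are not in these events and have to be read from the SMTP protocol log.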
Alan Hardisty (Co-Owner) commented:
If you want a permanent fix, please read my blog and change your authentication on your SMTP Virtual Server:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

In that blog is a link to my earlier blog with ideas on how to improve your security.

Alan
simonett (Author) commented:
Alan,
Thanks so much for your quick response.

Just confirming... if all my users are accessing the Exchange Server with either Outlook or OWA or IMAP, then I can un-check Basic Authentication and Integrated Windows Authentication in the Default SMTP Virtual Server properties in ESM?

I'll read your posts with security improvement ideas next.
simonett (Author) commented:
I made these changes and restarted the Default SMTP Virtual Server, but am still seeing weird connections.

Do I need to restart other servers/services as well?

I just re-read your post again and see that it was two days later that you said that there were no further attempts being made. So I need to wait it out I'm assuming.
Alan Hardisty (Co-Owner) commented:
The only service that needs restarting is the SMTP Service.  That should stop people trying to send mail using usernames and passwords to your server.

If your users use Outlook / OWA they should be fine, but IMAP / SMTP will be a problem for the SMTP part.  If you can switch them to RPC over HTTPS that would mean you are secure and stop hackers from trying to send mail via / to your server.

What other services do you have open on your server?  RDP (TCP Port 3389) by any chance?
simonett (Author) commented:
The Sonicwall firewall has ports 25, 80 and 143 open. 3389 is closed. I ran a port scan using GRC's Shields Up on the first 1055 ports, then specifically scanned for 3389.

I'm going to shut down IMAP because the one user that was using it has switched to using Outlook or OWA. OK, I've closed 143 now, so only 25 and 80 are open.

Here's a snippet from the SMTP logs. I know that response 550 means that the requested action was not taken and/or mailbox unavailable, but how does it look to you? It's hard to read because of the line-wrap here. Not too bad if pasted into a text editor.

They're still trying the JW user login (jw@mydomain.com)

Thanks very much for your time and expertise.

2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
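One way to answer "is it still sending spam?" from the SMTP protocol log rather than from the queue view, as an added example (this is not code from the thread). It assumes the column layout visible in the posted lines (the IIS W3C format: date, time, c-ip, cs-username, s-sitename, s-computername, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status, ...), that cs-username carries the client's EHLO name rather than an authenticated account (the posted EHLO line shows "ouzekpt" in both places, and those EHLO names are what appear as the "weird user names" in the virtual server's session list), and that mydomain.com is the only domain the server accepts mail for. The posted session is included as-is; the 203.0.113.9 and 198.51.100.4 sessions are constructed to show the other two outcomes.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"mydomain.com"}   # assumption: the only domain this server accepts mail for

# Column positions as seen in the thread's lines (IIS W3C extended log format):
# 0 date  1 time  2 c-ip  3 cs-username (the client's HELO/EHLO name, not an
# authenticated account)  4 s-sitename  5 s-computername  6 s-ip  7 s-port
# 8 cs-method  9 cs-uri-stem  10 cs-uri-query  11 sc-status  (rest ignored)
C_IP, EHLO_NAME, METHOD, QUERY, STATUS = 2, 3, 8, 10, 11
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample: the session posted in the thread, plus two constructed
# sessions (203.0.113.9 and 198.51.100.4) that show the other outcomes.
SAMPLE_LOG = """\
2013-01-15 22:27:11 14.208.53.132 ouzekpt SMTPSVC1 MYSERVER 192.168.1.12 0 EHLO - +ouzekpt 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<grandslam@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<dennis731109@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<o918812539@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jovi1239@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<meiyu_v@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<loveccf52@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<ocean113@kimo.com> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<fat0707@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<unionfriendship2004@yahoo.com.tw> 550 - -
2013-01-15 22:27:11 58.255.224.7 rvzejnr SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 554 - -
2013-01-15 22:30:02 203.0.113.9 bot1 SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<jw@mydomain.com> 250 - -
2013-01-15 22:30:02 203.0.113.9 bot1 SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<victim@example.net> 250 - -
2013-01-15 22:30:03 203.0.113.9 bot1 SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 250 - -
2013-01-15 22:31:00 198.51.100.4 mail.example.org SMTPSVC1 MYSERVER 192.168.1.12 0 MAIL - +FROM:<someone@example.org> 250 - -
2013-01-15 22:31:00 198.51.100.4 mail.example.org SMTPSVC1 MYSERVER 192.168.1.12 0 RCPT - +TO:<jw@mydomain.com> 250 - -
2013-01-15 22:31:01 198.51.100.4 mail.example.org SMTPSVC1 MYSERVER 192.168.1.12 0 DATA - - 250 - -
"""


def parse_sessions(log_text):
    """Group lines by (client IP, EHLO name); record sender, recipients and the DATA result."""
    sessions = defaultdict(lambda: {"mail_from": None, "rcpt": [], "data": None})
    for line in log_text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or len(f) <= STATUS:
            continue                               # header, blank or truncated line
        s = sessions[(f[C_IP], f[EHLO_NAME])]
        method, query, status = f[METHOD], f[QUERY], f[STATUS]
        m = ADDR_RE.search(query)
        addr = m.group(1).lower() if m else ""
        if method == "MAIL" and status == "250":
            s["mail_from"] = addr
        elif method == "RCPT":
            s["rcpt"].append((addr, status))
        elif method == "DATA":
            s["data"] = status
    return dict(sessions)


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def classify(s):
    """Label one session by what the server actually agreed to do with it."""
    accepted = [a for a, st in s["rcpt"] if st == "250"]
    refused = [a for a, st in s["rcpt"] if st.startswith("5")]
    if any(domain_of(a) not in LOCAL_DOMAINS for a in accepted):
        return "RELAYED"        # mail accepted for a foreign domain: this is what fills the queues
    if accepted:
        return "INBOUND"        # ordinary delivery to a local mailbox
    if refused:
        return "RELAY_BLOCKED"  # every recipient refused (550); nothing was accepted
    return "NO_RCPT"            # EHLO/probe only; nothing more can be said from these columns


def report(log_text):
    return {key: classify(s) for key, s in parse_sessions(log_text).items()}


def relayed_sessions(log_text):
    """Sessions that got mail through: the ones to chase if spam is still leaving."""
    return sorted(k for k, label in report(log_text).items() if label == "RELAYED")


def spoofed_local_senders(log_text):
    """Refused sessions that claimed a local sender address (the jw@mydomain.com pattern)."""
    return sorted(k for k, s in parse_sessions(log_text).items()
                  if classify(s) == "RELAY_BLOCKED"
                  and domain_of(s["mail_from"] or "") in LOCAL_DOMAINS)


if __name__ == "__main__":
    for key, label in report(SAMPLE_LOG).items():
        print(f"{key[0]:>15} {key[1]:<18} {label}")
```

In the posted session every RCPT TO gets 550 and DATA then gets 554, which is a relay attempt the server refused; a 250 on a RCPT TO for a foreign domain would be mail the server accepted and will try to deliver, and those are the sessions that put entries into the ESM queues.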
 
Alan Hardisty (Co-Owner) commented:
You are very welcome.  The logs look okay to me.  Various attempts, but sadly thwarted now :)

Hopefully they will get bored soon and try someone else's server.

How are your queues looking?
simonett (Author) commented:
Great, thanks for the reassurance. I took code 554 for failure, i.e. they've been thwarted.

Queues still look normal.

I think that did it.

Whew!
simonett (Author) commented:
Great article that all newbie Exchange admins should read!
Alan Hardisty (Co-Owner) commented:
You will need to put those settings back though if you migrate or your servers won't talk to each other happily, but for now, you should be nice and safe.

Thanks for the points.

Alan
simonett (Author) commented:
Good point.

I'm going to move this client's mail to Google Apps in the next few months.

But that's another topic altogether!

Cheers
Alan Hardisty (Co-Owner) commented:
Good luck with that.