Solved

Exchange 2010 Authenticated Relay Attack

Posted on 2013-06-20
24
636 Views
Last Modified: 2013-06-26
I believe I am the victim of an Authenticated Relay Attack.

I have read the various posts by A. Hardisty on how to deal with this with Exchange 2003, but not with Exchange 2010.

First thing I need to know is how to identify which account is the compromised account.  Once I stop the authenticated relay, then I can move on to cleaning things up.
Question by:tech911
24 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
Hi,

You will find thousands of "audit success" events in the security logs, which will give you an idea.
Next you can browse your Default SMTP connector logs. (or quickly expand its logging level)

For sure you have to enforce all users to reset their passwords.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
0
 
LVL 3

Author Comment

by:tech911
Checked MXTOOLBOX we are not an open relay

Here are the results of the command you requested I run

COMMAND
Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights

RESULTS
Identity
123ExchangeServer\Copier Scan To Mail

User
NT AUTHORITY\Anonymous LOGON

Extended Rights
{ms-Exch-SMTP-Accept-Any-Recipient
0
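The one-liner above only lists the permission entries; to judge whether a connector is actually a relay risk you also need its scope (RemoteIPRanges, Bindings, PermissionGroups). The following is an added example, not code from the thread or from Alan Hardisty, that builds that report for every receive connector in one pass and separately lists the connectors that accept authenticated submissions, which is the path a stolen mailbox password would use. It assumes the Exchange 2010 Management Shell and makes no configuration changes.

```powershell
# Added example (not from the thread): audit every receive connector for anonymous
# relay rights and show how tightly each one is scoped. Run in the Exchange
# Management Shell on the Exchange 2010 server; nothing here changes configuration.

$defaultRange = '0.0.0.0-255.255.255.255'   # the unscoped default for RemoteIPRanges

$report = foreach ($connector in Get-ReceiveConnector) {
    # Relay is granted by the ms-Exch-SMTP-Accept-Any-Recipient extended right;
    # Deny ACEs are skipped so only effective Allow grants are reported.
    $anonRelay = $connector | Get-ADPermission | Where-Object {
        $_.User -like '*Anonymous*' -and
        $_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*' -and
        -not $_.Deny
    }
    if ($anonRelay) {
        $ranges   = ($connector.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
        $bindings = ($connector.Bindings       | ForEach-Object { $_.ToString() }) -join ', '
        # New-Object PSObject keeps this runnable on the PowerShell 2.0 that EMS 2010 uses
        New-Object PSObject -Property @{
            Identity         = $connector.Identity
            Bindings         = $bindings
            RemoteIPRanges   = $ranges
            PermissionGroups = $connector.PermissionGroups
            AuthMechanism    = $connector.AuthMechanism
            # Unscoped = any source IP may relay through this binding (an open relay)
            Unscoped         = ($ranges -like "*$defaultRange*")
        }
    }
}

"Connectors granting anonymous relay:"
$report | Format-Table Identity, Bindings, RemoteIPRanges, PermissionGroups, Unscoped -AutoSize

# Connectors that let authenticated users submit mail. A compromised password
# relays through one of these, so check their logging level and lockout setting.
"Connectors accepting authenticated submission:"
Get-ReceiveConnector | Where-Object { $_.PermissionGroups -match 'ExchangeUsers' } |
    Format-Table Identity, Bindings, AuthMechanism, MaxLogonFailures, ProtocolLoggingLevel -AutoSize
```

A connector scoped to a single printer IP, as in the output further down the thread, shows Unscoped = False; the value to worry about is a relay-granting connector whose RemoteIPRanges still holds the default all-addresses range. Raising ProtocolLoggingLevel to Verbose on the authenticated connectors records which account each SMTP session authenticated as, which is what the original question asks for.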
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - so your copier looks like it can relay.  Does it need to?

Please run the following EMS command:

get-receiveconnector -identity "copier scan to mail" | fl

Please post the output.

Thanks

Alan
0
 
LVL 3

Author Comment

by:tech911
[PS] C:\Windows\system32>get-receiveconnector -identity "copier scan to mail" | fl


RunspaceId                              : ef0608a5-626e-4a5a-8849-9705b474c723
AuthMechanism                           : None
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : mail.cohenlerner.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.2.15}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : CLREXCHGSERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Copier Scan To Mail
DistinguishedName                       : CN=Copier Scan To Mail,CN=SMTP Receive Connectors,CN=Protocols,CN=CLREXCHGSER
                                          VER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administ
                                          rative Groups,CN=CLRLAW,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
                                          =CLRLAW
Identity                                : CLREXCHGSERVER\Copier Scan To Mail
Guid                                    : 89640d18-7fac-47e5-99a9-4ec23be1d83c
ObjectCategory                          : CLRLAW/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 6/20/2013 4:27:50 PM
WhenCreated                             : 9/4/2012 10:46:07 AM
WhenChangedUTC                          : 6/20/2013 8:27:50 PM
WhenCreatedUTC                          : 9/4/2012 2:46:07 PM
OrganizationId                          :
OriginatingServer                       : CLRMainServer.CLRLAW
IsValid                                 : True
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - that's restricted to just your copier (assuming its IP is 192.168.2.15).

So - you don't look like an authenticated relay.

What makes you think you are?
0
 
LVL 3

Author Comment

by:tech911
We were fine...
Then we started to have a couple of bounces
Then I checked the BL at MXTOOLBOX and we were on 4 lists
Then I looked at the message Queue and saw a ton of messages that didn't have anything to do with what we do (Law Firm)
CLR-Image1.jpg
CLR-Image2.jpg
0
 
LVL 3

Author Comment

by:tech911
We have 4 receive connectors... I didn't set this up

Client
Default
Copier Scan To Mail
CL Inbound SMTP

One Send Connector
CLSMTPOUT
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Those are just postmaster NDR messages.  Nothing more sinister.

Does your Exchange server receive mail direct from the internet or via a 3rd party spam filtering service?

What Blacklists were you on?  Backscatterer.org one of them?
0
 
LVL 3

Author Comment

by:tech911
Backscatter
SORBS
CBL
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Thought so - what about my other question?
0
 
LVL 3

Author Comment

by:tech911
Direct
We do have a router that has anti-spam protection on it (Netgear with UTM)

Just to be clear we have had this setup for months.

We had someone leave the firm.
They asked me to make sure his mailbox was accessible to two other partners
I gave them both Full Access and Send As permissions
That was on Monday, we started seeing the bounces yesterday and full blown full queue today.

Does that help?
0
 
LVL 3

Author Comment

by:tech911
Look at the subject in those <> messages
CLR-Image3.jpg
0
 
LVL 3

Author Comment

by:tech911
Here is the Queue with the last error, every one is rejecting us... Most likely due to BL's
CLR-Image4.jpg
0
 
LVL 76

Expert Comment

by:Alan Hardisty
The ones from <> look just like regular spam.

I would imagine your Netgear UTM device is not capable or not enabled for Recipient Filtering, so it is accepting messages for invalid email addresses, passing them on to your Exchange server and because your UTM device has accepted the message, your Exchange server is forced to send an NDR back to the sender (which is usually spoofed) and because some have gone out to honeypot addresses at places like backscatter.org, you get blacklisted.

You either need to enable recipient filtering on the UTM (if it is capable), or find an alternative solution to spam.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
According to Spamhaus you are on the CBL blocklist because you have a spam sending trojan (http://cbl.abuseat.org/lookup.cgi?ip=50.77.219.209).

Does your firewall block SMTP traffic outbound from all IP's other than your Exchange Server?

Extract from the link above:

It was last detected at 2013-06-18 22:00 GMT (+/- 30 minutes), approximately 2 days ago.

So about 2 days ago you had a problem and that is why you are blacklisted.  If the problem was ongoing, then you would see a more recent time as the most recent listing.

Did you have any visitors a couple of days ago with a laptop that connected to your network or a remote user who came back to the office?
0
 
LVL 3

Author Comment

by:tech911
So a couple of questions

1.) Suggestions for antispam

2.) How can I be sure my connectors are setup to receive messages only for people on my system?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I'll let you read / reply to my last comment before responding to your last one.
0
 
LVL 3

Author Comment

by:tech911
I'm a hired gun, so I am not there everyday.

Basically I have a bug on the network sending messages is that what I am understanding?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
It looks that way - or it looks like you did have.

Make sure the firewall is locked down to ONLY allow port 25 traffic out from the Exchange server and nothing else (unless absolutely necessary) and if you have got an infected PC, then you will need to track it down.

You can use something like Wireshark to sniff for port 25 traffic from the network and see if you can locate a PC sending such traffic and then tackle it.

Malwarebytes may well help you, but blocking the firewall (if not already done) would be the first thing to check / lock down.
0
 
LVL 3

Author Comment

by:tech911
Made the firewall change.

Downloading MB's

How can I check to see who is sending mail out on my system...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Good.

"How can I check to see who is sending mail out on my system..." - Do you mean virus or genuine user?

Alan
0
 
LVL 3

Author Comment

by:tech911
Genuine User

I am accumulating more and more of those <> messages in the queue and when I look at them the from info is not anyone in my system and the "to" is someone random outside my system and the subjects are totally spam.

So I'm not sure what's going on.

Should I load MS Exchange AV and enable recipient filtering or can I do it without MS Exchange AV (My router doesn't support it as we thought).
0
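The question "how can I check to see who is sending mail out on my system" (and the earlier pointer to "audit success" events in the security log) can both be answered from data Exchange 2010 already keeps. The following added example, not code from the thread or from either expert, reads the message tracking log and the Security event log and groups outbound traffic by account and source IP, so a single mailbox or workstation submitting far more than the rest stands out. It assumes the Exchange Management Shell on the Hub Transport server, that the authenticated client connector is named "Client" as in the list posted above, and the standard event 4624 message layout; the two-day window is an arbitrary choice.

```powershell
# Added example (not from the thread): who is submitting outbound mail, from where,
# and how much of the outbound volume is backscatter. Exchange Management Shell.

$since = (Get-Date).AddDays(-2)   # constructed window; widen as needed

# 1. Mail accepted from authenticated clients shows up as RECEIVE events on the
#    client connector. Group by sender: a compromised mailbox usually dwarfs the rest.
$authenticated = Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and $_.ConnectorId -like '*\Client*' }

"Top senders via the authenticated client connector:"
$authenticated | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Same events grouped by sender AND submitting IP: a user whose mail arrives from
# an address that is not their workstation is the other strong indicator.
"Sender / client IP pairs:"
$authenticated | Group-Object Sender, ClientIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# 2. The "<>" messages in the queue are NDRs. DSN events count how many bounces the
#    server itself generated, which is the backscatter the blacklists are seeing.
$ndrs = @(Get-MessageTrackingLog -EventId DSN -Start $since -ResultSize Unlimited)
"NDRs generated in the window: $($ndrs.Count)"
$ndrs | Select-Object -First 5 Timestamp, MessageSubject,
    @{ Name = 'Recipients'; Expression = { $_.Recipients -join ',' } } | Format-Table -AutoSize

# 3. Basic SMTP AUTH logons are recorded as Security event 4624 with Logon Type 8
#    (NetworkCleartext). Pull the account and source address out of the "New Logon"
#    section and group them; this shows who authenticated even for sessions that
#    never made it into the tracking log.
Get-EventLog -LogName Security -InstanceId 4624 -After $since |
    Where-Object { $_.Message -match 'Logon Type:\s+8\b' } |
    ForEach-Object {
        $m = $_.Message
        $account = if ($m -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
        $source  = if ($m -match 'Source Network Address:\s+(\S+)')        { $Matches[1] } else { '?' }
        New-Object PSObject -Property @{ Account = $account; Source = $source }
    } |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Read the three outputs together: a sender who is high in section 1 and whose section 3 logons come from an unfamiliar source address is the account to reset first, while a large DSN count in section 2 with normal user volumes points at the NDR/backscatter problem rather than at a compromised account.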
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
Those are messages destined for invalid users that are all spam, but because your UTM device is accepting them and passing them to your Exchange server for delivery, you are forced to send an NDR message back.  If your UTM device rejected invalid recipients, then the sending server would be responsible for the NDR generation.

This forces you to send Backscatter and that is why you are listed on Backscatterer.org.  If the UTM device cannot reject emails destined for invalid email addresses, then throw it away and get one that can, or use a product such as Vamsoft ORF Fusion which can and also does a brilliant job of rejecting spam (www.vamsoft.com).  You can trial it for 42 days before you decide to buy (in case it doesn't work for you).
0
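Two points in the thread are answered by configuration Exchange 2010 ships with: the question about making the connectors accept mail only for people on the system, and whether recipient filtering needs a separate anti-virus product. The built-in transport anti-spam agents, once installed on the Hub Transport role, can reject unknown recipients at RCPT TO. The following is an added example, not code from the thread or from Alan Hardisty, assuming the Exchange Management Shell on the Hub Transport server, the EMS variable $exscripts (the Exchange Scripts folder), and a placeholder <UTM-LAN-IP> for the UTM's internal address.

```powershell
# Added example (not from the thread): enable Exchange 2010 recipient validation so
# mail to non-existent addresses is refused during the SMTP session instead of
# being accepted and bounced. Exchange Management Shell, Hub Transport server.

# 1. The anti-spam agents are not installed on a Hub Transport server by default;
#    the install script lives in the Exchange Scripts folder ($exscripts in EMS).
if (-not (Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' })) {
    & "$exscripts\Install-AntispamAgents.ps1"
    Restart-Service MSExchangeTransport
}

# 2. Reject recipients that do not exist in Active Directory. The 5-second tarpit
#    already set on the connector above keeps these rejections from becoming a
#    cheap way to harvest valid addresses.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 3. Declare the UTM as an internal SMTP server so the agents evaluate the real
#    connecting client from the Received headers rather than the UTM's own IP.
#    <UTM-LAN-IP> is a placeholder; substitute the device's internal address.
Set-TransportConfig -InternalSMTPServers '<UTM-LAN-IP>'

# 4. Verify the agent is enabled and validation is on.
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-TransportAgent | Where-Object { $_.Identity -like '*Filter Agent*' } |
    Format-Table Identity, Enabled, Priority -AutoSize
```

This stops Exchange from accepting the undeliverable mail, but it only removes the backscatter if the UTM relays Exchange's rejection back to the sending server during the same SMTP session. A UTM that accepts the whole message first and then hands it on will have to bounce it itself, which is why the accepted answer insists the rejection has to happen at the UTM (or at whatever replaces it).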
