Exchange 2010 Authenticated Relay Attack

Hi,

You will finds thousands of "audit success" in the security logs which will give you an idea.
Next you can browse your Default SMTP connector logs. (or quickly expand its logging level)

For sure you have to enforce all users to reset their passwords.

Have you seen my blog post here:

http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/

Alan

Checked MXTOOLBOX we are not an open relay

Here are the results of the command you requested I run

COMMAND
Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like “*SMTP-Accept-Any-Recipient*”)} | where {$_.User -like ‘*anonymous*’} | ft identity,user,extendedrights

RESULTS
Identity
123ExchangeServer\Copier Scan To Mail

User
NT AUTHORITY\Anonymous LOGON

Extended Rights
{ms-Exch-SMTP-Accept-Any-Recipient

Okay - so your copier looks like it can relay.  Does it need to?

Please run the following EMS command:

get-receiveconnector -identity "copier scan to mail" | fl

Please post the output.

Thanks

Alan

[PS] C:\Windows\system32>get-receiveconnector -identity "copier scan to mail" | fl


RunspaceId                              : ef0608a5-626e-4a5a-8849-9705b474c723
AuthMechanism                           : None
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : mail.cohenlerner.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.2.15}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : CLREXCHGSERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Copier Scan To Mail
DistinguishedName                       : CN=Copier Scan To Mail,CN=SMTP Receive Connectors,CN=Protocols,CN=CLREXCHGSER
                                          VER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administ
                                          rative Groups,CN=CLRLAW,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
                                          =CLRLAW
Identity                                : CLREXCHGSERVER\Copier Scan To Mail
Guid                                    : 89640d18-7fac-47e5-99a9-4ec23be1d83c
ObjectCategory                          : CLRLAW/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 6/20/2013 4:27:50 PM
WhenCreated                             : 9/4/2012 10:46:07 AM
WhenChangedUTC                          : 6/20/2013 8:27:50 PM
WhenCreatedUTC                          : 9/4/2012 2:46:07 PM
OrganizationId                          :
OriginatingServer                       : CLRMainServer.CLRLAW
IsValid                                 : True

Okay - that's restricted to just your copier (assuming its IP is 192.168.2.15).

So - you don't look like an authenticated relay.

What makes you think you are?

We were fine...
Then we started to have a couple of bounces
Then I checked the BL at MXTOOLBOX and we were on 4 lists
Then I looked at the message Queue and saw a ton of messages that didn't have anything to do with what we do (Law Firm)
CLR-Image1.jpg
CLR-Image2.jpg

We have 4 receive connectors... I didn't set this up

Client
Default
Copier Scan To Mail
CL Inbound SMTP

One Send Connector
CLSMTPOUT

Those are just postmaster NDR messages.  Nothing more sinister.

Does your Exchange server receive mail direct from the internet or via a 3rd party spam filtering service?

What Blacklists were you on?  Backscatterer.org one of them?

Backscatter
SORBS
CBL

Thought so - what about my other question?

Direct
We do have a router that has anti-spam protection on it (Netgear with UTM)

Just to be clear we have had this setup for months.

We had someone leave the firm.
They asked me to make sure his mailbox was accessible to two other partners
I gave them both Full Access and Send As permissions
That was on Monday, we started seeing the bounces yesterday and full blown full queue today.

Does that help?

Look at the subject in those <> messages
CLR-Image3.jpg

Here is the Queue with the last error, every one is rejecting us... Most likely due to BL's
CLR-Image4.jpg

The ones from <> look just like regular spam.

I would imagine your Netgear UTM device is not capable or not enabled for Recipient Filtering, so it is accepting messages for invalid email addresses, passing them on to your Exchange server and because your UTM device has accepted the message, your Exchange server is forced to send an NDR back to the sender (which is usually spoofed) and because some have gone out to honeypot addresses at places like backscatter.org, you get blacklisted.

You either need to enable recipient filtering on the UTM (if it is capable), or find an alternative solution to spam.

According to Spamhaus you are on the CBL blocklist because you have a spam sending trojan (http://cbl.abuseat.org/lookup.cgi?ip=50.77.219.209).

Does your firewall block SMTP traffic outbound from all IP's other than your Exchange Server?

Extract from the link above:

It was last detected at 2013-06-18 22:00 GMT (+/- 30 minutes), approximately 2 days ago.

So about 2 days ago you had a problem and that is why you are blacklisted.  If the problem was ongoing, then you would see a more recent time as the most recent listing.

Did you have any visitors a couple of days ago with a laptop that connected to your network or a remote user who came back to the office?

So a couple of questions

1.) Suggestions for antispam

2.) How can I be sure my connectors are setup to receive messages only for people on my system?

I'll let you read / reply to my last comment before responding to your last one.

I'm a hired gun, so I am not there everyday.

Basically I have a bug on the network sending messages is that what I am understanding?

It looks that way - or it looks like you did have.

Make sure the firewall is locked down to ONLY allow port 25 traffic out from the Exchange server and nothing else (unless absolutely necessary) and if you have got an infected PC, then you will need to track it down.

You can use something like Wireshark to sniff for port 25 traffic from the network and see if you can locate a PC sending such traffic and then tackle it.

Malwarebytes may well help you, but blocking the firewall (if not already done) would be the first thing to check / lock down.

Made the firewall change.

Downloading MB's

How can I check to see who is sending mail out on my system...

Good.

"How can I check to see who is sending mail out on my system..." - Do you mean virus or genuine user?

Alan

Genuine User

I am accumulating more and more of those <> messages in the queue and when I look at them the from info is not anyone in my system and the "to" is someone random outside my system and the subjects are totally spam.

So I'm not sure whats going on.

Should I load MS Exchange AV and enable recipient filtering or can I do it without MS Exchange AV (My router doesn't support it as we thought).