Solved

Exchange 2010 Authenticated Relay Attack

Posted on 2013-06-20
24
659 Views
Last Modified: 2013-06-26
I believe I am the victim of an Authenticated Relay Attack.

I have read the various posts by A. Hardisty on how to deal with this with Exchange 2003, but not with Exchange 2010.

First thing I need to know is how to identify which account is the compromised account.  Once I stop the authenticated relay, then I can move on to cleaning things up.
0
Comment
Question by:tech911
24 Comments
 
LVL 20

Expert Comment

by:Patrick Bogers
ID: 39264126
Hi,

You will find thousands of "audit success" in the security logs which will give you an idea.
Next you can browse your Default SMTP connector logs. (or quickly expand its logging level)

For sure you have to enforce all users to reset their passwords.
0
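One way to act on the advice above (turn up the connector logging, then look for the account that authenticates from places it should not), as an added example that is not from this thread or either expert. It assumes the standard Exchange 2010 receive protocol log location and CSV layout (the "#Fields:" header with date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context), where the line with context "authenticated" carries the logon name in the data field; the sample log lines and the user names in them are constructed so the script runs offline.

```powershell
# Added example (not from the thread): rank authenticated SMTP sessions per
# account from Exchange 2010 receive protocol logs. A credential abused for
# relay usually shows one user arriving from many external addresses.
# Logging must be on first (default is None, as the thread's connector shows):
#   Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
# Assumed default log directory for Exchange 2010:
$LogDir = Join-Path $env:ExchangeInstallPath 'TransportRoles\Logs\ProtocolLog\SmtpReceive'

# Constructed sample lines in the protocol log layout (used when no logs exist).
$SampleLog = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-06-20T09:12:03.105Z,CLREXCHGSERVER\Client CLREXCHGSERVER,08D03F1A2B3C4D5E,4,192.168.2.10:587,192.168.2.44:49201,*,CLRLAW\jsmith,authenticated
2013-06-20T09:13:11.221Z,CLREXCHGSERVER\Client CLREXCHGSERVER,08D03F1A2B3C4D60,4,192.168.2.10:587,198.51.100.23:51877,*,CLRLAW\departed.user,authenticated
2013-06-20T09:13:12.004Z,CLREXCHGSERVER\Client CLREXCHGSERVER,08D03F1A2B3C4D61,4,192.168.2.10:587,203.0.113.77:40310,*,CLRLAW\departed.user,authenticated
2013-06-20T09:13:12.980Z,CLREXCHGSERVER\Client CLREXCHGSERVER,08D03F1A2B3C4D62,4,192.168.2.10:587,203.0.113.78:40311,*,CLRLAW\departed.user,authenticated
'@

function Get-AuthenticatedSmtpSessions {
    param([string[]]$Lines)
    # Comment lines start with '#'; the '#Fields:' line names the CSV columns.
    $header = ($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $rows = $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header ($header -split ',')
    # Only the 'authenticated' context line identifies the logon that succeeded.
    $rows | Where-Object { $_.context -eq 'authenticated' } | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.'date-time'
            Connector = $_.'connector-id'
            User      = $_.data
            RemoteIP  = ($_.'remote-endpoint' -split ':')[0]
        }
    }
}

function Get-AuthSessionSummary {
    param([object[]]$Sessions)
    # Private (RFC 1918) sources are expected for workstations; anything else is
    # an external logon worth explaining.
    $private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    $Sessions | Group-Object User | ForEach-Object {
        $ips = $_.Group | ForEach-Object { $_.RemoteIP } | Sort-Object -Unique
        [pscustomobject]@{
            User        = $_.Name
            Sessions    = $_.Count
            DistinctIPs = @($ips).Count
            ExternalIPs = ($ips | Where-Object { $_ -notmatch $private }) -join ', '
        }
    } | Sort-Object DistinctIPs -Descending
}

$lines = if (Test-Path $LogDir) {
    Get-ChildItem $LogDir -Filter 'RECV*.log' | Get-Content
} else {
    $SampleLog -split "`r?`n"
}

Get-AuthSessionSummary -Sessions (Get-AuthenticatedSmtpSessions -Lines $lines) | Format-Table -AutoSize
```

With the constructed lines the summary puts CLRLAW\departed.user at the top with three sessions from three external addresses, which is the pattern to look for; on a real server, run it against the logs for the days around the CBL detection time and reset the password of whichever account stands out, then watch the same report to confirm the external logons stop.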
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264140
0
 
LVL 3

Author Comment

by:tech911
ID: 39264185
Checked MXTOOLBOX we are not an open relay

Here are the results of the command you requested I run

COMMAND
Get-ReceiveConnector | Get-ADPermission | where {($_.ExtendedRights -like "*SMTP-Accept-Any-Recipient*")} | where {$_.User -like '*anonymous*'} | ft identity,user,extendedrights

RESULTS
Identity
123ExchangeServer\Copier Scan To Mail

User
NT AUTHORITY\Anonymous LOGON

Extended Rights
{ms-Exch-SMTP-Accept-Any-Recipient}
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264198
Okay - so your copier looks like it can relay.  Does it need to?

Please run the following EMS command:

get-receiveconnector -identity "copier scan to mail" | fl

Please post the output.

Thanks

Alan
0
 
LVL 3

Author Comment

by:tech911
ID: 39264236
[PS] C:\Windows\system32>get-receiveconnector -identity "copier scan to mail" | fl


RunspaceId                              : ef0608a5-626e-4a5a-8849-9705b474c723
AuthMechanism                           : None
Banner                                  :
BinaryMimeEnabled                       : True
Bindings                                : {0.0.0.0:25}
ChunkingEnabled                         : True
DefaultDomain                           :
DeliveryStatusNotificationEnabled       : True
EightBitMimeEnabled                     : True
BareLinefeedRejectionEnabled            : False
DomainSecureEnabled                     : False
EnhancedStatusCodesEnabled              : True
LongAddressesEnabled                    : False
OrarEnabled                             : False
SuppressXAnonymousTls                   : False
AdvertiseClientSettings                 : False
Fqdn                                    : mail.cohenlerner.com
Comment                                 :
Enabled                                 : True
ConnectionTimeout                       : 00:10:00
ConnectionInactivityTimeout             : 00:05:00
MessageRateLimit                        : unlimited
MessageRateSource                       : IPAddress
MaxInboundConnection                    : 5000
MaxInboundConnectionPerSource           : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize                           : 64 KB (65,536 bytes)
MaxHopCount                             : 60
MaxLocalHopCount                        : 12
MaxLogonFailures                        : 3
MaxMessageSize                          : 10 MB (10,485,760 bytes)
MaxProtocolErrors                       : 5
MaxRecipientsPerMessage                 : 200
PermissionGroups                        : AnonymousUsers, Custom
PipeliningEnabled                       : True
ProtocolLoggingLevel                    : None
RemoteIPRanges                          : {192.168.2.15}
RequireEHLODomain                       : False
RequireTLS                              : False
EnableAuthGSSAPI                        : False
ExtendedProtectionPolicy                : None
LiveCredentialEnabled                   : False
TlsDomainCapabilities                   : {}
Server                                  : CLREXCHGSERVER
SizeEnabled                             : Enabled
TarpitInterval                          : 00:00:05
MaxAcknowledgementDelay                 : 00:00:30
AdminDisplayName                        :
ExchangeVersion                         : 0.1 (8.0.535.0)
Name                                    : Copier Scan To Mail
DistinguishedName                       : CN=Copier Scan To Mail,CN=SMTP Receive Connectors,CN=Protocols,CN=CLREXCHGSER
                                          VER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administ
                                          rative Groups,CN=CLRLAW,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
                                          =CLRLAW
Identity                                : CLREXCHGSERVER\Copier Scan To Mail
Guid                                    : 89640d18-7fac-47e5-99a9-4ec23be1d83c
ObjectCategory                          : CLRLAW/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass                             : {top, msExchSmtpReceiveConnector}
WhenChanged                             : 6/20/2013 4:27:50 PM
WhenCreated                             : 9/4/2012 10:46:07 AM
WhenChangedUTC                          : 6/20/2013 8:27:50 PM
WhenCreatedUTC                          : 9/4/2012 2:46:07 PM
OrganizationId                          :
OriginatingServer                       : CLRMainServer.CLRLAW
IsValid                                 : True
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264243
Okay - that's restricted to just your copier (assuming its IP is 192.168.2.15).

So - you don't look like an authenticated relay.

What makes you think you are?
0
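The two checks Alan asked for (which connectors give Anonymous LOGON the accept-any-recipient right, and how narrowly RemoteIPRanges scopes each one) combined into one audit, as an added example that is not the thread's or the experts' own code. It is meant for the Exchange Management Shell and uses only the cmdlets already shown in the thread plus Remove-ADPermission; the one assumption is that an IPRange covering every address renders as 0.0.0.0-255.255.255.255 (IPv4) or starts with "::-ffff:" (IPv6), which is how the default connectors display it.

```powershell
# Added example (not from the thread): audit every receive connector that lets
# NT AUTHORITY\ANONYMOUS LOGON relay to any recipient, and show how far each
# one is scoped by RemoteIPRanges. Run in the Exchange Management Shell.

function Get-AnonymousRelayConnectors {
    # Same filter the thread used, plus ignoring Deny entries, which take nothing away here.
    $anonRelay = Get-ReceiveConnector | Get-ADPermission |
        Where-Object {
            $_.User -like 'NT AUTHORITY\ANONYMOUS*' -and
            $_.ExtendedRights -like '*SMTP-Accept-Any-Recipient*' -and
            -not $_.Deny
        }

    foreach ($perm in $anonRelay) {
        $rc     = Get-ReceiveConnector -Identity $perm.Identity
        $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # Assumption: "any address" ranges render as below (default connector display).
        $anyV4  = $ranges -contains '0.0.0.0-255.255.255.255'
        $anyV6  = @($ranges | Where-Object { $_ -like '::-ffff:*' }).Count -gt 0

        $verdict = if ($anyV4 -or $anyV6) { 'OPEN RELAY: anonymous relay from any address' }
                   elseif ($ranges.Count -gt 1) { 'Review: anonymous relay from several ranges' }
                   else { 'Scoped to a single source' }

        [pscustomobject]@{
            Connector      = $rc.Identity.ToString()
            Enabled        = $rc.Enabled
            Bindings       = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
            RemoteIPRanges = $ranges -join ', '
            AuthMechanism  = $rc.AuthMechanism
            Verdict        = $verdict
        }
    }
}

Get-AnonymousRelayConnectors | Format-Table -AutoSize

# Remediation for a connector that should serve exactly one device (the thread's
# copier is 192.168.2.15): keep the scope to that address, and if the device
# never needs to send to external recipients, remove the right, not the connector.
#   Set-ReceiveConnector -Identity 'Copier Scan To Mail' -RemoteIPRanges 192.168.2.15
#   Get-ReceiveConnector -Identity 'Copier Scan To Mail' |
#       Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient
```

For the connector posted above the audit reports "Scoped to a single source", matching Alan's reading. Note that it only covers anonymous relay: a connector whose AuthMechanism includes ExternallySecured relays for everything in its RemoteIPRanges without any anonymous permission entry, so also glance at Get-ReceiveConnector | ft Name,AuthMechanism,PermissionGroups,RemoteIPRanges for the remaining three connectors.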
 
LVL 3

Author Comment

by:tech911
ID: 39264368
We were fine...
Then we started to have a couple of bounces
Then I checked the BL at MXTOOLBOX and we were on 4 lists
Then I looked at the message Queue and saw a ton of messages that didn't have anything to do with what we do (Law Firm)
CLR-Image1.jpg
CLR-Image2.jpg
0
 
LVL 3

Author Comment

by:tech911
ID: 39264373
We have 4 receive connectors... I didn't set this up

Client
Default
Copier Scan To Mail
CL Inbound SMTP

One Send Connector
CLSMTPOUT
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264378
Those are just postmaster NDR messages.  Nothing more sinister.

Does your Exchange server receive mail direct from the internet or via a 3rd party spam filtering service?

What Blacklists were you on?  Backscatterer.org one of them?
0
 
LVL 3

Author Comment

by:tech911
ID: 39264391
Backscatter
SORBS
CBL
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264400
Thought so - what about my other question?
0
 
LVL 3

Author Comment

by:tech911
ID: 39264408
Direct
We do have a router that has anti-spam protection on it (Netgear with UTM)

Just to be clear we have had this setup for months.

We had someone leave the firm.
They asked me to make sure his mailbox was accessible to two other partners
I gave them both Full Access and Send As permissions
That was on Monday, we started seeing the bounces yesterday and full blown full queue today.

Does that help?
0
 
LVL 3

Author Comment

by:tech911
ID: 39264417
Look at the subject in those <> messages
CLR-Image3.jpg
0
 
LVL 3

Author Comment

by:tech911
ID: 39264425
Here is the Queue with the last error, every one is rejecting us... Most likely due to BL's
CLR-Image4.jpg
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264431
The ones from <> look just like regular spam.

I would imagine your Netgear UTM device is not capable or not enabled for Recipient Filtering, so it is accepting messages for invalid email addresses, passing them on to your Exchange server and because your UTM device has accepted the message, your Exchange server is forced to send an NDR back to the sender (which is usually spoofed) and because some have gone out to honeypot addresses at places like backscatter.org, you get blacklisted.

You either need to enable recipient filtering on the UTM (if it is capable), or find an alternative solution to spam.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264448
According to Spamhaus you are on the CBL blocklist because you have a spam sending trojan (http://cbl.abuseat.org/lookup.cgi?ip=50.77.219.209).

Does your firewall block SMTP traffic outbound from all IP's other than your Exchange Server?

Extract from the link above:

It was last detected at 2013-06-18 22:00 GMT (+/- 30 minutes), approximately 2 days ago.

So about 2 days ago you had a problem and that is why you are blacklisted.  If the problem was ongoing, then you would see a more recent time as the most recent listing.

Did you have any visitors a couple of days ago with a laptop that connected to your network or a remote user who came back to the office?
0
 
LVL 3

Author Comment

by:tech911
ID: 39264454
So a couple of questions

1.) Suggestions for antispam

2.) How can I be sure my connectors are setup to receive messages only for people on my system?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264464
I'll let you read / reply to my last comment before responding to your last one.
0
 
LVL 3

Author Comment

by:tech911
ID: 39264471
I'm a hired gun, so I am not there everyday.

Basically I have a bug on the network sending messages, is that what I am understanding?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264481
It looks that way - or it looks like you did have.

Make sure the firewall is locked down to ONLY allow port 25 traffic out from the Exchange server and nothing else (unless absolutely necessary) and if you have got an infected PC, then you will need to track it down.

You can use something like Wireshark to sniff for port 25 traffic from the network and see if you can locate a PC sending such traffic and then tackle it.

Malwarebytes may well help you, but blocking the firewall (if not already done) would be the first thing to check / lock down.
0
 
LVL 3

Author Comment

by:tech911
ID: 39264529
Made the firewall change.

Downloading MB's

How can I check to see who is sending mail out on my system...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39264567
Good.

"How can I check to see who is sending mail out on my system..." - Do you mean virus or genuine user?

Alan
0
 
LVL 3

Author Comment

by:tech911
ID: 39264594
Genuine User

I am accumulating more and more of those <> messages in the queue and when I look at them the from info is not anyone in my system and the "to" is someone random outside my system and the subjects are totally spam.

So I'm not sure what's going on.

Should I load MS Exchange AV and enable recipient filtering or can I do it without MS Exchange AV (My router doesn't support it as we thought).
0
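A way to answer the "who is sending mail out on my system" question for genuine users from the Hub Transport message tracking log, and at the same time measure how many of the <> messages the server itself is generating, as an added example that is not from the thread or the experts. It relies on the standard Get-MessageTrackingLog event and source names for Exchange 2010 (RECEIVE with Source STOREDRIVER for mailbox clients or SMTP for submission over a receive connector; DSN for bounces the server generated); the two-day window is an assumption chosen to match the timeline in the thread.

```powershell
# Added example (not from the thread): summarise who is submitting mail through
# this Hub Transport server, and how many NDRs it generated, from the message
# tracking log. Run in the Exchange Management Shell on the Hub Transport server.

function Get-SubmissionSummary {
    param(
        [datetime]$Start  = (Get-Date).AddDays(-2),   # assumed window, matches the thread's timeline
        [string]$Server   = $env:COMPUTERNAME
    )
    # RECEIVE events record every message entering transport. Source says how:
    #   STOREDRIVER = submitted from a mailbox (Outlook, OWA, ActiveSync)
    #   SMTP        = handed in over a receive connector (ClientIp / ConnectorId say where from)
    #   DSN         = an NDR the server generated itself (the <> messages in the queue)
    Get-MessageTrackingLog -Server $Server -Start $Start -EventId RECEIVE -ResultSize Unlimited |
        Group-Object Sender, Source |
        ForEach-Object {
            $first = $_.Group | Select-Object -First 1
            [pscustomobject]@{
                Sender     = $first.Sender
                Source     = $first.Source
                Messages   = $_.Count
                Recipients = ($_.Group | Measure-Object -Property RecipientCount -Sum).Sum
                ClientIPs  = ($_.Group | ForEach-Object { $_.ClientIp } | Sort-Object -Unique) -join ', '
                Connectors = ($_.Group | ForEach-Object { $_.ConnectorId } | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object Messages -Descending
}

function Get-GeneratedNdrCount {
    param([datetime]$Start = (Get-Date).AddDays(-2), [string]$Server = $env:COMPUTERNAME)
    # Each DSN event is one bounce this server produced; a large number against
    # senders you have never heard of is the backscatter the blacklists react to.
    (Get-MessageTrackingLog -Server $Server -Start $Start -EventId DSN -ResultSize Unlimited |
        Measure-Object).Count
}

Get-SubmissionSummary | Format-Table -AutoSize
"NDRs generated in the window: $(Get-GeneratedNdrCount)"
```

A genuine user shows up as a STOREDRIVER row with a mailbox address and a modest recipient total; a row with Source SMTP, an external ClientIp and a high recipient count on the Client connector is the signature of a relayed credential, and the connector's receive protocol log (Patrick's suggestion above) then gives the account name behind that session.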
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39265181
Those are messages destined for invalid users that are all spam, but because your UTM device is accepting them and passing them to your Exchange server for delivery, you are forced to send an NDR message back.  If your UTM device rejected invalid recipients, then the sending server would be responsible for the NDR generation.

This forces you to send Backscatter and that is why you are listed on Backscatterer.org.  If the UTM device cannot reject emails destined for invalid email addresses, then throw it away and get one that can, or use a product such as Vamsoft ORF Fusion which can and also does a brilliant job of rejecting spam (www.vamsoft.com).  You can trial it for 42 days before you decide to buy (in case it doesn't work for you).
0
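For the "can I do it without MS Exchange AV" question: recipient filtering is a built-in Hub Transport anti-spam agent in Exchange 2010, so no Forefront licence is needed. The steps below are an added example, not part of the accepted answer, and use the standard Install-AntispamAgents.ps1 script and Set-RecipientFilterConfig cmdlet; the Get-TransportAgent check around the install is my own.

```powershell
# Added example (not from the thread): make the Exchange 2010 Hub Transport
# server refuse RCPT TO for non-existent mailboxes during the SMTP session
# (550 5.1.1) instead of accepting the message and bouncing it later.
# Run in the Exchange Management Shell on the Hub Transport server.

# 1. Install the built-in anti-spam agents once (ships with Exchange 2010).
if (-not (Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' })) {
    & (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
    Restart-Service MSExchangeTransport
}

# 2. Turn recipient filtering on and have it validate recipients against AD.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 3. Verify the agent is enabled and the config took effect.
Get-TransportAgent -Identity 'Recipient Filter Agent' | Format-List Enabled, Priority
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# 4. The tarpit delay (5 s by default, as the thread's connector shows) slows
# anyone probing for valid addresses once rejections are being returned.
Get-ReceiveConnector | Format-Table Name, TarpitInterval, PermissionGroups, AuthMechanism -AutoSize
```

Two caveats that decide whether this removes the backscatter. The agent only acts on anonymous connections, so the connector the UTM talks to must not be Externally Secured or otherwise treated as an internal server. And if the UTM is a store-and-forward relay rather than a transparent SMTP proxy, it has already accepted the message when Exchange says 550, so the bounce is then generated by the UTM from the same public IP and the listing continues; that is the case Alan's answer covers, and it needs either a filter that rejects at the edge or the UTM taken out of the SMTP path.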