Solved

Is Exchange Compromised???

Posted on 2014-02-25
274 Views
Last Modified: 2014-03-09
Have Exchange 2010 Server, in production for 18 months, no issues.
Running on Server 2008 R2

Had a user get a trojan on their system last Friday.
Thought it was contained, scanned all systems from a bootable scan/fix CD
All systems came back clean

We are getting a ton of spam that has ACTUAL USERNAME@bogusDomain

Checked the Exchange Queue, we have barely anything in there, so it does not appear that we are sending spam from the server.

Today, we appeared on SORBS Blacklist.

It has to be coming from a machine on the network, I'm just not sure where or how to find it.

Where should I be looking or what should I be looking for because obviously there is a problem.

Advise
0
Comment
Question by:tech911
13 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39886345
Do you have any spam filtering software in your environment?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886362
Yep,

We have it on our firewall at the head end (where all traffic comes/goes to the internet) and we have Sophos PureMessage running on our Exchange server.
0
 
LVL 9

Expert Comment

by:David Carr
ID: 39886404
Sophos is usually pretty good at blocking messages after one or two get through and then no more. Look at the firewall logs for SMTP traffic to get the IP Addresses for the messages and then lookup the IP addresses to see where they are located.
0
 
LVL 3

Author Comment

by:tech911
ID: 39886571
I'm not sure my firewall has that capability. Is there another way to see what device is trying to send SMTP traffic over port 25 on my network?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886612
In Exchange 2010, what diagnostic setting in the log settings can you set so that the event log will tell you what account(s) are authenticating when sending mail?

In older versions it was Authentication but in Exchange 2010, that option is not present.
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1336 total points
ID: 39887040
If the queue is clean and you aren't using a smart host, then your Exchange server is fine. One of the signs of a server being abused is a lot of messages in the queues, because the lists the spammers use of recipients are not clean, or auto generated.

I would suspect the spam is coming from the workstation and is being bounced back in again. You need to look at the firewall to block the port 25 traffic - if it isn't capable of it, then change to a proper firewall, rather than a jumped up router with port blocking features.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39887740
I have set the firewall to only allow outbound messages using SMTP on port 25 from the mail server's IP.

The odd thing is I scanned every machine with the bootable version of MS Defender and still no bugs.

I also ran a network monitor on the traffic and did not see anything going out or trying to go out over port 25.

My only unanswered question is that the CEO has a Mac; it's the only machine that I saw a lot of traffic being generated from, but it was UDP traffic, not SMTP, so I don't "Think" that is the culprit, but it's the only idea I have left.

Any thoughts are welcome.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888201
If you have blocked port 25 outbound, then ensure you have logging enabled on that port block. Anything that attempts to send out will then get flagged to you.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39888459
Simon,

This is where my knowledge is lacking, which is why I have this subscription.

How can I log what traffic is going to 10.0.0.1 on my internal network over port 25?

What tool can I use that will let me monitor traffic going to a specific interface on my internal network?

That is what I need to complete your instructions and I have never really had to do it before, so "be gentle".

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888483
The only place is on the firewall. Exactly how I cannot say, because every firewall is different.
Some will have a local log display, others will require a syslog server to be installed on another machine to record the logs.

It isn't traffic to your Exchange server that you are concerned about, it is traffic going through the firewall and being blocked by your rule.

Simon.
0
 
LVL 9

Assisted Solution

by:David Carr
David Carr earned 664 total points
ID: 39889640
You can use Wireshark to monitor the network traffic. You get Wireshark from http://www.wireshark.org/download.html

The WireShark User Guide is at http://www.wireshark.org/docs/wsug_html_chunked/
0
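Simon's advice above (log the port 25 block and look for what gets flagged) and David's Wireshark suggestion both come down to the same question: which internal host, other than the Exchange server, is trying to reach an SMTP port? The following added example (not from this thread or from any of the experts) shows that check over a few constructed firewall log lines. The log format is hypothetical, since every firewall writes its own format; the Exchange server address 10.0.0.1 is taken from the asker's question and the destination addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log lines in a hypothetical syslog-like format.
# Real firewalls differ, so LINE_RE is the part to adapt to your own logs.
SAMPLE_LOG = """\
Feb 25 09:14:02 fw: ALLOW TCP 10.0.0.1:51022 -> 203.0.113.10:25
Feb 25 09:14:05 fw: DENY TCP 10.0.0.57:49213 -> 198.51.100.7:25
Feb 25 09:14:05 fw: DENY TCP 10.0.0.57:49214 -> 198.51.100.8:25
Feb 25 09:14:06 fw: ALLOW TCP 10.0.0.57:49215 -> 198.51.100.9:443
Feb 25 09:14:07 fw: DENY TCP 10.0.0.57:49216 -> 192.0.2.44:25
Feb 25 09:14:09 fw: DENY TCP 10.0.0.23:40001 -> 192.0.2.45:25
Feb 25 09:14:11 fw: ALLOW UDP 10.0.0.88:5353 -> 224.0.0.251:5353
"""

# Assumed: the Exchange server is the only host permitted to speak SMTP outbound
# (10.0.0.1 is the address the asker mentions in the thread).
MAIL_SERVER_IP = "10.0.0.1"
SMTP_PORTS = {25, 465, 587}  # plain SMTP plus the submission ports

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+: (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rogue_smtp_senders(log_text, mail_server_ip=MAIL_SERVER_IP, ports=SMTP_PORTS):
    """Return {src_ip: {"attempts": n, "destinations": [...]}} for every internal
    host other than the mail server that tried to reach an SMTP port, whether or
    not the firewall allowed it (an ALLOW to port 25 from a workstation means the
    outbound rule is not in place yet)."""
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in ports:
            continue
        if rec["src"] == mail_server_ip:
            continue  # legitimate mail flow from the Exchange server
        attempts[rec["src"]] += 1
        destinations[rec["src"]].add(rec["dst"])
    return {
        ip: {"attempts": n, "destinations": sorted(destinations[ip])}
        for ip, n in attempts.most_common()
    }


if __name__ == "__main__":
    for ip, info in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} SMTP attempts to {', '.join(info['destinations'])}")
```

On the sample data this singles out 10.0.0.57 (three attempts to three different mail servers, the pattern of a spam bot cycling through recipients' MX hosts) and 10.0.0.23, while the Exchange server's own delivery is ignored. The same idea expressed as a Wireshark display filter on a capture taken at the internal side of the firewall is `tcp.dstport == 25 && !(ip.src == 10.0.0.1)`; either way, a workstation that shows up here is the one to isolate and re-examine, even if an offline scan already reported it clean.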
 
LVL 3

Author Comment

by:tech911
ID: 39898889
It appears we had a workstation on the network that was still compromised, which I have since fixed. We have also ended up on the Chile-DNSRBL which I found strange.

To add more intrigue, I was troubleshooting an issue with a peer at a non-related customer site, and they are on the same Chile-DNSRBL list.

The only way to get off is to have your ISP make a removal request. Is anyone else "seeing" this out in the wild? What is causing it?

We are not on any other Blacklist, which is why I find it strange.

Thanks for the help from all who commented.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1336 total points
ID: 39899076
Do you send email to Chile? Never heard of this blacklist and therefore it has to be a minor player. I wouldn't worry about it - they are probably blacklisting everything from outside Chile!

Simon.
0
