  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 272

Is Exchange Compromised???

Have Exchange 2010 Server, in production for 18 months, no issues.
Running on Server 2008 R2

Had a user get a trojan on their system last Friday.
Thought it was contained, scanned all systems from a bootable scan/fix CD
All systems came back clean

We are getting a ton of spam that has ACTUAL USERNAME@bogusDomain

Checked the Exchange Queue; we barely have anything in there, so it does not appear that we are sending spam from the server.

Today, we appeared on SORBS Blacklist.

It has to be coming from a machine on the network, I'm just not sure where or how to find it.

Where should I be looking, or what should I be looking for, because obviously there is a problem?

Advise
0
3 Solutions
 
David Carr commented:
Do you have any spam filtering software in your environment?
0
 
tech911 (Author) commented:
Yep,

We have it on our firewall at the head end (where all traffic comes/goes to the internet), and we have Sophos PureMessage running on our Exchange server.
0
 
David Carr commented:
Sophos is usually pretty good at blocking messages after one or two get through, and then no more. Look at the firewall logs for SMTP traffic to get the IP addresses for the messages, and then look up the IP addresses to see where they are located.
0
tech911 (Author) commented:
I'm not sure my firewall has that capability. Is there another way to see what device is trying to send SMTP traffic over port 25 on my network?
0
 
tech911 (Author) commented:
In Exchange 2010, what diagnostic setting in the log settings can you set so that the event log will tell you which account(s) are authenticating when sending mail?

In older versions it was Authentication, but in Exchange 2010 that option is not present.
0
 
Simon Butler (Sembee), Consultant, commented:
If the queue is clean and you aren't using a smart host, then your Exchange server is fine. One of the signs of a server being abused is a lot of messages in the queues, because the recipient lists the spammers use are not clean, or are auto-generated.

I would suspect the spam is coming from the workstation and is being bounced back in again. You need to look at the firewall to block the port 25 traffic; if it isn't capable of it, then change to a proper firewall, rather than a jumped-up router with port blocking features.

Simon.
0
 
tech911 (Author) commented:
I have set the firewall to only allow outbound messages using SMTP on port 25 from the mail server's IP.

The odd thing is I scanned every machine with the bootable version of MS Defender and still no bugs.

I also ran a network monitor on the traffic and did not see anything going out or trying to go out over port 25.

My only unanswered question is that the CEO has a Mac; it's the only machine that I saw a lot of traffic being generated from, but it was UDP traffic, not SMTP, so I don't "think" that is the culprit, but it's the only idea I have left.

Any thoughts are welcome.
0
 
Simon Butler (Sembee), Consultant, commented:
If you have blocked port 25 outbound, then ensure you have logging enabled on that port block. Anything that attempts to send out will then get flagged to you.

Simon.
0
 
tech911 (Author) commented:
Simon,

This is where my knowledge is lacking, which is why I have this subscription.

How can I log what traffic is going to 10.0.0.1 on my internal network over port 25?

What tool can I use that will let me monitor traffic going to a specific interface on my internal network?

That is what I need to complete your instructions and I have never really had to do it before, so "be gentle".

Thanks
0
 
Simon Butler (Sembee), Consultant, commented:
The only place is on the firewall. Exactly how I cannot say, because every firewall is different.
Some will have a local log display, others will require a syslog server to be installed on another machine to record the logs.

It isn't traffic to your Exchange server that you are concerned about, it is traffic going through the firewall and being blocked by your rule.

Simon.
0
 
David Carr commented:
You can use Wireshark to monitor the network traffic. You get Wireshark from http://www.wireshark.org/download.html

The Wireshark User Guide is at http://www.wireshark.org/docs/wsug_html_chunked/
0
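Simon's advice above is to block outbound port 25 from everything except the mail server and log the hits; David's is to capture the traffic directly. Either way you end up with a pile of log lines and need to reduce them to "which internal host is trying to talk SMTP". The script below is an added example, not anything posted in this thread: it parses constructed firewall syslog lines (the deny/allow format is an assumption, and you would adapt the regex to whatever your firewall or a tshark export actually emits), assumes 10.0.0.1 is the Exchange server's IP, and reports every other host that attempted TCP/25 outbound, with how many distinct destinations it tried, which is the fingerprint of a spam bot rather than a mail client.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a generic "ACTION OUT PROTO src= dst=" syslog
# style. Real firewalls (ASA, pfSense, SonicWall, ...) each have their own
# format, so LINE_RE is an assumption to be adapted to your device.
SAMPLE_LOG = """\
Mar 12 09:01:05 fw1 kernel: DENY OUT TCP src=10.0.0.57:49321 dst=203.0.113.9:25
Mar 12 09:01:05 fw1 kernel: DENY OUT TCP src=10.0.0.57:49322 dst=203.0.113.10:25
Mar 12 09:01:06 fw1 kernel: ALLOW OUT TCP src=10.0.0.1:53211 dst=198.51.100.25:25
Mar 12 09:01:07 fw1 kernel: DENY OUT TCP src=10.0.0.57:49323 dst=203.0.113.11:25
Mar 12 09:01:09 fw1 kernel: DENY OUT TCP src=10.0.0.88:51001 dst=203.0.113.12:25
Mar 12 09:01:10 fw1 kernel: ALLOW OUT UDP src=10.0.0.120:60000 dst=203.0.113.5:443
Mar 12 09:01:11 fw1 kernel: DENY OUT TCP src=10.0.0.57:49324 dst=203.0.113.13:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+ (?P<action>ALLOW|DENY) OUT "
    r"(?P<proto>TCP|UDP) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def smtp_senders(log_text, mail_server_ip, threshold=1):
    """Return {src_ip: {"attempts": n, "destinations": m}} for every internal
    host other than the mail server that tried TCP/25 outbound at least
    `threshold` times. Allowed and denied hits both count: the question is
    which hosts are *trying* to speak SMTP directly, not whether they succeed."""
    attempts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["dport"] != "25":
            continue
        if m["src"] == mail_server_ip:
            continue  # the one host that is supposed to do this
        attempts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    return {ip: {"attempts": n, "destinations": len(dests[ip])}
            for ip, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    # Assumption: 10.0.0.1 is the Exchange server that is allowed out on 25.
    report = smtp_senders(SAMPLE_LOG, "10.0.0.1")
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip}: {info['attempts']} outbound SMTP attempts "
              f"to {info['destinations']} distinct hosts")
```

A host with many attempts to many different destinations (10.0.0.57 in the sample) is the one to pull off the network first; a single attempt to one host is more often a misconfigured client or scanner.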
 
tech911 (Author) commented:
It appears we had a workstation on the network that was still compromised, which I have since fixed. We have also ended up on the Chile-DNSRBL which I found strange.

To add more intrigue, I was troubleshooting an issue with a peer at a non-related customer site, and they are on the same Chile-DNSRBL list.

The only way to get off is to have your ISP make a removal request. Is anyone else "seeing" this out in the wild? What is causing it?

We are not on any other Blacklist, which is why I find it strange.

Thanks for the help from all who commented.
0
 
Simon Butler (Sembee), Consultant, commented:
Do you send email to Chile? I have never heard of this blacklist, and therefore it has to be a minor player. I wouldn't worry about it; they are probably blacklisting everything from outside Chile!

Simon.
0