Solved

Is Exchange Compromised???

Posted on 2014-02-25
Last Modified: 2014-03-09
Have Exchange 2010 Server, in production for 18 months, no issues.
Running on Server 2008 R2

Had a user get a trojan on their system last Friday.
Thought it was contained, scanned all systems from a bootable scan/fix CD
All systems came back clean

We are getting a ton of spam that has ACTUAL USERNAME@bogusDomain

Checked the Exchange Queue, we barely have anything in there, so it does not appear that we are sending spam from the server.

Today, we appeared on SORBS Blacklist.

It has to be coming from a machine on the network, I'm just not sure where or how to find it.

Where should I be looking or what should I be looking for because obviously there is a problem.

Advise
0
Question by:tech911
13 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39886345
Do you have any spam filtering software in your environment?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886362
Yep,

We have it on our firewall at the head end (where all traffic comes/goes to the internet) and we have Sophos PureMessage running on our Exchange server.
0
 
LVL 9

Expert Comment

by:David Carr
ID: 39886404
Sophos is usually pretty good at blocking messages after one or two get through and then no more. Look at the firewall logs for SMTP traffic to get the IP Addresses for the messages and then lookup the IP addresses to see where they are located.
0
 
LVL 3

Author Comment

by:tech911
ID: 39886571
I'm not sure my firewall has that capability. Is there another way to see what device is trying to send SMTP traffic over port 25 on my network?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886612
In Exchange 2010, what diagnostic setting in the log settings can you set so that the event log will tell you what account(s) are authenticating when sending mail?

In older versions it was Authentication but in Exchange 2010, that option is not present.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 334 total points
ID: 39887040
If the queue is clean and you aren't using a smart host, then your Exchange server is fine. One of the signs of a server being abused is a lot of messages in the queues, because the lists the spammers use of recipients are not clean, or auto generated.

I would suspect the spam is coming from the workstation and is being bounced back in again. You need to look at the firewall to block the port 25 traffic - if it isn't capable of it, then change to a proper firewall, rather than a jumped-up router with port blocking features.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39887740
I have set the firewall to only allow outbound messages using SMTP on port 25 from the mail server's IP.

The odd thing is I scanned every machine with the bootable version of MS Defender and still no bugs.

I also ran a network monitor on the traffic and did not see anything going out or trying to go out over port 25.

My only unanswered question is that the CEO has a Mac; it's the only machine that I saw a lot of traffic being generated from, but it was UDP traffic, not SMTP, so I don't "Think" that is the culprit, but it's the only idea I have left.

Any thoughts are welcome.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888201
If you have blocked port 25 outbound, then ensure you have logging enabled on that port block. Anything that attempts to send out will then get flagged to you.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39888459
Simon,

This is where my knowledge is lacking, which is why I have this subscription.

How can I log what traffic is going to 10.0.0.1 on my internal network over port 25?

What tool can I use that will let me monitor traffic going to a specific interface on my internal network?

That is what I need to complete your instructions and I have never really had to do it before, so "be gentle".

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888483
The only place is on the firewall. Exactly how I cannot say, because every firewall is different.
Some will have a local log display, others will require a syslog server to be installed on another machine to record the logs.

It isn't traffic to your Exchange server that you are concerned about, it is traffic going through the firewall and being blocked by your rule.

Simon.
0
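As an added example (not from the thread or any of its participants), the following script shows what the logging Simon recommends buys you once it exists: it parses firewall deny-log lines and lists every internal host other than the mail server that tried to reach TCP/25 outbound. The log format, the mail server address and the sample lines are all constructed for this example; adjust the regular expression to whatever your firewall or syslog server actually emits.

```python
"""Tally internal hosts whose outbound SMTP (TCP/25) was blocked at the firewall.

Constructed example: the log format below is a generic syslog-style deny line
(hypothetical; real firewall formats differ). Any source other than the
mail server's IP attempting port 25 outbound is a candidate infected host.
"""
import re
from collections import Counter, defaultdict

# Assumed: the mail server is the only host allowed to send SMTP out (per the thread).
MAIL_SERVER_IP = "10.0.0.25"  # hypothetical internal address

# Hypothetical firewall log lines, constructed for this example.
SAMPLE_LOG = """\
Feb 25 09:01:12 fw kernel: DROP IN=lan OUT=wan SRC=10.0.0.113 DST=203.0.113.9 PROTO=TCP DPT=25
Feb 25 09:01:13 fw kernel: DROP IN=lan OUT=wan SRC=10.0.0.113 DST=198.51.100.44 PROTO=TCP DPT=25
Feb 25 09:01:15 fw kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.25 DST=198.51.100.10 PROTO=TCP DPT=25
Feb 25 09:02:00 fw kernel: DROP IN=lan OUT=wan SRC=10.0.0.77 DST=192.0.2.55 PROTO=UDP DPT=53
Feb 25 09:02:41 fw kernel: DROP IN=lan OUT=wan SRC=10.0.0.113 DST=192.0.2.200 PROTO=TCP DPT=25
Feb 25 09:03:09 fw kernel: DROP IN=lan OUT=wan SRC=10.0.0.140 DST=203.0.113.77 PROTO=TCP DPT=25
"""

LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

def blocked_smtp_senders(log_text, mail_server_ip=MAIL_SERVER_IP):
    """Return {src_ip: (attempt_count, distinct_destinations)} for hosts other
    than the mail server that had outbound TCP/25 connections dropped."""
    attempts = Counter()
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["action"] != "DROP" or m["proto"] != "TCP" or m["dpt"] != "25":
            continue
        if m["src"] == mail_server_ip:
            continue  # the mail server is expected to send SMTP
        attempts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
    # Most active host first; a spam bot fans out to many distinct MX hosts.
    return {src: (n, len(dests[src])) for src, n in attempts.most_common()}

if __name__ == "__main__":
    for src, (n, d) in blocked_smtp_senders(SAMPLE_LOG).items():
        print(f"{src}: {n} blocked SMTP attempts to {d} distinct hosts")
```

A host with many dropped attempts to many distinct destinations is the one to pull off the network and re-image, which is the workstation the thread's author eventually found.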
 
LVL 9

Assisted Solution

by:David Carr
David Carr earned 166 total points
ID: 39889640
You can use Wireshark to monitor the network traffic. You get Wireshark from http://www.wireshark.org/download.html

The Wireshark User Guide is at http://www.wireshark.org/docs/wsug_html_chunked/
0
 
LVL 3

Author Comment

by:tech911
ID: 39898889
It appears we had a workstation on the network that was still compromised, which I have since fixed. We have also ended up on the Chile-DNSRBL which I found strange.

To add more intrigue, I was troubleshooting an issue with a peer at a non-related customer site, and they are on the same Chile-DNSRBL list.

The only way to get off is to have your ISP make a removal request. Is anyone else "seeing" this out in the wild? What is causing it?

We are not on any other Blacklist, which is why I find it strange.

Thanks for the help from all who commented.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 334 total points
ID: 39899076
Do you send email to Chile? Never heard of this blacklist and therefore it has to be a minor player. I wouldn't worry about it - they are probably blacklisting everything from outside Chile!

Simon.
0
