Solved

Is Exchange Compromised???

Posted on 2014-02-25
Last Modified: 2014-03-09
Have Exchange 2010 Server, in production for 18 months, no issues.
Running on Server 2008 R2

Had a user get a trojan on their system last Friday.
Thought it was contained, scanned all systems from a bootable scan/fix CD
All systems came back clean

We are getting a ton of spam that has ACTUAL USERNAME@bogusDomain

Checked the Exchange Queue; we have barely anything in there, so it does not appear that we are sending spam from the server.

Today, we appeared on SORBS Blacklist.

It has to be coming from a machine on the network, I'm just not sure where or how to find it.

Where should I be looking or what should I be looking for because obviously there is a problem.

Advice
Question by:tech911
13 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39886345
Do you have any spam filtering software in your environment?
 
LVL 3

Author Comment

by:tech911
ID: 39886362
Yep,

We have it on our firewall at the head end (where all traffic comes/goes to the internet) and we have Sophos pure message running on our Exchange server.
 
LVL 9

Expert Comment

by:David Carr
ID: 39886404
Sophos is usually pretty good at blocking messages after one or two get through and then no more. Look at the firewall logs for SMTP traffic to get the IP Addresses for the messages and then lookup the IP addresses to see where they are located.
 
LVL 3

Author Comment

by:tech911
ID: 39886571
I'm not sure my firewall has that capability. Is there another way to see what device is trying to send SMTP traffic over port 25 on my network?
 
LVL 3

Author Comment

by:tech911
ID: 39886612
In Exchange 2010, what diagnostic setting in the log settings can you set so that the event log will tell you what account(s) are authenticating when sending mail?

In older versions it was Authentication but in Exchange 2010, that option is not present.
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 334 total points
ID: 39887040
If the queue is clean and you aren't using a smart host, then your Exchange server is fine. One of the signs of a server being abused is a lot of messages in the queues, because the lists the spammers use of recipients are not clean, or auto generated.

I would suspect the spam is coming from the workstation and is being bounced back in again. You need to look at the firewall to block the port 25 traffic - if it isn't capable of it, then change to a proper firewall, rather than a jumped up router with port blocking features.

Simon.
 
LVL 3

Author Comment

by:tech911
ID: 39887740
I have set the firewall to only allow outbound messages using SMTP on port 25 from the mail server's IP.

The odd thing is I scanned every machine with the bootable version of MS Defender and still no bugs.

I also ran a network monitor on the traffic and did not see anything going out or trying to go out over port 25.

My only unanswered question is that the CEO has a Mac; it's the only machine that I saw a lot of traffic being generated from, but it was UDP traffic, not SMTP, so I don't "think" that is the culprit, but it's the only idea I have left.

Any thoughts are welcome.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888201
If you have blocked port 25 outbound, then ensure you have logging enabled on that port block. Anything that attempts to send out will then get flagged to you.

Simon.
 
LVL 3

Author Comment

by:tech911
ID: 39888459
Simon,

This is where my knowledge is lacking, which is why I have this subscription.

How can I log what traffic is going to 10.0.0.1 on my internal network over port 25?

What tool can I use that will let me monitor traffic going to a specific interface on my internal network?

That is what I need to complete your instructions and I have never really had to do it before, so "be gentle".

Thanks
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888483
The only place is on the firewall. Exactly how I cannot say, because every firewall is different.
Some will have a local log display, others will require a syslog server to be installed on another machine to record the logs.

It isn't traffic to your Exchange server that you are concerned about, it is traffic going through the firewall and being blocked by your rule.

Simon.
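Simon's point above is that the firewall's log of hits on the outbound port 25 block is where the rogue host shows up. As an added example (not code from this thread or from any product mentioned in it), here is a small Python script that parses firewall log lines in a constructed key=value format, ignores the one host allowed to send mail (an assumed mail server address, since the thread never gives one), and reports every other internal host that tried to reach TCP/25 together with how many distinct outside hosts it hit; a spam bot fans out to many MX hosts, which is the tell. All addresses in the sample log are constructed.

```python
import re
from collections import defaultdict

# Assumption: the Exchange server's internal address (not given in the thread).
MAIL_SERVER_IP = "10.0.0.25"
SMTP_PORT = 25

# Constructed key=value log format; adapt the regex to what your firewall/syslog writes.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Extract action, proto, src/dst IP and ports from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_rogue_smtp_senders(lines, mail_server_ip=MAIL_SERVER_IP, smtp_port=SMTP_PORT):
    """Return {src: {"attempts": n, "destinations": [...]}} for every internal host
    other than the mail server that tried to reach TCP/25 through the firewall."""
    attempts, seen = defaultdict(int), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp" or rec["dport"] != smtp_port:
            continue
        if rec["src"] == mail_server_ip:
            continue  # the one host that is allowed to send mail directly
        attempts[rec["src"]] += 1
        seen[rec["src"]].add(rec["dst"])
    return {src: {"attempts": attempts[src], "destinations": sorted(seen[src])}
            for src in attempts}

# Constructed sample log: one workstation (10.0.0.57) hitting port 25 on several
# outside hosts, the mail server sending legitimately, and a Mac doing mDNS over UDP.
SAMPLE_LOG = """\
Feb 25 09:12:01 fw kernel: action=deny proto=tcp src=10.0.0.57:49211 dst=203.0.113.10:25
Feb 25 09:12:01 fw kernel: action=allow proto=udp src=10.0.0.88:5353 dst=224.0.0.251:5353
Feb 25 09:12:02 fw kernel: action=deny proto=tcp src=10.0.0.57:49213 dst=198.51.100.22:25
Feb 25 09:12:02 fw kernel: action=allow proto=tcp src=10.0.0.25:51000 dst=203.0.113.10:25
Feb 25 09:12:03 fw kernel: action=allow proto=tcp src=10.0.0.33:50102 dst=203.0.113.5:443
Feb 25 09:12:03 fw kernel: action=deny proto=tcp src=10.0.0.57:49220 dst=203.0.113.44:25
""".splitlines()

if __name__ == "__main__":
    for src, info in find_rogue_smtp_senders(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} attempts to {len(info['destinations'])} hosts")
```

The same filter works on a syslog export once the regex is adjusted, and the UDP line shows why the Mac's traffic in the thread would not be flagged.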
 
LVL 9

Assisted Solution

by:David Carr
David Carr earned 166 total points
ID: 39889640
You can use Wireshark to monitor the network traffic. You can get Wireshark from http://www.wireshark.org/download.html

The WireShark User Guide is at http://www.wireshark.org/docs/wsug_html_chunked/
 
LVL 3

Author Comment

by:tech911
ID: 39898889
It appears we had a workstation on the network that was still compromised, which I have since fixed. We have also ended up on the Chile-DNSRBL which I found strange.

To add more intrigue, I was troubleshooting an issue with a peer at a non-related customer site, and they are on the same Chile-DNSRBL list.

The only way to get off is to have your ISP make a removal request. Is anyone else "seeing" this out in the wild? What is causing it?

We are not on any other Blacklist, which is why I find it strange.

Thanks for the help from all who commented.
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 334 total points
ID: 39899076
Do you send email to Chile? Never heard of this blacklist and therefore it has to be a minor player. I wouldn't worry about it - they are probably blacklisting everything from outside Chile!

Simon.