Solved

Is Exchange Compromised???

Posted on 2014-02-25
13
266 Views
Last Modified: 2014-03-09
Have Exchange 2010 Server, in production for 18 months, no issues.
Running on Server 2008 R2

Had a user get a trojan on their system last Friday.
Thought it was contained, scanned all systems from a bootable scan/fix CD
All systems came back clean

We are getting a ton of spam that has ACTUAL USERNAME@bougusDomain

Checked the Exchange Queue, we don't have barely anything  in there, so it does not appear to be that we are sending spam from the server.

Today, we appeared on SORBS Blacklist.

It has to be coming from a machine on the network, I'm just not sure where or how to find it.

Where should I be looking or what should I be looking for because obviously there is a problem.

Advise
0
Comment
Question by:tech911
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 3
13 Comments
 
LVL 9

Expert Comment

by:David Carr
ID: 39886345
Do you have any spam filtering software in your environment?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886362
Yep,

We have it on our firewall at the head end (where all traffic comes/goes to the internet) and we have Sophos pure message running on our Exchange server.
0
 
LVL 9

Expert Comment

by:David Carr
ID: 39886404
Sophos is usually pretty good at blocking messages after one or two get through and then no more. Look at the firewall logs for SMTP traffic to get the IP Addresses for the messages and then lookup the IP addresses to see where they are located.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 3

Author Comment

by:tech911
ID: 39886571
I'm not sure my firewall has that capability is there another way to see what device is trying to send smtp traffic over port 25 on my network?
0
 
LVL 3

Author Comment

by:tech911
ID: 39886612
In Exchange 2010 what diagnostic setting in the log settings can you set so that the event log will tell you what account(s) are authenticating when sending mail.

In older versions it was Authentication but in Exchange 2010, that option is not present.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 334 total points
ID: 39887040
If the queue is clean and you aren't using a smart host, then your Exchange server is fine. One of the signs of a server being abused is a lot of messages in the queues, because the lists the spammers use of recipients are not clean, or auto generated.

I would suspect the spam is coming from the workstation and is being bounced back in again. You need to look at the firewall to block the port 25 traffic - if it isn't capable of it, then change to a proper firewall, rather than a jumped up router with port blocking features.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39887740
I have set the firewall to only allow outbound messages using SMTP on port 25 from the mail server's IP.

The odd thing is I scanned every machine with the bootable version of MS Defender and still no bugs.

I also ran a network monitor on the traffic and did not see anything going out or trying to go out over port 25.

My only unanswered question is that the CEO has a MAC, its the only machine that I saw a lot of traffic being generated from, but it was UDP traffic not SMTP so I don't "Think" that is the culprit, but its the only idea I have left.

Any thoughts are welcome.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888201
If you have blocked port 25 outbound, then ensure you have logging enabled on that port block. Anything that attempts to send out will then get flagged to you.

Simon.
0
 
LVL 3

Author Comment

by:tech911
ID: 39888459
Simon,

This is where my knowledge is lacking, which is why I have this subscription.

How can I log what traffic is going to  10.0.0.1 on my internal network over port 25?

What tool can I use that will let me monitor traffic going to a specific interface on my internal network?

That is what I need to complete your instructions and I have never really had to do it before, so "be gentle".

Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39888483
The only place is on the firewall. Exactly how I cannot say, because every firewall is different.
Some will have a local log display, others will require a syslog server to be installed on another machine to record the logs.

It isn't traffic to your Exchange server that you are concerned about, it is traffic going through the firewall and being blocked by your rule.

Simon.
0
 
LVL 9

Assisted Solution

by:David Carr
David Carr earned 166 total points
ID: 39889640
You can use wireshark to monitor the network traffic. You get wireshark from http://www.wireshark.org/download.html

The WireShark User Guide is at http://www.wireshark.org/docs/wsug_html_chunked/
0
 
LVL 3

Author Comment

by:tech911
ID: 39898889
It appears we had a workstation on the network that was still compromised, which I have since fixed. We have also ended up on the Chile-DNSRBL which I found strange.

To add more intrigue, I was troubleshooting an issue with a peer at a non-related customer site, and they are on the same Chile-DNSRBL list.

The only way to get off is to have your ISP make a removal request.  Is anyone else "seeing" this out in the wild?  What is causing it?

We are not on any other Blacklist, which is why I find it strange.

Thanks for the help from all who commented.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 334 total points
ID: 39899076
Do you send email to Chile? Never heard of this blacklist and therefore it has to be a minor player. I wouldn't worry about it - they are probably blacklisting everything from outside Chile!

Simon.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question