Solved

Having trouble locating the source of a spam outbreak in an Exchange 2007 environment... can iPhones be spam devices?

Posted on 2014-07-20
Last Modified: 2014-08-22
Hello,

I'm the administrator of a school district with 1400+ users.  We have two Exchange 2007 servers (one as the hub/transport, the other hosting the mailboxes), and utilize an onsite Sophos Spam Filtering appliance.  All internal port 25 traffic is routed to the Exchange servers only, the Exchange servers route to the filter, and the filter is the only device that can send port 25 traffic through the firewall.  Our clients are all Windows 7 professional, running Office 2013.  We allow end users to set up mail on iOS devices using OWA.  Remote Windows clients can get to their mailboxes using either OWA or ActiveSync.

Last week, the email account of one of our users (who hasn't been in the district since mid-June) began spamming out to the world.  The hub/transport server showed thousands of outbound messages in the queue emanating from her account.  Her district computer was turned off.  We disabled her account, cleared the queues, and began damage control.

I contacted her at home, and found that she accesses school email using her iPhone (OWA connection in the native mail client) and via a personal laptop using OWA through Internet Explorer.  I asked her if she'd run into any virus/malware issues recently, and she stated that her laptop was infected, but she had taken it in and the problem was resolved by a tech company a couple of weeks ago.  This seemed suspicious, so I asked her to have them take another look.

The next day the tech company reported that there were no signs of malware on her laptop, nor was there anything in quarantine that might account for the spam.  We were stumped as to the cause of the outbreak, and enabled her account again.  We did ask her not to enable mail on her iPhone, but to only utilize OWA on her laptop.  After three days, there has been no sign of spam from her account.

However, later on Friday I was confronted with another district user having a similar issue.  This person was actively working in the district, although scans with SCCM's AV and Sophos' workstation agent found nothing out of the ordinary.  The coincidental note here is that this user, like the first, has her email configured on her iPhone using OWA.  At this point, we've left her account disabled.

I'm stumped here... our Apple tech says that there are still no known viruses for iOS devices (at least that he's aware of).  I'm less convinced, but don't have any information to refute him.

This seems like a standard spambot, but I've not heard of malware being able to use OWA as a transport method for spam.  I always assumed that the malware had to be resident on a workstation with Outlook configured.

Does anyone have any ideas on what might be happening, or on what steps I should take next?  Since the iPhones and laptops in question aren't district devices, I'm prohibited by policy from bringing them in to take a look at them, which is really hampering my investigation.

Any help would be appreciated!

Scott
Question by:meelnah
7 Comments
 
LVL 19

Assisted Solution

by:Miguel Angel Perez Muñoz
Miguel Angel Perez Muñoz earned 200 total points
Some users access with rooted (on Android) or jailbroken Apple devices. Since those devices run software of unknown reputation, they may cause these spam attacks.
I suggest you start a multi-pronged investigation:

Ask your affected users about their devices, and try to block access from modified devices.
Ask about use of their accounts on public computers or over public internet access.
Start an auditing policy for these mails. Check in the transport logs where these emails came from.
Force all users to change their password, and set a password expiry policy.
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 300 total points
I would not be too sure that viruses do not exist on iOS, but that's off topic, since many apps users can install are able to send mail, possibly in bulk, and there is no control whatsoever regarding what people upload to the App Store or download onto their devices.

I would never trust a company for saying they removed an infection. From my experience, removing a virus with an anti-virus produces a high chance that another underlying infection is left behind. If the antivirus detected several different viruses, those chances near 100%. Actually, even a full reinstall is not always enough because of rootkits and other hardware baddies.

Also note that their accounts may have been spoofed or breached.

---

A first step might be to look at the logs or email headers, or possibly sniff the network to get the IP addresses that send that spam, which should give a hint as to which device is infected.
 
LVL 26

Expert Comment

by:skullnobrains
"I've not heard of malware being able to use OWA as a transport method for spam"

There is a whole bunch of spambots that do this, and even some that use OWA breaches. Anyway, this is probably irrelevant, as the bot most likely uses the device's configured mail server using internal APIs (be it Outlook's or Apple's).
LVL 1

Author Comment

by:meelnah
Thanks to you both for your advice.

We're looking deeper (found another compromised user), and finding that our Exchange management skills aren't what they should be.

At this point, in the Message Tracker on Exchange, I can see that a user account began sending a batch of spam at 16:38 on Saturday, sent for about 2 hours, then stopped.  No spam Sunday, then it started up again this morning.  This makes me think either that the spambot is sending in bunches, or that the compromised device is being turned off and then back on.

Can either of you tell me if there's a way to determine which IP address the messages are coming from?  I'm trying to determine if the origin is inside the network, or if it's a device outside the network.

Scott
 
LVL 1

Author Comment

by:meelnah
I was able to find some information using the Get-MessageTrackingLog cmdlet on our mailbox and hub servers.

It appears that all spam is being routed through our systems using OWA (the ClientType attribute in the 'SourceContext' portion of the return is OWA).

However, I cannot tell if the source machine is inside or outside our network.  

Do either of you have any ideas here?

I'm currently trying to find out if I can trace the traffic through our firewall (a Cisco ASA 5555), but haven't found an easy way to do so just yet.

sm
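An added example, not code posted in this thread: it pulls the OWA-submitted SUBMIT events Scott describes out of the tracking log, then reads the Client Access server's IIS W3C logs for the `/owa` requests of that user, because the tracking log records the Exchange server, not the device, as the client. The mailbox alias, log path, internal address prefixes and default IIS field set are assumptions.

```powershell
# Added example (not from the thread). Part 1 assumes the Exchange Management Shell on the
# mailbox server holding the tracking logs (or add -Server); part 2 assumes read access to the
# Client Access server's IIS W3C logs. Alias, paths and address prefixes are placeholders.
$Alias    = 'jdoe'                                    # placeholder: the account under investigation
$Sender   = "$Alias@district.example"                 # placeholder primary SMTP address
$Start    = (Get-Date).AddDays(-3)
$IisLogs  = '\\CAS01\c$\inetpub\logs\LogFiles\W3SVC1' # placeholder: OWA server's IIS log directory
$Internal = @('10.', '192.168.')                      # placeholder: internal address prefixes

# Part 1: OWA-submitted messages for this sender. The STOREDRIVER SUBMIT event carries
# "ClientType:OWA" in SourceContext; its ClientIp is the Exchange server, not the user's device,
# so the tracking log shows the pattern (bursts, recipient counts) but cannot locate the device.
Get-MessageTrackingLog -Sender $Sender -EventId SUBMIT -Start $Start -ResultSize Unlimited |
    Where-Object { $_.SourceContext -match 'ClientType:OWA' } |
    Select-Object Timestamp, @{n = 'Recipients'; e = { $_.Recipients.Count }}, MessageSubject |
    Sort-Object Timestamp | Format-Table -AutoSize

# Part 2: the device's address is the c-ip field of the OWA requests in the IIS log.
# Field positions are taken from each file's "#Fields:" header, so the layout is not hardcoded.
function Get-OwaClientIps {
    param([string]$LogDir, [string]$User, [string[]]$InternalPrefixes)
    Get-ChildItem -Path $LogDir -Filter '*.log' | ForEach-Object {
        $idx = @{}
        foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
            if ($line.StartsWith('#Fields:')) {
                $names = $line.Substring(8).Trim() -split ' '
                $idx = @{}; for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
                continue
            }
            if ($line.StartsWith('#') -or -not $idx.ContainsKey('c-ip')) { continue }
            $f = $line -split ' '
            if ($f[$idx['cs-uri-stem']] -notlike '/owa*') { continue }    # OWA virtual directory only
            if ($f[$idx['cs-username']] -notlike "*$User*") { continue }  # also matches DOMAIN\user
            $ip = $f[$idx['c-ip']]
            [pscustomobject]@{
                Time     = "$($f[$idx['date']]) $($f[$idx['time']])"
                ClientIp = $ip
                Internal = [bool]($InternalPrefixes | Where-Object { $ip.StartsWith($_) })
                Agent    = $f[$idx['cs(User-Agent)']]
            }
        }
    }
}
# One row per distinct client address and user agent; Internal = False marks logons from outside
# the district network, which is what separates a stolen credential from an infected local PC.
Get-OwaClientIps -LogDir $IisLogs -User $Alias -InternalPrefixes $Internal |
    Group-Object ClientIp, Internal, Agent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Correlate the burst times from part 1 with the Time column of part 2 to tie each spam run to the address and user agent that was logged on at that moment.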
 
LVL 1

Author Comment

by:meelnah
More info!

We were able to identify the originating IP addresses for the SPAM (as it was being sent to our mail server for transport).  Some were local, but a couple of others were coming from Nigeria, proving that a user's account credentials were compromised.  

We've since reset all account passwords, and the SPAM has stopped, at least for now.

My next (hopefully final) question would be 'How can I prevent this in the future?'  The users are compromising their home systems, and then using OWA to connect to their district mail accounts.  Do either of you have any ideas on how I could protect the systems from this (other than remove remote access to mail?)
 
LVL 26

Expert Comment

by:skullnobrains
Quite sorry, but the simple answer is you can't.

One way to allow external access and effectively limit such problems is to make the users use a VPN or equivalent tunnel when they connect to OWA. At least OWA would not be open to the WAN, so it would be impossible to brute force remotely, and even grabbing a user's password through other means would not produce a working automated attack such as the one you experienced.

Another way can be to require the users to log on to a separate interface before they can use OWA: you would allow OWA access to any IP that logs on to that page by adding a rule in a firewall or reverse proxy, for example.

Policies such as frequent password changes and automated detection of brute force attacks will likely prove inefficient.

Setting up antispam software with alerts for detected outgoing spam can be very useful.