meelnah (ASKER)

Having trouble locating the source of a spam outbreak in an Exchange 2007 environment... can iPhones be spam devices?

Hello,

I'm the administrator of a school district with 1400+ users.  We have two Exchange 2007 servers (one as the hub/transport, the other hosting the mailboxes), and utilize an onsite Sophos Spam Filtering appliance.  All internal port 25 traffic is routed to the Exchange servers only, the Exchange servers route to the filter, and the filter is the only device that can send port 25 traffic through the firewall.  Our clients are all Windows 7 professional, running Office 2013.  We allow end users to set up mail on iOS devices using OWA.  Remote Windows clients can get to their mailboxes using either OWA or ActiveSync.

Last week the email account of one of our users (who hasn't been in the district since mid-June) began spamming out to the world.  The hub/transport server showed thousands of outbound messages in the queue emanating from her account.  Her district computer was turned off.  We disabled her account, cleared the queues, and began damage control.

I contacted her at home, and found that she accesses school email using her iPhone (OWA connection in the native mail client) and via a personal laptop using OWA through Internet Explorer.  I asked her if she'd run into any virus/malware issues recently, and she stated that her laptop was infected, but she had it in and the problem was resolved by a tech company a couple of weeks ago.  This seemed suspicious, so I asked her to have them take another look.  

The next day the tech company reported that there were no signs of malware on her laptop, nor was there anything in quarantine that might account for the spam.  We were stumped as to the cause of the outbreak, and enabled her account again.  We did ask her not to enable mail on her iPhone, but to only utilize OWA on her laptop.  After three days, there has been no sign of spam from her account.

However, later on Friday I was confronted with another district user having a similar issue.  This person was actively working in the district, although scans with SCCM's AV and Sophos' workstation agent found nothing out of the ordinary.  The coincidental note here is that this user, like the first, has her email configured on her iPhone using OWA.  At this point, we've left her account disabled.

I'm stumped here... our Apple tech says that there are still no known viruses for iOS devices (at least that he's aware of).  I'm less convinced, but don't have any information to refute him.

This seems like a standard spambot, but I've not heard of malware being able to use OWA as a transport method for spam.  I always assumed that the malware had to be resident on a workstation with Outlook configured.

Does anyone have any ideas on what might be happening, or on what steps I should take next?  Since the iPhones and laptops in question aren't district devices, I'm prohibited by policy from bringing them in to take a look at them, which is really hampering my investigation.

Any help would be appreciated!

Scott
SOLUTION
Miguel Angel Perez Muñoz
This solution is only available to members.

ASKER CERTIFIED SOLUTION
This solution is only available to members.
skullnobrains

I've not heard of malware being able to use OWA as a transport method for spam

There are a whole bunch of spambots that do this, and some even use OWA breaches. Anyway, this is probably irrelevant, as the bot most likely uses the device's configured mail server through internal APIs (be it Outlook's or Apple's).
meelnah (ASKER)

Thanks to you both for your advice.

We're looking deeper (found another compromised user), and finding that our Exchange management skills aren't what they should be.

At this point, in the Message Tracker on Exchange, I can see a user account began sending a batch of spam at 16:38 on Saturday, sent for about 2 hours, then stopped.  No spam Sunday, then started up again this morning.  This makes me think either the spambot is sending in bunches, or that the compromised device is being turned off and then back on.

Can either of you tell me if there's a way to determine which IP address the messages are coming from?  I'm trying to determine if the origin is inside the network, or if it's a device outside the network.

Scott
meelnah (ASKER)

I was able to find some information using the Get-MessageTrackingLog cmdlet on our mailbox and hub servers.

It appears that all spam is being routed through our systems using OWA (the ClientType attribute in the 'SourceContext' portion of the return is OWA).

However, I cannot tell if the source machine is inside or outside our network.  

Do either of you have any ideas here?

I'm currently trying to find out if I can trace the traffic through our firewall (a Cisco ASA 5555), but haven't found an easy way to do so just yet.

sm
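An added example for the question in this post (not code from the thread, from Microsoft or from Sophos): on Exchange 2007 the SUBMIT event in the message tracking log tells you the mailbox and that SourceContext carries ClientType:OWA, but its ClientIp field is the submitting server, not the browser. The browser's address is recorded by IIS on the Client Access server, so the way to place the sender inside or outside the network is to take the time window from the tracking log and look for /owa/ requests by that user in the IIS W3C log for the same window. The script below assumes the Exchange Management Shell (for Get-MessageTrackingLog), an IIS log at an assumed path, and the user name, times, addresses and log lines are constructed for illustration.

```powershell
# Added example; not code from the original thread. Assumes Exchange 2007 with
# Get-MessageTrackingLog available (Mailbox/Hub server) and IIS W3C logs on the
# Client Access server. Paths, user names, times and addresses are constructed.

# 1. OWA submissions for one sender. On Exchange 2007 the SUBMIT event is written
#    by the mailbox server's store driver and its SourceContext contains
#    "ClientType:OWA"; the ClientIp field there is the server, not the web client.
function Get-OwaSubmissions {
    param([string]$Sender, [datetime]$Start, [datetime]$End)
    Get-MessageTrackingLog -Sender $Sender -Start $Start -End $End -EventId SUBMIT -ResultSize Unlimited |
        Where-Object { $_.SourceContext -match 'ClientType:OWA' } |
        Select-Object Timestamp, Sender, RecipientCount, MessageSubject
}

# 2. Parse an IIS W3C log into objects, taking column names from the #Fields header
#    (IIS replaces spaces inside a field with '+', so splitting on whitespace is safe).
function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = @(($line -replace '^#Fields:\s*', '') -split '\s+'); continue }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        $values = $line -split '\s+'
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $row | Add-Member NoteProperty $fields[$i] $values[$i]
        }
        $row
    }
}

# 3. Correlate: which client addresses hit /owa/ as this user inside the window?
#    IIS logs in UTC while the tracking log uses local time, so pass the window
#    already converted (e.g. $event.Timestamp.ToUniversalTime()).
function Find-OwaClients {
    param([object[]]$Requests, [string]$User, [datetime]$UtcStart, [datetime]$UtcEnd)
    $Requests |
        Where-Object { $_.'cs-uri-stem' -like '/owa/*' -and $_.'cs-username' -like "*\$User" } |
        Where-Object {
            $t = [datetime]::ParseExact("$($_.date) $($_.time)", 'yyyy-MM-dd HH:mm:ss',
                                        [Globalization.CultureInfo]::InvariantCulture)
            $t -ge $UtcStart -and $t -le $UtcEnd
        } |
        Group-Object 'c-ip' | Sort-Object Count -Descending |
        Select-Object @{n='ClientIp'; e={ $_.Name }}, Count,
                      @{n='UserAgents'; e={ ($_.Group | ForEach-Object { $_.'cs(User-Agent)' } | Sort-Object -Unique) -join '; ' }}
}

# 4. Constructed sample IIS log (not real traffic). 10.1.50.22 stands in for an
#    internal workstation, 203.0.113.45 for an unexpected external address; the
#    user name, server address and query strings are invented for the example.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2013-08-10 20:37:55 10.1.1.5 GET /owa/ - 443 DISTRICT\jdoe 10.1.50.22 Mozilla/5.0+(Windows+NT+6.1) 200
2013-08-10 20:38:20 10.1.1.5 POST /owa/ev.owa oeh=1&ns=Form&ev=Send 443 DISTRICT\jdoe 203.0.113.45 Mozilla/5.0+(Windows+NT+5.1) 200
2013-08-10 20:38:41 10.1.1.5 POST /owa/ev.owa oeh=1&ns=Form&ev=Send 443 DISTRICT\jdoe 203.0.113.45 Mozilla/5.0+(Windows+NT+5.1) 200
2013-08-10 20:39:02 10.1.1.5 POST /owa/ev.owa oeh=1&ns=Form&ev=Send 443 DISTRICT\jdoe 203.0.113.45 Mozilla/5.0+(Windows+NT+5.1) 200
2013-08-10 20:45:10 10.1.1.5 GET /Microsoft-Server-ActiveSync Cmd=Sync 443 DISTRICT\jdoe 10.1.50.22 Apple-iPhone3C1/1001.523 200
'@ -split "`r?`n"

# The spam run in the tracking log started at 16:38 local time; with an assumed
# UTC-4 offset that is 20:38 UTC, and the run lasted about two hours.
$utcStart = [datetime]'2013-08-10 20:38:00'
$utcEnd   = [datetime]'2013-08-10 22:38:00'
Find-OwaClients -Requests (ConvertFrom-IisLog $sampleLog) -User 'jdoe' -UtcStart $utcStart -UtcEnd $utcEnd |
    Format-Table -AutoSize

# Against a real server (assumed log path; only runs inside the Exchange shell):
if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
    $subs = @(Get-OwaSubmissions -Sender 'jdoe@district.example' -Start (Get-Date).AddDays(-1) -End (Get-Date))
    if ($subs.Count -gt 0) {
        $requests = ConvertFrom-IisLog (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex130810.log')
        Find-OwaClients -Requests $requests -User 'jdoe' `
            -UtcStart ($subs[0].Timestamp.ToUniversalTime()) `
            -UtcEnd   ($subs[-1].Timestamp.ToUniversalTime()) | Format-Table -AutoSize
    }
}
```

On the constructed sample only the three POSTs from 203.0.113.45 fall inside the window and under /owa/, so that address surfaces as the sender of the run while the internal workstation and the ActiveSync traffic do not. The same correlation also tells the two access paths apart: ActiveSync requests land under /Microsoft-Server-ActiveSync with the device's user agent, OWA requests under /owa/, so a burst attributed to OWA from an address nobody in the district uses is a stolen password, not a device issue.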
meelnah (ASKER)

more info!

We were able to identify the originating IP addresses for the SPAM (as it was being sent to our mail server for transport).  Some were local, but a couple of others were coming from Nigeria, proving that a user's account credentials were compromised.  

We've since reset all account passwords, and the SPAM has stopped, at least for now.

My next (hopefully final) question would be 'How can I prevent this in the future?'  The users are compromising their home systems, and then using OWA to connect to their district mail accounts.  Do either of you have any ideas on how I could protect the systems from this (other than remove remote access to mail?)

Quite sorry, but the simple answer is you can't.

One way to allow external access and effectively limit such problems is to make the users use a VPN or equivalent tunnel when they connect to OWA. At least OWA would not be open to the WAN, so it would be impossible to brute force remotely, and even grabbing a user's password through other means would not produce a working automated attack such as the one you experienced.

Another way can be to require the users to log on to a separate interface before they can use OWA: you would allow OWA access to any IP that logs on to the page, by adding a rule in a firewall or reverse proxy, for example.

Policies such as frequent password changes and automated detection of brute force attacks will likely prove inefficient.

Setting up antispam software with alerts for outgoing detected spam can be very useful.
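An added example for the last point above (alerting on outgoing spam), written for this page and not taken from the thread or from any vendor product: the pattern the asker saw in Message Tracking, one mailbox submitting through OWA for two hours at a time, can be caught from the tracking log itself without a filtering appliance by summing the recipients each sender reaches through OWA inside a sliding one-hour window. The threshold of 150 recipients per hour, the window length, the sender addresses and the sample events are all assumptions to be tuned against your own district's logs; the non-OWA ClientType value in the sample is a placeholder.

```powershell
# Added example; not from the thread. Flags mailboxes whose OWA submissions inside
# any window of $WindowMinutes reach $RecipientThreshold recipients. Both limits
# are assumptions: tune them against a few days of your own tracking logs.
function Find-OwaBursts {
    param([object[]]$Events, [int]$RecipientThreshold = 150, [int]$WindowMinutes = 60)
    # Only look at mail created through Outlook Web Access, as the asker observed.
    $owa = @($Events | Where-Object { $_.SourceContext -match 'ClientType:OWA' })
    foreach ($group in ($owa | Group-Object Sender)) {
        $sorted = @($group.Group | Sort-Object Timestamp)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window that opens at each submission in turn.
            $from = $sorted[$i].Timestamp
            $to   = $from.AddMinutes($WindowMinutes)
            $inWindow   = @($sorted | Where-Object { $_.Timestamp -ge $from -and $_.Timestamp -lt $to })
            $recipients = ($inWindow | Measure-Object RecipientCount -Sum).Sum
            if ($recipients -ge $RecipientThreshold) {
                New-Object PSObject |
                    Add-Member NoteProperty Sender      $group.Name     -PassThru |
                    Add-Member NoteProperty WindowStart $from           -PassThru |
                    Add-Member NoteProperty Messages    $inWindow.Count -PassThru |
                    Add-Member NoteProperty Recipients  $recipients     -PassThru
                break   # one alert per sender per run is enough
            }
        }
    }
}

# Constructed stand-in for Get-MessageTrackingLog output (only the fields used here).
function New-TrackingEvent([datetime]$Timestamp, [string]$Sender, [int]$RecipientCount, [string]$ClientType) {
    New-Object PSObject |
        Add-Member NoteProperty Timestamp      $Timestamp                 -PassThru |
        Add-Member NoteProperty Sender         $Sender                    -PassThru |
        Add-Member NoteProperty RecipientCount $RecipientCount            -PassThru |
        Add-Member NoteProperty SourceContext  "ClientType:$ClientType"   -PassThru
}

# Constructed sample: a compromised account sends 30 messages of 10 recipients
# each, 20 seconds apart, through OWA; an ordinary user sends two messages in the
# same hour. 'MAPI' is a placeholder for a non-OWA client type.
$t0 = [datetime]'2013-08-10 16:38:00'
$events = @()
for ($i = 0; $i -lt 30; $i++) {
    $events += New-TrackingEvent $t0.AddSeconds(20 * $i) 'jdoe@district.example' 10 'OWA'
}
$events += New-TrackingEvent $t0.AddMinutes(5)  'asmith@district.example' 3  'MAPI'
$events += New-TrackingEvent $t0.AddMinutes(40) 'asmith@district.example' 12 'OWA'

Find-OwaBursts -Events $events | Format-Table -AutoSize

# Real use: schedule this on the mailbox server (e.g. hourly over the last two
# hours) and route the output to whoever can disable the account. Guarded so the
# sample above still runs outside the Exchange Management Shell.
if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
    $recent = @(Get-MessageTrackingLog -EventId SUBMIT -Start (Get-Date).AddHours(-2) -End (Get-Date) -ResultSize Unlimited)
    Find-OwaBursts -Events $recent | Format-Table -AutoSize
}
```

On the constructed sample only jdoe@district.example is reported (300 recipients in ten minutes); the ordinary user's 12 recipients through OWA stay well under the limit. The check deliberately keys on recipients rather than message count, since a spambot sending one message to many recipients and one sending many messages to one recipient each look the same under this measure, and it is run against SUBMIT events so the alert fires while the queue is still filling rather than after the filter has already relayed the mail.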