lappladmin
asked on
How to stop spam attacks
We use Barracuda Cloud for email security, and Panda Cloud for Exchange to filter spam and viruses as a second level. Once a week we are getting spam attacks. These attacks caused our IPs to end up in an IP reputation block list (RBL). We use Norton Endpoint Protection and Malwarebytes to scan our desktops and servers, but did not find any issue. According to the internet headers below, which were caught by Panda and quarantined in the spam mailbox, my question is: how did this email end up on our server when it was not addressed to our server? I mean, this was an obvious spam email that should have been caught by the top level (Barracuda network). Any idea? How can we stop that? Do we have a security breach where spammers bypass our firewall? Please help!
Received: from [199.167.147.122] (199.167.147.122) by
my.domain.local (Server IP deleted) with Microsoft SMTP Server id
8.3.389.2; Mon, 15 Jun 2015 14:48:31 -0700
MIME-Version: 1.0
Received: from [224.115.42.85] by outgoing.izimrv.edu with ESMTP; Mon, 15 Jun
2015 21
Message-ID: <9bd61ccc8b6c4ff79c16307c3961e0ff@citibank.com>
X-Originating-IP: [47.75.221.120]
From: USAA <alerts-i8hbrkF@usaa.com>
Subject: [SPAM] Suspicious Account Activity
To: "joannejamieson@msn.com" <joannejamieson@msn.com>
Date: Mon, 15 Jun 2015 17:48:57 -0400
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_2EDB_698DE2E8.B1A1F3E3"
Return-Path: alerts-i8hbrkF@usaa.com
X-AntiMalwareExchange-CommtouchRefID: str=0001.0A010201.557F440C.00E7,ss=3,sh,re=0.000,fgs=0
ASKER
Yes our Domain was in the RBL.
What are the method to check the smtp send or receive?
Which version of Exchange? IIRC, in 2010 the path was along the lines of C:\Program Files\Microsoft\Exchange\V14\Transport Rules\Logging\SMTPSend & Receive
So it was your domain name and not your IP? Could be someone was spoofing your domain name and the bounced emails found their way back via DNS and the Reply to address?
ASKER
I am sorry, I misread your question. It was my IP address that got blocked. We have Exchange 2007.
Do you have any way of seeing where the SMTP traffic is being generated on your network? (i.e. Egress filtering on the firewall).
I'm thinking that if the traffic is coming from your IP (which is why it is blacklisted)... you may have a compromised host on your network.
The easiest way to detect that is to filter egress traffic. The only device on your network that should be generating SMTP traffic leaving your network is your mail server (with a few exceptions).
Find out what is sending email out... and you can at least isolate the compromised host.
ASKER
What are the methods you can use to capture the SMTP traffic and determine the compromised host on our network?
What kind of firewall are you using on your network? Does it include any monitoring or reporting? Filter on the outgoing SMTP traffic to see what is happening
There are other ways of doing it... but you should work within the realm of abilities and resources you have available.
For instance... you could set up a Snort IDS, a proxy server and a syslog server. Route all your configurable web traffic through the proxy... anything outside of the allowed traffic that then goes through your firewall would be detected and reported back via syslog and would be worth looking at. Gets technical.
If you are not technically minded, you would be better served bringing in an outside party who specializes in this type of thing.
ASKER CERTIFIED SOLUTION
Sniffer is great at broadcast traffic, not so much with directed traffic and would require a switch in place that allows for port monitoring.
ASKER
Jeff, we have a Cisco ASA 5505 firewall. Not sure if this can give us the ability to export the log from yesterday.
Could not tell you how as I am not a Cisco guy... BUT it is possible to send Cisco ASA logs to a SYSLOG device and then Parse that.
Here is something off a Cisco board that may help point you in the right direction
https://supportforums.cisco.com/discussion/11749911/set-syslog-server-asa
I personally use the Kiwi Syslog server... the advantage of which is you can configure rules to notify you when a certain pattern is matched (i.e. SMTP traffic not from a specified mail server IP)....
Takes a little tinkering, but you probably should be monitoring what is arriving AND leaving your network.
SOLUTION
ASKER
Simon
1. I am not a Cisco guy. Do you have any guide or instruction to set that up?
2. We do have a dedicated ip for our exchange server.
Simon, thanks for so eloquently phrasing what I was thinking. The crux of which is to figure out where the email is coming from.
If the email is coming from the server it will hash out... If it isn't and is coming from another host, it will show itself on the Syslog server.
Hopefully it is easily revealed once he can see what is crossing the threshold of his network.
ASKER
Just downloaded Wireshark. Not sure how to interpret this log; can anyone give me some expert advice about it?
NOTES: 192.168.1.2 is our mail server's internal IP address. The 64.235.154.0 - 64.235.154.254 range belongs to the Barracuda cloud-based solution.
"No.","Time","Source","Destination","Protocol","Length","Info"
"208","2.251661000","50.2.33.153","192.168.1.2","SMTP","72","C: RSET"
"277","3.257089000","192.168.1.2","50.2.33.153","SMTP","87","S: 250 2.0.0 Resetting"
"280","3.277567000","50.2.33.153","192.168.1.2","SMTP","198","C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"288","3.280626000","192.168.1.2","50.2.33.153","SMTP","111","S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"407","3.574958000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"409","3.674384000","50.2.33.153","192.168.1.2","SMTP","198","[TCP Retransmission] C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"468","4.175004000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"469","4.194888000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"470","4.194976000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"473","4.195513000","50.2.33.153","192.168.1.2","SMTP","659","C: DATA fragment, 1961 bytes"
"479","4.398909000","192.168.1.2","50.2.33.153","SMTP","164","S: 250 2.6.0 <ld81318638018131863-17440122gcjdeleted_user@mydomain.com016p> Queued mail for delivery"
"485","4.622006000","50.2.33.153","192.168.1.2","SMTP","72","C: DATA fragment, 6 bytes"
"486","4.622238000","192.168.1.2","50.2.33.153","SMTP","114","S: 221 2.0.0 Service closing transmission channel"
"3629","77.017272000","192.168.1.2","64.235.154.109","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:52 -0700"
"3631","77.036283000","64.235.154.109","192.168.1.2","SMTP","97","C: EHLO mail14.ess.barracuda.com"
"3632","77.036423000","192.168.1.2","64.235.154.109","SMTP","324","S: 250 mail.mydomain.local Hello [64.235.154.109] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3634","77.055769000","64.235.154.109","192.168.1.2","SMTP","76","C: STARTTLS"
"3635","77.055857000","192.168.1.2","64.235.154.109","SMTP","95","S: 220 2.0.0 SMTP server ready"
"3730","79.637125000","192.168.1.2","64.235.153.8","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:55 -0700"
"3732","79.702001000","64.235.153.8","192.168.1.2","SMTP","96","C: EHLO mail0.ess.barracuda.com"
"3733","79.702283000","192.168.1.2","64.235.153.8","SMTP","322","S: 250 mail.mydomain.local Hello [64.235.153.8] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3734","79.766432000","64.235.153.8","192.168.1.2","SMTP","76","C: STARTTLS"
"3735","79.766640000","192.168.1.2","64.235.153.8","SMTP","95","S: 220 2.0.0 SMTP server ready"
"4015","82.530810000","144.160.235.143","192.168.1.2","SMTP","152","S: 220 alph143.prodigy.net ESMTP Sendmail 8.14.4 IN nd2 TLS/8.14.4; Tue, 16 Jun 2015 18:58:27 -0400"
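An added example, not code from any poster in this thread, that applies the earlier advice (flag SMTP traffic that is not from the designated mail server) to Wireshark's CSV export format shown above: it works out which side opened each SMTP session from the "C:"/"S:" prefix, then flags inbound sessions that reach the mail server from outside the Barracuda range (the 50.2.33.153 rows above are one such session) and outbound sessions opened by any internal host other than the mail server. The internal /24, the second Barracuda /24 (mail0.ess.barracuda.com appears from 64.235.153.8 in the capture) and the desktop row in the sample are assumptions.

```python
import csv
import io
import ipaddress

# Addresses from the thread: the internal mail server and the Barracuda range the asker gave.
MAIL_SERVER = ipaddress.ip_address("192.168.1.2")
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")      # assumption: the LAN behind the ASA
FILTER_RANGES = [ipaddress.ip_network("64.235.154.0/24"),
                 ipaddress.ip_network("64.235.153.0/24")]   # assumption: mail0.ess.barracuda.com sits here too

# Constructed sample in Wireshark's CSV export layout. Rows 208-4015 mirror the posted
# capture; row 5001 is an invented desktop talking SMTP straight out to the Internet.
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"208","2.251661000","50.2.33.153","192.168.1.2","SMTP","72","C: RSET"
"409","3.674384000","50.2.33.153","192.168.1.2","SMTP","198","[TCP Retransmission] C: MAIL FROM:<x@example.test>"
"3631","77.036283000","64.235.154.109","192.168.1.2","SMTP","97","C: EHLO mail14.ess.barracuda.com"
"3732","79.702001000","64.235.153.8","192.168.1.2","SMTP","96","C: EHLO mail0.ess.barracuda.com"
"4015","82.530810000","144.160.235.143","192.168.1.2","SMTP","152","S: 220 alph143.prodigy.net ESMTP"
"5001","90.100000000","192.168.1.57","198.51.100.10","SMTP","90","C: EHLO desktop57"
'''

def classify_session(client, server):
    """Label one SMTP session by who opened it and where it goes."""
    if server == MAIL_SERVER:
        # Mail should only arrive through the cloud filter; anything else is direct delivery.
        return "inbound-via-filter" if any(client in n for n in FILTER_RANGES) else "inbound-bypassing-filter"
    if client == MAIL_SERVER and server not in INTERNAL_NET:
        return "outbound-from-mail-server"
    if client in INTERNAL_NET and server not in INTERNAL_NET:
        return "outbound-from-other-host"     # candidate compromised machine
    return "other"

def smtp_sessions(csv_text):
    """Map each (client, server) pair in the export to its classification."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Protocol"] != "SMTP":
            continue
        src = ipaddress.ip_address(row["Source"])
        dst = ipaddress.ip_address(row["Destination"])
        info = row["Info"].replace("[TCP Retransmission] ", "")
        # Wireshark prefixes client commands with "C:" and server replies with "S:", which reveals who opened the session.
        client, server = (src, dst) if info.startswith("C:") else (dst, src)
        sessions[(str(client), str(server))] = classify_session(client, server)
    return sessions

def findings(csv_text):
    """Only the sessions worth chasing: direct inbound delivery and outbound from non-mail hosts."""
    return {k: v for k, v in smtp_sessions(csv_text).items()
            if v in ("inbound-bypassing-filter", "outbound-from-other-host")}
```

Running findings() over a full export from the mail server's switch port (or over ASA connection logs converted to the same columns) narrows the hunt to the sessions that should not exist.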
I cannot help with Cisco queries. Dropped Cisco years ago. When I did have it, I had support on them; if I wanted anything changed, I got Cisco to do it for me.
If you have a dedicated IP address for Exchange and are still getting blacklisted, then I would be checking the NAT is correct, i.e. that the traffic is coming out on the correct address.
Simon.
ASKER
Hi GeNeRaL971,
Any input on the Wireshark output?
ASKER
Thanks for all the input. Very useful, and we were able to identify where the issue was.
Have you looked at the logs on your server to determine where this email is coming from? SMTP Send & SMTP Receive logs