how to stop Spam Attack

We use Barracuda Cloud for email security and we use Panda Cloud for Exchange to filter spam and viruses as a second level. Once a week we are getting spam attacks. These attacks caused our IPs to end up in the IP reputation block list (RBL). We use Norton Endpoint Protection and Malwarebytes to scan our desktops and servers, but did not find any issue. According to the internet headers below, which were caught by Panda and quarantined in the spam mailbox, my question is: how did this email end up on our server when it is not addressed to our server? I mean, this was an obvious spam email that should have been caught by the top level (Barracuda network). Any idea? How can we stop that? Do we have a security breach where spammers bypass our firewall? Please help!

Received: from [199.167.147.122] (199.167.147.122) by
 my.domain.local (Server IP deleted) with Microsoft SMTP Server id
 8.3.389.2; Mon, 15 Jun 2015 14:48:31 -0700
MIME-Version: 1.0
Received: from [224.115.42.85] by outgoing.izimrv.edu with ESMTP; Mon, 15 Jun
 2015 21
Message-ID: <9bd61ccc8b6c4ff79c16307c3961e0ff@citibank.com>
X-Originating-IP: [47.75.221.120]
From: USAA <alerts-i8hbrkF@usaa.com>
Subject: [SPAM] Suspicious Account Activity
To: "joannejamieson@msn.com" <joannejamieson@msn.com>
Date: Mon, 15 Jun 2015 17:48:57 -0400
Content-Type: multipart/mixed;
      boundary="----=_NextPart_000_2EDB_698DE2E8.B1A1F3E3"
Return-Path: alerts-i8hbrkF@usaa.com
X-AntiMalwareExchange-CommtouchRefID: str=0001.0A010201.557F440C.00E7,ss=3,sh,re=0.000,fgs=0
lappladminAsked:

Jeff RodgersNetworks & Communications Systems ManagerCommented:
Is it your IP address or Domain Name that is appearing in the RBL's?

Have you looked at the logs on your server to determine where this email is coming from?  SMTP Send & SMTP Receive logs
0
lappladminAuthor Commented:
Yes our Domain was in the RBL.

What is the method to check the SMTP send or receive?
0
Jeff RodgersNetworks & Communications Systems ManagerCommented:
Which version of Exchange?  IIRC  In 2010 the path was along the lines of C:\Program Files\Microsoft\Exchange\V14\ Transport Rules\Logging\SMTPSend & Receive  

So it was your domain name and not your IP?   Could be someone was spoofing your domain name and the bounced emails found their way back via DNS and the Reply to address?
0

lappladminAuthor Commented:
I am sorry I misread your question. It was my IP address got blocked. We have exchange 2007.
0
Jeff RodgersNetworks & Communications Systems ManagerCommented:
Do you have any way of seeing where the SMTP traffic is being generated on your network? (i.e. Egress filtering on the firewall).

I'm thinking that if the traffic is coming from your IP (which is why it is blacklisted)...  you may have a compromised host on your network.

The easiest way to detect that is to filter egress traffic.    The only device on your network that should be generating SMTP traffic leaving your network is your mail server (with a few exceptions).

Find out what is sending email out... and you can at least isolate the compromised host.
0
lappladminAuthor Commented:
What are the methods you can use to capture the SMTP traffic and determine the compromised host on our network?
0
Jeff RodgersNetworks & Communications Systems ManagerCommented:
What kind of firewall are you using on your network?   Does it include any monitoring or reporting?  Filter on the outgoing SMTP traffic to see what is happening

There are other ways of doing it... but you should work within the realm of abilities and resources you have available.

For instance...  you could setup a Snort IDS, a Proxy server and a Syslog server.  Route all your configurable web traffic thru the proxy...  anything outside of the allowed traffic that then goes thru your firewall would be detected and reported back via syslog and would be worth looking at.    Gets technical.

If you are not technically minded, you would be better served bringing in an outside party who specializes in this type of thing.
0
GeNeRaL971Commented:
Hi lappladmin

"what are the method you can use to capture the smtp traffic"

You can use a sniffer  

Wireshark: https://www.wireshark.org/

With this you can determine the compromised host on your network.
0

Jeff RodgersNetworks & Communications Systems ManagerCommented:
Sniffer is great at broadcast traffic,  not so much with directed traffic and would require a switch in place that allows for port monitoring.
0
lappladminAuthor Commented:
Jeff - We have a Cisco ASA 5505 firewall. Not sure if this can give us the ability to export the log from yesterday.
0
Jeff RodgersNetworks & Communications Systems ManagerCommented:
Could not tell you how as I am not a Cisco guy... BUT it is possible to send Cisco ASA logs to a SYSLOG device and then Parse that.

Here is something off a Cisco board that may help point you in the right direction

https://supportforums.cisco.com/discussion/11749911/set-syslog-server-asa

I personally use the Kiwi Syslog server... the advantage of which is you can configure rules to notify you when a certain pattern is matched (i.e.  SMTP traffic not from a specified mail server IP)....

Takes a little tinkering, but you probably should be monitoring what is arriving AND leaving your network.
0
Simon Butler (Sembee)ConsultantCommented:
The easiest way is to block port 25 for everything but the Exchange server, then use syslog (which is easily configured from the Cisco ASA) to send the logs for all blocking to a machine you can monitor. The compromised machine will quickly stick out.

If you are using a cloud based solution, then hopefully you are sending your outbound email via them as well? If not, then I would configure the service and server to do that. That will allow your email to continue to flow while you find the culprit.

This is one of the many reasons why I like Exchange to have its own external IP address. If a workstation gets compromised then it doesn't affect the main email server.

Simon.
0
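Jeff's suggestion of a syslog rule for "SMTP traffic not from a specified mail server IP" and Simon's of blocking port 25 for everything but Exchange and shipping the deny logs to syslog both come down to the same parsing job. The script below is an added example, not code from the thread or from any participant; it assumes the ASA logs to syslog, that the internal interface is named "inside", and that the Exchange server is 192.168.1.2 as the author states. The sample log lines are constructed in the standard ASA 106023 (ACL deny) and 302013 (connection built) message formats; they are not from the author's firewall.

```python
import re
from collections import Counter

# Assumed for this example: the ASA interface facing the LAN and the
# Exchange server's internal address (the latter is the one the thread gives).
INSIDE_IFACE = "inside"
MAIL_SERVER = "192.168.1.2"
SMTP_PORT = 25

# Constructed ASA syslog lines, not taken from the thread.
# 106023 = packet denied by an ACL, 302013 = TCP connection was built (permitted).
SAMPLE_SYSLOG = """\
Jun 16 2015 15:57:52 asa5505 %ASA-6-302013: Built outbound TCP connection 10001 for outside:64.235.154.109/25 (64.235.154.109/25) to inside:192.168.1.2/49152 (203.0.113.10/49152)
Jun 16 2015 15:58:01 asa5505 %ASA-4-106023: Deny tcp src inside:192.168.1.57/50112 dst outside:198.51.100.20/25 by access-group "inside_in" [0x0, 0x0]
Jun 16 2015 15:58:02 asa5505 %ASA-4-106023: Deny tcp src inside:192.168.1.57/50113 dst outside:198.51.100.21/25 by access-group "inside_in" [0x0, 0x0]
Jun 16 2015 15:58:05 asa5505 %ASA-6-302013: Built outbound TCP connection 10002 for outside:198.51.100.30/443 (198.51.100.30/443) to inside:192.168.1.40/50200 (203.0.113.10/50200)
"""

# Message id and verb, e.g. "%ASA-4-106023: Deny" or "%ASA-6-302013: Built".
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?P<action>Deny|Built)")
# Every "interface:ip/port" token; the parenthesised NAT-mapped forms have no
# interface prefix and are therefore skipped.
ENDPOINT_RE = re.compile(r"(?P<iface>\w+):(?P<ip>\d+\.\d+\.\d+\.\d+)/(?P<port>\d+)")


def parse_smtp_events(syslog_text):
    """Return one event per line describing a TCP flow from an inside host to port 25.

    Each event records the inside source address, the remote SMTP server and
    whether the firewall denied or built the connection.
    """
    events = []
    for line in syslog_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        endpoints = ENDPOINT_RE.findall(line)
        smtp_side = [e for e in endpoints if int(e[2]) == SMTP_PORT]
        inside_side = [e for e in endpoints
                       if e[0] == INSIDE_IFACE and int(e[2]) != SMTP_PORT]
        if not smtp_side or not inside_side:
            continue  # not an outbound SMTP flow (other port, or inbound to Exchange)
        events.append({
            "msg_id": m.group("id"),
            "action": m.group("action"),
            "src": inside_side[0][1],
            "dst": smtp_side[0][1],
        })
    return events


def unexpected_senders(events, mail_server=MAIL_SERVER):
    """Count outbound SMTP attempts per inside host, excluding the mail server.

    Any host that appears here is talking SMTP to the internet when only the
    Exchange server should be, which is exactly what Jeff and Simon say to look for.
    """
    return Counter(e["src"] for e in events if e["src"] != mail_server)


if __name__ == "__main__":
    found = parse_smtp_events(SAMPLE_SYSLOG)
    for host, count in unexpected_senders(found).most_common():
        print(f"{host}: {count} outbound SMTP attempt(s) not from the mail server")
```

The deny lines only exist once an outbound rule restricting TCP/25 to the Exchange server is in place, so the ACL and the log rule go together; until then the 302013 "Built" lines are the only evidence, and the parser treats both the same way.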
lappladminAuthor Commented:
Simon

1. I am not a Cisco guy. Do you have any guide or instruction to set that up?

2. We do have a dedicated ip for our exchange server.
0
Jeff RodgersNetworks & Communications Systems ManagerCommented:
Simon,  thanks for so eloquently phrasing what I was thinking.   The crux of which is to figure out where the email is coming from.

If the email is coming from the server it will hash out...  If it isn't and is coming from another host, it will show itself on the Syslog server.

Hopefully it is easily revealed once he can see what is crossing the threshold of his network.
0
lappladminAuthor Commented:
Just downloaded Wireshark. Not sure how to interpret this log; can anyone give me some of your expert advice about it?

NOTES: 192.168.1.2 is our mail server internal ip address. Any 64.235.154.0 - 64.235.154.254 range is the Barracuda cloud based solution ip.

"No.","Time","Source","Destination","Protocol","Length","Info"
"208","2.251661000","50.2.33.153","192.168.1.2","SMTP","72","C: RSET"
"277","3.257089000","192.168.1.2","50.2.33.153","SMTP","87","S: 250 2.0.0 Resetting"
"280","3.277567000","50.2.33.153","192.168.1.2","SMTP","198","C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"288","3.280626000","192.168.1.2","50.2.33.153","SMTP","111","S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"407","3.574958000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"409","3.674384000","50.2.33.153","192.168.1.2","SMTP","198","[TCP Retransmission] C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"468","4.175004000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"469","4.194888000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"470","4.194976000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"473","4.195513000","50.2.33.153","192.168.1.2","SMTP","659","C: DATA fragment, 1961 bytes"
"479","4.398909000","192.168.1.2","50.2.33.153","SMTP","164","S: 250 2.6.0 <ld81318638018131863-17440122gcjdeleted_user@mydomain.com016p> Queued mail for delivery"
"485","4.622006000","50.2.33.153","192.168.1.2","SMTP","72","C: DATA fragment, 6 bytes"
"486","4.622238000","192.168.1.2","50.2.33.153","SMTP","114","S: 221 2.0.0 Service closing transmission channel"
"3629","77.017272000","192.168.1.2","64.235.154.109","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:52 -0700"
"3631","77.036283000","64.235.154.109","192.168.1.2","SMTP","97","C: EHLO mail14.ess.barracuda.com"
"3632","77.036423000","192.168.1.2","64.235.154.109","SMTP","324","S: 250 mail.mydomain.local Hello [64.235.154.109] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3634","77.055769000","64.235.154.109","192.168.1.2","SMTP","76","C: STARTTLS"
"3635","77.055857000","192.168.1.2","64.235.154.109","SMTP","95","S: 220 2.0.0 SMTP server ready"
"3730","79.637125000","192.168.1.2","64.235.153.8","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:55 -0700"
"3732","79.702001000","64.235.153.8","192.168.1.2","SMTP","96","C: EHLO mail0.ess.barracuda.com"
"3733","79.702283000","192.168.1.2","64.235.153.8","SMTP","322","S: 250 mail.mydomain.local Hello [64.235.153.8] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3734","79.766432000","64.235.153.8","192.168.1.2","SMTP","76","C: STARTTLS"
"3735","79.766640000","192.168.1.2","64.235.153.8","SMTP","95","S: 220 2.0.0 SMTP server ready"
"4015","82.530810000","144.160.235.143","192.168.1.2","SMTP","152","S: 220 alph143.prodigy.net ESMTP Sendmail 8.14.4 IN nd2 TLS/8.14.4; Tue, 16 Jun 2015 18:58:27 -0400"
0
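The export above can be read packet by packet by asking which end of each SMTP exchange is the author's mail server and whether the other end sits inside the range he lists as the Barracuda filter. The script below is an added example, not code from the thread or from any participant; it uses the mail server address (192.168.1.2) and the filter range (64.235.154.0/24) exactly as the author gave them, relies on Wireshark's own "C:"/"S:" prefix to tell which side is speaking, and embeds a few rows copied from the export plus one constructed row showing what a non-mail-server host speaking SMTP would look like on a mirrored switch port.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Values taken from the thread: the Exchange server's internal address and the
# range the author identifies as the Barracuda cloud filter.
MAIL_SERVER = "192.168.1.2"
FILTER_NETS = [ip_network("64.235.154.0/24")]

# Same CSV layout as the Wireshark export in the thread. The first five rows are
# copied from it; the last row is constructed (it is not in the author's capture)
# to show a workstation talking SMTP directly to the internet.
SAMPLE_CSV = '''\
"No.","Time","Source","Destination","Protocol","Length","Info"
"280","3.277567000","50.2.33.153","192.168.1.2","SMTP","198","C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"288","3.280626000","192.168.1.2","50.2.33.153","SMTP","111","S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"3631","77.036283000","64.235.154.109","192.168.1.2","SMTP","97","C: EHLO mail14.ess.barracuda.com"
"3732","79.702001000","64.235.153.8","192.168.1.2","SMTP","96","C: EHLO mail0.ess.barracuda.com"
"4015","82.530810000","144.160.235.143","192.168.1.2","SMTP","152","S: 220 alph143.prodigy.net ESMTP Sendmail 8.14.4 IN nd2 TLS/8.14.4; Tue, 16 Jun 2015 18:58:27 -0400"
"5001","90.100000000","192.168.1.57","198.51.100.20","SMTP","84","C: EHLO workstation57"
'''


def _is_filter_ip(ip):
    return any(ip_address(ip) in net for net in FILTER_NETS)


def classify_row(row, mail_server=MAIL_SERVER):
    """Return (host, category) for one SMTP row, or None if it is not classifiable.

    Categories: inbound-via-filter, inbound-direct, outbound-from-mail-server,
    smtp-from-other-host. For the first three, host is the remote address; for
    the last it is the internal client address.
    """
    if row["Protocol"] != "SMTP":
        return None
    # Wireshark marks the speaking side as "C:" (client) or "S:" (server);
    # retransmissions carry an extra prefix that is stripped first.
    info = row["Info"].replace("[TCP Retransmission] ", "")
    if not info.startswith(("C:", "S:")):
        return None
    src, dst = row["Source"], row["Destination"]
    client_speaking = info.startswith("C:")

    if mail_server in (src, dst):
        remote = src if dst == mail_server else dst
        # Our server is the SMTP server if the remote is the one sending "C:" lines
        # or our server is the one sending "S:" lines; otherwise we initiated it.
        we_are_server = (dst == mail_server) == client_speaking
        if we_are_server:
            category = "inbound-via-filter" if _is_filter_ip(remote) else "inbound-direct"
        else:
            category = "outbound-from-mail-server"
        return remote, category

    # Neither endpoint is the mail server: some other host is speaking SMTP.
    client = src if client_speaking else dst
    return client, "smtp-from-other-host"


def session_summary(csv_text):
    """Group the hosts seen in the export by category."""
    summary = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = classify_row(row)
        if result:
            host, category = result
            summary[category].add(host)
    return summary


if __name__ == "__main__":
    for category, hosts in sorted(session_summary(SAMPLE_CSV).items()):
        print(f"{category}: {', '.join(sorted(hosts))}")
```

Hosts in the inbound-direct set reached the Exchange server on port 25 without coming from the listed filter range. Before reading that as a firewall rule that admits anyone, note the classifier goes by address only: the export itself contains a relay outside 64.235.154.0/24 that announces itself as a barracuda.com host, so the range list should be checked against the provider's published addresses first. Anything in smtp-from-other-host is an internal machine acting as its own mail client, which is the host the earlier replies say to isolate; a capture taken on the mail server alone will not contain such rows, only one taken from a mirrored port or the firewall will.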
Simon Butler (Sembee)ConsultantCommented:
I cannot help with Cisco queries. Dropped Cisco years ago. When I did have it, I had support on them - if I wanted anything changed I got Cisco to do it for me.
If you have a dedicated IP address for Exchange and are still getting blacklisted, then I would be checking the NAT is correct - ie so the traffic is coming out on the correct address.

Simon.
0
lappladminAuthor Commented:
Hi GeNeRaL971,

any input on the Wireshark output?
0
lappladminAuthor Commented:
Thanks for all the inputs. Very useful, and we were able to identify where the issue was.
0
Question has a verified solution.