Spam Attack - Exchange 2010

Troubleshooting question asked by Jer (United States). Topics: Exchange, Networking, Security, Cyber Security, Network Security.
Greetings,

A few days ago, we had an email attack that resulted in hundreds of emails being sent (or attempted to be sent) through our Exchange 2010 server and our ZixGateway secure email appliance. Fortunately, most emails appear to have been held in queue on our Zix appliance, preventing delivery and allowing us to avoid being blacklisted. Unfortunately, I'm the only network admin and I was on PTO at the time of the attack. Even more unfortunate, my company has yet to approve any syslog solution, much less a SIEM product. So, the information available to me is somewhat limited. The thing that seems to have stopped the attack was changing the network password of the impacted user. This really concerns me, as the user is a domain admin. Anyhow, in the Exchange logs, I have found several examples similar to the following:

2017-04-20T15:42:25.101Z,162.246.25.243,[10.0.0.7],192.168.1.125,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906989,<166B4AF1-5FD1-7A40-8DF5-73A7A49B6C37@domain1.com>,tsummerr@gmail.com,,3265,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,162.246.25.243,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:25.164Z,192.168.1.129,EmailServer01,192.168.1.128,smarthost.domain1.com,08D46E4C20584263;250 2.0.0 Ok: queued as C2989301D66,Zix Mail Send Connector,SMTP,SEND,7906989,<166B4AF1-5FD1-7A40-8DF5-73A7A49B6C37@domain1.com>,tsummerr@gmail.com,250 2.1.5 Ok,4171,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:24.493Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,
2017-04-20T15:42:26.428Z,162.246.25.243,[10.0.0.7],192.168.1.125,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906990,<243B183E-06D5-F898-4721-CB8FD77FB964@domain1.com>,brinks0610@gmail.com,,3234,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,162.246.25.243,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:26.490Z,192.168.1.129,EmailServer01,192.168.1.128,smarthost.domain1.com,08D46E4C20584265;250 2.0.0 Ok: queued as 1E3FF301D66,Zix Mail Send Connector,SMTP,SEND,7906990,<243B183E-06D5-F898-4721-CB8FD77FB964@domain1.com>,brinks0610@gmail.com,250 2.1.5 Ok,4162,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:25.882Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,
2017-04-20T15:42:27.754Z,162.246.25.243,[10.0.0.7],192.168.1.125,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906991,<F8FD26EE-3C0F-E8C2-BF2F-1AC549CC6128@domain1.com>,johannahrodriguez@yahoo.com,,3298,1,,,Hi johannah .,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,162.246.25.243,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:27.816Z,192.168.1.129,EmailServer01,192.168.1.128,smarthost.domain1.com,08D46E4C2058426A;250 2.0.0 Ok: queued as 6E181301D66,Zix Mail Send Connector,SMTP,SEND,7906991,<F8FD26EE-3C0F-E8C2-BF2F-1AC549CC6128@domain1.com>,johannahrodriguez@yahoo.com,250 2.1.5 Ok,4204,1,,,Hi johannah .,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:27.208Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,

What I'm trying to figure out is the method of the attack and the source. We don't allow relaying. I have very limited firewall (SonicWALL router) logs and no Security logs from any server. I suspect that this is a relaying attack (from several IP addresses), but it could also be a compromised device within our network. Unfortunately, without Security logs, it seems pretty tough to confirm much.

As such, I'm hoping that someone out there can help shed some light on what I should do and look for.  I'm not comfortable at all with simply changing a password.

I appreciate any assistance.

Thank you,

Jeremy
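One way to pull the relevant facts out of the tracking log, as an added example (not from the question or from any answer on the page): parse Exchange 2010 message-tracking CSV lines, keep only RECEIVE events that arrived on the Client receive connector (the one that accepts authenticated submission), and report those whose client IP lies outside the internal address ranges, grouped by source IP and the sender they authenticated as. The column order is the standard Exchange 2010 layout; the internal networks and the sample lines are assumptions constructed to mirror the lines above.

```python
"""Triage of Exchange 2010 message-tracking CSV for authenticated-submission abuse."""
import csv
import io
import ipaddress

# Column positions in an Exchange 2010 message tracking log (standard field order,
# assumed here); only the columns the check uses are named.
CLIENT_IP, CONNECTOR, EVENT_ID, RECIPIENT, SENDER = 1, 6, 8, 11, 18

# Constructed sample, modelled on the lines in the question: two submissions from a
# public IP on the Client (authenticated) receive connector, the matching SEND through
# the Zix smarthost, one submission from an internal workstation, and one ordinary
# inbound message arriving on the Default connector. All values are invented.
SAMPLE_LOG = r"""#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2017-04-20T15:42:25.101Z,162.246.25.243,[10.0.0.7],192.168.1.125,EmailServer01,08D4;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906989,<m1@domain1.com>,tsummerr@gmail.com,,3265,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,162.246.25.243,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:25.164Z,192.168.1.129,EmailServer01,192.168.1.128,smarthost.domain1.com,08D4;250 2.0.0 Ok,Zix Mail Send Connector,SMTP,SEND,7906989,<m1@domain1.com>,tsummerr@gmail.com,250 2.1.5 Ok,4171,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,,Originating,,,,
2017-04-20T15:42:26.428Z,162.246.25.243,[10.0.0.7],192.168.1.125,EmailServer01,08D4;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906990,<m2@domain1.com>,brinks0610@gmail.com,,3234,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,162.246.25.243,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:50:01.000Z,192.168.1.50,WORKSTATION07,192.168.1.125,EmailServer01,08D4;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906995,<m3@domain1.com>,user2@domain1.com,,2100,1,,,Lunch?,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,192.168.1.50,192.168.1.125,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:51:10.000Z,203.0.113.5,mx.example.net,192.168.1.125,EmailServer01,08D4;0,EmailServer01\Default EmailServer01,SMTP,RECEIVE,7906996,<x@example.net>,user1@domain1.com,,5000,1,,,Re: invoice,friend@example.net,friend@example.net,,Incoming,,203.0.113.5,192.168.1.125,
"""


def triage(log_text, internal_nets=("10.0.0.0/8", "192.168.0.0/16")):
    """Return {(client_ip, sender): [recipients]} for RECEIVE events that came
    through the Client receive connector from outside the internal networks.
    internal_nets is an assumed site-specific list, not an Exchange setting."""
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings = {}
    for cols in csv.reader(io.StringIO(log_text)):
        # Skip the '#Software/#Fields' header lines and anything not a RECEIVE event.
        if len(cols) < 26 or cols[0].startswith("#") or cols[EVENT_ID] != "RECEIVE":
            continue
        # Only the Client connector (authenticated submission) is of interest;
        # inbound MX traffic on the Default connector is expected to be external.
        if "\\Client " not in cols[CONNECTOR]:
            continue
        ip = ipaddress.ip_address(cols[CLIENT_IP])
        if any(ip in net for net in internal):
            continue
        findings.setdefault((cols[CLIENT_IP], cols[SENDER]), []).append(cols[RECIPIENT])
    return findings


if __name__ == "__main__":
    for (ip, sender), rcpts in triage(SAMPLE_LOG).items():
        print(f"{ip} submitted {len(rcpts)} message(s) as {sender} via the Client connector")
```

Run against the real log directory (the files under TransportRoles\Logs\MessageTracking) the same way, and a single external IP authenticating as one mailbox with many distinct recipients is the pattern to compare against the firewall and connector configuration.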
ASKER CERTIFIED SOLUTION
Adam Brown
Cloud Security Consultant
