
Troubleshooting question: Spam Attack - Exchange 2010

Asked by Jer
Tags: Networking, Exchange, Security, Network Security, Cyber Security

A few days ago, we had an email attack that resulted in hundreds of emails being sent (or attempted to be sent) through our Exchange 2010 server and our ZixGateway secure email appliance.  Fortunately, most emails appear to have been held in queue on our Zix appliance, preventing delivery and allowing us to avoid being blacklisted.  Unfortunately, I'm the only network admin and I was on PTO at the time of the attack.  Even more unfortunate, my company has yet to approve any syslog solution, much less a SIEM product.  So, the information available to me is somewhat limited.  The thing that seemed to stop the attack was changing the network password of the impacted user.  This really concerns me, as the user is a domain admin.  Anyhow, in the Exchange logs, I have found several examples similar to the following:

2017-04-20T15:42:25.101Z,,[],,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906989,<166B4AF1-5FD1-7A40-8DF5-73A7A49B6C37@domain1.com>,tsummerr@gmail.com,,3265,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:25.164Z,,EmailServer01,,smarthost.domain1.com,08D46E4C20584263;250 2.0.0 Ok: queued as C2989301D66,Zix Mail Send Connector,SMTP,SEND,7906989,<166B4AF1-5FD1-7A40-8DF5-73A7A49B6C37@domain1.com>,tsummerr@gmail.com,250 2.1.5 Ok,4171,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:24.493Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,
2017-04-20T15:42:26.428Z,,[],,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906990,<243B183E-06D5-F898-4721-CB8FD77FB964@domain1.com>,brinks0610@gmail.com,,3234,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:26.490Z,,EmailServer01,,smarthost.domain1.com,08D46E4C20584265;250 2.0.0 Ok: queued as 1E3FF301D66,Zix Mail Send Connector,SMTP,SEND,7906990,<243B183E-06D5-F898-4721-CB8FD77FB964@domain1.com>,brinks0610@gmail.com,250 2.1.5 Ok,4162,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:25.882Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,
2017-04-20T15:42:27.754Z,,[],,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906991,<F8FD26EE-3C0F-E8C2-BF2F-1AC549CC6128@domain1.com>,johannahrodriguez@yahoo.com,,3298,1,,,Hi johannah .,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:27.816Z,,EmailServer01,,smarthost.domain1.com,08D46E4C2058426A;250 2.0.0 Ok: queued as 6E181301D66,Zix Mail Send Connector,SMTP,SEND,7906991,<F8FD26EE-3C0F-E8C2-BF2F-1AC549CC6128@domain1.com>,johannahrodriguez@yahoo.com,250 2.1.5 Ok,4204,1,,,Hi johannah .,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:27.208Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,

What I'm trying to figure out is the method of the attack and the source.  We don't allow relaying.  I have very limited firewall (SonicWALL router) logs and no Security logs from any server.  I suspect that this is a relaying attack (from several IP addresses), but it could also be a compromised device within our network.  Unfortunately, without Security logs, it seems pretty tough to confirm much.

As such, I'm hoping that someone out there can help shed some light on what I should do and look for.  I'm not comfortable at all with simply changing a password.

I appreciate any assistance.

Thank you,
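Added example, not from the question or any answer on this page: a small Python parser for Exchange 2010 message tracking records in the layout of the excerpt above, which groups RECEIVE events by sender, connector and client IP in one-minute windows and counts recipient and subject spread, the two things that separate a scripted run like the one shown from ordinary user mail. The field list is the Exchange 2010 message tracking CSV header; the sample records, their client IPs and the threshold are constructed for the demonstration.

```python
import csv
from collections import Counter
from datetime import datetime, timezone

# Column order of an Exchange 2010 message tracking log record (the product's CSV header).
FIELDS = ["date-time", "client-ip", "client-hostname", "server-ip", "server-hostname",
          "source-context", "connector-id", "source", "event-id", "internal-message-id",
          "message-id", "recipient-address", "recipient-status", "total-bytes",
          "recipient-count", "related-recipient-address", "reference", "message-subject",
          "sender-address", "return-path", "message-info", "directionality", "tenant-id",
          "original-client-ip", "original-server-ip", "custom-data"]

# Constructed sample records in the layout of the question's excerpt. The client IPs
# (203.0.113.7, 198.51.100.9) are documentation addresses, not values from the question.
SAMPLE_LOG = r"""
2017-04-20T15:42:25.101Z,203.0.113.7,[],10.0.0.5,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906989,<m1@domain1.com>,tsummerr@gmail.com,,3265,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:25.164Z,,EmailServer01,,smarthost.domain1.com,08D46E4C20584263;250 2.0.0 Ok: queued as C2989301D66,Zix Mail Send Connector,SMTP,SEND,7906989,<m1@domain1.com>,tsummerr@gmail.com,250 2.1.5 Ok,4171,1,,,Hello tatiana !,user1@domain1.com,user1@domain1.com,2017-04-20T15:42:24.493Z;SRV=EmailServer01.domain1.com:TOTAL=0,Originating,,,,
2017-04-20T15:42:26.428Z,203.0.113.7,[],10.0.0.5,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906990,<m2@domain1.com>,brinks0610@gmail.com,,3234,1,,,Good day ryan _,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:27.754Z,203.0.113.7,[],10.0.0.5,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906991,<m3@domain1.com>,johannahrodriguez@yahoo.com,,3298,1,,,Hi johannah .,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:29.002Z,203.0.113.7,[],10.0.0.5,EmailServer01,08D46E4C20583FF6;2017-04-20T15:38:52.419Z;0,EmailServer01\Client EmailServer01,SMTP,RECEIVE,7906992,<m4@domain1.com>,someone@example.net,,3301,1,,,Hello alex !,user1@domain1.com,user1@domain1.com,06I: NTS: ,Originating,,,,S:FirstForestHop=EmailServer01.domain1.com
2017-04-20T15:42:30.510Z,198.51.100.9,mail.example.org,10.0.0.5,EmailServer01,08D46E4C20583FF7;2017-04-20T15:42:30.100Z;0,EmailServer01\Default EmailServer01,SMTP,RECEIVE,7906993,<x9@example.org>,user2@domain1.com,,5120,1,,,Invoice,partner@example.org,partner@example.org,0cI: ,Incoming,,,,S:FirstForestHop=EmailServer01.domain1.com
"""

def parse_tracking_log(text):
    """Parse tracking-log CSV text into dicts keyed by FIELDS; truncated records are skipped."""
    rows = []
    for rec in csv.reader(text.strip().splitlines()):
        if len(rec) == len(FIELDS):
            rows.append(dict(zip(FIELDS, rec)))
    return rows

def receive_bursts(rows, window_seconds=60, threshold=3):
    """Count RECEIVE events per (sender, connector, client-ip) in fixed windows and return the
    buckets at or above threshold. The connector shows which path accepted the mail (the
    'Client <server>' connector is Exchange 2010's authenticated submission connector by default)."""
    buckets = Counter()
    for r in rows:
        if r["event-id"] != "RECEIVE":
            continue
        ts = datetime.strptime(r["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        window = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[(r["sender-address"], r["connector-id"], r["client-ip"] or "?", window)] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

def recipient_spread(rows, sender):
    """Distinct recipients and subjects among a sender's RECEIVE events; a templated spam run
    shows many of each, a legitimate mailing usually shows one subject."""
    hits = [r for r in rows if r["event-id"] == "RECEIVE" and r["sender-address"] == sender]
    return len({r["recipient-address"] for r in hits}), len({r["message-subject"] for r in hits})
```

On the sample data only the user1 / Client-connector / 203.0.113.7 bucket crosses the threshold (4 submissions in one minute, 4 distinct recipients, 4 distinct subjects); the same functions can be pointed at the real MSGTRK*.LOG files once their header line is dropped.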

Answered by Adam Brown, Cloud Security Consultant