Stop External IP address relaying through Exchange on our Watchguard Firewall

Hi,

We've just found out our 2011 SBS Server has been sending out spam emails by their thousands. I've checked that there is no open relay in Exchange 2010 (and there isn't) and turned off all PCs on the network, but the spam emails keep coming, so I'm pretty sure they are coming from the server. I have virus scanned the server and it seems clean. I've found that all the spam emails are coming from the same external IP address.

The network is protected by a Watchguard XTM25 firewall. My question is: can someone please talk a newcomer to Watchguards through how to set up a way of blocking these emails coming in from that IP address on port 25?

Many thanks

Adam
Gavin Reid asked:
Alan (Consultant) commented:
Hi Adam,

Please can you clarify.  You say:

We've just found out our 2011 SBS Server has been sending out spam emails by their thousands.  I've checked that there is no open relay in Exchange 2010 (and there isn't) and turned off all PC's on the network but the spam emails keep coming so pretty sure they are coming from the server.  Have virus scanned the server and it seems clean.  

but also:

I've found that all the spam emails are all coming from the same external IP address.

The first part implies the spam is being generated on your SBS2011, which will be an internal IP address, but the second part implies that the spam is being generated from some external IP address (not your SBS2011).


Please can you help me reconcile the two statements so we know what to look at?

Thanks,

Alan.
0
Mal Osborne (Alpha Geek) commented:
Pretty sure that the default setting on an SBS Exchange box is to allow relaying for users who can successfully authenticate. This means that if you have just one idiot user who is too stupid to set a proper password, and a script kiddie guesses it, you will be wildly sending spam.
1
masnrock commented:
Have you checked to make sure that no accounts have been compromised? Also make sure you didn't leave some random backdoor like RDP.
0
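The two abuse paths Mal and masnrock describe (an open relay, and a compromised account relaying through an authenticated connection) can be checked from the Exchange Management Shell on the SBS 2011 box. This is an added example, not code from the thread; the server name SBS01 is a placeholder.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell checks for
# an open relay and for authenticated-relay abuse. "SBS01" is a placeholder
# server name; adjust -Server and the time window for your environment.

# 1. Relay permissions: a receive connector that grants
#    ms-Exch-SMTP-Accept-Any-Recipient to the anonymous logon is an open relay.
Get-ReceiveConnector -Server SBS01 | Get-ADPermission |
    Where-Object {
        $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" -and
        $_.User -like "*Anonymous*"
    } | Select-Object Identity, User, ExtendedRights

# 2. Which connectors accept authenticated submissions, and from where?
#    Basic/Integrated auth on a connector bound to the external interface is
#    what lets one guessed password turn the server into a spam source.
Get-ReceiveConnector -Server SBS01 |
    Select-Object Name, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups |
    Format-List

# 3. Submission volume by client IP and sender over the last 24 hours.
#    One IP/sender pair with thousands of RECEIVE events over SMTP is the
#    compromised account (or abusing host) to act on first.
$since = (Get-Date).AddHours(-24)
Get-MessageTrackingLog -Server SBS01 -Start $since -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ClientIp, Sender |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

If step 3 shows an internal mailbox address submitting from an internet IP, reset that account's password and then restart the Transport service so the existing authenticated sessions are dropped.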
Ronin commented:
Enable logging on the outbound traffic and filter by source IP to see which one uses outbound TCP 25. This is done by enabling logging on the rule that covers that traffic pattern.

Allowing outbound 25 only from specific IPs on the internal network is one of the best practices.
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/fireware_help_front.html
https://www.watchguard.com/wgrd-help/documentation/xtm
0
Gavin Reid (Author) commented:
Hi Alan,

The spam emails are in the smtp queue on the exchange server but when you open one from the queue it states that the source of the email was an external IP address, therefore the email is originating externally and going through the Exchange server I guess.

Masnrock and Mal, that's a good point; I think I should get everyone to change their password, just in case.

Ronin, thanks for your response; unfortunately, the links you sent don't tell me how to achieve what I need to do, they just take me to the help search. All the results I've found using that earlier were rather vague and unhelpful, unfortunately.
0
Alan (Consultant) commented:
Hi Adam,

Does that mean that they are 'stuck' in the queue?

Are you able to post the details from an example item (put it in code tags or paste into a txt file and post that - whatever is easiest).

Thanks,

Alan.
0
masnrock commented:
I'm going to assume that you have an external spam filtering service.

You have a rule allowing inbound SMTP traffic. Open it up and see its allowed sources. If the answer to that is "any", then you need to change it to the IP address block of your spam filtering service. The same holds true for outbound SMTP traffic (which is what Ronin referenced), except you want to restrict the destinations.

These links talk about the Policy Manager, and what to look at within policies:
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/policies/add_policy_c.html
https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/policies/policy_mgr_about_wsm.html
0
Alan (Consultant) commented:
Hi Adam,

From what you have posted, it sounds to me like what you are seeing in the queue might be bounce reports and / or read receipts being generated when your users open spam emails.

Since the source email address for spam is nearly always faked, the return emails are getting stuck in your queue as they cannot be delivered.

If so, then all you can really do is:

1) Try to train your users so they open less spam (always a good idea as it can often contain malware too)

2) Periodically (daily, weekly - whatever works for you) delete from the queue those items that cannot be delivered


That should solve your problem as far as it can be solved.

Thanks,

Alan.
0
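Alan's backscatter theory can be confirmed or ruled out from the queue itself before anything is deleted. This is an added example, not code from the thread; SBS01 is a placeholder server name. Exchange-generated bounce reports carry the null sender, which the queue shows as "<>".

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell triage of a
# queue full of suspected backscatter. "SBS01" is a placeholder server name.

# 1. Summarise what is queued, by queue and by sender, before deleting anything.
Get-Queue -Server SBS01 | Where-Object { $_.MessageCount -gt 0 } |
    Select-Object Identity, DeliveryType, Status, MessageCount, NextHopDomain, LastError

Get-Message -Server SBS01 -ResultSize Unlimited |
    Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 2. Null-sender items are bounce reports. If the originals were inbound spam
#    with forged senders, these are backscatter that can never be delivered.
Get-Message -Server SBS01 -Filter { FromAddress -eq "<>" } -ResultSize Unlimited |
    Select-Object -First 5 Identity, Queue, Subject, Status, LastError

# 3. Remove the bounce reports WITHOUT generating a further NDR, otherwise the
#    cleanup itself creates another round of undeliverable mail.
Get-Message -Server SBS01 -Filter { FromAddress -eq "<>" } -ResultSize Unlimited |
    Remove-Message -WithNDR $false -Confirm:$false

# If step 1 shows real internal mailbox addresses as FromAddress instead of "<>",
# the queued mail is not bounces: treat it as a relay or compromised-account
# problem and go back to the receive connector and tracking-log checks.
```

Run step 3 only after step 2 confirms the null-sender items are bounces for mail you never sent; scheduling it as Alan suggests (daily or weekly) keeps the queue from filling up again.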
Alan (Consultant) commented:
Various options and solutions provided.
0