DP230
[Sonicwall ES7000] A flood has been noticed in outbound traffic from user ID
Dear Experts, I have this issue with Dell SonicWall:
The mail server is Exchange 2016 on Windows 2012 R2; the AV is Kaspersky.
We tried:
- Disabling this email account
- Reinstalling the app and formatting all of the user's devices that had email installed
- Creating a rule in the Transport settings in ECP to block email from this account
BUT we still receive this notification every 15 minutes from the SonicWall. Can you please advise?
----------------------------------------------------------------
~~ SonicWALL Email Security Alert (9.0.5.2079) ~~
----------------------------------------------------------------
[Summary: A flood has been noticed in outbound traffic from
user ID (mallikarjun.k@xxxxxx)]
Details:
Host Name: gw.xxxxxx.com
Description: Number of messages sent from email ID
(mallikarjun.k@xxxxxxx) in the scheduled
interval has exceeded the flood protection
threshold.
Time Stamp:
Local Time: Mon Oct 22 13:00:01 2018
GMT: Mon Oct 22 06:00:01 2018
Additional Information:
Recommended Action: User's machine may have been affected.
Please check for zombies.
Alert Configuration Page: https://gw.xxxxxx.com:443/virus_config.html?bound=1&hopto=virus_config.html%3Fbound%3D1
General Alert Settings: https://gw.xxxxxx.com:443/settings_monitoring.html?hopto=settings_monitoring.html
ASKER
When I checked the user's mailbox, Sent Items is empty, but the Inbox is full of non-delivery messages. So, is it possible that someone faked this sender and sent bulk emails to the outside?
The email flood is outbound, so the emails are going from inside to outside.
If the flood came from outside, the email security appliance itself would block the flood, and the reports would be different.
All the best.
> when I checked the user's mailbox, the sent items are empty, but the Inbox is full of undelivery messages.
Did you check the server logs for outbound messages from that account? Their account may have been compromised. Reset the password immediately. Also consider reimaging the user's system.
> So, is it possible to someone fake this sender and sent bulk emails to outside?
If that were true, then the faking party is doing it from inside the firewall, which would still be a major red flag. As I already said, look at the server logs, not the account. Those tracks are harder to cover.
Do you have an RDP server? You may also want to check that. It is possible someone managed to brute-force their way into someone's account that way (this also becomes a red flag in terms of the safety of your data, because it leaves a door open to ransomware).
You need to do the following:
1) Restrict your firewall rules so that outbound mail can only come from authorized systems (which I assume would be your ESA device). This assumes you haven't already done this.
2) Reset the account in question
3) Check the server logs for your mail server
4) Check the user system itself for any signs of compromise, including a mysteriously installed mail server
5) if #4 holds true, back up and reimage the system (or replace the system and do forensics on the old one in an isolated environment)
6) Check mail server for any signs of compromise
7) Work on user awareness training
You also may want to look into whether you've been getting alerts on other users.
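Steps 3 and 6 above (check the mail server logs, and check whether other senders are affected) as an added worked example; this is not code from the thread. It runs in the Exchange Management Shell on the Exchange 2016 server. The sender address is the one from the SonicWall alert (its domain is redacted in the post, so substitute the real one); the 7-day look-back window is an assumption.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell on
# the Exchange 2016 server. The sender address is the one from the SonicWall alert (domain
# redacted in the post, so substitute the real one); the 7-day window is an assumption.
$Sender = "mallikarjun.k@xxxxxx"
$Start  = (Get-Date).AddDays(-7)

# 1) RECEIVE events record where a message entered the transport pipeline, so they show
#    every submission even when nothing was written to the mailbox's Sent Items.
$recv = Get-MessageTrackingLog -Sender $Sender -EventId RECEIVE `
            -Start $Start -ResultSize Unlimited

"Messages submitted as $Sender since $($Start.ToString('u')): $($recv.Count)"

# 2) Entry point. Source STOREDRIVER = submitted from the mailbox itself (Outlook, OWA,
#    ActiveSync: the credentials or a device are in play). Source SMTP = handed in over
#    a receive connector; ClientIp is then the submitting host and ConnectorId the
#    connector it used, which is what relay abuse looks like in the tracking log.
$recv | Group-Object Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 3) Volume per 15-minute slot, to line up with the appliance's scheduled interval.
$recv | Group-Object { $_.Timestamp.ToString('yyyy-MM-dd HH:') +
                       ('{0:00}' -f (15 * [math]::Floor($_.Timestamp.Minute / 15))) } |
    Sort-Object Name |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4) A few samples, to recognise the campaign (subject, recipient count, first hop).
$recv | Select-Object -First 10 Timestamp, Source, ClientIp, RecipientCount, MessageSubject |
    Format-Table -AutoSize

# 5) Is it only this sender? Top senders that entered via SMTP in the same window.
Get-MessageTrackingLog -EventId RECEIVE -Source SMTP -Start $Start -ResultSize Unlimited |
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

If step 2 shows Source SMTP with a ClientIp that is not a mail client, the account itself was never used; the host at that address submitted mail with this sender's address through the named receive connector, and that host (and the connector's relay permissions) is where to look next. If it shows STOREDRIVER, the mailbox credentials or a device were used, and the password reset and reimage in steps 2 and 5 apply.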
ASKER
It seems like an open relay was the root cause, but we have to use it since the Dev Team needs some accounts for sending email from their internal ERP apps.
Can we just turn off open relay in Exchange 2016, and turn it on only for some dedicated accounts?
Can you force authentication? Then you shouldn't need the open relay.
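What "turn off open relay and keep it only for the ERP app" and "force authentication" look like on Exchange 2016, as an added example that is not part of the thread. It runs in the Exchange Management Shell; the server name, the connector name "ERP relay" and the ERP host address are assumptions.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# The server name, the connector name "ERP relay" and the ERP host address are assumptions.
$Server  = "EXCH01"
$ErpHost = "10.10.5.20"   # the only internal host that needs unauthenticated relay

# 1) Audit. On Exchange an "open relay" is a receive connector with a broad RemoteIPRanges
#    on which ANONYMOUS LOGON holds the ms-Exch-SMTP-Accept-Any-Recipient right.
$relayGrants = Get-ReceiveConnector -Server $Server | Get-ADPermission |
    Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                   $_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*' -and
                   -not $_.Deny }
$relayGrants | Select-Object Identity, User, ExtendedRights | Format-Table -AutoSize
Get-ReceiveConnector -Server $Server |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# 2) Remediate. Strip the relay right from every connector that grants it anonymously.
$relayGrants | ForEach-Object {
    Remove-ADPermission -Identity $_.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' -Confirm:$false
}

# 3) Re-create relay only for the ERP host: a dedicated frontend connector on port 25
#    whose RemoteIPRanges is just that address. Exchange selects the connector with the
#    most specific matching range, so every other client stays on the default connector.
New-ReceiveConnector -Name 'ERP relay' -Server $Server -TransportRole FrontendTransport `
    -Usage Custom -Bindings '0.0.0.0:25' -RemoteIPRanges $ErpHost `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector "$Server\ERP relay" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 4) "Force authentication" alternative: an app that logs in with a mailbox's credentials
#    can submit on port 587 (the Client Frontend connector), where the ExchangeUsers
#    permission group already allows relaying to external recipients. Then no anonymous
#    relay is needed at all. Submitting over SMTP writes nothing to Sent Items either way.
Get-ReceiveConnector "$Server\Client Frontend $Server" |
    Select-Object Bindings, AuthMechanism, PermissionGroups | Format-List

# 5) Verify from a host that is NOT $ErpHost: an unauthenticated submission to an
#    external recipient on port 25 should now be refused with
#    "550 5.7.54 SMTP; Unable to relay recipient in non-accepted domain".
#    The addresses are placeholders.
Send-MailMessage -SmtpServer $Server -Port 25 -From 'test@xxxxxx.com' `
    -To 'someone@example.net' -Subject 'relay check' -Body 'should be rejected'
```

Step 3 is the "dedicated" relay: it is keyed to the ERP host's IP address rather than to an account, because an anonymous relay has no account to key on. Step 4 is what forcing authentication means: the app authenticates as a mailbox on 587 and inherits that mailbox's right to send externally, so the relay connector can be dropped entirely if the app already logs in.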
ASKER
What do you mean by "force authentication"?
The mechanism of the internal app is: it authenticates with a predefined username/password, then sends notification emails automatically. It leaves nothing in the Sent Items of the mail account that was used.
It seems there is some virus activity flooding outbound mail, which is reaching the Email Security appliance. It's an issue on his PC.
Scan the infected machine completely.
Fix the issues before connecting it to the network.
All the best.