DP230 asked:
[Sonicwall ES7000] A flood has been noticed in outbound traffic from user ID

Dear Experts, I have this issue with a Dell SonicWall:

----------------------------------------------------------------
~~ SonicWALL Email Security Alert (9.0.5.2079) ~~
----------------------------------------------------------------

[Summary: A flood has been noticed in outbound traffic from
        user ID (mallikarjun.k@xxxxxx)]

Details: 
    Host Name: gw.xxxxxx.com
    Description: Number of messages sent from email ID
        (mallikarjun.k@xxxxxxx) in the scheduled
        interval  has exceeded the flood protection
        threshold.

Time Stamp: 
    Local Time: Mon Oct 22 13:00:01 2018
    GMT:        Mon Oct 22 06:00:01 2018

Additional Information: 
    Recommended Action: User's machine may have been affected.
        Please check for zombies.
    Alert Configuration Page: https://gw.xxxxxx.com:443/virus_config.html?bound=1&hopto=virus_config.html%3Fbound%3D1
    General Alert Settings: https://gw.xxxxxx.com:443/settings_monitoring.html?hopto=settings_monitoring.html

The mail server is Exchange 2016 on Win 2012R2, AV is Kaspersky.

We tried:
- Disabling this email account
- Reinstalling the app and formatting all of the user's devices that had email installed
- Creating a rule in Transport settings in ECP to block email from this account

BUT we still receive this notification every 15 minutes from the SonicWall. Can you please suggest?
Sajid Shaik M replied:

first of all, disconnect that specific machine and monitor...

it seems there is some virus activity flooding which is reaching the Email Security appliance... at outbound... it's an issue with his PC...

scan the infected machine completely...

fix the issues before connecting it to the network...

all the best
DP230 (asker) replied:

When I checked the user's mailbox, the Sent Items folder is empty, but the Inbox is full of undeliverable messages. So, is it possible that someone faked this sender and sent bulk emails to the outside?
the email flood is outbound... so emails are going from inside to outside...

if the flood came from outside, the email security itself would block the flood... and the reports would be different...

all the best
when I checked the user's mailbox, the sent items are empty, but the Inbox is full of undelivery messages.
Did you check the server logs for outbound messages from that account? Their account may have been compromised. Reset the password immediately. Also consider reimaging the user's system.

So, is it possible to someone fake this sender and sent bulk emails to outside?
If that were true, then the faking party is doing it from inside the firewall, which would still be a major red flag. As I said already, look at the server logs, not the account. Those tracks are harder to cover.

Do you have an RDP server? You may also want to check that. It's possible someone managed to brute-force their way into an account that way (this also becomes a red flag for the safety of your data, because it leaves a door open to ransomware).

You need to do the following:
1) Restrict your firewall rules so that outbound mail can only come from authorized systems (which I assume would be your ESA device). This assumes you haven't already done this.
2) Reset the account in question
3) Check the server logs for your mail server
4) Check the user system itself for any signs of compromise, including a mysteriously installed mail server
5) if #4 holds true, back up and reimage the system (or replace the system and do forensics on the old one in an isolated environment)
6) Check mail server for any signs of compromise
7) Work on user awareness training

You also may want to look into whether you've been getting alerts on other users.
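Step 3 above ("check the server logs for your mail server") is where the asker's question actually gets answered, because Exchange's message tracking log records where each message entered transport, which the mailbox's Sent Items folder does not. The following Exchange Management Shell snippet is an added example, not code from the thread or from Dell/SonicWall; the sender address, time window and threshold are placeholders, and the 15-minute bucketing is an assumption chosen to mirror the appliance's "scheduled interval" alert.

```powershell
# Added example: locate the source of an outbound flood in Exchange 2016 message
# tracking logs. Sender, window and threshold are placeholders for this thread.
$Sender    = "mallikarjun.k@example.com"   # placeholder for the flagged account
$Start     = (Get-Date).AddHours(-24)       # assumed look-back window
$Threshold = 100                            # assumed per-15-minute ceiling

# RECEIVE events record where a message entered transport:
#   Source = SMTP        -> came in through a receive connector; ClientIp is the submitting host
#   Source = STOREDRIVER -> submitted from the mailbox itself (Outlook/OWA/EWS/ActiveSync)
# A flood with empty Sent Items and Source = SMTP points at a host relaying
# through a connector, not at the user's mail client.
$events = Get-TransportService |
    Get-MessageTrackingLog -Sender $Sender -EventId RECEIVE -Start $Start -ResultSize Unlimited

# Who submitted the messages, and through which connector?
$events |
    Group-Object Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Bucket by 15-minute interval to reproduce the appliance's flood logic and see
# exactly when the volume crossed the threshold.
$events |
    Group-Object {
        $q = [int][math]::Floor($_.Timestamp.Minute / 15) * 15
        $_.Timestamp.ToString("yyyy-MM-dd HH:") + ("{0:00}" -f $q)
    } |
    Where-Object { $_.Count -gt $Threshold } |
    Select-Object Name, Count,
        @{ n = 'Recipients'; e = { ($_.Group | Measure-Object RecipientCount -Sum).Sum } }
```

If the top group shows Source = SMTP from an internal IP that is not a mail server, that host (or whatever is running on it) is the thing to isolate and image, as the answer above describes; if it shows STOREDRIVER, the credential itself is being used from a client and the password reset is the priority.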
DP230 (asker) replied:

It seems like the open relay was the root cause, but we have to use it since the Dev Team needs some accounts for sending email from their ERP internal apps.

Can we just turn off open relay in Exchange 2016, and turn on for some dedicated accounts?
Can you force authentication? Then you shouldn't need the open relay.
DP230 (asker) replied:

What do you mean by "force authentication"?

The mechanism of the internal app is: it will authenticate with a predefined username/password, then send notification emails automatically. It leaves nothing in the Sent Items of the mail account which was used.
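"Force authentication" in the reply above means: the ERP app already logs in with a username and password, so it can submit through Exchange's authenticated client submission connector (port 587), and the anonymous relay that any host on the network can use is no longer needed. The snippet below is an added example, not the asker's configuration or the expert's; the connector names, mailbox address and ERP host IP are placeholders, and it assumes the blanket relay grant lives on the default frontend connector, which the thread does not confirm.

```powershell
# Added example: find the open relay, then narrow it. Names/IPs are placeholders.

# 1. Which connectors accept anonymous SMTP? Note that the AnonymousUsers
#    permission group alone is normal (it is how inbound internet mail arrives);
#    relay to external recipients is granted by the extended right below.
Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups

# 2. This is the right that turns a connector into an open relay when combined
#    with a wide RemoteIPRanges. Anything returned here is your relay surface.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
        $_.User -like '*ANONYMOUS*'
    } |
    Select-Object Identity, User, Deny

# 3. Preferred path: the ERP app authenticates on the default client submission
#    connector (587/STARTTLS). Reduce what the relay credential is good for so a
#    leaked password cannot also be used to read mail.
Set-CASMailbox -Identity "erp-notify@example.com" `
    -OWAEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false `
    -EwsEnabled $false -PopEnabled $false -ImapEnabled $false

# 4. Fallback if the app cannot authenticate: a dedicated connector that relays
#    anonymously only from the ERP host, on its own port. Every other host on
#    the LAN loses relay.
$erpRelay = New-ReceiveConnector -Name "ERP relay" -TransportRole FrontendTransport `
    -Usage Custom -Bindings 0.0.0.0:2525 -RemoteIPRanges 10.20.30.40 `
    -PermissionGroups AnonymousUsers
$erpRelay | Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
    -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 5. Remove the blanket grant from the connector that was relaying for everyone
#    (placeholder identity; take it from the output of step 2).
Get-ReceiveConnector "MAIL01\Default Frontend MAIL01" |
    Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'
```

After step 5, the Dev Team's apps keep working either by authenticating (step 3) or from the one whitelisted host (step 4), while a compromised workstation can no longer push bulk mail out through Exchange, which is what produced the appliance's outbound flood alert.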