Exchange 2007 Server sending spam

[njellis]

Exchange 2007 Server is sending spam. I have tried to isolate where the issue is, but cannot figure it out.

Small personal exchange 2007 server with just 4 users on it. Sends/Recieves email for 2 domains.
Xeams for spam filtering, and my VPS for outbound mail.

So mail flow looks as such: Incoming mail -> Xeams -> Exchange 2007 -> VPS (postfix) -> World

Postfix is configured to ONLY relay from the exchange server's IP. (while I still have the issue I simply told postfix to not accept relays from my exchange - which is good because I can watch the reject log for postfix to see it's still happening).

Exchange server ONLY used with Outlook and OWA and Outlook Anywhere. No POP/IMAP/SMTP (except to receive)

I tested "relay status" from tools online and it does not report to be an open relay.

In the exchange log I enabled I get many entries such as this:

0,,1.2.3.4,*,,attempting to connect
1,192.168.1.100:3572,1.2.3.4,+,,
2,192.168.1.100:3572,1.2.3.4,<,220 PcComputerGuy.com ESMTP Postfix (Debian/GNU),
3,192.168.1.100:3572,1.2.3.4,>,EHLO mail.joessite.com,
4,192.168.1.100:3572,1.2.3.4,<,250-PcComputerGuy.com,
5,192.168.1.100:3572,1.2.3.4,<,250-PIPELINING,
6,192.168.1.100:3572,1.2.3.4,<,250-SIZE 10240000,
7,192.168.1.100:3572,1.2.3.4,<,250-ETRN,
8,192.168.1.100:3572,1.2.3.4,<,250-STARTTLS,
9,192.168.1.100:3572,1.2.3.4,<,250-AUTH PLAIN LOGIN,
10,192.168.1.100:3572,1.2.3.4,<,250-ENHANCEDSTATUSCODES,
11,192.168.1.100:3572,1.2.3.4,<,250-8BITMIME,
12,192.168.1.100:3572,1.2.3.4,<,250 DSN,
13,192.168.1.100:3572,1.2.3.4,>,STARTTLS,
14,192.168.1.100:3572,1.2.3.4,<,220 2.0.0 Ready to start TLS,
15,192.168.1.100:3572,1.2.3.4,*,,Sending certificate
16,192.168.1.100:3572,1.2.3.4,*,"CN=mail.joessite.com, C=US",Certificate subject
17,192.168.1.100:3572,1.2.3.4,*,"CN=joessite-PCCG-EXCHANGE-CA, DC=joessite, DC=com",Certificate issuer name
18,192.168.1.100:3572,1.2.3.4,*,13BC2D5E000000000002,Certificate serial number
19,192.168.1.100:3572,1.2.3.4,*,84C575999AF962054EE8B5604043EBC38A661081,Certificate thumbprint
20,192.168.1.100:3572,1.2.3.4,*,mail.joessite.com;autodiscover.joessite.com,Certificate alternate names
21,192.168.1.100:3572,1.2.3.4,*,,Received certificate
22,192.168.1.100:3572,1.2.3.4,*,3259082035820582058280 (cert stuff),Certificate thumbprint
23,192.168.1.100:3572,1.2.3.4,>,EHLO mail.joessite.com,
24,192.168.1.100:3572,1.2.3.4,<,250-PcComputerGuy.com,
25,192.168.1.100:3572,1.2.3.4,<,250-PIPELINING,
26,192.168.1.100:3572,1.2.3.4,<,250-SIZE 10240000,
27,192.168.1.100:3572,1.2.3.4,<,250-ETRN,
28,192.168.1.100:3572,1.2.3.4,<,250-AUTH PLAIN LOGIN,
29,192.168.1.100:3572,1.2.3.4,<,250-ENHANCEDSTATUSCODES,
30,192.168.1.100:3572,1.2.3.4,<,250-8BITMIME,
31,192.168.1.100:3572,1.2.3.4,<,250 DSN,
32,192.168.1.100:3572,1.2.3.4,*,4614,sending message
33,192.168.1.100:3572,1.2.3.4,>,MAIL FROM:<> SIZE=12850,
34,192.168.1.100:3572,1.2.3.4,>,RCPT TO:<GNCGiftforFeedback@value054.approverewardcard.rocks>,
35,192.168.1.100:3572,1.2.3.4,<,250 2.1.0 Ok,
36,192.168.1.100:3572,1.2.3.4,<,554 5.7.1 <GNCGiftforFeedback@value054.approverewardcard.rocks>,
37,192.168.1.100:3572,1.2.3.4,>,QUIT,
38,192.168.1.100:3572,1.2.3.4,<,221 2.0.0 Bye,
39,192.168.1.100:3572,1.2.3.4,-,,Local

How can I lock the server down so only the 4 users in the domain can send mail and no-one else?

Thank you! Dying here having to constantly stop and start postfix but googling isn't getting me what I need.

 

[njellis]

P.S. That is from my exchange send-log.

 

[ShackDaddy]

The send log shows your server sending the mail out. We need to determine how it got the mail in the first place. I would run message tracking and see how that message was initially submitted. I would assume that current rules allow authenticated SMTP senders to connect from anywhere, right? Can you lock down port 25 on your firewall to only accept inbound from Veams? My guess is either of two things:

1. The password on one of those accounts is compromised and a remote sender is authenticating with SMTP and sending the mail, since relay works if authenticated.
2. A MAPI client is compromised and the messages are being submitted through a connected client running Outlook.

Tracking logs will help, since it will show you which IP initiated the connection that handed the spam to the server.

Dave Shackelford
ThirdTier.net

 

[njellis]

Thank you for the reply. I am trying to learn how to generate tracking reports. In the meantime, I did find that spam seems to be coming from email address <> (blank)

Example: 2015-01-24T15:22:54.522Z,Outbound,08D2059320C485A5,33,192.168.1.100:7104,xx.xx.xx.xx,>,MAIL FROM:<> SIZE=18173,

How can we stop exchange from permitting "<>" as a valid "Sender and instead insist that to send it authenticate with existing users?

 

[njellis]

I think I've solved the issue, monitoring then will report back after a few hours.

 

[njellis]

So for anyone else whom might be having the issue, I discovered this:
The problem was unknownJoe@tomwhatever.com would send an email to my server, to an unknown address.. say roger@noonehere.com. They would specify the "reply-to" then to go to the actual spam target. So my server would "bounce" the message as "NDR" (not deliverable), but it seems it would go to the "reply to" address, thereby getting the spam out through our server. At least this is what I think is going on as a non-Email Admin.
I went into the spam filtering and created a rule - when Return-Path contains <> (blank) drop the message. This seemed to stop the spam hitting my linux relay.
In postfix there is a way to say "Check for valid recipient, and if none exists, reject the message" without even getting to the filtering process. I don't know of (or think) there is a way to do this with Exchange 2007 which would be great as it would solve the issue before it even got into the server.

Hope this helps someone in the future.
Cheers!