Exchange Server 2007 relaying

[no2broady]

He everyone,

I have a client with an exchange 2007 server install. I have used various relay testing mechanisms and they all report the system does not support relaying. The problem is that the server is relaying, mail is coming from an external IP. Have any of you found this possible before?

Thanks for your help.

No2broady

 

[ShackDaddy]

It is probably an authenticated relay, meaning one of your AD accounts had a very easy password and now email is being relayed using those credentials. In that scenario, your tests would report that no relaying was possible, but relaying could still be happening. If you look at your Transport logs, you should be able to see the inbound SMTP traffic and see which account is being used to relay.

Dave Shackelford
ThirdTier.net

 

[no2broady]

Hi Dave,

I did begin to think that, but when I was looking at the mail items sat in the queue the source was from an external IP. If a user has authenticated (genuine or hacked) would the mail still not look like it's come from a local connection as OWA and active sync does?

The bouts of relaying are not constant and seem to be running through small lists of emails. I have already made sure that the system is 100% patched. I am tempted to force password changes onto all the users to see if your advice works.

Thanks for the response. Much appreciated.

 

[ShackDaddy]

Nope, it would not come from a local connection if it's authenticated SMTP--the source IP could be anywhere, but you will also see the name of the user authenticating in the logs. Beyond that, if you know the times that the emails started being sent on one particular day, you could look at the security log on the server and find an authentication entry there that maps a user name and the same remote IP that you see in your SMTP logs.

I would look at your user accounts that have generic names: info, sales, office, etc. Often those are the ones most easily hacked, and I've seen several networks in which the passwords were the same as the username!

Dave Shackelford
ThirdTier.net

 

[no2broady]

Hi Dave,

Could you tell me which logs the authenticating users would show in, I've been trawling logs for a while now and can't see any user name showing up in them?

Here's a sample of the send connector SMTP log. The address cstmscares@amazons.ca comes up on all the emails as sender, should exchange not deny sending mail from this address based on relaying being disabled?

Thanks for your help.

2014-03-06T11:11:59.065Z,To Internet,08D10594E0D3C7E6,29,192.168.10.8:7523,142.239.254.30:25,<,250 Sender <cstmscares@amazons.ca> OK,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,25,192.168.10.8:7529,64.12.91.196:25,<,250-mtaig-mab02.mx.aol.com,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,26,192.168.10.8:7529,64.12.91.196:25,<,250 DSN,
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,27,192.168.10.8:7529,64.12.91.196:25,*,60968,sending message
2014-03-06T11:11:59.096Z,To Internet,08D10594E0D3C7CA,28,192.168.10.8:7529,64.12.91.196:25,>,MAIL FROM:<cstmscares@amazons.ca>,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E5,16,192.168.10.8:7522,24.246.104.108:25,<,"420 deferred due to suspect content, please try again later",
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E5,17,192.168.10.8:7522,24.246.104.108:25,>,QUIT,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E7,14,192.168.10.8:7524,107.14.73.70:25,<,221 2.3.0 dnvrco-iedge06 closing connection,
2014-03-06T11:11:59.112Z,To Internet,08D10594E0D3C7E7,15,192.168.10.8:7524,107.14.73.70:25,-,,Local
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7CA,29,192.168.10.8:7529,64.12.91.196:25,<,250 2.1.0 Ok,
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7CA,30,192.168.10.8:7529,64.12.91.196:25,>,RCPT TO:<rchap1237@cs.com>,
2014-03-06T11:11:59.221Z,To Internet,08D10594E0D3C7E5,18,192.168.10.8:7522,24.246.104.108:25,<,"221 barracuda.hawthorne.k12.nj.us Goodbye mail.ourdomain.com, closing connection",

 

[no2broady]

Sorry, I did enable the exchange auditing logs to view the authenticating users, I don't see any correlation between the SMTP logs and the exchange auditing though, any ideas with what could be happening?

No2broady

 

[no2broady]

Okay, I think I may have cracked how they are authenticated. I started going through the receive connector and found the following line.

2014-03-06T11:05:36.657Z,localserver\Default localserver,08D10594E0D3C632,21,192.168.10.8:25,72.22.74.51:55145,*,localdomain\user,authenticated

The thing that is concerning me is we have a standard user account named "user" it's a dormant account we use for some small handheld items in a shop, this account doesn't have an exchange account set up, can this still be used to authenticate?

Thanks again for any help you provide.

No2broady

 

[ShackDaddy]

Yes, that account could be used to authenticate. No mailbox is required.

Dave Shackelford
ThirdTier.net

 

[no2broady]

Wonderful, your post yesterday made me go over the receive connector logs again, thanks for all your help.