Exchange server compromised!

Sylvor
Oct 17, 2001
Hi,

I have a huge problem here (doesn't everyone?!) - I think my Exchange Server is being used to relay spam messages. I have been blocked by various spam filters (ie: SpamCop) and am having a nightmare trying to find out the source.

In my SMTP message queues I can see lots of messages trying to be sent out to mail@fbi.gov etc from my postmaster. I think this tells me that some spammer is sending email with a 'from address' of mail@fbi.gov via my server to their intended victims. When the recipient address is wrong, my email server generates an NDR and tries to deliver it back to the from address (which is also fake).

My mail server is not set as open relay but I don't really know where to look from here. Some advice is telling me to enable logging on the Exchange Transport service and look for 1708 events (user authentication) in the security log. This is with the thinking that someone has correctly guessed a user account/password on my server and is relaying with authentication. Possible I suppose, but I cannot see any 1708 events yet!

I do not have ANY users connecting remotely, it's a very simple set up - Is there any way I can disable any kind of relaying at all? So only bog-standard locally-connected users can send mail out?

Any advice or advice where to look next would be GREATLY appreciated!

Thanks in advance!
David

Dave Bennett
 
Someone is spamming every possible address in your org with a forged from address of mail@fbi.gov. What you see are NDRs going to fbi.gov for email addresses that don't exist. For more information on this particular spam message:

 
Hi xmsre,

I'm not so sure this is the whole story - I have been getting a lot of those ...@cia.gov / @fbi.gov messages, but they are simply being deleted as they are obviously junk / virus messages.

Am I misunderstanding the messages in my queue in Exchange System Manager? I see messages in the queue FROM my postmaster TO admin@cia.gov (etc), so I assume that this is my mailserver sending an NDR TO admin@cia.gov.
Surely the only reason I would send an NDR to them is if they had originally relayed through my server to send a message (which bounced hence the NDR)?

Is that right?

Many thanks :)
David

Dave Bennett
 
Let's assume a domain test.com and users Jack, Jane, and Jill with email addresses Jack@test.com, Jane@test.com, and Jill@test.com.

Now spammer bob comes along and sends a message to every possible email address like this:

a@test.com
b@test.com
c@test.com
...
zzzzzzzz@test.com

Every spam message except those to Jack, Jane and Jill will generate an NDR to the forged sender. It's called a reverse NDR attack.
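An added illustration (not from any poster in this thread) of the reverse NDR attack just described, and of why rejecting unknown recipients during the SMTP session instead of accepting and bouncing them removes the backscatter. The domain, user list, envelopes and queue-line format are all constructed for the example.

```python
"""Model of a reverse NDR (backscatter) attack against a small domain and the
effect of recipient filtering. All names, addresses and queue lines are constructed."""
from collections import Counter
import re

# Constructed directory of valid mailboxes at the victim domain.
VALID_USERS = {"jack@test.com", "jane@test.com", "jill@test.com"}

def rcpt_to(recipient, valid_users, recipient_filtering):
    """Decision at SMTP RCPT TO. With recipient filtering the server rejects an
    unknown local recipient in-session, so no NDR is ever generated for it."""
    if recipient.lower() in valid_users:
        return "250 OK"
    if recipient_filtering:
        return "550 5.1.1 User unknown"
    return "250 OK"          # accepted now, bounced later: this is the backscatter

def ndrs_generated(envelopes, valid_users, recipient_filtering):
    """Return (delivered, ndrs_queued) for a list of (mail_from, rcpt_to) envelopes."""
    delivered = ndrs = 0
    for _mail_from, rcpt in envelopes:
        if rcpt_to(rcpt, valid_users, recipient_filtering) != "250 OK":
            continue           # rejected at RCPT TO, nothing to bounce
        if rcpt.lower() in valid_users:
            delivered += 1
        else:
            ndrs += 1          # NDR is addressed to the forged mail_from
    return delivered, ndrs

# Constructed queue-line format: "from=<sender> to=<recipient>".
QUEUE_RE = re.compile(r"from=<(?P<frm>[^>]*)>\s+to=<(?P<to>[^>]+)>")

def backscatter_by_domain(queue_lines, local_domain):
    """Count queued bounces (null sender or local postmaster) per destination
    domain; a pile of them aimed at one remote domain is the attack signature."""
    counts = Counter()
    for line in queue_lines:
        m = QUEUE_RE.search(line)
        if not m:
            continue
        if m.group("frm").lower() in ("", f"postmaster@{local_domain}"):
            counts[m.group("to").split("@")[1].lower()] += 1
    return counts

# Constructed harvest run: forged sender, one real mailbox among guessed names.
SAMPLE_ENVELOPES = [("mail@fbi.gov", r) for r in
                    ("a@test.com", "b@test.com", "Jack@test.com", "admin@test.com", "zz@test.com")]
SAMPLE_QUEUE = ["from=<postmaster@test.com> to=<admin@cia.gov>",
                "from=<> to=<mail@fbi.gov>",
                "from=<jack@test.com> to=<friend@example.net>"]
```

Without filtering the run above queues four NDRs to the forged sender; with filtering it queues none, and the queue report shows the bounces grouped by the spoofed domains.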

 
Get a copy of GFi Mail Essentials. Configure it to do AD lookup and drop anything that doesn't match. This is also called directory harvesting.
 
You should try enabling Recipient Filtering on your server. That should drop any mail being sent to non-valid addresses in your organization.

You should also verify that all of your workstations are up to date on their AV. It is possible one of your users is infected and sending outbound mail.

If you have not already installed Exchange SP2 you should do so.

I hope you find this post helpful.

Regards,

Mark
 
Hi everyone,

Thanks for the responses, I have been looking into this more and now I'm almost certain one of my client machines has some spyware on it that is sending out this email.

I have closed off SMTP outbound from any IP except my exchange box (had to set it on for other POP3/SMTP email) and I can see my SMTP 'threads' drop down to 1, sometimes rising to 3... they WERE in the 30's! (Should have checked that ages ago!)

I can now see the firewall denying the smtp traffic from the client machine, time to start spyware hunting!!

If anyone has any experience with spyware sending SMTP, specifically "from" the cia.gov domain, I'd be very grateful for some advice!

Thanks,
David

Dave Bennett
 