RELAY?? But I fixed it already!..now what? 30

[POSAPAY]

Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter

 

[pmarsala]

I am using Exchange 2003, and I can find the Diagnostic Logging screen, but the options are different. Does anyone know which option I need to set to maximum?

 

[glidman]

James3838 is right. It is a compromise on weak local account passwords. Change your local Administrator password, diasable guest, etc to fix the problem!

Glidman

 

[peopleperson88]

James3838, your idea works on an Exchange 5.5 system, but do you know the MSExchangeIMC equivilant in Exchange 2000?

 

[crumpledstars]

I think I found one of the companies responsible, they should be blacklisted:

BLUE STEEL:
Phone: 85 230158569
Fax: 85 230158571

If anyone has time, do your best to destroy them.

And a note, you have to be at SP4 on Exchange 5.5 to apply the patch mentioned above. From what I've read about this though, it isn't supposed to help much.

 

[tahoe2]

"Turn your Diagnostic logging to Maximum for MSExchangeIMC -> SMTP Interface Events."

OK, I give. How do I do this please? I'm new to administering Exchange and all help is appreciated!

Thanks!

Corie

 

[peopleperson88]

pmarsala,

I've determined the equivilant for Exchange 2000 to be MSExchangeTransport then choose SMTP. It might be the same for 2003. Give it a try.

 

[tahoe2]

Also, will it mess stuff up if I remove the group 'GUESTS'?
I have already disabled the user guest account, but the group includes the IUSR_servername and IWAM_servername accounts.
Is this necessary, or just a hole that hackers can exploit?

Thanks!

Corie

 

[james3838]

Exact steps for Exchange 5.5:

Start->Programs->Microsoft Exchange->Microsoft Exchange Administrator
Connect to your Org
Find your internet facing server
Select its properties (either select it and type <alt><enter> or hit the property button)
Select the Diagnostics Logging Tab
Select MSExchangeIMC
Select SMTP Interface Events
Change Logging Level to Maximum
Hit Apply
Wait for new messages to come in (it will only log starting from when you increased logging)
Start->Programs->Administrative Tools->Event Viewer
Select Application Log
Select View menu item
Select Filter
Change Event Source to MSExchangeIMC
Hit OK
Go through logs looking for suspicious 2010's and 4183's.


Exact steps for Exchange 2000/2003:
Start->Programs->Microsoft Exchange->System Manager
Find your internet facing server
Select its properties (either select it and type <alt><enter> or hit the property button)
Select the Diagnostics Logging Tab
Select MSExchangeTransport
(Exchange 2000) Select SMTP Protocol
(Exchange 2003) Select Authentication
Change logging to maximum
Hit Apply
Start->Programs->Administrative Tools->Event Viewer
Select Application Log
Select View menu item
Select Filter
Change source event to MSExchangeTransport
Look for Event ID's 1708 for suspicious successful logons.

 

[KBADMIN]

Hi James3838, I have been following this thread. I tried looking for the user authentication you said. In the 2010 events, it says

&quot;connection from <ip address> successfully authenticated (AUTH LOGIN) as \administrator.&quot;

However, we do not have any user account with the name adminsitrator in our domain!!

We are using Windows NT 4.0 Server. For your info, Our exchange server is the member server in the DOMAIN.

How can I know the exact login procedure used by the spammer?

Regards
KBADMIN

 

[james3838]

KBADMIN -

\administrator is the local machine administrator

Unfortunately I don't have any NT4 boxes around anymore, so I can give you details on how to change the password/disable the local administrator account, but look on the box itself for a local Administrator account.

Hopefully someone else can post exact details.

 

[lfour]

Hi Again..

After I tracked Messages Via The Event Viewer, I Saw that There are no succesfull authenticatoin events (2010) but only some 4183( Logon Failure ). The Ip Addresses From Which The 4183 Events Come are :

219.153.150.231,
219.153.153.201,
218.70.9.109,
218.70.10.129,
211.158.77.11,
218.70.8.5,
218.70.10.97,
219.153.152.44 and
211.158.76.167 so far.

The Account that is trying to authenticate and it seems that it can't is \webmaster.
In the Server, that as i mentioned in my previous mail is Primary Domain Controller,Proxy,Web and Mail server the webmaster account existed 2-3 years ago but i have deleted it because we did not longer needed it.So this is the reason that the spammer could not authenticate.

The Problem still Continues.Today, i found 45000 mails in the Administrator inbox. Those mails are reports for those undeliverable mails sent by the spammer.For The moment , i have stopped the mail service trying to clear the queues and the administrator mailbox.I have applied the patch mentioned above by jklobedanz
(

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-011.asp

)
but the problem still persists. I have Also Already applied another patch delivered by microsoft on 10/09/2003 (

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

)
but it did not did anything.
Anyway , this is my current status. I will continue to dig in the system trying to find something. If I find anything, you will be the first people to know.

If anyone have any idears, please share it with us. It will be very helpfull.

Thanks in Advance..

 

[lfour]

SOLUTION FOUND !!!!!!!!!!!!!!!!!!!!!!

Dear All..

I Have Find A Temporary Solytion.

From The Routing Restriction Page On The Internet Mail Service Properties,( Internet Mail Service --> Properties -->Routing --> Routing Restrictions )Do The Following :

Last fields In the screen are :
Specify The Hosts And Clients That can NEVER Route Mail.
Add in this section The following Ip's :

219.153.150.231,
219.153.153.201,
218.70.9.109,
218.70.10.129,
211.158.77.11,
218.70.8.5,
218.70.10.97,
219.153.152.44 and
211.158.76.167 with subnet mask 255.255.255.0 to all.


After You Do That, Restart The IMService.
The Administrator Account Will Again Start Receiving Mails but not outbound, only inbound mails that after a few minutes will end.Clear the administrator mailbox for the junk mail and you are ok. The Outbound Queue Will stay empty with no problem.

If The user change ip address and the new one is not listed, then you must just add it to the NEVER ROUTE Mail Mask.

This Is only A temporary solution, worked fine to me for the moment.
I Hope that someone finds a better permanent solution.

Hope It Works for you all..

 

[georgeks]

Hi all i just saw this thread. I had the same problem a couple of months ago.

check out my posts for resolution

thread10-602113 must say that for about a week after i solve the problem i still had many failed authenticated attempts, but as the days passed the attempts slowly stopped

 

[dfilson]

I tried looking for events 2010 and 4183 and none of them show up. Do I not have something configured to display these events?

 

[prask]

Hi..All,

I hv been facing this peoblem since last one week...frequency of incoming mails are very high with sender name bluestell*@*.com/net.

I hv checked my system guest account..its disabled..is there any other way out...Pls.suggest..

Thanks in Advance..

Best Regards

 

[sbass2]

All.

Solved issue at the client site I was at. James3838 was right on with the diagnostic assistance. In our particular scenario it was the local admin account that was being used. However, I'd like to make everyone aware that the local admin account on the Exchange server in my client's environment had a very complex password. I know for a fact because I had run the Baseline Security Analyzer against it a few weeks back and it never complained about a weak or blank password. Plus the net admin there told me it was a complex password. Which brings me to my next thing, how did someone get that password/set that password. The only thing I can think of is there was a code exploit published around Sept 11, 2003 for the MS03-039 security bulletin (read info at

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

- FYI this is the second RPC vulnerability/blaster patch). Anyway, the exploit is capable of creating a local admin account. Since the use of the Exchange server as a SPAM relay was using local Administrator in this case, I have to wonder if the machine was compromised with something due to the MS03-039 patch not being on the server yet. (I know, I know - it should have been on there already but I'm only at this client site once a week so I have limited time to enact server changes, especially ones that require server reboots). Anyway, we're applying MS03-039's patch now, but I STRONGLY urge anyone out there who is experiencing the bluestell issue to ensure they've patched ALL vulnerable servers AND workstations with MS03-039 as well as renamed all Admin/Guest accounts and reset passwords. Keep in mind that if Exchange is set to allow authenticated users to relay then ANY workstation or server on your network is capable of relaying this SPAM through your Exchange server. Good luck all. FYI - the patch requires a reboot to be effective, don't forget!

Shawn

 

[peopleperson88]

I fixed the problem and here is what I did.

First I did what James3838 suggested withthe SMTP connection and the event view. I didn't get any events to pop up....so..

Through Group Policy I implemented the Password Complexity Requirement on all users. Then forced each user to change the their password.

After about 20 minutes, the emails stoped.

When I walked in this morning I was receiving and sending about 4000 messages every minute and had 1096 connections in the queue.

After I performed the Password change. It has been running for 4 hours and I have only hav about 10 connnection in the queue and my network speed has increases 10X. Even though I couldn't find the exact culprit changing the passwords fixed the issue.

 

[tahoe2]

Same here, when I checked the event log after enabling SMTP logging, I found that it was the CFO's account that was getting hit. I made him change the password on his account and so far, no more attacks.
I also added the list of IP's to the 'never route' table, and added the fix from MS.

Thanks again!

Corie

 

[POSAPAY]

Hey All,

THANKS TO EVERYONE, it finally stopped!

Steps I took:

1) installed all recent patches
2) Maximized the logging, and looked, and found couple of odd user IDs.
3) deleted all unnecessary user login IDs
4) changed Administrator password (letters + numbers)

I also had to change the password for a few services in the services control panel, that use Administrator as the logon.
Services include: SQL server, Exchange server and each of its services, McAfee GroupShield and its services(like 5 different services)

Did this around 1am, so it wouldn't disrupt anyone.
Rebooted the boxes, forced a Domain Syncronization.

now it is 11am, and last night the queue had like 2000 e-mails in it.. now it is 4.

once again THANKS TO EVERYONE!
-Peter

 

[peopleperson88]

Here is what the the culprit looked like for me.

Come to find out it was an administrator account on a TRUSTED domain. Then perhaps it should be TRUSTED if they put their administrator password as &quot;password&quot;. What were they thinking.


--------------------------


Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 9/18/2003
Time: 9:37:24 AM
User: N/A
Computer: <SERVER>
Description:
SMTP Authentication was performed successfully with client &quot;exceeded&quot;. The authentication method was &quot;LOGIN&quot; and the username was &quot;<DOMAIN>\<USER>&quot;.