RELAY?? But I fixed it already!..now what? 30

[POSAPAY]

Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter

 

[gbutts]

I have the same problem as Horness. I can receive mail internal/external, but can not send mail externally?
Any advice?

 

[gbutts]

How do I empty to queues with SMTP turned off??

 

[mzenzer]

gbutts, go to the drive that Exchange is installed on, and remember it could be spread throughout multiple drives, then go to \exchsrv\imcdata
In the imcdata folder you will see an In and Out folder. All of my bluestell messages were in my out folder.

 

[gbutts]

Help!! Still can not send external email!!

 

[johndpatriort]

Gbutts,

what server version are your on. What SP?

What are your settings for the virtual SMTP service as far as relaying is concerned. Have you made changes?

 

[Enkhidu]

I ran across this thread when I found a slew of 4183 errors in my App log on my Exchange Server, and decided I needed to find some more info. What I read pretty much confirmed everything I had decided - that this was a concerted, if cursory, effort to authenticate for relay purposes. However, I wanted to share something I found that hadn't been touched on yet:

georgeks, above, rattled off the accounts that are being attacked, and my experience bears this out as well. In addition, my logs are showing - consistently - 23 separate and consecutive attempts per account. This leads me to believe that the same 23 passwords are being attempted over and over again, in the hopes that someone has left that hole open.

I also found that, of the three attempts I saw over the past two weeks, all three came from China, specifically from CHINANET. Two of them were from allocated but not assigned IPs. But one was assigned to an elementary school!

Here's the assigned IP I had trouble with, from codeflux.com's whois tool using whois.apnic.net:

whois '218.7.157.254@whois.apnic.net':
[whois.apnic.net]
% [whois.apnic.net node-1]
% Whois data copyright terms

http://www.apnic.net/db/dbcopyright.html

inetnum: 218.7.157.192 - 218.7.157.255
netname: FOURTH-ELEMENTARY-SCHOOL
descr: Da Qing city department fourth elementary school
country: CN
admin-c: BG63-AP
tech-c: BG63-AP
changed: gaobh@mail.hl.cn 20030610
mnt-by: MAINT-CNCGROUP-HL
status: ASSIGNED NON-PORTABLE
source: APNIC

person: Binghui Gao
nic-hdl: BG63-AP
e-mail: gaobh@mail.hl.cn
address: Communication Corporation Internet Enterprise Division of HLJ
phone: +86-451-2804465
fax-no: +86-451-2804442
country: CN
changed: gaobh@mail.hl.cn 20030221
mnt-by: MAINT-CNCGROUP-HL
source: APNIC

Note: This IP address belongs to a Class C network (up to 28 hosts)


From that, I've got to say that either the hacker/spammer is spoofing IPs or a script-kiddy has gotten hold of the tools originally used.

 

[gbutts]

I found the account that they were using, it was from the 211.158.XXX.XXX IP. But now, I can not change the setting or disable the "test" account, it say that I don't have the priveleges to make changes!!! Please help!

I am running NT4.0 sp6 on exchange 5.5 sp4

 

[johndpatriort]

Use a Domain Admin to over ride the local admin accounts rights and gain access the then local Admin. Next cheeck if your test account is in the admin group. Just my thoughts..

 

[pert]

Hi Guls and Gays
i have readed all the above things and tried all the thing i got no guest account no local administrator account we are runing exchance 5.5 with ISA server. I have done all the things including deleting the IMS my IP has been blocked i am reciving mails from out side but cannot send any thing i also tried event view but no help. But when i talked to my ISP he gave me another Ip it worked for five to six days but now this Ip is also blocked and Que is filed with nearly 20000 pending bluestlle and other . can any body help whould be thankful.

 

[Horness]

Finally traced ours to a \test account, which did not exist in the domain that the email server was located, but did exist in another domain that had trusts setup.

Key points (for us anyway)

- Apply updates
- Change Administrator password
- Delete/Disable any accounts which are not used
- CHECK ALL DOMAINS trusted to the one your email server is located in.
- Block the IP addresses mentioned earlier on your firewall

I'm now going through changing everyone's password, and re-writing the password guidelines.

Thanks everyone.

Horness.

PS: Reason we could not send - our firewall had closed the outgoing SMTP port due to high volumes. Re-opened it, and presto!

 

[johndpatriort]

Congrats Horness

 

[gbutts]

I now have found and fixed the problem. It was a test account on our BDC. I have disabled the account, because we don't need or use it anyway, and cleared the queue. That was at 7:00 pm last night and now 11 hours later all is well.

 

[Fritsk]

First I did the same as johndpatriort wrote on oct 7th.
After that no mail appeared for one day.

This morning it started all over again.
A friend made me a suggestion to look for the local user:
TsInternetUser. We uses Windows 2000 Terminal Server.
This user exists and had no password. So here's what I did:
I gave the Local Administrator, Local Guest and Local TsInternetUser a very strong password and then disabled login for Local Guest and Local TsInternetUser.
(Rightclick on My Computer -> Manage -> Local Users and Groups -> Users. Rightclick -> Properties. Rightclick -> Set Password).
After that the spam/relay stopped. I hope forever.
Let see what tomorrow brings!

 

[DNoice]

I was called to a clients site due to their Outlook clients locking up. The clients were locking up because the server was running out of drive space. The server was out of drive space due to HUNDREDS OF THOUSANDS of bluestell spams in the queues, and over 250,000 (a QUARTER MILLION) non-delivery reports in the Administrators mailbox.

Their Administrator account password was 'password'.

Changed password and spamming stopped. Double-checked all the other accounts (domain AND local) for secure passwords.

This is an Exchange 5.5 SP4 on NT4 SP6a that already had relaying disabled.

Thanks sincerely for this thread.

 

[maxpic]

Take a look at this :

http://www.securiteam.com/windowsntfocus/5QP0G0K7PE.html

There is nothing you can do else closing smtp.

bye

 

[njnetfixer]

I have seen nasty stuff like this before. In Fact 2 Clients have has the same problem.. And they went undetected for DAYS!!!.. Well its a SIMPLE solution and I use the solution for Excessive Spam, Port 25 Attacks Etc...

You have to use some sort of Reliable Spam Gateway Service. that can Filter Mail..We use somebody in PA
. What the service does is Filter Spam and viruses through email. All Mail MX records are sent through a group of Scanning Servers and Delivered to My clients Exchange Server. So what I do on the Router is BLOCK (BY IP Address) ALL port 25 TRAFFIC except for the Scanning Servers..
Its that easy...
MY Mail Servers Essentially have port 25 Shut Down. I only allow the scanning Servers and a Queing server access..

All of your Dsl & T1 router usually have this feature...
Check it out .. Cisco has Access List..

Send me mail if you need Assistance.. The Spam Server is about 2.25/email... so for 50 emails you pay about $115 month but your protect from SPAM,Viruses, other attacks, etc.. I makes me sleep at night and I look like a hero...!!
My clients usually need a solution for spam anyway and I didnt have to go crazy finding a product..
The other neat feature of the service is that the Spam get quarrented (spell eek ) to end user Viewing...

Frank
njnetfixer@aol.com

 

[ibombnmap]

Ok, I have the same issue and this is where i tracked down the last instance of this bluestell_@ crap. I have the same issue and have locked the server down, and have the same prob. I will continue reading to find an answer, but if anyone cares or if anyone knows any good DOS attacks. All of the info for this spammer is below. I am more than happy to assist in knocking out this a@*holes spamming campaign. email me: michael@reconnectsystems.com if you are interested in taking out his server with me.


Enjoy.....

michael

//Info follows//

tolast55.com


tolast55.com resolves to 61.144.129.128

http://www.tolast55.com

resolves to 61.144.129.128



whois -h magic tolast55.com
tolast55.com is registered with XIN NET CORP. - redirecting to whois.paycenter.com.cn

whois -h whois.paycenter.com.cn tolast55.com
The Data in Paycenter's WHOIS database is provided by Paycenter
for information purposes, and to assist persons in obtaining
information about or related to a domain name registration
record.
Paycenter does not guarantee its accuracy. By submitting
a WHOIS query, you agree that you will use this Data only
for lawful purposes and that, under no circumstances will
you use this Data to:
(1) allow, enable, or otherwise support the transmission
of mass unsolicited, commercial advertising or solicitations
via e-mail (spam); or
(2) enable high volume, automated, electronic processes that
apply to Paycenter or its systems.
Paycenter reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.

Domain Name:tolast55.com


Registrant:
guang an
120 ma shi ti road
638000



Administrative Contact:
guang an
guang an
120 ma shi ti road
guang an Sichuan 638000
China
tel: 86 0826 2342570
fax: 86 0826 2342570
bingwued3@yahoo.com.cn

Technical Contact:
guang an
guang an
120 ma shi ti road
guang an Sichuan 638000
China
tel: 86 0826 2342570
fax: 86 0826 2342570
bingwued3@yahoo.com.cn

Billing Contact:
guang an
guang an
120 ma shi ti road
guang an Sichuan 638000
China
tel: 86 0826 2342570
fax: 86 0826 2342570
bingwued3@yahoo.com.cn

Registration Date: 2003-09-29
Update Date: 2003-09-29
Expiration Date: 2004-09-29

Primary DNS: ns0.nameicq.com 218.22.13.23
Secondary DNS: ns1.nameicq.com 219.153.0.212





traceroute tolast55.com


tolast55.com resolves to 61.144.129.128

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

3 130.152.180.21 6.264 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 38.118.132.97 8.969 ms DNS error [AS174] Performance Systems International, Inc
5 66.28.4.201 147.091 ms p15-1.core01.lax01.atlas.cogentco.com (DNS error)
6 154.54.2.214 3.413 ms p2-0.pr01.lax05.atlas.psi.net (DNS error)
7 154.54.10.198 7.343 ms chinatelecom.lax05.atlas.psi.net (DNS error)
8 202.97.51.193 151.553 ms DNS error
9 202.97.33.153 147.733 ms DNS error
10 61.140.0.22 146.080 ms POS8-0-R1-C-GZ-A.gd.cn.net
11 61.140.1.2 145.660 ms DNS error
12 61.144.8.18 290.087 ms DNS error
13 218.19.176.11 147.458 ms DNS error [AS4813] GUANGDONG PROVINCE BACKBONE NETWORK
14 61.144.129.128 237.623 ms DNS error
15 61.144.129.128 219.633 ms DNS error



Sam Spade Home © Contact Change Skin Search

 

[Fritsk]

Still clean after 5 days!

He's only still trying because I had last weekend 659 attempts: 4183 Events failed login in my application log.
The accounts used are: \administrator, \abc, \data, \server, \backup, \www, \web, \master, \test, \root, \admin and \webmaster.

So beware!

 

[treyp]

I have tried many of the tips here and nothing seems to stop the queue from filling up. I am using NT Server 4 with service pack 6 and Exchange 5.5 SP 4. The queue fills up even when the server is disconnected from the network. We've installed all the patches and renamed the accounts on the network to no avail. Any help on this would be wonderful.

 

[2nerz]

Hey Everyone,

I've seen this clown as well. All the account rules are correct. That's always a must in administration! With Exchange5.5 if you have not tried this open> IMS > Routing >
Set to > re-route Incoming SMTP to your local domain > Edit > should be set to Inbound as well.

Next be sure to add any conflicting domains to your routing restrictions table > Specify the hosts and clients who can NEVER route mail. This keeps the fools from ever comming back from that given network.

Setup your routing restrictions in a way the makes sense to your local network. For example, in the 1st section add your local domain internal address space to make sure that all your users can safely email outbound.
Usually you would select the check box for hosts and clients who succesfully authenticate.

Next, Get a progam such as AY-Spy to keep track of any suspect items in your que. When one is found simply look at the details of that qued relay, and slap it into the AY-Spy
program to see where it takes you. Hopefully you'll get the IP address of the culprit, Or a Domain where it's comming from. If you cannot find out the IP address, maybe you can add the NS server that the Domain is using. Next once an IP is found, simply add that IP to the Restricted routing table mentioned above. There done after that! No exceptions.

If by chance, you are one of the users who sees more ques after you've removed your server from your network, it is possible that the intruder created his/her own account that may be emmbedded within an existing Exchange mail user. Sounds crazy but it is true. If so, then you would need to
remove each users SMTP mail address one at a time until the
smap stops. once you've found the correct account simply remove that account and create a new SMTP email address for that user. I know it sucks, but it will work. However, once you find the user account responsible, if it's not the admin on the server itself, you will need to completely clean that machine of the virus causing the continued outboud emails.

Others from above are correct as well, such as Kiver! Thanks! Also keep a close watch on your applications log in the event viewer, It's the best way to see all the activity on your server. Remember you MUST have the diagnostic logging set to maximum for your given item to watch.

Hope any of this helps!

Thanks Everyone.

2nerZ