RELAY?? But I fixed it already!..now what? 30

[POSAPAY]

Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter

 

[paddy138]

I have the exact same problem; running Norton on the server.
Ran an online scan from Trend; no virus.
Disconnected the server from the network, flush the queue, restart the IMC; Outbound queue still fills.
We're also seeing that the orignator is <>, along with bluestell...
Set the server to only accept Inbound; queue slowly fills with bluestell, but not <>. (BTW: Disconnected, set to accept Inbound & Outbound, queue fills with both, so it's not an external connection).

If anyone has ANY info on this, please help us. This is the most bizarre thing I've ever seen

 

[rcpis]

We are receiving the same types of emails. Today there were 2,500 emails to send out in the queue. We have employees that need to POP their email and send from home so I have to have the &quot;host and users that authenticate&quot; checked otherwise they can't send emails. I also have &quot;hosts and users with these IP addresses&quot; checked but the table is empty (that's supposed to prevent relaying). The emails just keep coming into the queue. Any help for both of us would be greatly appreciated.

 

[POSAPAY]

I have the same exact reasons why I can't close all connections to the outside. People use IMAP and POP.
I also have the <> empty origination issue on hand as well.

Any ideas on this bluestell??? Does anyone have any track of its origin? I'm guessing it must have an originating network block.. or IP address that we could block.

Regards,
-Peter

 

[POSAPAY]

HELP>>>... it just hit for yesterday 26thousand e-mails getting transferred. Anybody know of a free snoffer or something???

26018 e-mails in one day is a bit too much! HELP!

-Peter

 

[paddy138]

Check your NT accounts, especially Guest. I broke down and called MS on this and they said that is the most logical solution. On the network causing me problems, Guest was enabled (I know I didn't enable it). Disabled that, disabled all dormant accounts, removed and re-added the IMC and low and behold, all was clear. I'm giving it a few hours before I give the final cheer, but I'm pretty confident that was it.

 

[POSAPAY]

I just checked... no guest account.
Also it doesn't seem to show a logon account creating the traffic. Is there a patch?
-p

 

[rcpis]

With regard to the users popping their mail........The reason that we needed the &quot;hosts and clients that successfully authenticate&quot; ticked was so that users could send mail as well as receive it (or so I thought). The more I thought about it, the more I thought this was wrong. So I contacted my users' ISP. The users should be sending SMTP messages via their SMTP server, not our exchange box. With this particular ISP, that has to be setup so they put in a ticket for that. Anyway, what I found when I unticked the &quot;hosts and clients that successfully authenticate&quot; but left ticked the &quot;hosts and clients with these IP addresses&quot;, I would no longer get the SPAM messages. My problem was two fold, I needed my users to be able to send SMTP messages. When I gave them that ability, I was getting SPAM messages as well. Now that I've figured out how they can send mail, I can untick the &quot;hosts and clients that successfully authenticate&quot; and stop the SPAM from coming in. Another note, I did have a guest account activated which I has since disabled. The SPAM is still coming in but not near as much as it was before disabling the guest account.

Thanks to all for the assistance and &quot;sounding boards&quot;.

 

[POSAPAY]

Well, that is a nice solution... but what if the users don't have any alternate SMTP options?

My scenario has become worse...now I'm seeing all random from outside addresses sending e-mails to outside random addresses.

It looks pretty much like a relay to me... but relay test websites, showed it being okay. Telnet tests showed it being okay and safe.
The only change lately, has been an upgrade of McAfee GroupShield4.x to GroupShield5.x
The new GroupShield blocks by subject line nicely.. but this relay/spaming is totally random, and I can't even lock on a sender's IP address, since the headers are completely missing. The most I see out of it, is notifications of failed outbound e-mails coming to the Admin box, with attachments.. that have no headers saved.

Anybody have any ideas? Perhaps run me through what to check for relaying?

I have the first two boxes checked in routing.
Authentication adn specify by IP. Both essential to my clients. Where else can e-mails come through???

This is a bit annoying.. because I go in to the que.. and see over 6000 e-mails in there.. I select all.. delete them.. and now I have 8000 e-mails.. new ones! to delete.

Would Exchange 2000 or.. Exchange 2003 solve this issue perhaps?

HELP!
thx
-peter

 

[vanillawafer]

I am having the same issues. I have over 2000 inbound and outbound message failures in my que, I kind of think that the relay is on for some odd reason, however, I don't know how to fix it.

 

[lfour]

We have the exact same problem. Our Configuration is Win NT sp6a with MS Exchange 5.5 SP 4.
From 10 or maybe 11 of september, the mail server - That is Also Web and Proxy server And PDC - started to have 20000 mails in the queue each day. It seems like there is a proccess that i can't find that sends those mail to bluestell__@_______.__.All Scans for virus where clean .I Think of that because i tried to take the computer out of the LAN and cleal twice the queue but the problem was still there. All the settings in order to ensure open relay attacks are already done and tested.
I Think that maybe a virus or a hacker did that because i see your messages concerning the same problem all started after 11/09/2003.. If anybody have any idear, it will be helpful..

Thanks in Advance..

 

[jklobedanz]

I’m having the same problem. I just found this on the Microshaft site:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-011.asp

This was apparently not well publicized because Microshaft considers the severity to be “low”. I know this wasn’t installed on my server, so I’m giving it a shot.

Hope this helps.


Joe Klobedanz
Network Administrator
Oxford Instruments
600 Milik St.
Carteret NJ 07008

Phone: (732) 850-9387
Fax: (732) 541-1845
Joe.klobedanz@ost.oxinst.com

http://www.Oxford-instruments.com

 

[mapman04]

I've got the same issue. I've tried the above patch with no luck. My problem started September 3rd. Server has not crashed, just gets bombed with the messages stuck in Outbound Queue. Scanned with Trend online and Inoculan locally and nothing found. My firewall log shows lots of traffic on Port 25 but it shows it as FTP instead of SMTP. Also shows the inbound traffic as being received with a valid address. Tried disabling all inactive accounts and restarting the IMC. Made all users shut off PCs at night to see if traffic subsided but that didn't work either.

Thanks,

Mapman04

 

[POSAPAY]

Well, I downloaded that patch, took the server offline.
Deleted all items showing up in the que...and I guess there were more somewhere on the server still saved for future delivery that showed up after deleting everything from all four areas of the QUEUES.
So I had to select all items, delete, refresh... and repeat this like 15 times, until nothing else showed up anymore.
waited about 10-15 minutes.. and a couple more originating from <> showed up.

Weird.. server is physicly disconnected. Where did these come from??

So after clearing those out, I applied the patch, restarted the server, and reattached it to the network(plugged the network cable back in)
.. waited..waited..
and the bluestall stuff started showing up again.

So.. the patch was worthless as far as I could tell unfortunately. Has anyone started an issue ticket with Mocrosoft, or any anti-virus or anti-spam company yet?

My daily e-mails are up from 1500/day to 65000/day it is starting to effect the delivery times of proper e-mails.

thanks,
-Peter

 

[sbass2]

FYI - I'm seeing this issue on an Exchange 2000 SP2 environment at a client site right now. Still trying to dig into where exactly it's coming from. Thus far I've done the following:

NetMon dump on Exchange filtering for TCP/25 traffic. Although I noticed a lot of attempts going out from Exchange to the internet containing BlueStell addresses, I didn't see one occurance of an inbound SMTP connection that contained the BlueStell addressing info. This leads me to believe that the email is coming from inside the network. Perhaps a virus/worm.

Unfortunately, this doesn't leave me with many options for determining where the traffic is coming from because everyone here uses Outlook MAPI therefore all of the mail data is going to be tunneled in RPC which makes it more difficult to analyze the sniffer dumps. I'm going to keep plugging away at it, but thought it would be helpful to pass along this info. If you've found a solution, please post it to the thread so everyone can benefit.

Thanks.

Shawn

 

[glidman]

This bluestell is quite a hard worker!
I use Sybari's Antigen for Exchange with Spam Manager. When I first noticed bluestell in my outbound queue (9/15) I created a spam filter to block any inbound emails whose email address includes bluestell. Since then I catch an email every 5 seconds for about an hour at a clip, then a pause, then another hour of slamming. We need to catch this fool. I'll be analysing my smtp traffic further in hopes of finding the source.

Gene

 

[pmarsala]

We have been getting dumped with the same thing. It appears to be coming in internally because we have blocked smtp incoming traffic. The only way I get it to stop spamming other people is to block the range of IP's it sends to on the outgoing. Any help would be appreciate.

 

[james3838]

Turn your Diagnostic logging to Maximum for MSExchangeIMC -> SMTP Interface Events.

Look at all SMTP Interface Events in the Event logs. Look for both 2010 Events (successful login) for accounts that SHOULD NOT BE AUTHENTICATING as well as 4183 Events (failed login). It appears that what ever this is (virus/hacker/spammer) is using weak password attacks to authenticate against servers.

The Guest account is only one of the accounts that are targeted. Local Admin accounts are also being targeted. There maybe other accounts as well.

Looking at 4183 events will tell you which accounts you need to make sure are either disabled or have strong passwords.
The 2010 events will show which accounts are being currently used to relay mail.

 

[mapman04]

Thanks for the tip james3838. I did just as you suggested and was able to find the account it was using. I disabled it and the messages have appeared to stop!

Regards,

mapman04

 

[MusicManJoe]

Thanks for the tips guys/gals...

I have an IP address linked to some suspecious failed logins (now that I've disabled the weak account). Not sure I should post it here, but it begins 211.158. anyone else? Perhaps this clown can be tracked down? %-(