RELAY?? But I fixed it already!..now what? 30

[POSAPAY]

Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter

 

[jlauro]

I want to thank paddy138 for the useful information. We were experiencing the same exact problems, and your suggestions worked for us. We applied the patch from MS that you mentioned, removed and reinstalled the IMC. So far, so good.

We also noticed that our "guest" account was enabled and used for authentication (even though we originaly had it disabled). I hope they find the little S.O.B. that created this one!

 

[johndpatriort]

We have experienced this issue with bluestell as well and I think we have fixed it by changing our passwords. It's been 4 hours and I haven't had any new queues or emails sent. My problem now becomes cleaning up the 800 queues that were created. I am on exchange 2000 sp4. Any quick solutions that I can use to delete all messages in all queues that contain "bluestell*@*.*" would be helpful.

 

[Fritsk]

It seems that my attacks have been stopped for two days now, due to techniques from this site. Thanks!!

I'm not sure but this morning i was hit again instead of bluestell**@* it uses blueinfo**@*
It uses the admin account although this is not excisting.

 

[zack54321]

We had 20-30,000 emails in the last few days. After finally deleting all of the 'Bluestell*' emails, we turned on the logging as suggested. 4 more Bluestell emails came through, but we didn't see any 2010 or 4183 errors. Next, we checked for unused accounts and disabled them. Overnight, about 8 '4183' failed logon errors showed up from 211. & 218. domains. It was trying to use our \test user account which was disabled yesterday. So far, no more Bluestell...Thanks for the help, everyone - Jim

 

[johndpatriort]

I adjusted the expiry dates on our server and this cleared up the queues. Thanks all for posting here.

 

[techjulie]

I was also getting pounded by Bluestell** and Blueinfo**. Turning on the logging per James3838 (9-17) allowed me to pinpoint my weak point.

They were using \administrator, which is the LOCAL Administrator account. I'm on NT so I wasn't able to change it using the UserManager for Domains.

Instead, CRTL+ALT+DEL, choose change password, select administrator for "MACHINE NAME" (not domain) and hope you know the old password. (Try empty field because there's a good chance there wasn't one originally).

Exchange 5.5
NT 4.0 sp6a
All patches
Not open relay
Changed Domain Admin password
Removed/Disabled unneeded users
Have POP users


Kudos to James3838 and Georgeks for the detailed info!!

 

[toolburn]

An additional preventive measure to add to the layers in the previous posts:

1) Create a security group containing just your user accounts that have Exchange mailboxes (and that use your server for auth. SMTP).

2) Set in the Exchange server's local security policy for "Access this computer from the network" to only Admins and the security group created in step 1.

This will help prevent user accounts that we sometimes create and forget about (test and temporary accounts, etc.) from being able to connect to your Exchange server even if the account is compromised.

Also, if you would like some quick ways to search for specific details in Event logs, try the free tool EventComb from Microsoft:

http://www.microsoft.com/technet/tr...curity/prodtech/windows/secwin2k/09detect.asp

(see "Monitoring for Intrusion and Security Events&quot

Or Log Parser:

http://www.microsoft.com/downloads/...familyid=8cde4028-e247-45be-bab9-ac851fc166a4

(there's an update to 2.1 in the IIS 6.0 reskit)

Or if you're more adventuresome, try using some the Query Event Logs scripts from the MS Script Center:

http://www.microsoft.com/technet/tr...ptcenter/scrguide/sas_log_udqz.asp?frame=true

 

[wenhua1306]

techjulie,

To change local administrator password in User Manager for Domain. Use 'Select Domain' from user menu. Enter your local computername instead of domain name. Then you will see all local accounts. Reset the password of local administrator from here.

 

[victory3x3]

Greetings. I have no new tech data to add, as all above is quite thorough, I just wanted to broaden the scope of your reported issue; this mutant spammer isn't just limiting him/herself to hacking Exchange rigs, I had my MDaemon server just pegged by this bottom-feeder "bluestelxxx@varieddomains.com." This guy had run a dictionary attack on the default accounts (that shouldn’t have been there in the first place), and while I had the server set to pop before sending, no relay of foreign domains, and other logical precautions he/she was coming in and authenticating under this compromised account name/password.
In response to a couple of the posts, what happened to in my situation is that this hoser would peg our T-1 in off-hours and fill our remote queue up with thousands of spams of schlock, so that even when I'd bring the server down, "secure" everything, and bring it up the que was still full and start its SMTP'ing. I had to delete who knows how many legit emails to dump this guy, and notify my users to resend critical data.
He/she is also responsible for getting my corp's domain name blacklisted by various authorities and caused me much time and money to get cleared again, and clean up his/her mess.
This person was and coming in from varied IPs and varied ISP accounts, and couldn't be blocked easily.
This guy is obviously not an amateur and does this for a living, maybe even off

http://spamhaus.org/rokso/index.lasso

list. ? I hope threads like this help to nail this looser, as he needs a strong and harsh lesson.

 

[johndpatriort]

Toolburn

I am looking at my event viewer and am not seeing any entries ay all in my security log. Logon attempts seem to be showing in my application log is this normal. How can I get then in my security log?

 

[KiverAtMonarch]

Hi Guys and Girls

One of my clients has just been hit by this nasty piece of work.

They run Win 2k Server and use the latest version of FTPGateOffice (Floosietek Ltd).

This is the only place where quality information exists on bluestell.... But I wanted to post this because unlike anyone else, this company doesn't use Exchange as it's mail client, instead they use Floosietek's FTPGateOffice. So the procedure has been very different for us . . . . and much simpler lol !!

The system crashed yesterday and we quickly realised, from posts on this forum, what we were dealing with.

Luckily, after some head scratching and 90,000 emails later, our fix was quite simple.

It is essential that you all have the latest Microsoft Cumulative Patch as mentioned in the Microsoft Security Bulletin MS03-039 at

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-039.asp.

I know everyone here has emphasised this, but it's true.

Firstly, get this patch installed and bring your server back up.

Then you will need to check the folders within FTPGates file structures.

You should have a folder in the Root of your drive called 'spool'. Within this folder are 2 sub folders called 'Inbox' and 'Internet'.

If you access the 'internet' folder it contains a second sub folder called 'internet'. This second folder contains a backup of all the queued emails. delete the top internet folder and re create it.

Finally, go back up the tree and access the 'Inbox' folder. There is a sub folder here called 'scanfldr'. You will have to delete this folder and re create it, because there is a hidden binary file called NIL.txt that is lurking there.

Word of warning: The deletion process will take a while lol

The servers been running for 3 hours and all is stable . . . . let's wait and see ;-)

Good luck

Tim

 

[Andy888]

*****Spam mails never come back again*****

Dear all,

Thanks for all of you to share the experience to us on this forum. Now I want to share my experience to the one who hates the spam mails.

As far, I have spent a whole week to find out how can I let my Exchange 2000 server to get rid of a thousands spam emails during a day. Originally, I reset the administrator password, disable guest account and changed the smtp port, disable relay function, but still has a lot of spam mails through my server to relay and sent out the spam emails. I doubt MS Exchange 2000 SMTP server relay disable function is work or not. Finally, I found out a solution to get out of spam mails. The steps is as follow:

1. You should have two network cards on your MS exchange 2000 server. (One for inbound mail, one for outbound mail. if outbound network card is internal IP, but it can be routed to another external IP address router for seccond smtp virtal server that is ok.)

2. Go to Start->Programs->Microsoft Exchange->System Manager->administrative group->Server->Protocol->SMTP->Default STMP Virtual server->[right clik]->Perproties->Delivery tag->(change all fields to 1 or 1 MINUTE on delivery page)->click Outbound Connections button to change TCP port to 1.

3. Above 2nd procedure let outside email to deliver to a wrong port if it is a relay email and retry time out for one minute. It it is an organization email, it will deliver to the mailbox.

4. Add Second SMTP Virtural Server by using right click on SMTP object. On General tag, select second IP address network card on your server and change the port number to any other different from 25 (not conflit with any port number) in the Advice button. On Access tag's Authencation button, uncheck Anonymous Access.

5. Above 4th procedure to let internal users can send out emails through second network card.

6. Change all Outlook Express SMTP IP address and Port number setting to match second network card's configuration in order to send out the email.

7. The spam emails will not be dilivered via your STMP email server successfully. They will never come back again.

ANDY (MIS)

 

[Kanshejaz]

WE HAD THE SAME PROBLEM FOR A FEW DAYS. WE MADE ALL GUEST AND ANNONYMOUS USER ACCOUNTS DISABLED ON OUR EXCHANGE SERVERS (5.5). WE ALSO ENABLED SECURTIY LOGGING. IMMEDIATLY THE MESSAGES STOPPED AND WE SAW WHERE THEY WERE TRYING TO USE OUR GUEST ACCOUNT. THIS WILL FIX YOUR PROBLEM.

 

[DColcl]

Fantastic. I too have been hit by this problem. I am currently running WinNT 4.0 and Exchange 5.5 -- ALL with the latest service packs.

Furthermore, I've been following this thread and trying everything to stop this user from gaining access to my computer.

Without know so, some one actually did mention the method for seeing "which" account was gaining access. When I saw the event ID and the message that an IP address was authenticaing, I quickly had the Network Administrator's account password changed. After this attempted failed, I had ALL the accounts that are in the Domain Admin grp (total of 2) passwords changed. Still it wasn't working.... although I did notice that a LARGE amount of emails where being prvented from relaying. However, I still was getting around 4k of emails.

Today I logged on again and saw a post by TechJulie that for somereason (maybe it was the wording) turned on a light bulb. It is NOT the Network admin account but the "LOCAL" admin account. Hello!?!

I changed the password (which was blank!) to the Local Administrator's account and that fixed it!

On my event logs I'm seeing the IP Address and server address of the REAL person that is sending out this spam.

In short: change the password to the LOCAL computer administrator's account! (I apologize to those techies that are reading this email saying "hello....that is what I've been saying!&quot.

Here's the information of the culprit attempting to relay message from my server:
Host122.200-43-88.telecom.net.ar

Thank you to all regarding this issue.

 

[KiverAtMonarch]

Hi All

I have been doing some digging and there are 2 ways that this attack can happen.

Firstly, via SMTP AUTH hijacking as we've discussed. My clients had an email account called 'Test' and it is probable that this account had a weak password and was breached. All unused and test accounts are now disabled and their system is secure.

Secondly, via an email worm known as W32.Frethem.E@mm (or possibly Frethem.F, there are multiple variations of this worm). This worm has been in circulation for almost 1 year and the IP addresses used (from inside China) tie up with those associated with W32.Frethem.

It can be enabled by previewing or opening the email that contains it. This worm affects Win 98, NT, 2k, XP and exploits incorrect MIME header/IFRAME vulnerabilities. These vulnerabilities can be addressed by downloading the latest cumulative patch from Microsoft's web site and most anti virus programs will remove it.

I received an email, on a PC at a different location entirely, on Friday afternoon which was from . . . you guessed it bluestell**@*.*

So previewing or opening anything with 'bluestell' in the email address will also result in the worm becoming embedded on a users system if it is not adequately protected.

I have some guidelines (thanks Symantec) for manually removing the worm should anyone need it.

Tim

 

[bigkav]

Firstly thanks all for help with the authentication vulnerability - seemed to work a treat.

However, I now have a secondary problem (probably not related to the above). I am getting quite alot of messages sent to gobly-de-gook@hotmail or ucn70.tjxpi@foredu.com.cn or shift12@shark007.systes.net and anderson@ip_address / howard@ip_address (where the IP address is the IP address of our gateway) accounts from a blank originator (sender) <>. i.e it appears my server is the sender.

I do not know where these are coming from but I am getting several per minute and know this is a new phoenomina on my server. It seems to be an even greater problem when I have notifications turned on - as I get what appears to be an ever increasing circle of Emails which eventually bring the server to a slow-down. Basically what appears to happen is that the <> sender uses Exchange to send to spurious looking Email accounts - usually yahoo/hotmail - then I get many many undeliverable reports from yahoo/hotmail. Does anyone else have experience of this???

Looking at the notifications I get the content of the mails seems to be predominantly Chinese!?! Any input would be really appreciated as I'm coming to the end of my tether with this kind of Exchange issue. Prompt reply would be very much appreciated.

Cheers, Simon

 

[johndpatriort]

Bigkav.

First of all, disconnect the server from the network and stop the SMPT service. Next make sure that you have installed the lasted virus defs and Ms Patches.

Finally Clear the queues of the unwanted email and start the SMPT services again. With the server still disconencted from the network, check the queues to see if they are filling again. Oh, You will want to run a virus scan of the server to ensure that it is clean. If the queues do not fill again, then reconnect the server to the network and see what happens.

 

[bigkav]

Thanks johndpatriort

Does this mean this is a virus????? I am up-to date and dont believe I have any viruses. What makes you think it is?

Simon

 

[johndpatriort]

Just the way yuo have described the problem leads me to believe this is possibly a virus. That and it''s best to rule that out right away, otherwise you could spend alot of time chasing something that could be relatively easy to fix.

Have you tried removingthe server from the network and emptying the queues. This will help determine if the problem is on the server or not.

 

[Horness]

We got struck with this bugger late yesteday, and this place seems to be the only site with any info! Do a search on Google, and see what I mean.

Our Exchange 5.5 (NT4 SP6a) is also our BDC, so we have no local admin, however I have changed the Domain admin password (which was only 4 letters!), and disabled/deleted accounts not in use.

Problem now however is mail is coming in, but not going out. (Outlook 2000 clients).

Any advice?

Thanks
Horness