RELAY?? But I fixed it already!..now what? 30

[POSAPAY]

Hey all,

On my Exchange 5.5 I have setup the routing, as well as only except from authenticated sources.
Running McAfee GroupShield5.

yet .. currently the Queues is full with like 400-800 e-mails spinning through it constantly.
Destination is random, origin is "bluestell__@_______.___"
The underscores are random characters.
right after the bluestell, there are two characters that seem to follow the incremental rule with the alphabet.
starts out as "aa" and goes up to "zz" then restarts.
The domain after the @ seems to vary from e-mail to e-mail.
Mostly common domains, such as hotmail, yahoo, att.net..etc.

The headers seem to be missing, I can't figure out what IP or server it is coming from. Simply no header contents.

Anybody have any ideas? My usual daily 1500 e-mail traffic just went over last two days to 9000+ emails.

I just turned off notifications, and disabled outbound responses to reduce the e-mail count and processes...but I'm looking for a way to make sure this person can't connect to my server. Anybody have a similar case before?

Thanks,
-Peter

 

[shodges]

Okay everyone, here is the riddle solved..... (I apologize for not reading through the entire thread but) it seems like no one has a definitive answer yet... I work for a company that makes software that competes with Exchange, but since whatever software it is, if it is using SMTP then it is the same, and we are starting to get a lot of support calls that are similar to the symptoms that are described here, and as others have said typing in BLUESTEL in Google turns up this site and none other [except for the actual spam messages and porn related sites, etc].

Anyway, after taking a LAN trace of the problem occuring we were able to determine that despite the fact that the SMTP server was NOT an open relay this person/entity/program is actually AUTHENTICATING to the SMTP server as an authorized user. You can look at a LAN trace too, look for AUTH LOGIN, you will find something similar...

The trace showed
Server: "220 xxxxxxxxxx"
Client: "EHLO excepted"
Server: "250-xxxxxxxxxx"
Client: "AUTH LOGIN"
Server: "334 VXNlcm5hbWU6"
Note this is Base-64 encoded, you can use pages like the following

http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx

to decode base 64, in this case it means:
"Username:"
Client: [base 64 encoded username]
Server: "334 UGFzc3dvcmQ6" [Password:]
Client: [base 64 encoded password]
Server: "235 Authentication Successful"
Client: &quot;MAIL FROM:<Bluestellxx@xxx.xxx>
etc

Anyway, we decoded the Base64 username and password (in this case they were the same username as password--IE VERY INSECURE).

I hope that this helps you guys in finding which accounts are being utilized to turn your server into the equivalent of an &quot;OPEN RELAY&quot;.

You can use ETHEREAL a FREE LAN trace tool to help you if you don't have access to something like SnifferPro etc. Anyway, like I said I work for a competing company, but wanted to share the information with the rest of the internet community because this is the ONLY site that mentions the problem.


Please secure all your accounts. DON'T use the same username as password (like postmaster/postmaster) Check all your accounts, and as has already been stated remove/delete/disable any account that doesn't need access.

 

[shodges]

sorry, I realize that other people HAVE posted the information already, I didn't have the time to read through the thread before, I didn't see that joeg701 already posted the same thing. Anyway, I hope Bluestell dies!!

 

[trevorstr]

Thanks for the tips.

I still see in my logs where my Exchange 5.5 SP4 server is still accepting email to users that do not exist in my domain. Someone is using my domain with invalid users and are still getting a 250 OK.

lpoulin below is not a user on my domain, shouldn't the server reply with something other than 250 OK when the user does not exist?


250 OK 10/15/03 9:47:40 AM : <<< MAIL FROM: <kpbx667lt@yahoo.com>
10/15/03 9:47:40 AM : >>> 250 OK - mail from <kpbx667lt@yahoo.com>

10/15/03 9:47:40 AM : <<< RCPT TO: <lpoulin@theauditgroup.com>
10/15/03 9:47:40 AM : >>> 250 OK - Recipient <lpoulin@theauditgroup.com>

10/15/03 9:47:41 AM : <<< DATA
10/15/03 9:47:41 AM : >>> 354 Send data. End with CRLF.CRLF

 

[tahoe2]

That means you're still relaying email. Open Internet Mail Service in Exchange Administrator, click on the routing tab and make sure your setting is REROUTE INCOMING SMTP EMAIL.
Sent to should be YOURDOMAIN.COM and route to should be INBOUND.
Then click on ROUTING RESTRICTIONS and UNcheck the box next to 'Hosts and Clients that successfully authenticate'
and CHECK the box next to 'Hosts and Clients with these IP Addresses:'. LEAVE THAT BOX BLANK!

Next, restart the IMS service and try the telnet command again.

Also, you can add the IP addresses that have been posted in this thread to the &quot;Hosts and clients that can NEVER route email&quot; box.

Hope this helps.

Corie

 

[trevorstr]

Hi Thanks for the Reply.

I did that and it still accepts messages for invalid users as long as they have my domain (@theauditgroup.com). This is causing the server to create many many NDR reports and clogging up my queues.

Is there any way to refuse the connection if the user is from my domain but not valid (not in the GAL)?

 

[tahoe2]

You now need to go through all your user accounts, local and domain. Some here have found a local admin or guest account enabled, or a domain user account that has been added. Enable SMTP logging to maximum and see which account is being accessed. Once you do that, the problem should clear up.

Corie

 

[theslydog]

I am now receiving a new varient dfkcaxxx@msn.com from the

tolast55.com resolves to 61.144.129.128

http://www.tolast55.com

resolves to 61.144.129.128

mentioned above

I just set up a forward to send anything with the above config back to all emails related to their servers. Its all I could think of...

tsd

 

[soloxiv]

***ALL***
I worked with Microsoft to work out my problem...here is the solution that is working the best.
Key items: strong passwords and turning of authenticated relay.

Thanks,
Marcus
__________________________________________________________

Issue:
======
Exchange server being used to relay spam to the internet.

Resolution:
===========
Local Administrator account was changed from null password last night.
Attempting to detect the account being used for relay: Turned on SMTP protocol logging on the server Disabled all relay on the server (No POP/IMAP users on the server)

Checking queues on the server- Outbound queue (IMCDATA\OUT) 20k items in queue.
MTS-OUT on the server ~147k messages in queue.
These are all non-delivery reports.

To clear the queues, we renamed the IMCDATA\OUT directory and removed the Internet Mail Service.

After reinstallation of the Internet Mail Service, we were able to send/receive internet email.

Checking logs to determine if we caught an attempt to authenticate. We did not.
Suggest, as we have removed all ablility to relay through this server, the problem will not happen again.

There may be some non-delivery reports occur on the server as a result of the ealier spam attack, but that there should be no real accumulation of queues on the server after taking the above steps.

If you required POP connectivity through the server, we would need to find the account that is being used to authenticate through the server. Do this with the following steps:

1) Enable SMTP protocol logging on the Internet Mail Service's Diagnostic Logging Tab**
2) Stop and Restart the Internet Mail Service
3) Monitor the Internet Mail Service's Queue's; Look for messages destined outbound with an external sender.
4) Once a relay is detected, view the protocol logs in EXCHSRVR\IMCDATA\OUT
5) Find or Search for the word &quot;Authentication&quot;
6) Prior to the words Authentication Successful, you will see 4 hashed commands; 2 from Exchange and 2 from the client.
7) Use a base64 decrypter to determine the Account that is being used to relay through the server.

**Make sure to disable SMTP Protocol logging after logging is complete

 

[njnetfixer]

The only way to stop this action is to shut off Port 25 to the outside world...

With the Tons and Tons of email thats hitting your mail server things can be pretty slow... And so what these guys will figure another way in.. Correct Isn't it Microsoft??

If you get all your mail through a mail gateway service and only a couple ip addresses, you can block off Port 25 off from the World!!(at the router level)

Wouldnt you want Cisco handling the traffice not the Mail Server..

1. Port 25 would be CLOSED and hackers won't even know its OPEN!! ya got me??
2. Spam or attacks arent goin to direct hit your mail server.
3. No Harvest Attacks to your use list..

Anybody that has this problem could be fixed up in an hour .. I still these crazy things ALL the time... I manage about 110 Mail servers... I'm here to help..

Frank

 

[Nuerodancer]

I've looked through all my event logs & through for the 2010's & 4183's & I come up with the user that is being used is \backup. I'm assuming that is going to be a local system account on one of my servers however I can't seem to find it anywhere. I'm getting nailed by over 25000 relays a day, & now several domains have banned my domain from being allowed to email them & unfortunately a couple of them are domains we actually send mail to on a regular basis.

Little help?

Nuero

 

[POSAPAY]

Try creating the backup account on that server, and then desabeling it.
Also, double check with relay checking sites, to make sure you are not listed on their blacklists. You might need to request to be unlisted once everything is good.
good luck

 

[Nuerodancer]

I've created a user in our Active directory called Backup however it doesn't seem to be slowing down or stopping, I have also applied the patch that James3838 mentioned earlier in this forum from Microsoft for Exchange 5.5, I haven't rebooted yet but I will through the night tonight & hope for the best, I'll let you guys know ASAP.

Thanks,

Nuero

 

[POSAPAY]

A reboot, and an emptying out the que should help.
You still might see for a short time some cached e-mails go through, but it should stop if nothing else was wrong.

 

[Nuerodancer]

Well here's what I've done...

1. Created a user called backup & gave it a ridiculously long password (48characters with Some CAPS & Numbers & Symbols)
2. Applied the Microsoft Patch for Exchange 5.5
3. Emptied the queues & rebooted the server.
4. Checked on the server about 30 after the reboot, & there was 378 messages stuck in the outbound queue.

Here's the latest 2010 Event.
11/28/2003
MSExchangeIMC
Information
Event : 2010
Connection from RJ202164.user.veloxzone.com.br was successfully authenticated (AUTH LOGIN) as \backup.

So it's still happening, any ideas how to track that \backup user???

Nuero

 

[Nuerodancer]

Well It's Tuesday & the mail is REALLY flooding thru now. We're talking about Thousands of emails every 10-15 minutes.

My internal mail works, but even trying to stop/restart my internet mail service is DEADLY slow, usually about 5 miutes before it fails & says it's taken too long & just gives up.

I think I know what server the \backup user is on, but cannot figure out how to get rid of it. Any ideas?

It's an old NT4 server, that before the upgrade to 2000 on the other servers was a Domain Controller.

 

[johndpatriort]

Can you remove the Old NT server?

 

[Nuerodancer]

Yes & no. I can pull the NT server out of the domain fairly quickly but I can't do it during the day (Business hours) because that is the server that still hosts about 90% of our data. I plan on moving the data from that server & demolishing the old NT box with a hammer if it is the cause of my frustrations.

johndpatriort (IS/IT--Manageme) Dec 2, 2003
Can you remove the Old NT server?

 

[johndpatriort]

try logging onto the domain server Locally (if you allow that in the policy) and create the backup account. I assume that you have a new &quot;domain/ad&quot; structure.

 

[devastator]

Sorry if you may have stated this before but i don't see it. Do you have POP accounts outside? If not you can unselect the option for successful authentication. If you do use POP have you tried to block or not allow relaying to 200.223.8.81 which is veloxzone.com.br? Is this the domain that is alway authenticating?

 

[Nuerodancer]

I have created a Backup user in our domain & gave it a insanely long password, then disabled it. The problem is that I cannot find this \Backup user. I cannot log on locally to the NT4 Server but I can onto the Windows 2000 Domain Controller which doesn't have a \Backup user.

johndpatriort (IS/IT--Manageme) Dec 2, 2003
try logging onto the domain server Locally (if you allow that in the policy) and create the backup account. I assume that you have a new &quot;domain/ad&quot; structure.