SMTP AUTH relay attack

[MarkymarcMarc]

I belive my mail server may be hijacked. I have a number of spam messages in my Default SMTP Virtual Server queue waiting to be relayed. Most of them just sit there and when I click on delete with or without an NDR they continue to sit there. I have since frozen everything coming into the queue and it's getting worse. The messages just keep piling up.
Since this has been happening I have checked that I do not have the Guest user enabled with no password in my system. In case a spammer is sending from one of my user accounts.
I have disabled relaying for authenticated users.

I'm not sure what else to do or how to solve this problem. Any ideas?

 

[jpomaha]

I am having the same problem. Have you found any solution? If I do I will post here.

 

[jpomaha]

This appears to have been the problem:

The bulk of the messages in the queue were from NDR's. The NDR's were generated from spoofed addresses and we could not send the NDR. The system was set up to try at 1 min then 2 then three for a total of 12 hours. This has never been a problem for us until now. We are getting so much span that the load on the server was so great we were being slowed to a halt. I went into Global Settings then Internet Message Formats. Click on default then properties. The settings under advanced for NDR and removed the selection for NDR. This looks to have worked. I am not getting the NDR's and we are running smooth at this point.

 

[MarkymarcMarc]

Correct me if I'm wrong but won't Un-selecting that NDR box not provide your local clients with an NDR when they send to an incorrect address. So they won't know if they're mail was delivered incorrectly.

After you unchecked this box, did all those spam domains in your queue disappear? I'm wondering if I did what you did, then deleted each spam domain message in my queue and then went back and selected that box, would that clear up my queue.

Also, my exchange is not lagging, it's just a pain to see that many messages sent to my queue. How can I find out what machine they are coming from?

 

[Matrixa]

you could offline your store. Stop all exchange services then remove the Messages. I would also take a backup very quickly. Also turn the NDR on so then you find out which mail box it's comming from

I can only show the door, your the one that has to open it !

 

[MarkymarcMarc]

No mailbox is getting an NDR from these spam messages. They're being auto generated from some machine. I'll try stopping the services and removing the messages and let you know if it worked. Thanks.

 

[Matrixa]

Do you know which machine they are being genarated from.

I can only show the door, your the one that has to open it !

 

[MarkymarcMarc]

No, even when I delete the message to send an NDR to the sender, it does nothing. It just sits in the queue. How can I tell what machine it is coming from?

 

[Haleon]

Hello,

I had this problem myself. After talking to a security expert at a hosting facility that we use, he informed me that pretty much the only way to stop the SMTP AUTH attack is to only allow IP addresses on your internal LAN to send mail. That should be fine anyway, as I'm assuming you only want your users to be able to send mail.

To do what I did, do the following:

1.) Open up System Manager
2.) Expand Servers, (Your Server), Protocols, SMTP
3.) Right-click on Default SMTP Virtual Server and select properties
4.) Click the Access tab
5.) Click the Relay button
6.) Make sure the checkbox that states "Allow all computers that succesfully authenticate to relay, regardless of the list above" is turned OFF.
7.) Click the "Only the list below" radio butotn
8.) Click "add"
9.) Click the "Group of Computers" radio button and enter your LAN's IP range. For instance 192.168.0.1 - 192.169.1.255 (or whatever your range is)
10.) Click "OK" and OK yourself out of all dialogue boxes.
11.) Stop and restart the IIS service.

 

[MarkymarcMarc]

Thnx Haleon. I'll try that and let you know, I've been working offsite the last 2 weeks.

 

[MarkymarcMarc]

Haleon,
But if the spam is coming from a clients machine, it will be coming from that ip address internally. I'll do what you say and get back to you, however, my exchange is definately not setup to be a relay.
Thanks