SMTP Queue filling up....FAST 2

[peopleperson88]

I'm running Exchange 2000 and Windows 2000 with all SP installed. I am not configured to be a relay agent (have checked it numerous times with MS KB319356 HOW TO: Prevent Unsolicited Commercial E-Mail in Exchange 2000 Server).

But for the last few days I have been getting bombarded with email from different IP addresses and they have been coming in and going out of my server. I open up my Queue <ServerName>/Protocals/SMTP/SMTP Virtual Server/Queues and see about 1000 connections all ranging from 1 to 8000 message ready for delivery.

I open up a queued message in notepad and notice that 99% are coming from bluesteel??@anywhere.??? (? could be anything). I would rather not implemente a filter to block just that user because they will just change it and come right back.

Any thoughts of what I can do to prevent this from occuring?

 

[james3838]

Check the Exchange 5.5 Forum for a detailed answer to your question. You most likely have an account that has a weak password that a spammer has figured out. They are able to relay because by default authenticated users are able to relay.

 

[jovoian]

i agree i had a clietn with same thing recently, it was a trojan something that takes over port 25 allowing Access.it will also hide itself if you port scan or open the reg, good to use a prescanning software to accept mail , GFI, symantec etc have it out there..

 

[mmonti]

I am experiencing the same issue. I saw my queues were full email originating from outside my company to recipients outside my company. I have an Exchange 2000 server which is fully patch and configured not to allow relaying. I saw a lot of emails from &quot;Blueste....@...com&quot;. Not sure what to do. I did deselect the option &quot;allow all computers which successfully authenticate to relay, regardless of the list above&quot;, once I turned this off the queues slowed down.

Mike

 

[james3838]

mmonti - that is the WRONG approach

Someone has figured out the password to one of your accounts and is using it to authenticate. The correct solution is to figure out which account is compromised and either disable it or set a strong password on it.

A compromised password can be used for more then just mail relay so you REALLY need to figure out which account is compromised.

You will need to turn back on allow authenticated relay first.

Exact steps for Exchange 2000/2003:
Start->Programs->Microsoft Exchange->System Manager
Find your internet facing server
Select its properties (either select it and type <alt><enter> or hit the property button)
Select the Diagnostics Logging Tab
Select MSExchangeTransport
(Exchange 2000) Select SMTP Protocol
(Exchange 2003) Select Authentication
Change logging to maximum
Hit Apply
Start->Programs->Administrative Tools->Event Viewer
Select Application Log
Select View menu item
Select Filter
Change source event to MSExchangeTransport
Look for Event ID's 1708 for suspicious successful logons.

 

[peopleperson88]

I fixed the problem and here is what I did.

First I did what James3838 suggested with the SMTP connection and the event view. I didn't get any events to pop up....so.

Through Group Policy I implemented the Password Complexity Requirement on all users. Then forced each user to change the their password.

After about 20 minutes, the relays stopped.

When I walked in this morning I was receiving and sending about 4000 messages every minute and had 1096 connections in the queue.

After I performed the Password change. It has been running for 4 hours and I have only have about 10 connnection in the queue and my network speed has increases 10X. Even though I couldn't find the exact culprit changing the passwords fixed the issue.

 

[peopleperson88]

Here is the Event View information that I found to be the issue.

It was coming from the Adminstrator Account on the TRUSTED domain. Come to find out that the password on their Administrator account was &quot;password&quot;. What were they thinking?



---------------------


Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 9/18/2003
Time: 9:37:24 AM
User: N/A
Computer: ,SERVER>
Description:
SMTP Authentication was performed successfully with client &quot;exceeded&quot;. The authentication method was &quot;LOGIN&quot; and the username was &quot;<domain>\<User>&quot;.

 

[mmonti]

James,
Thank you for the advice. I did as you described and haven't really seen any successfull login attempts. I had changed some domain passwords and I have seen any relaying happen since. BUT I have seen what looks like some failed connection attempts. I have seen some 1707 and 1706 event ids under the SMTP catagory.

Does this events indicate a failed attempt to login to the SMTP virtual server? Here is a copy of an event:


Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1707
Date: 9/19/2003
Time: 11:27:17 AM
User: N/A
Computer: EUROPA
Description:
An internal EXPS function failed while communicating with &quot;unknown&quot;. &quot;CExchAuthContext::HrServerNegotiateClearTextAuth&quot; called &quot;HrCheckClearTextLogin&quot; which failed with error code 0x8007052e ( y:\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).
Data:
0000: 2e 05 07 80 ...€


Thanks,
Mike

 

[james3838]

Based on my testing, 1707 events are what you get when you have failed logons. Too bad there is no information as to who they were trying to authenticate as. Exchange 5.5 has both success and failed events that are much easier to audit.


BTW - Its very likely that one of your end users is infected with W32.Swen.A@mm. Check out

http://www.sarc.com/avcenter/venc/data/w32.swen.a@mm.html

for more details. Pay attention to item 12 where the worm prompts the end user for e-mail server/password information.

 

[grdw]

I've tried the suggestions from James3838. Once I set app logging in event viewer to MSExchangeTransport I don't have any events logged.

Is there a way to open (read) the messages in the queue to verify they are spam being relayed through my server?

Thanks!

 

[badder2]

I've had a similar problem and have done the suggestions and stopped the spammer. However, I'm trying to figure out how an account on another domain (different office and a trusted domain to us) could access our exchange box to send out spam.

We changed the password on the account and the events have switched from event 1708's to 1706 & 1707's.

Is there any way for me to trace back to whoever is attempting to access our servers and block him at our firewall.

...gary

 

[compgirlfhredi]

Found this site to be of use when narrowing down my 'relay leak'

relay check

http://www.ordb.org/

 

[compgirlfhredi]

http://www.mynetwatchman.com/

 

[ftoddt]

Considering your statement:
&quot;Through Group Policy I implemented the Password Complexity Requirement on all users. Then forced each user to change the their password&quot;
I work partime at a school with students ranging from kindergarden to 12th grade. The students are locked out of most everything on the desktop,control panel, windows explorer and anything else that could cause me problems. Since these are little people with not much memory, passwords are simple and weak. How necessary are complex passwords for those with minimum rights on the client computers. I feel like I have some teachers and administrartors who could have weak passwords with more rights on the LAN and I plan to enforce a complex password requirement but I doubt if I would have success on the students unless your are telling me that there is no other way...
Please advise
Todd

 

[ftoddt]

Just an add to my last question. The students do not have exchange email accounts. Do I need to have them change their passwords?
Todd