Queue full of spoof e-mails

    I have installed an SBS network for a real estate company with 40 clients. The outgoing mail queue has 250 e-mails purporting to be from [email protected] stuck in retry mode.

    Relaying is off so I suspect an authorized user has picked up a trojan on his computer that is sending the mail out. The problem with real estate companies is that many of the realtors own their own laptops so it is hard to control them.

    We have Symantec Corporate installed on the server and all the computers have the antivirus client installed, but that does not protect us from trojans that an individual picks up on his computer off site.

    I recall a configuration in Exchange where you could instruct it only to send out e-mail from authenticated domain users. Is this correct?

    TIA
    Network Engineers do IT under the desk

  • #2
    Re: Queue full of spoof e-mails

    Addendum:

    I am sure I want Exchange Server Sender ID filtering. Any confirmation on this?
    Network Engineers do IT under the desk


    • #3
      Re: Queue full of spoof e-mails

      Those may be NDRs. Make sure that you have set your server to not send NDRs when somebody sends an email to a user who doesn't exist in the domain. Let me know if you need further instructions on how to accomplish this.


      • #4
        Re: Queue full of spoof e-mails

        Correct me if I am wrong, but would an NDR not be sent by the postmaster from the domain and not [email protected]? I thought this was a spoofed e-mail that might be getting rejected.

        Thanks for your reply.
        Network Engineers do IT under the desk


        • #5
          Re: Queue full of spoof e-mails

          That server might also be the subject of a mail attack.

          Spammers will often try to send various combinations of an email recipient name to the beginning of the server domain, including the usual favourites, [email protected] and [email protected].

          Your 250 messages stuck in the queue are likely NDRs that'll tell nobody in particular that the mailbox does not exist.

          Sembee had a post recently with a link to his webpage with tips on securing your client's mail server against spam that's well worth a look.


          robbyb

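          The mechanism #3 and #5 describe, shown as an added example that is not code from the thread or from any Exchange component: a spammer's dictionary attack against a simulated SMTP server that either accepts every local recipient and bounces the unknowns later (backscatter, which is what fills the outbound queue with mail "from" postmaster to the spoofed sender), or rejects unknown recipients inline at RCPT TO, or simply never generates NDRs. The domain, the directory of real mailboxes and the sender address are constructed for the illustration; the SMTP dialogue is simulated in-process, nothing touches the network.

```python
"""Constructed example: why a dictionary attack on an Exchange-style SMTP
server fills the *outbound* queue with NDRs addressed to a spoofed sender,
and why rejecting unknown recipients at RCPT time (or suppressing NDRs)
stops it.  The SMTP dialogue is simulated in-process; no network I/O."""

from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                  # assumed: the SBS server's own domain
DIRECTORY = {"alice", "bob", "postmaster"}    # constructed: the only real mailboxes


@dataclass
class SmtpServer:
    # Models Exchange 2003's "filter recipients who are not in the directory":
    # unknown local recipients get a 550 during RCPT instead of being accepted.
    reject_unknown_at_rcpt: bool
    # Whether the categorizer generates an NDR for an unknown recipient at all.
    send_ndrs: bool = True
    outbound_queue: list = field(default_factory=list)   # NDRs waiting to go out

    def session(self, mail_from: str, rcpt_tos: list) -> list:
        """Run one inbound session; return the reply codes the client sees."""
        replies = ["250 OK"]                               # reply to EHLO
        replies.append("250 OK")                           # reply to MAIL FROM
        accepted = []
        for rcpt in rcpt_tos:
            local, _, domain = rcpt.lower().partition("@")
            if domain != LOCAL_DOMAIN:
                # Not our domain and relaying is off: reject inline.
                replies.append("550 5.7.1 Unable to relay")
            elif self.reject_unknown_at_rcpt and local not in DIRECTORY:
                # Rejected inline: the *sending* side owns the failure,
                # and this server never creates a bounce message.
                replies.append("550 5.1.1 User unknown")
            else:
                replies.append("250 OK")
                accepted.append((local, rcpt))
        if accepted:
            replies.append("354 Start mail input")          # reply to DATA
            # Message accepted; the categorizer now discovers the unknowns and
            # bounces each one to the envelope sender, which is spoofed.
            for local, rcpt in accepted:
                if local not in DIRECTORY and self.send_ndrs:
                    self.outbound_queue.append({"to": mail_from, "about": rcpt})
            replies.append("250 Queued")                    # reply to end-of-data
        replies.append("221 Bye")                           # reply to QUIT
        return replies


def dictionary_attack(server: SmtpServer, spoofed_sender: str, guesses: int) -> int:
    """Spammer-style probe: one spoofed sender, many guessed local names.
    Returns the number of NDRs the server queued as a result."""
    rcpts = [f"user{i}@{LOCAL_DOMAIN}" for i in range(guesses)]
    rcpts.append(f"alice@{LOCAL_DOMAIN}")             # one real hit among the guesses
    server.session(spoofed_sender, rcpts)
    return len(server.outbound_queue)


if __name__ == "__main__":
    for cfg in (dict(reject_unknown_at_rcpt=False),
                dict(reject_unknown_at_rcpt=False, send_ndrs=False),
                dict(reject_unknown_at_rcpt=True)):
        srv = SmtpServer(**cfg)
        n = dictionary_attack(srv, "innocent@isp.example", 250)
        print(cfg, "->", n, "NDRs queued for the spoofed sender")
```

          With accept-then-bounce, 250 guessed names produce 250 queued NDRs to an address that never sent anything, which is exactly the queue symptom in the first post. Rejecting at RCPT moves the failure back onto the connecting host, at the cost of letting it learn which addresses exist; Exchange 2003 SP1 and later can add an SMTP tar pit delay to the 5xx reply to make that harvesting slow.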

          • #6
            Re: Queue full of spoof e-mails

            This one?

            http://www.amset.info/exchange/spam-cleanup.asp

            or was it this one?

            http://www.amset.info/exchange/smtp-relaysecure.asp

            or was it another one?

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.


            • #7
              Re: Queue full of spoof e-mails



              One of those will likely do!

              Thanks Simon.


              • #8
                Re: Queue full of spoof e-mails

                The server is not relaying, I tested it. An SMTP connector is being opened to places like tampaby.rr.com and hundreds of [email protected] messages are being routed through it.

                My take on this is there is an authenticated user on the SBS 2003 domain that has picked up a trojan. How can I track down the offending computer? There are 40 users, some on the LAN and some using RPC over HTTP.

                I have enabled maximum logging for MSExchange Transport - SMTP Protocol, but this does not give me the local information.

                Thanks
                Network Engineers do IT under the desk


                • #9
                  Re: Queue full of spoof e-mails

                  I suspect the only way you'll check that is to make sure the local anti-virus is up to date on each PC, and then fully scan each PC...

                  If you've got an Enterprise version of Sophos Anti Virus, or something similar from some other company then you'll be able to initiate this remotely from an Admin console.


                  • #10
                    Re: Queue full of spoof e-mails

                    The antivirus is up to date. I have Symantec Corporate on the network plus my Fortigate 60 VPN appliances have an antivirus subscription. I suspect this is a trojan or piece of malware someone has picked up clicking on a link, which falls into a different category. Do you agree?
                    Network Engineers do IT under the desk


                    • #11
                      Re: Queue full of spoof e-mails

                      It's quite possible. But then it could have got to an internal PC in a variety of ways. But if you have Symantec on each PC, then in theory, if it is set to something like 'On-access scanning' then it might have picked the virus up as it was about to be executed.

                      But yeah, it could have been a link on a web page. It could have been one of your users accessing their Hotmail (or such) account. Because these viruses are usually transmitted through email, this is likely.

                      But I've seen or heard of other ways that this type of virus gets around, and so enter the iPod, other music device and portable memory type sticks. You can imagine that these get installed on a PC as an additional drive, that might not get scanned by AV.

                      I haven't used Symantec before, but see if it has on-access scanning or the like, and whether this needs to be enabled?


                      • #12
                        Re: Queue full of spoof e-mails

                        What logging event can I turn up in ESM to show who on the network is passing off submissions to the Exchange server?
                        Network Engineers do IT under the desk


                        • #13
                          Re: Queue full of spoof e-mails

                          It will not be a machine on your network that is infected. That just doesn't happen.
                          Trojan writers do not go looking for another SMTP server to send their messages through, or an Exchange server/MAPI connection to use. There is no point. Corporate networks are not their targets, what they are interested in is home users.

                          Most trojans will have their own SMTP engine that is sending out the message directly to the internet.

                          What this will be is either NDR spam or authenticated relaying.
                          Have you changed your administrator account password? If not, do so.
                          Have you secured the authenticated relaying? Do you need to allow anyone to relay through your server? If not, then disable the feature totally. Authenticated relaying is not required for an Exchange server and Outlook connected to the server as an Exchange client (as opposed to a POP3/IMAP client) to send email out correctly.

                          The presence of a Symantec AV product is not a sign that you are not infected. Symantec's product is the market leader (who knows why as it is not that effective) and is therefore what most malware writers test with to see if their "product" is detected.

                          Simon.

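                          A way to answer the question in #8 and #12 (who is feeding the queue?) that also separates the two cases Simon gives in #13. This is an added example, not code from the thread, from Microsoft or from any of the posters: it triages an SMTP virtual server protocol log written in W3C extended format (the logging the OP turned on in #8 writes this when set to W3C). The column order is taken from the file's own `#Fields:` header, so the parser does not depend on the layout I assume in the constructed sample; the log lines, the local domain and the IP addresses (apart from the one quoted in #14) are constructed, and the assumption that the LAN uses RFC 1918 space is what `is_internal` encodes.

```python
"""Constructed example: triage an IIS/Exchange 2003 SMTP virtual server
protocol log (W3C extended format) by client IP, to tell apart
  (a) an internal client submitting mail with a foreign sender domain,
  (b) an external host that authenticated and is relaying (stolen account),
  (c) an external host guessing local addresses (NDR backscatter source),
  (d) plain relay probes that the server already rejects with 550.
The log text below is constructed; the #Fields: header drives the parser."""

import ipaddress
import re
from collections import defaultdict

LOCAL_DOMAIN = "example.com"          # assumed: the SBS server's own mail domain
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADDR_RE = re.compile(r"<([^>]*)>")    # envelope address inside +FROM:<...> / +TO:<...>

SAMPLE_LOG = """
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2006-05-10 09:00:01 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 HELO - +laptop17 250
2006-05-10 09:00:01 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 MAIL - +FROM:<bob@aol.example> 250
2006-05-10 09:00:01 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<victim1@rr.example> 250
2006-05-10 09:00:02 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<victim2@rr.example> 250
2006-05-10 09:00:02 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 DATA - <msg1@laptop17> 250
2006-05-10 09:00:02 192.168.1.37 - SMTPSVC1 SBS 192.168.1.5 25 QUIT - laptop17 240
2006-05-10 09:05:10 203.0.113.9 - SMTPSVC1 SBS 192.168.1.5 25 EHLO - +mx.spammer.example 250
2006-05-10 09:05:10 203.0.113.9 - SMTPSVC1 SBS 192.168.1.5 25 AUTH - LOGIN 235
2006-05-10 09:05:10 203.0.113.9 administrator SMTPSVC1 SBS 192.168.1.5 25 MAIL - +FROM:<bob@aol.example> 250
2006-05-10 09:05:11 203.0.113.9 administrator SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<victim3@rr.example> 250
2006-05-10 09:05:11 203.0.113.9 administrator SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<victim4@rr.example> 250
2006-05-10 09:07:40 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 EHLO - +zombie 250
2006-05-10 09:07:40 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 MAIL - +FROM:<bob@aol.example> 250
2006-05-10 09:07:40 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<john@example.com> 250
2006-05-10 09:07:40 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<mary@example.com> 250
2006-05-10 09:07:41 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<sales@example.com> 250
2006-05-10 09:07:41 198.51.100.77 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<info@example.com> 250
2006-05-10 09:08:02 211.187.141.168 - SMTPSVC1 SBS 192.168.1.5 25 RCPT - +TO:<someone@rr.example> 550
"""


def parse_w3c(text):
    """Yield one dict per log line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)     # assumed: LAN is RFC 1918 space


def profile(text):
    """Aggregate, per client IP, the evidence that matters for this triage."""
    p = defaultdict(lambda: {"sender_domains": set(), "rcpt_local": set(),
                             "rcpt_external": 0, "relay_denied": 0, "auth_ok": 0})
    for rec in parse_w3c(text):
        ip, method, status = rec["c-ip"], rec["cs-method"], rec["sc-status"]
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        addr = m.group(1).lower() if m else ""
        domain = addr.rpartition("@")[2]
        e = p[ip]
        if method == "AUTH" and status == "235":       # 235 = authentication succeeded
            e["auth_ok"] += 1
        elif method == "MAIL" and domain:
            e["sender_domains"].add(domain)
        elif method == "RCPT" and domain:
            if domain == LOCAL_DOMAIN:
                e["rcpt_local"].add(addr)              # distinct local names tried
            elif status == "550":
                e["relay_denied"] += 1                  # the 1710-style "Unable to relay"
            else:
                e["rcpt_external"] += 1                 # mail actually leaving via us
    return p


def triage(text, dictionary_threshold=4):
    """Map each client IP to a one-line verdict."""
    verdicts = {}
    for ip, e in profile(text).items():
        spoofed = any(d != LOCAL_DOMAIN for d in e["sender_domains"])
        if is_internal(ip) and spoofed and e["rcpt_external"]:
            verdicts[ip] = "internal host sending with a foreign sender domain: suspect infected client"
        elif not is_internal(ip) and e["auth_ok"] and e["rcpt_external"]:
            verdicts[ip] = "external host relaying after AUTH: suspect stolen credentials / authenticated relay"
        elif not is_internal(ip) and len(e["rcpt_local"]) >= dictionary_threshold:
            verdicts[ip] = "external host guessing local addresses: dictionary attack (NDR backscatter source)"
        elif e["relay_denied"]:
            verdicts[ip] = "relay attempt rejected (expected 550 noise)"
        else:
            verdicts[ip] = "no signal"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

                          The `AUTH ... 235` followed by `MAIL`/`RCPT` from a non-RFC 1918 address is the authenticated-relay case: the `cs-username` column names the account to reset. One caveat for the "infected internal client" theory: Outlook connected as an Exchange (MAPI) client, including the RPC over HTTP users mentioned in #8, submits to the mailbox store and never appears in the SMTP protocol log, so this only finds hosts that speak SMTP to the server; the message tracking logs are where MAPI submissions show up.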

                          • #14
                            Re: Queue full of spoof e-mails

                            Yes, the administrator password has been changed. I also have four Outlook Express users who are not members of the domain using POP3. I have given them permission to 'submit' but not to 'relay'.

                            Authenticated users can not submit or relay either. NDRs are disabled (dropped). In the SMTP relay properties, the "list below" is empty for "Select which computers may relay through this virtual server (only the list below)".

                            I have a lot of 1710 errors in my app log:

                            This is an SMTP protocol log for virtual server ID 1, connection #2128. The client at "211.187.141.168" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for [email protected] ". The full command sent was "rcpt TO:<[email protected]>". This will probably cause the connection to fail
                            Network Engineers do IT under the desk


                            • #15
                              Re: Queue full of spoof e-mails

                              After changing the administrator password and any of the SMTP server settings, did you restart the SMTP Server service?

                              Have you actually cleaned out the queues? It can take three or four attempts to clear the queues.

                              The event log entries you are seeing are what I would expect to see in these circumstances.

                              Is the server still accessible from the internet? If it is, change that, block port 25 and clean up the server, then leave it for a good couple of hours. If the queue growth stops, then you can open it again and see what happens.

                              Simon.