  • No open relay, no auth but still spam

    SBS Server 2003 SP2 w/ Exchange
    McAfee Virusscan Enterprise

    Hi,

    I hope someone can help.

    Thousands of spam mails going through our system for the past few weeks.

    I have confirmed that the server is not open relay with several online checkers and confirmed settings as detailed here:

    http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

    I have also enabled transport logging on SMTP and no event ID 1708s are occurring.

    Example header from a mail caught in our queues:

    Received: from User ([219.139.76.173] RDNS failed) by myserver with Microsoft SMTPSVC(6.0.3790.4675);
    Tue, 29 May 2012 16:30:31 +0100
    Reply-To: <[email protected]>
    From: "MISS DEBRA ADAM"<[email protected]>
    Subject: URGENT RESPOND NEEDED !!!!
    Date: Tue, 29 May 2012 22:31:34 +0700
    MIME-Version: 1.0
    Content-Type: text/html;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    Return-Path: [email protected]
    Message-ID: <[email protected]>
    X-OriginalArrivalTime: 29 May 2012 15:30:31.0999 (UTC) FILETIME=[FBFF34F0:01CD3DAF]


    The server and all network computers have been virus scanned with standalone scanners and nothing was found.

    While the server is being spammed through I have seen current sessions from the spammers IP in exchange and can see the connections from said IPs in the SMTP logs, which leads me to believe it is not malware on our local network.

    Is there anything else we can monitor/log in order to try and find the method/loophole in our network that is being exploited?

    Many thanks in advance for any replies

    Dave

  • #2
    Re: No open relay, no auth but still spam

    change all the passwords for any account that is allowed to relay through the smtp server.


    (I assume you're talking about people using your server as a relay, rather than you receiving lots of spam)



    • #3
      Re: No open relay, no auth but still spam

      Hi tehcamel,

      Many thanks for your response.

      I am talking about our server being used as a relay.

      No passwords have been changed yet but I have checked our settings for authenticated relay and the 'allow all computers' check box in SMTP protocol settings is unticked. Also, am I right in thinking that if someone had managed to auth then a 1708 event ID would be recorded?

      Cheers
      Dave



      • #4
        Re: No open relay, no auth but still spam

        Is that spam coming into your organisation???

        Is your external IP 219.139.76.173???

        That message looks to me like you are receiving spam from 219.139.76.173.

        The server IP is the affected spam server and not yours, unless of course your email server's external ip is the one above

        http://www.mxtoolbox.com/SuperTool.a...219.139.76.173

        To combat this you will need to implement some sort of spam filter, we have ours in our DMZ, that will check all this for you.



        • #5
          Re: No open relay, no auth but still spam

          Hi wullieb,

          The IP in the header is not ours, that is the server where the spam originated. The to and from address in the emails are not ours either, no one in our organisation is receiving this spam. The spam comes into our server (I have renamed it to "myserver" in the headers) and goes straight into our outbound queues.

          Many thanks
          Dave



          • #6
            Re: No open relay, no auth but still spam

            Do you have ANY relay settings enabled at all?
            IP addresses, users listed to allow relaying etc?

            Exchange doesn't allow relaying on its own, so there is a setting there somewhere.
            Restarted SMTP server to break the connections?

            If you haven't already, then force a password change on everyone and everything, including Administrator, BES etc.

            Sure it isn't NDR spam? Do you have recipient filtering enabled?

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: No open relay, no auth but still spam

              Hi Sembee,

              Thanks for taking the time to reply. Please see attached for our current settings.

              Blocking port 25 on the firewall and cleaning the outbound queues then leaving the port blocked for a few hours seems to stop the spam but then it all reappears after a few days, presumably as our IP is retried.

              I am not in a position to be able to force a password change for a few days but will do as soon as possible.

              As for NDR spam I'm not sure but I think we have recipient filtering applied which should rule that out.

              The IP allowed for relay in our settings is the photocopier on the network.


              Many thanks for your help
              Dave
              Attached Files



              • #8
                Re: No open relay, no auth but still spam

                Does the photocopier really need to be able to relay through your server? Do users regularly send email to external recipients?
                Switch it to your ISPs SMTP Server for relaying out instead.

                Afraid to say, you still have authenticated relaying enabled.
                All you have done is change the permission from a blanket permission (by deselecting that box) to being in a Windows permission box.

                On the window with Permissions for Submit and Relay, turn off Relay Permission for Authenticated Users. Leave submit in place.
                After changing it, apply/Ok out and then restart the SMTP Server service.

                You haven't identified the compromised account, so a full password reset should be instigated immediately - definitely on the Administrator account, otherwise the spammer could just remote in to your systems and change it back again!

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.



                • #9
                  Re: No open relay, no auth but still spam

                  Originally posted by Sembee:
                  Does the photocopier really need to be able to relay through your server? Do users regularly send email to external recipients?
                  Switch it to your ISPs SMTP Server for relaying out instead.

                  Afraid to say, you still have authenticated relaying enabled.
                  All you have done is change the permission from a blanket permission (by deselecting that box) to being in a Windows permission box.

                  On the window with Permissions for Submit and Relay, turn off Relay Permission for Authenticated Users. Leave submit in place.
                  After changing it, apply/Ok out and then restart the SMTP Server service.

                  You haven't identified the compromised account, so a full password reset should be instigated immediately - definitely on the Administrator account, otherwise the spammer could just remote in to your systems and change it back again!

                  Simon.
                  Herein lies my misunderstanding!

                  Many thanks for your input Sembee, I was under the impression that unticking the "allow all computers which successfully authenticate to relay" overrode the user settings.

                  I will change this as per your recommendation and as soon as possible we will orchestrate a password change.

                  I think the fact I could not see any 1708 events in our log had me confident that the spammer was not authenticating.

                  Once again thanks for everyone's input.



                  • #10
                    Re: No open relay, no auth but still spam

                    All the setting does is allow you to control who can relay, rather than it being a blanket option to allow everyone to relay.

                    If authenticated users must be allowed to relay (for example POP/IMAP users) then I use that setting to control who can use it, i.e. to specifically exclude Administrator which is the account that is usually attacked.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.
