  • suggestions...?

    Last Friday we had a user's password get usurped by spammers. They were attempting to send spam internally. I found it when I was checking logs on our Exchange server and changed the affected account password. Looks like spamming was all they were after. But it looks like an automated attack from several different IP addresses and it has not stopped. Really starting to bother me. Still cannot find any evidence that anything else is happening and our bandwidth is not being hammered, just the user's account, even after the password was changed. Anyone have any suggestions?

    Log Name:      Application
    Source:        MSExchangeTransport
    Date:          4/9/2013 6:34:14 AM
    Event ID:      1035
    Task Category: SmtpReceive
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      exchange.domain.local
    Inbound authentication failed with error LogonDenied for Receive connector Client exchange.domain.local. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [external IP].
    Event Xml:
    <Event xmlns="">
        <Provider Name="MSExchangeTransport" />
        <EventID Qualifiers="32772">1035</EventID>
        <TimeCreated SystemTime="2013-04-09T13:34:14.000000000Z" />
        <Security />
        <Data>Client exchange.domain.local</Data>
        <Data>external IP</Data>
    And this shows up as well:

    Log Name:      System
    Source:        Schannel
    Date:          4/9/2013 9:35:37 AM
    Event ID:      36887
    Task Category: None
    Level:         Error
    User:          SYSTEM
    Computer:      exchange.domain.local
    The following fatal alert was received: 10.
    Event Xml:
    <Event xmlns="">
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <TimeCreated SystemTime="2013-04-09T16:35:37.876249000Z" />
        <Correlation />
        <Execution ProcessID="504" ThreadID="10832" />
        <Security UserID="S-1-5-18" />
        <Data Name="AlertDesc">10</Data>

  • #2
    Re: suggestions...?

    Your first error message has an IP snipped, but it's quoted as 'external IP'. Have you got an Exchange server available directly from the Internet? If you don't, you've got a hole in your firewall, or how else could the external IP have gotten to your server?

    If you have internal IPs that are doing this, best start tracking those down to client PCs and see who's got what running on them. If they are internal and constantly hammering, you've most likely got at least one infection in your system!
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **


    • #3
      Re: suggestions...?

      That was me. I just replaced the external addresses they are using with that, figuring they would be anyway. I have done packet captures, not seeing any internal issues. Looks like they are just hammering away. Wish there was something I could do. I am making a list for the firewall ACL but not sure if that will really solve the problem.

      And to answer the other question, yes, the SMTP/POP3/IMAP services are accessible on the internet and our firewall is set up that way.

      Suppose I can play w/ Wireshark some more and see what else I can find.



      • #4
        Re: suggestions...?

        Sounds like an infected internal client. Has your managed AV picked anything up?
        I assume that you only allow the hub to send mail outbound (or at least you should) and filter any other outbound traffic destined to TCP port 25. I would also put a packet capture going outbound on your firewall to see if you see any client trying to send mail out of your network or any client making a lot of outbound connections. If you have an ASA or PIX this is really easy to do. If you bring the client offline, does this stop? If you know the source external IP then filter it on the firewall coming inbound. May also be a good idea to use a cloud-based spam solution and set up Exchange to only accept mail from that system. I would recommend Postini but it won't be around much longer.
        Last edited by auglan; 10th April 2013, 11:19.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
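A defender-side helper, added here as an example and not part of any post in the thread: it takes the text of Exchange Event ID 1035 messages like the one quoted in the first post, pulls the bracketed source IP out of each, and counts LogonDenied attempts per IP so that repeat offenders stand out for the firewall ACL list mentioned in #3. The sample messages and addresses (203.0.113.x and 198.51.100.x are documentation ranges) are constructed for the example; the Get-WinEvent call at the end is the assumed way to feed it live events on the Exchange server itself.

```powershell
# Added example (not from the thread). Summarize MSExchangeTransport Event ID 1035
# (inbound SMTP authentication failed with LogonDenied) by source IP so that an
# automated password-guessing run shows up as a short list of high-count addresses.

function Get-FailedSmtpAuthSources {
    param(
        # Message text of Event ID 1035 entries (one string per event).
        [Parameter(Mandatory)] [string[]] $Messages,
        # Minimum number of failures before an IP is reported.
        [int] $Threshold = 5
    )
    # The 1035 message ends with "... tried to authenticate to Microsoft Exchange is [<ip>]."
    # Capture whatever is inside the square brackets; lines that do not match are skipped.
    $pattern = 'tried to authenticate to Microsoft Exchange is \[(?<ip>[^\]]+)\]'

    $Messages |
        ForEach-Object { if ($_ -match $pattern) { $Matches['ip'] } } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ Name = 'SourceIP'; Expression = { $_.Name } }, Count
}

# --- Constructed sample input (documentation IP ranges, not real attacker addresses) ---
$template = 'Inbound authentication failed with error LogonDenied for Receive connector Client exchange.domain.local. The authentication mechanism is Login. The source IP address of the client who tried to authenticate to Microsoft Exchange is [{0}].'
$sample = @(
    '203.0.113.10', '203.0.113.10', '198.51.100.7', '203.0.113.22', '203.0.113.10',
    '203.0.113.22', '198.51.100.7', '203.0.113.10', '203.0.113.22'
) | ForEach-Object { $template -f $_ }
# An unrelated transport message, to show that non-1035 text is ignored rather than miscounted.
$sample += 'Some other MSExchangeTransport message with no source IP in it.'

# With a threshold of 3 this reports 203.0.113.10 (4 failures) and 203.0.113.22 (3 failures);
# 198.51.100.7 (2 failures) stays below the bar.
Get-FailedSmtpAuthSources -Messages $sample -Threshold 3 | Format-Table -AutoSize

# --- Assumed live usage on the Exchange server (not run here) ---
# Pull the last day of 1035 events from the Application log and count by source IP.
# $since = (Get-Date).AddDays(-1)
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchangeTransport'; Id = 1035; StartTime = $since } |
#     Select-Object -ExpandProperty Message
# Get-FailedSmtpAuthSources -Messages $live -Threshold 10
```

Run it periodically after the ACL is in place: if an address that was blocked keeps appearing in the output, the block is not taking effect at the firewall; if new addresses keep replacing the old ones, the guessing is coming from a rotating pool and per-IP blocking alone will not end it, which is the point #4 makes about fronting the server with a filtering relay instead of exposing the Receive connector directly.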