Exchange Server Forums
Phishing Problem
Phishing Problem - 24.Apr.2008 1:33:45 PM
jcostantino (Posts: 8, Joined: 3.Apr.2007)
Hi all, there seems to be a recurring problem that has been happening every few days for the past month or so. We are running Exchange 2003 SP2 and about 160 workstations. The problem is that all of a sudden there will be thousands of queued messages sitting in the ESM queue. In the Queue folder in the Exchsrv folder there are the thousands of messages. So what I have to do is stop the SMTP virtual server, delete all the messages in the queue, then start the SMTP virtual server back up, and all is fine. The messages are showing as being from sender@email-ebay.com or something related to paypal.com. So my question is: how is this happening? Is there a virus on a client machine? I am pretty sure open relay is closed. If it is a virus on a computer, how can I pinpoint which PC it is coming from? If not, what should I be looking for? This seems to be happening once every 3 or 4 days. Thanks for any help or advice!
RE: Phishing Problem - 27.Apr.2008 7:10:17 PM
Sembee (Posts: 3503, Joined: 17.Jan.2008, From: Somewhere near London, UK)
It will not be a problem with a client machine - I can almost guarantee that. You are either an open relay or an authenticated user attack. The first thing I would do is reset the administrator password and then restart the SMTP server service. Clean out the queues and then see what happens. See this article on my web site: http://www.amset.info/exchange/spam-cleanup.asp Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://www.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.amset.co.uk/
RE: Phishing Problem - 28.Apr.2008 11:42:22 AM
jcostantino (Posts: 8, Joined: 3.Apr.2007)
OK, I am checking out that site now, but I can guarantee that we are not an open relay. I went to a couple of sites that test for it and put in our Exchange server IP, and they all came back as unable to relay. But I came in today and someone must have got access again. I came in to hundreds of queues and I saw a user connected in the virtual SMTP server. So I stopped the server and deleted the messages, then a couple of seconds later they came back again. So after about 10 minutes of doing this they finally stopped. A couple of hours later, same thing. I am trying to figure out how to block an IP on my firewall as we speak, but how is this person getting access if we are not an open relay?
RE: Phishing Problem - 29.Apr.2008 9:40:22 AM
jcostantino (Posts: 8, Joined: 3.Apr.2007)
Thanks for your help so far. Here is an update on the problem. I changed the admin password yesterday and that seemed to have worked, I thought. But after I left I saw that the messages started again. So what I have come up with is that a user (217.118.0.121) is sending 2 messages with hundreds of people BCC'd. Sometimes he shows up in active connections, but most of the time he doesn't. So would you say this is some sort of NDR attack? Is there still a chance that it could be an infected machine on the network, because there are about 160 computers on the network? How can I block this IP from the Exchange server? Or should I be doing something else to prevent this? Thanks.
RE: Phishing Problem - 29.Apr.2008 12:30:20 PM
Sembee (Posts: 3503, Joined: 17.Jan.2008, From: Somewhere near London, UK)
The IP address is in Italy, so I suspect that it is a compromised machine. After changing the password, did you restart the SMTP server service? Do you have any relay options enabled on the SMTP server? Local IP address, for example? If you were being abused as part of an NDR attack then the messages would appear in your queues as coming from postmaster@. Simon.
RE: Phishing Problem - 29.Apr.2008 3:01:28 PM
jcostantino (Posts: 8, Joined: 3.Apr.2007)
Yes, after changing the password I did start and stop the server. Under the Relay tab for the SMTP virtual server I have the option to allow only the list below; in that list are a couple of servers that have web services that email things out. The "allow all computers" check box is unchecked, and under the users section only authenticated users have the relay and submit permission. I did enable Sender ID filtering and added 2 entries to the block list: I added *@217.118.0.121 and also support@email-nwolb.com, which was the address that was being spoofed. So far it has seemed to work; I haven't had any junk in the queue for about 6 hours now. But if you think it is a compromised machine, how would I go about figuring out which one it is? Thanks, Joe
RE: Phishing Problem - 29.Apr.2008 4:09:28 PM
Sembee (Posts: 3503, Joined: 17.Jan.2008, From: Somewhere near London, UK)
The compromised machine is in Italy on that IP address - not your network. Do you need authenticated relaying enabled? If you do not have any SMTP users (Outlook Express etc.) then you can turn it off. While blocking the specific settings that you have resolves the problem short term, it doesn't help long term to deal with the issue. There are only three ways that email can be sent through your server: open relay, authenticated relay, NDR attack. Just because your server passes the open relay tests doesn't mean that is the end of it. If another machine has been attacked, that could be relaying the email through your server. I don't think that is the problem here, as you have identified the external machine that is using your server. Simon.
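The three paths Simon lists (open relay, authenticated relay, NDR bounce abuse) each leave a different trace in the SMTP virtual server's own protocol log, so the quickest way to tell which one a server is suffering from, and from which client IP, is to read that log rather than watch the queue. The script below is an added example written for this page, not code from the thread, from Simon's site or from Microsoft. It assumes the W3C extended format that the IIS/Exchange 2003 SMTP service writes (the column layout is taken from the log's own "#Fields:" header rather than hard-coded), assumes a successful AUTH is logged with SMTP status 235 and a failed one with a 5xx status, and uses constructed sample lines, private-address ranges and a placeholder local domain (example.com) in place of a real server's values.

```python
"""Triage authenticated-relay abuse from an Exchange 2003 / IIS SMTP virtual server log.

Added example for this thread. The log lines below are constructed to resemble
IIS W3C extended SMTP logging; field positions are read from the '#Fields:'
header so the parser adapts to whichever columns a server actually logs.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: an internal web server relaying legitimately, an external
# host that authenticates and then pumps spoofed mail through the server, and a
# second external host failing AUTH (password guessing).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-04-29 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-04-29 08:00:01 192.168.1.50 webapp SMTPSVC1 MAIL01 192.168.1.10 25 HELO - +webapp 250 0 48 12 0 SMTP - - - -
2008-04-29 08:00:01 192.168.1.50 webapp SMTPSVC1 MAIL01 192.168.1.10 25 MAIL - +FROM:<noreply@example.com> 250 0 46 33 0 SMTP - - - -
2008-04-29 08:00:01 192.168.1.50 webapp SMTPSVC1 MAIL01 192.168.1.10 25 RCPT - +TO:<customer@example.net> 250 0 32 29 0 SMTP - - - -
2008-04-29 08:00:05 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 EHLO - +localhost 250 0 240 16 0 SMTP - - - -
2008-04-29 08:00:05 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - +LOGIN 334 0 18 10 0 SMTP - - - -
2008-04-29 08:00:06 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - - 235 0 33 22 0 SMTP - - - -
2008-04-29 08:00:06 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 MAIL - +FROM:<support@email-nwolb.com> 250 0 46 38 0 SMTP - - - -
2008-04-29 08:00:06 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 RCPT - +TO:<victim1@example.net> 250 0 32 29 0 SMTP - - - -
2008-04-29 08:00:06 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 RCPT - +TO:<victim2@example.org> 250 0 32 29 0 SMTP - - - -
2008-04-29 08:00:07 217.118.0.121 - SMTPSVC1 MAIL01 192.168.1.10 25 RCPT - +TO:<victim3@example.edu> 250 0 32 29 0 SMTP - - - -
2008-04-29 08:00:09 203.0.113.9 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - +LOGIN 334 0 18 10 0 SMTP - - - -
2008-04-29 08:00:09 203.0.113.9 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - - 535 0 35 22 0 SMTP - - - -
"""

# Assumptions: RFC 1918 space is "inside"; example.com stands in for the domains
# this server is authoritative for. Replace both with the real values.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def sender_domain(query):
    """cs-uri-query for MAIL looks like '+FROM:<user@domain>'; returns 'domain' (empty for <>)."""
    start, end = query.find("<"), query.find(">")
    if start == -1 or end == -1:
        return None
    return query[start + 1:end].rpartition("@")[2].lower()


def summarize(text):
    """Per client IP: AUTH outcomes, MAIL FROM and accepted RCPT counts, non-local sender domains."""
    stats = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "mail": 0, "rcpt": 0, "foreign_senders": set()})
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        method, status = rec["cs-method"].upper(), rec["sc-status"]
        if method == "AUTH":
            if status == "235":          # assumed: successful authentication logged as 235
                s["auth_ok"] += 1
            elif status.startswith("5"):  # assumed: rejected credentials logged as 5xx
                s["auth_fail"] += 1
        elif method == "MAIL":
            s["mail"] += 1
            dom = sender_domain(rec["cs-uri-query"])
            if dom and dom not in LOCAL_DOMAINS:
                s["foreign_senders"].add(dom)
        elif method == "RCPT" and status == "250":
            s["rcpt"] += 1
    return stats


def suspicious_relays(text, rcpt_threshold=2):
    """External IPs that authenticated and then relayed: the authenticated-relay case."""
    return {ip: s for ip, s in summarize(text).items()
            if not is_internal(ip) and s["auth_ok"] and s["rcpt"] >= rcpt_threshold}


def auth_brute_force(text, fail_threshold=1):
    """External IPs with failed AUTH attempts: password guessing against the relay."""
    return sorted(ip for ip, s in summarize(text).items()
                  if not is_internal(ip) and s["auth_fail"] >= fail_threshold)


if __name__ == "__main__":
    for ip, s in suspicious_relays(SAMPLE_LOG).items():
        print(f"{ip}: {s['auth_ok']} successful AUTH, {s['mail']} MAIL FROM, {s['rcpt']} RCPT, "
              f"spoofed sender domains {sorted(s['foreign_senders'])}")
    print("failed AUTH from:", auth_brute_force(SAMPLE_LOG))
```

On a real server, replace SAMPLE_LOG with the contents of the log file named on the SMTP virtual server's Logging tab (the IIS default location is under the LogFiles\SMTPSVC1 folder). An external IP that shows up in `suspicious_relays` is Simon's authenticated-relay case and the fix is the one he gives later in the thread (disable relaying for authenticated users, reset the guessed password); MAIL FROM lines from external IPs with no preceding successful AUTH would point at an open relay instead; and an NDR attack shows up as mail from postmaster@ rather than as relayed MAIL FROM at all.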
RE: Phishing Problem - 30.Apr.2008 12:42:24 PM
jcostantino (Posts: 8, Joined: 3.Apr.2007)
quote: ORIGINAL: Sembee
The compromised machine is in Italy on that IP address - not your network. Do you need authenticated relaying enabled? If you do not have any SMTP users (Outlook Express etc.) then you can turn it off. While blocking the specific settings that you have resolves the problem short term, it doesn't help long term to deal with the issue. There are only three ways that email can be sent through your server: open relay, authenticated relay, NDR attack. Just because your server passes the open relay tests doesn't mean that is the end of it. If another machine has been attacked, that could be relaying the email through your server. I don't think that is the problem here, as you have identified the external machine that is using your server. Simon.

We do not have any Outlook Express users. We have Exchange users and also OWA and a few OMA users. Will turning off authenticated relay affect this? How would I go about turning it off? What options would help fight off these attackers and yet not have any effect on our current setup? Joe
RE: Phishing Problem - 30.Apr.2008 3:57:30 PM
Sembee (Posts: 3503, Joined: 17.Jan.2008, From: Somewhere near London, UK)
If you do not have any SMTP users then you can turn off authenticated SMTP. It is not required for the correct operation of Exchange with Outlook, OWA, OMA and EAS clients. It is disabled in the relay settings of the SMTP virtual server. It says something like "All users who authenticate to relay, regardless of the list above". Disable the option and then restart the SMTP virtual server. Simon.
RE: Phishing Problem - 30.Apr.2008 4:42:07 PM
mdwasim (Posts: 242, Joined: 17.Apr.2007)
I think this will work for everyone, because for the last 7-8 days I have kept the "all authenticated users" option disabled and manually added the users who need to authenticate for Outlook Express in the "users" option. The best and easiest way is to create a security group like "auth_users" and add all these users to the users option. This will make it easy to give permissions to the required users. I will update whenever any issue arises. Thanks Simon for your inputs.