Phishing Problem






jcostantino -> Phishing Problem (24.Apr.2008 1:33:45 PM)

Hi all,

There seems to be a recurring problem that has been happening every few days for the past month or so. We are running Exchange 2003 SP2 and about 160 workstations. The problem is that all of a sudden there will be thousands of queued messages sitting in the ESM queue. In the Queue folder in the Exchsrv folder there are the thousands of messages. So what I have to do is stop the SMTP virtual server, delete all the messages in the queue, then start the SMTP virtual server back up and all is fine. The messages are showing as being from sender@email-ebay.com or something related to paypal.com. So my question is, how is this happening? Is there a virus on a client machine? I am pretty sure open relay is closed. If it is a virus on a computer, how can I pinpoint which PC it is coming from? If not, what should I be looking for? This seems to be happening once every 3 or 4 days. Thanks for any help or advice!





Sembee -> RE: Phishing Problem (27.Apr.2008 7:10:17 PM)

It will not be a problem with a client machine - I can almost guarantee that.
You are either an open relay, or an authenticated user attack. The first thing I would do is reset the administrator password and then restart the SMTP server service. Clean out the queues and then see what happens.

See this article on my web site: http://www.amset.info/exchange/spam-cleanup.asp

Simon.




jcostantino -> RE: Phishing Problem (28.Apr.2008 11:42:22 AM)

OK, I am checking out that site now, but I can guarantee that we are not an open relay. I went to a couple of sites that test for it and put in our Exchange server IP, and they all came back as unable to relay.

But I came in today and someone must have got access again. I came in to hundreds of queues and I saw a user connected in the virtual SMTP server. So I stopped the server and deleted the messages, then a couple of seconds later they came back again. After about 10 mins of doing this they finally stopped. A couple of hours later, same thing. I am trying to figure out how to block an IP on my firewall as we speak, but how is this person getting access if we are not an open relay?




Sembee -> RE: Phishing Problem (28.Apr.2008 12:47:48 PM)

You don't have to be an open relay for your server to be abused. If the server is exposed to the internet then it can be attacked.

http://www.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.




jcostantino -> RE: Phishing Problem (29.Apr.2008 9:40:22 AM)

Thanks for your help so far. Here is an update on the problem. I changed the admin password yesterday and I thought that seemed to have worked. But after I left I saw that the messages started again. So what I have come up with is that a user (217.118.0.121) is sending 2 messages with hundreds of people BCC'd. Sometimes he shows up in active connections but most of the time he doesn't. So would you say this is some sort of NDR attack? Is there still a chance that it could be an infected machine on the network, because there are about 160 computers on the network? How can I block this IP from the Exchange server? Or should I be doing something else to prevent this?

Thanks. 




Sembee -> RE: Phishing Problem (29.Apr.2008 12:30:20 PM)

The IP address is in Italy, so I suspect that it is a compromised machine.

After changing the password did you restart the SMTP server service?
Do you have any relay options enabled on the SMTP server? Local IP address for example?

If you were being abused as part of an NDR attack then the messages would appear in your queues as coming from postmaster@.

Simon.




jcostantino -> RE: Phishing Problem (29.Apr.2008 3:01:28 PM)

Yes, after changing the password I did stop and start the server. Under the Relay tab for the SMTP virtual server I have the option to allow only the list below; in that list are a couple of servers that have web services that email out things. The "allow all computers" check box is unchecked, and under the users section only authenticated users have the relay and submit permission.
I did enable Sender ID filtering and added 2 entries to the block list. I added *@217.118.0.121 and also support@email-nwolb.com, which was the address that was being spoofed. So far it has seemed to work. I haven't had any junk in the queue for about 6 hours now. But if you think it is a compromised machine, how would I go about figuring out which one it is?
Thanks
Joe




Sembee -> RE: Phishing Problem (29.Apr.2008 4:09:28 PM)

The compromised machine is in Italy on that IP address - not your network.

Do you need authenticated relaying enabled? If you do not have any SMTP users (Outlook Express etc) then you can turn it off.
While blocking the specific settings that you have resolves the problem short term, it doesn't help long term to deal with the issue.

There are only three ways that email can be sent through your server:
- open relay
- authenticated relay
- NDR attack.

Just because your server passes the open relay tests doesn't mean that is the end of it. If another machine has been attacked, that could be relaying the email through your server. I don't think that is the problem here as you have identified the external machine that is using your server.

Simon.
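A triage script for the open relay versus authenticated relay distinction Simon draws above, added here as an example and not part of the thread. It reads the SMTP virtual server's W3C-format protocol log and, per external client IP, reports whether an account authenticated (SMTP reply 235) before the server accepted recipients outside its own domains. The log excerpt, the internal ranges and the local domain corp.example are constructed assumptions; which columns actually appear depends on the fields enabled on the virtual server's Logging tab.

```python
import ipaddress
from collections import defaultdict

# Constructed W3C-style SMTP protocol log (not from the thread); column set is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-04-29 08:12:03 217.118.0.121 administrator AUTH - 235
2008-04-29 08:12:04 217.118.0.121 administrator MAIL +FROM:<support@email-nwolb.com> 250
2008-04-29 08:12:04 217.118.0.121 administrator RCPT +TO:<victim1@example.net> 250
2008-04-29 08:12:04 217.118.0.121 administrator RCPT +TO:<victim2@example.org> 250
2008-04-29 08:13:11 192.168.1.40 - RCPT +TO:<customer@example.com> 250
2008-04-29 08:14:01 203.0.113.9 - RCPT +TO:<joe@corp.example> 250
2008-04-29 08:14:02 203.0.113.9 - RCPT +TO:<outside@example.org> 550
"""
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]
LOCAL_DOMAINS = {"corp.example"}  # domains this server accepts mail for (assumed)

def parse_log(text):
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(None, len(fields) - 1)))

def classify_clients(text):
    """Per external client IP: authenticated account(s), accepted non-local recipients, verdict."""
    stats = defaultdict(lambda: {"auth_as": set(), "relayed": 0})
    for row in parse_log(text):
        st = stats[row["c-ip"]]
        if row["cs-method"] == "AUTH" and row["sc-status"] == "235":
            st["auth_as"].add(row["cs-username"])  # 235 = authentication succeeded
        elif row["cs-method"] == "RCPT" and row["sc-status"] == "250":
            domain = row["cs-uri-query"].rsplit("@", 1)[-1].rstrip(">")
            if domain not in LOCAL_DOMAINS:
                st["relayed"] += 1  # server accepted a recipient it will relay to
    result = {}
    for ip, st in stats.items():
        if any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            continue  # hosts expected on the SMTP virtual server's relay list
        if st["relayed"] == 0:
            verdict = "inbound only"
        elif st["auth_as"]:
            verdict = "authenticated relay"
        else:
            verdict = "open relay"
        result[ip] = dict(st, verdict=verdict)
    return result
```

An external IP with a verdict of "authenticated relay" points at the account named in auth_as, which is the password to reset before restarting the SMTP service; "open relay" with no authentication means the relay restrictions themselves need attention.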




mdwasim -> RE: Phishing Problem (29.Apr.2008 5:02:59 PM)

Hello Friends,

I am also having the same issue. I tried to figure it out but ended up cleaning the queue. This used to happen every 2-3 days, and I was also thinking some trojan or malware from a network system is getting authenticated access of whichever user's workstation it is and using the Exchange server to send out these emails. Till now I didn't find any solution for this. I get nothing in sessions under POP3 protocols.
This problem is still eating me up. Daily I need to keep a check on the queue as soon as I start my work and also before leaving. This is a kind of scheduled batch file running on me, lol.
It will be great if someone finds out what's going on over here.

Thanks again for your helpful replies.

Regards,
Wasim




Sembee -> RE: Phishing Problem (29.Apr.2008 5:40:48 PM)

It will not be a workstation on your network with the problem. BOTS do not work in that way: http://www.sembee.co.uk/archive/2008/03/13/73.aspx

Your server has been compromised - you are either an open relay, or a user account has been compromised - the usual target is administrator.

Simon.




jcostantino -> RE: Phishing Problem (30.Apr.2008 12:42:24 PM)

quote:

ORIGINAL: Sembee

The compromised machine is in Italy on that IP address - not your network.

Do you need authenticated relaying enabled? If you do not have any SMTP users (Outlook Express etc) then you can turn it off.
While blocking the specific settings that you have resolves the problem short term, it doesn't help long term to deal with the issue.

There are only three ways that email can be sent through your server
- open relay
- authenticated relay
- NDR attack.

Just because your server passes the open relay tests doesn't mean that is the end of it. If another machine has been attacked that could be relaying the email through your server. I don't think that is the problem here as you have identified the external machine that is using your server.

Simon.


We do not have any Outlook Express users. We have Exchange users and also OWA and a few OMA users. Will turning off Authenticated Relay affect this? How would I go about turning it off? What options would help fight off these attackers and yet not have any effect on our current setup?

Joe 




Sembee -> RE: Phishing Problem (30.Apr.2008 3:57:30 PM)

If you do not have any SMTP users then you can turn off authenticated SMTP. It is not required for the correct operation of Exchange with Outlook, OWA, OMA and EAS clients.

It is disabled on the relay settings of the SMTP virtual server. It says something like "All users who authenticate to relay, regardless of the list above". Disable the option and then restart the SMTP virtual server.

Simon.




mdwasim -> RE: Phishing Problem (30.Apr.2008 4:42:07 PM)

I think this will work for everyone, because for the last 7-8 days I have kept the all authenticated users option disabled and manually added the users who need to authenticate for using Outlook Express in the "users" option.
The best and easiest way is to create a security group like "auth_users" and add this in the users option. This will make it easy to give permissions to the required users.
I will update whenever any issue arises.

Thanks Simon for your inputs..



