Exchange Server Forums


Mass Sender attack

Mass Sender attack - 29.Mar.2012 9:22:03 AM   
defiantclass1
Posts: 218
Joined: 17.Jul.2006
Status: offline
Months ago we got infected by a mass sender attack which used our server to send mail. I thought I had things buttoned down pretty well but it still got in, installed, and started sending. While trying to clean it up, I was talking to guys at MX Toolbox. They explained that since I have to have port 80 open for mail to go through, and that was how the infection got to the server, there really wasn't anything I could do about it. I started using their service and our mail now goes through them first. They scrub it and then it comes to us. The problem is, it's several hundred dollars a month.

I don't think they are telling me a tale or anything, they do good work, but is there any way I can protect against this kind of problem on my own? I have a hardware firewall (Watchguard) and my Exchange is configured properly according to the best practices procedures I have learned here and other Exchange sources.

Is this a common problem? I mean, requiring this type of service as a protection method?

Thanks
Post #: 1
RE: Mass Sender attack - 29.Mar.2012 9:42:08 AM   
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Please confirm your facts.

Port 80 is HTTP and isn't a requirement for mail. It may be a requirement for something else installed on your Exchange server which may or may not be able to be moved to a different server.

Port 25 is SMTP and has to be open in order to send/receive mail. Having another system send mail through yours is typically caused by being an open relay. That is easily remedied by limiting the systems allowed to relay.

An external service is common and benefits you in a couple of key areas. External filtering cuts down the number of messages your systems have to process making them more efficient, and therefore cuts down your Internet bandwidth consumption.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to defiantclass1)
Post #: 2
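A way to verify the "not an open relay" claim from outside your own server, as an added example that is not code from this thread or from Microsoft: relay_check performs the MAIL FROM / RCPT TO probe an external relay tester runs, and reports whether the server accepted a recipient in a domain it does not host. The fake SMTP server, LOCAL_DOMAIN and the example.com-style addresses are constructed so the demo runs offline against loopback; an admin would point relay_check at their own MX instead.

```python
import smtplib
import socket
import threading

LOCAL_DOMAIN = "example.com"  # assumed: the only domain the server should accept mail for


def relay_check(host, port, recipient="relaytest@another.example"):
    # The probe an external relay tester runs: MAIL FROM an outside address, then
    # RCPT TO a domain the server does not host. 2xx means it would relay; 5xx means restricted.
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5) as smtp:
        smtp.ehlo()
        smtp.mail("probe@other.example")
        code, _reply = smtp.rcpt(recipient)
    return 200 <= code < 300


def _fake_smtp_server(listener, reject_relay):
    # Constructed stand-in for a mail server so the demo runs offline:
    # reject_relay=True mimics a correctly restricted server, False an open relay.
    conn, _addr = listener.accept()
    conn.sendall(b"220 fake.example.com ESMTP\r\n")
    with conn, conn.makefile("rb") as lines:
        for raw in lines:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                conn.sendall(b"250 fake.example.com\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                rcpt = line.split(":", 1)[1].strip().strip("<>").lower()
                if reject_relay and not rcpt.endswith("@" + LOCAL_DOMAIN):
                    conn.sendall(b"550 5.7.1 Unable to relay\r\n")
                else:
                    conn.sendall(b"250 2.1.5 Recipient OK\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break


def demo(reject_relay):
    # Start the fake server on a random loopback port and probe it with relay_check.
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    worker = threading.Thread(target=_fake_smtp_server, args=(listener, reject_relay))
    worker.start()
    result = relay_check("127.0.0.1", listener.getsockname()[1])
    worker.join(5)
    listener.close()
    return result  # False for the restricted server, True for the open relay
```

A real check should be run from a host outside your own network, since Exchange 2003 relay restrictions are typically granted by source IP and an internal address may be allowed to relay legitimately.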
RE: Mass Sender attack - 29.Mar.2012 9:50:52 AM   
defiantclass1
Posts: 218
Joined: 17.Jul.2006
Status: offline
You are correct, I meant port 25, sorry. I definitely am not an open relay. I've made sure of that. And I understand, and agree with, the other benefits you mentioned below but considering the cost they are benefits I could do without. But if I cannot do anything about these types of attacks, then I'll keep the service. That's why I'm asking, is there nothing else I can do?

(in reply to uemurad)
Post #: 3
RE: Mass Sender attack - 29.Mar.2012 10:10:04 AM   
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
I'm still trying to understand the nature of your original attack. It's difficult to propose a solution without completely understanding the problem. What were you told about the attack? Where did it get installed and how?

Viral payloads may be transported by SMTP (TCP25), but require some other action to activate (like a user opening an attachment or clicking on a link). Using a filter will reduce that likelihood by blocking viruses and trojans from reaching your users. That filter could be an external service, an on-site appliance, or an on-site application.

(in reply to defiantclass1)
Post #: 5
RE: Mass Sender attack - 29.Mar.2012 10:24:26 AM   
defiantclass1
Posts: 218
Joined: 17.Jul.2006
Status: offline
Yeah, you know, I wish I could answer all of that, but I really can't. One day I found out we were getting a lot of bounce-backs on our sent messages. They were being denied by recipient mail servers. I started looking into why and discovered my server was blacklisted. I started looking into why that was, and I was on the MX Toolbox site using their tools, and started talking to them. Together we started looking into it further and discovered a mass sender file running on my server. How it got there, I don't know. How it activated, I don't know. I just know that we fixed it and we started talking about how to avoid that happening in the future and now I am here.

If I'm not giving enough info it's because I don't have any more to give. I currently don't have a problem except I'm paying a lot of money and would rather not if I could avoid it. Hence the question to those who might know.

(in reply to uemurad)
Post #: 6
RE: Mass Sender attack - 29.Mar.2012 11:05:15 AM   
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
I completely understand your frustration.

In this day and age, you are taking a huge risk by not having some sort of AV system in place. You did not say if you had anything else currently in your environment to deal with viruses and spam.

Sorry - I don't have a specific recommendation because we don't have enough information about the problem. All I can offer is advice.

There are tradeoffs between in-house and external filtering. In-house requires operational support, and external requires repeated expenditures.

At this point in time, you're talking about a business decision. Your management must define the acceptable level of risk along with a budget for Email services, factoring in the importance to the business of Email communications with the outside world.

(in reply to defiantclass1)
Post #: 7
RE: Mass Sender attack - 29.Mar.2012 11:12:25 AM   
defiantclass1
Posts: 218
Joined: 17.Jul.2006
Status: offline
That's good, what I hear you saying is, it's a problem that needs to be dealt with one way or the other through some means of filtering or other solution on that level, be it in-house or external. One creates the need for internal manpower and software, the other creates subscription services. It's a matter of what works best for us as a company. And that really answers my question. I was just looking for something I might have overlooked or had not heard about that would help more easily and cheaply than what we are doing between our configuration and external services. But it sounds like what we're currently doing is not unreasonable.

Thanks a lot!!!

(in reply to uemurad)
Post #: 8
RE: Mass Sender attack - 29.Mar.2012 1:43:07 PM   
uemurad
Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
That's exactly what I am saying about the tradeoffs in choices. Also, if you eventually discover how the attack happened, that may cause you to rethink your decision.

Good luck!

(in reply to defiantclass1)
Post #: 9