Geekzone: technology news, blogs, forums
1277 posts

Uber Geek


Topic # 97539 16-Feb-2012 12:09

I have a server that looks like it is being used as a relay; its SMTP queue is full of spam (Nigerian scam letters).
It is NOT an open relay - I have tested.

Question: How do I find out what (or from where - internal or external) the messages are originating.
At the moment I am remote, but will be heading on site shortly (have to clear the decks to get there).
I have enabled message tracking (on full logging), but can't see anything helpful.
It looks like the attack has stopped (it happened overnight) but it is the second time in a week (different emails going out).

  

415 posts

Ultimate Geek

Trusted

Reply # 582309 16-Feb-2012 12:38

Possibly a hacked account. Are you using secure passwords? You could try looking on your firewall and block the subnet they are on.






415 posts

Ultimate Geek

Trusted

Reply # 582315 16-Feb-2012 12:46

Also disable the option to allow authenticated users to relay. Found under Server->servername->Protocols->SMTP right click default, Access tab, Relay restrictions.






401 posts

Ultimate Geek


Reply # 582316 16-Feb-2012 12:46

If you've got port 25 open to the world you should either:

1) Remove the tick from "Allow all computers which successfully authenticate to relay, regardless of the list above" from the Relay Restrictions screen on your Default SMTP Virtual Server.

2) If you don't want to do the above, ensure that all user accounts, including any built-in or test accounts, are secure. That means either setting good passwords on them or denying them relay access via permissions.
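The distinction Kraven draws is the whole problem in this thread: an "open relay" test only checks unauthenticated relaying, while the tick box lets any valid credentials relay from anywhere. The following added example (written for this page, not Exchange's own code) models that relay decision as a small function so the two configurations can be compared side by side. The RelayConfig fields, domain names and the 192.168.1.0/24 office subnet are assumptions; the external address is the one reported later in the thread.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified model of an SMTP virtual server's relay decision, written for this
# thread; it is not Exchange's own logic. The settings mirror the GUI: a list of
# allowed client subnets plus the "allow all computers which successfully
# authenticate to relay, regardless of the list above" tick box.
@dataclass
class RelayConfig:
    local_domains: set                                  # domains we accept inbound mail for
    allowed_nets: list = field(default_factory=list)    # e.g. ["192.168.1.0/24"] (assumed)
    authenticated_can_relay: bool = True                # the tick box; True is the risky setting

def relay_allowed(cfg, client_ip, authenticated, rcpt_domain):
    """Return True if a message from client_ip to rcpt_domain would be accepted."""
    if rcpt_domain.lower() in cfg.local_domains:
        return True      # mail for our own domains is delivery, not relay
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(n) for n in cfg.allowed_nets):
        return True      # client is on an explicitly listed subnet
    if authenticated and cfg.authenticated_can_relay:
        return True      # any valid account, from any address, may relay
    return False

# Assumed office setup: one local domain, one internal subnet.
WEAK = RelayConfig({"example.co.nz"}, ["192.168.1.0/24"], authenticated_can_relay=True)
HARDENED = RelayConfig({"example.co.nz"}, ["192.168.1.0/24"], authenticated_can_relay=False)

def open_relay_test(cfg):
    """The classic open-relay probe: unauthenticated external client, external recipient."""
    return relay_allowed(cfg, "36.37.236.43", False, "example.org")

def stolen_credentials_test(cfg):
    """Same external client, but logged in with a guessed or phished account."""
    return relay_allowed(cfg, "36.37.236.43", True, "example.org")

def office_client_test(cfg):
    """An unauthenticated PC on the office subnet sending to the outside world."""
    return relay_allowed(cfg, "192.168.1.23", False, "example.org")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "open relay:", open_relay_test(cfg),
              "stolen creds:", stolen_credentials_test(cfg),
              "office PC:", office_client_test(cfg))
```

Both configurations pass the open-relay probe, which is why testing for an open relay says nothing about this kind of abuse; only the hardened one refuses the external client that has a valid password, while office clients on the listed subnet keep working either way.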

gjm

499 posts

Ultimate Geek


Reply # 582331 16-Feb-2012 13:11

Also check that it isn't one of the PCs on the network trying to send it through the Exchange server.



1277 posts

Uber Geek


Reply # 582332 16-Feb-2012 13:11

Kraven: If you've got port 25 open to the world you should either:

1) Remove the tick from "Allow all computers which successfully authenticate to relay, regardless of the list above" from the Relay Restrictions screen on your Default SMTP Virtual Server.

2) If you don't want to do the above, ensure that all user accounts, including any built-in or test accounts, are secure. That means either setting good passwords on them or denying them relay access via permissions.


OK, I can do that. If I do 1), all authenticated users in the office will still be able to send mail, won't they?

415 posts

Ultimate Geek

Trusted

Reply # 582339 16-Feb-2012 13:19

trig42: all authenticated users in the office will still be able to send mail, won't they?


Yes, you should have the local subnet entered into the allowed addresses. Also, Outlook connected to Exchange uses a different mechanism to place messages in the queue.








1277 posts

Uber Geek


Reply # 582365 16-Feb-2012 13:53

I think I have narrowed it down, and it does not look like it is coming from inside the network.

In the message tracking log file, under client_hostname is the IP 36.37.236.43 and the partner_name is 'user'.

I wonder how 'user' got to be able to send mail? Does 'user' mean that the spammer is using the username/password of a 'user' on the network?

I have had everyone change their passwords to something more secure (too much wailing and gnashing of teeth!) and blocked that IP address from connecting to the server. The mail has stopped coming into the queue, so I will see how we go.
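The step trig42 took by hand here, reading client_hostname and partner_name out of the message tracking log to find where the spam was submitted from, is worth automating, because a burst like this usually lands overnight and the second incident in a week suggests it will happen again. The following added example (written for this page, not code from the original post or from Exchange) parses a tab-separated log, separates office clients from external ones by subnet, and reports external (client, account) pairs by submission volume. The column layout, the 192.168.1.0/24 office subnet and the sample log lines are constructed assumptions; only the field names client_hostname and partner_name and the external address come from the thread.

```python
import ipaddress
from collections import Counter, defaultdict

# Column layout assumed for this example (tab-separated). The field names
# client_hostname and partner_name come from the thread; the rest is made up
# and does not claim to match Exchange's real tracking log format.
FIELDS = ("date", "time", "client_hostname", "partner_name",
          "sender", "recipient", "subject")

# Constructed sample log: an overnight burst from the external address named in
# the thread, interleaved with ordinary office traffic and one damaged line.
SAMPLE_LOG = "\n".join([
    "# fields: " + " ".join(FIELDS),
    "2012-02-16\t02:11:05\t192.168.1.23\tjsmith\tjsmith@example.co.nz\tcustomer@example.com\tInvoice 1234",
    "2012-02-16\t02:11:09\t36.37.236.43\tuser\tjsmith@example.co.nz\tvictim1@example.org\tURGENT BUSINESS PROPOSAL",
    "2012-02-16\t02:11:10\t36.37.236.43\tuser\tjsmith@example.co.nz\tvictim2@example.org\tURGENT BUSINESS PROPOSAL",
    "2012-02-16\t02:11:12\t36.37.236.43\tuser\tjsmith@example.co.nz\tvictim3@example.net\tURGENT BUSINESS PROPOSAL",
    "2012-02-16\t08:30:00\t192.168.1.40\tmjones\tmjones@example.co.nz\tpartner@example.com\tRe: meeting",
    "2012-02-16\t09:02:17\t203.0.113.7\tbsmith\tbsmith@example.co.nz\tclient@example.com\tQuote",
    "garbled line without enough columns",
])

INTERNAL_NETS = ("192.168.1.0/24",)   # assumed office subnet

def parse_tracking_log(text):
    """Turn the tab-separated log into dicts, skipping comments and malformed rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue        # damaged or truncated line; ignore rather than misparse
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def is_internal(host, internal_nets=INTERNAL_NETS):
    """True only for a literal IP address inside one of the office subnets."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False        # a hostname, not an IP: not proven internal
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)

def suspicious_sources(rows, internal_nets=INTERNAL_NETS, min_messages=3):
    """External (client, account) pairs that submitted at least min_messages, busiest first."""
    counts = Counter()
    rcpts = defaultdict(set)
    for r in rows:
        if is_internal(r["client_hostname"], internal_nets):
            continue
        key = (r["client_hostname"], r["partner_name"])
        counts[key] += 1
        rcpts[key].add(r["recipient"])
    report = []
    for (client, account), n in counts.most_common():
        if n < min_messages:
            break           # most_common() is sorted, so nothing further qualifies
        report.append({"client": client, "account": account, "messages": n,
                       "distinct_recipients": len(rcpts[(client, account)])})
    return report

def block_list(report):
    """Client addresses to block at the firewall, deduplicated, busiest first."""
    seen = []
    for entry in report:
        if entry["client"] not in seen:
            seen.append(entry["client"])
    return seen

if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    report = suspicious_sources(rows)
    for entry in report:
        print(entry)
    print("block:", block_list(report))
```

The account column matters as much as the address: the same report tells you which credentials to reset or disable, and a single blocked IP is only a stopgap if the account behind it still relays from the next address the spammer uses.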

2432 posts

Uber Geek

Trusted
Subscriber

Reply # 582368 16-Feb-2012 13:56

trig42: I think I have narrowed it down, and it does not look like it is coming from inside the network.

In the message tracking log file, under client_hostname is the IP 36.37.236.43 and the partner_name is 'user'.

I wonder how 'user' got to be able to send mail? Does 'user' mean that the spammer is using the username/password of a 'user' on the network?

I have had everyone change their passwords to something more secure (too much wailing and gnashing of teeth!) and blocked that IP address from connecting to the server. The mail has stopped coming into the queue, so I will see how we go.


Sounds like there is a user account called "user" in your Active Directory which has an insecure password. Try disabling the account.







1277 posts

Uber Geek


Reply # 582372 16-Feb-2012 14:01

I looked for that. Can't find it. Might have a better look.

I think that the 'user' mentioned points more to the type of login (as opposed to Power User or Administrator).
