Server sending a bucketload of Spam (SBS2003

Forums › Microsoft Windows › Server sending a bucketload of Spam (SBS2003 - Exch SP2)

trig42

5809 posts

Uber Geek

ID Verified

#97539 16-Feb-2012 12:09

I have a server that looks like it is being used as a relay, it's SMTP queue is full of spam (Nigerian Scam letters).
It is NOT an open relay - I have tested.

Question: How do I find out what (or from where - internal or external) the messages are originating.
At the moment I am remote, but will be heading on site shortly (have to clear the decks to get there).
I have enabled message tracking (on full logging), but can't see anything helpful.
It looks like the attack has stopped (it happened overnight) but it is the second time in a week (different emails going out).

rhysb

435 posts

Ultimate Geek

Trusted

#582309 16-Feb-2012 12:38

Possibly a hacked account. Are you using secure passwords? You could try looking on your firewall and block the subnet they are on.

rhysb

435 posts

Ultimate Geek

Trusted

#582315 16-Feb-2012 12:46

Also disable the option to allow authenticated users to relay. Found under Server->servername->Protocols->SMTP right click default, Access tab, Relay restrictions.

Kraven

729 posts

Ultimate Geek

#582316 16-Feb-2012 12:46

If you've got port 25 open to the world you should either:

1) Remove the tick from "Allow all computers which successfully authenticate to relay, regardless of the list above" from the Relay Restrictions screen on your Default SMTP Virtual Server.

2) If you don't want to do the above, ensure that all user accounts, including any built-in or test accounts, are secure. That means either settings good passwords on them or denying them relay access via permissions.

gjm

808 posts

Ultimate Geek

#582331 16-Feb-2012 13:11

also check that it isnt one of the pc's on the network trying to send it through the exchange server

Do surveys for Beer money (referral link) - Octopus Group

Link for buying beer (not affiliated, just like beer) - Good George

trig42

5809 posts

Uber Geek

ID Verified

#582332 16-Feb-2012 13:11

Kraven: If you've got port 25 open to the world you should either:

1) Remove the tick from "Allow all computers which successfully authenticate to relay, regardless of the list above" from the Relay Restrictions screen on your Default SMTP Virtual Server.

2) If you don't want to do the above, ensure that all user accounts, including any built-in or test accounts, are secure. That means either settings good passwords on them or denying them relay access via permissions.

OK, I can do that. If I do 1), all authenticated users in the office will still be able to send mail wont they?

rhysb

435 posts

Ultimate Geek

Trusted

#582339 16-Feb-2012 13:19

trig42: all authenticated users in the office will still be able to send mail wont they?

Yes, you should have the local subnet entered into the allowed adresses. Also outlook connected to exchange uses a different mechanism to place mesaages in the queue.

trig42

5809 posts

Uber Geek

ID Verified

#582365 16-Feb-2012 13:53

I think I have narrowed it down, and it does not look like it is coming from inside the network.

In the message tracking log file, under client_hostname is the IP 36.37.236.43 and the partner_name is 'user'.

I wonder how 'user' got to be able to send mail? Does 'user' mean that it the spammer is using the username/password of a 'user' on the network?

I have had everyone change their passwords to something a more secure (to much wailing and gnashing of teeth!) and blocked that IP address from connecting to the server. The mail has stopped coming into the queue, so I will see how we go.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

Zeon

3916 posts

Uber Geek

Trusted

#582368 16-Feb-2012 13:56

trig42: I think I have narrowed it down, and it does not look like it is coming from inside the network.

In the message tracking log file, under client_hostname is the IP 36.37.236.43 and the partner_name is 'user'.

I wonder how 'user' got to be able to send mail? Does 'user' mean that it the spammer is using the username/password of a 'user' on the network?

I have had everyone change their passwords to something a more secure (to much wailing and gnashing of teeth!) and blocked that IP address from connecting to the server. The mail has stopped coming into the queue, so I will see how we go.

Sounds like there is a user account called "user" in your active directory which as an insecure password. Try disabling the account.

Speedtest 2019-10-14

trig42

5809 posts

Uber Geek

ID Verified

#582372 16-Feb-2012 14:01

I looked for that. Can't find it. Might have a better look.

I think that the 'user' mentioned points more to the type of login (as opposed to Power user or Administrator)