sbs server 2003 being spammed, please help

Forums › IT Pro and developers › sbs server 2003 being spammed, please help

gareth41

604 posts

Ultimate Geek
+1 received by user: 28

Topic # 58023 4-Mar-2010 18:39

im running sbs server 2003 with exchange, recently the system has been very slow and emails taking longer than usual to send, sometimes not at all untill system restart, they sit in the queue folder also. Looking at the exchange log I have found the following:

2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER09md6wUZLE0000a61a@XXXXXX.co.nz 0 0 2990 1 2010-3-4 3:24:35 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -

2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC RELAY AKLSERVER09 192.168.5.2 XXXX@aol.com 1031 AKLSERVER091KVHYS8Y0000a5f4@XXXXX.co.nz 0 0 2994 1 2010-3-4 3:24:29 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -

2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER09pqpEq8hZ0000a61b@XXXXX.co.nz 0 0 2994 1 2010-3-4 3:24:36 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -

2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC RELAY AKLSERVER09 192.168.5.2 XXXX@aol.com 1031 AKLSERVER09VhjNIjmM0000a616@XXXXXX.co.nz 0 0 2990 1 2010-3-4 3:24:33 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -

2010-3-4 4:17:15 GMT 41.130.3.209 olajide-PC - AKLSERVER09 192.168.5.2 XXXX@aol.com 1020 AKLSERVER090Qzfud7b0000a611@XXXX.co.nz 0 0 2993 1 2010-3-4 3:24:33 GMT 0 Version: 6.0.3790.3959 - - career.entry@cocacola.com -

Basicly there are hunders of entries like thisin the log, where emails are addresses to lots of different random email addresses at aol, hotmail, yahoo etc... the from address is always career.entry at cocacola dot com.

The computer name where the emails originate can vary, in this log its olajide-PC, at the beginning of the log its troojan-PC with an ip address also logged of 41.153.131.103.

Now problem is I just cant work out where these emails are comming from, im assuming someone of something is trying to use the exchange server as a spam distribution point, but cant work out how they are connecting in. I have double and triple checked the SMTP settings and all is secure, only local lan pc's and users who successfully authenticate are allowed to relay using the smtp server.

I have two possible scenarios as to why the server is being spammed, #1 one of the accounts have been compromised, #2 one of the local lan pc's is infected. Highly unlikely one of the lan pc's is infected given the ip address logged 41.153.131.103, also both the computer names "olajide-PC" and "troojan-PC" do not exist on the local network.

My next point of attack will be to analyse the smtp logs, because im assuming possibly one of the accounts have been compromised, there are test accounts currently existing which were used for testing purposes after the initial migration from the old server, these have weak passwords so possibly compromised, and also some of the exchange users have weak passwords, so may need to set a password policy and force them to change their passwords at next logon to domain.

gareth41

604 posts

Ultimate Geek
+1 received by user: 28

Reply # 304524 4-Mar-2010 19:29

somethings not right, and i mean with geekzone. my previous post is showing as being posted on the 3rd but its actually the 4th!, also not appearing at top of forum category after I posted initial post, probably because of date problem

ZollyMonsta

2661 posts

Uber Geek
+1 received by user: 222

Trusted

Reply # 304538 4-Mar-2010 19:57

It's showing as being posted on the 4th when I look at it :)

Check out my LPFM Radio Station at www.thecheese.co.nz

Regs

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted

Microsoft NZ

Subscriber

Reply # 304571 4-Mar-2010 20:54

ZollyMonsta: It's showing as being posted on the 4th when I look at it :)

ditto for me

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

Regs

Infrastructure Geek
4056 posts

Uber Geek
+1 received by user: 195

Trusted

Microsoft NZ

Subscriber

Reply # 304575 4-Mar-2010 21:04

regarding the dodgy emails.... a quick google returns some results that indicate that this probably some sort of scam email to phish for details for a possible identity theft. the IP addresses appear to be coming out of egypt and paris if the tracerts are anything to go by.

i would first recommend that you check to ensure that SMTP Relay is still disabled on your server, then put in some rules to block the specific IP addresses and especially the sender (career.entry@cocacola.com ) as it doesnt change.

you can test for relay online, abuse.net has a series of tests that can easily be run: http://www.abuse.net/relay.html

Technical Evangelist
Microsoft NZ
about.me/nzregs
Twitter: @nzregs

freitasm

BDFL - Memuneh
60771 posts

Uber Geek
+1 received by user: 11663

Administrator

Trusted

Geekzone

Lifetime subscriber

Reply # 304583 4-Mar-2010 21:31

gareth41: somethings not right, and i mean with geekzone. my previous post is showing as being posted on the 3rd but its actually the 4th!, also not appearing at top of forum category after I posted initial post, probably because of date problem

It shows at the top of the forum - I've moved it to IT Pro, since you posted in the wrong forum. As for the date, go to your profile page and adjust your timezone.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management |

gareth41

604 posts

Ultimate Geek
+1 received by user: 28

Reply # 304584 4-Mar-2010 21:34

I think I have found the cause, a user account with username "temp" and password "temp" was in the active directory, I assume this was used to authenticate on the SMTP server, ip 41.153.131.103 was authenticating as "temp" and then sending its spam. im assuming a bot has initially connected to the SMTP and tried a dictionary attack of common usernames and passwords to find the "temp" account and its password.

Just goes to show that when a server is made active on the internet, strong passwords need to be used, and also an account lockout policy to kick in after a set number of invalid authentication attempts, also non used accounts should disabled untill they are needed again, or deleted if not needed.

amanzi

851 posts

Ultimate Geek
+1 received by user: 68

Trusted

Reply # 304612 4-Mar-2010 22:36

Even with a username and password, nobody should be able to relay off your SMTP server from the internet. Did you try the link that Regs sent you above? That will tell you if your server is an open relay or not. Also, make sure that you keep up to date with all server patches - an unpatched Windows server accessible from the internet is a dangerous thing. What ports do you have open to your server?

gareth41

604 posts

Ultimate Geek
+1 received by user: 28

Reply # 304618 4-Mar-2010 22:59

thanks, have tried the link, no relays accepted so SMTP appears secure, have also disabled SMTP authentication from the internet, so the only connections the SMTP will accept now are from the LAN subnet, or computers connected thru VPN. and of course email can still be sent using outlook web access and from the iphones syncing with exchange.

The ports open are:
TS 3389
Web 80
https 443
FTP 21
ftp data 20
pop3 110
smtp 25
vnc 5900
pptp vpn 1723

if users need to send email remotely, they have a few options, outlook web access, using iphone on exchange, or connecting thru vpn and then connecting with outlook to the exchange server.

should I be closing the pop3 port? im assuming all email thats sent and receieved by the exchange server is thru the SMTP? pop3 is just used for standard pop3 access using an email client like outlook express right?

amanzi

851 posts

Ultimate Geek
+1 received by user: 68

Trusted

Reply # 304624 4-Mar-2010 23:13

Your're right, you shouldn't need POP3 unless you want people to be able to download emails with Outlook Express. But that's *really* a bad idea as the entire protocol is unencrypted. Do you need port 80 open - most SBS servers don't. And I would rather connect via the VPN first and then remote onto the server, so you should be able to close 3389 and 5900 too. Same goes for FTP - do you need this?

As for the SMTP relay - on a typical SBS box, the only client that needs to relay is itself. In other words, no other computers should need to relay off your SBS server, unless you have printers or other devices which specifically need a host to relay off. So I would set the SMTP server to only accept relays from itself, and (only if required) any other specific devices you need.

You should try to aim to keep the number of open ports to a SBS server to a minimum, so in most cases you can get away with 25, 443, and 1723.

gareth41

604 posts

Ultimate Geek
+1 received by user: 28

Reply # 304642 5-Mar-2010 00:39

thanks for the advice, there is one printer which can scan to email, this printer is using the smtp so will allow this printer only and also the sbs server to relay to itself, will block all others. as for pop3 110 will block this too and also the rdp port 3389. port 80 is open for the company website, the website is hosted on the sbs server using iis. ftp and ftpdata are open to allow the webdesigner access. there is a user called "webuser" for ftp access and has been banned from logging onto the domain, using exchange, and performing a number of other functions.

If i set up a virtual machine with linux and apache etc... could this be used for port 80 instead of iis? possibly also set up ftp access to the virtual machine ip instead for the webdesigner.

amanzi

851 posts

Ultimate Geek
+1 received by user: 68

Trusted

Reply # 304643 5-Mar-2010 00:53

Ideally you should have as few open ports as possible to your SBS box. Does the website need to be hosted on your SBS box? If not, why not host your website with a professional web hosting company and let them worry about the security of it? There is lots you can/should do differently to secure your SBS box, but for now I would recommend that you make sure you're running all the latest patches and service packs for *all* software installed on the box, and you should run the MBSA tool over the server to look for weaknesses.

quandum

204 posts

Master Geek
+1 received by user: 5

Reply # 309991 22-Mar-2010 22:26

Additionally may I recommend, all email addresses on the public website be replaced with graphics of the address, instead of text.

I would love to change the world, but they won't give me the source code

#BOFH