I am having this serious problem that I need help with ASAP. I am having a spam relay problem. Someone is in our email system sending a ton of spam. I first noticed it 2 days ago. There were about a thousand messages in the queues. I killed outbound email and SMTP connections. I then wiped the queues out, which was a pain in the a$$. Then I started to look for the problem. Here is what I have found.
Relay is on, with only one internal IP allowed to relay, which is a MFD.
The “Allow all computers which successfully authenticate relay…” is unchecked.
Under relay users there was “Authenticated Users” (I think that is what it said. I just removed it) and I were listed with submit and relay allow checked.
There were only 3 critical updates that were not installed, so I did so.
I ran MS Baseline on it and it only found a few minor things.
Guest is disabled.
I have caught 2 spammers in the SMTP connections. The first one I will call the smart spammer because he does small loads of spam. Usually he does 100-200 messages every 4 hours or so. I think if it was just him I might have never noticed. Then there is the stupid spammer. He is new from what I can tell from the logs. He is sending tons of ***** as fast as our mail server will take it. He is the one that made the mail server choke and that’s when I noticed. Now for the part that REALLY has me concerned. The two times I have seen him in the SMTP connections it shows the user as being Technocrat. Now our network doesn’t have a user name Technocrat on it, it has my real name. I know user on that screen is the server name and not a user. But come on. I guess it could be just a coincidence, but it’s got me really freaked out.
But somehow they are still getting in. My best guess is they must have someone’s username and password. I need help really desperately. We have a couple of high powered users that need to have the ability to relay. So having it off is not an option.
My next thought is to just add the users that need to do relaying and see if that fixes it. But I really want to know how they are getting in.
So I need some suggestions on what to do?
I also need to know if there is a log somewhere for when someone logs in to do relay. I want to know if they are using a user name and password, which one it is so I can fix it.
ANY HELP is welcomed.
MSVS 6, .NET & .NET 2003 Pro
I HATE MSDN with .NET & .NET 2003!!!
Check out my sites:
http://www.filthyhands.com
http://www.techno-coding.com
Well I guess you need to find out whether this spammer is coming from the inside or the outside.
You mentioned that only one internal IP is allowed to relay - if the SMTP server is doing its job and you have secured all other methods of entry then this host may have been hijacked by the spammer via a trojan allowing him to make a connection to the SMTP server through the trusted host.
Anyhow, what you need to do is find exactly where this connection is coming from and every server it has been through - once you've done that you will then be able to find the weakness and hopefully plug it in. One way of doing this is to check the received headers in the spam - this will contain the IP address of all the SMTP servers the mail has been relayed through and more importantly the IP address of the host that sent the mail.
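One way to pull that originating IP out of a copy of the spam (for example a message saved from the queue or a bounce), added here as an example and not part of the original reply. It uses a constructed sample message; the hostname after "from" can be forged by the sender, so only the bracketed IP the receiving server recorded is trusted.

```python
import re
from email import message_from_string

# Constructed sample of a spam message relayed through a corporate server
# (not taken from the thread). Each server prepends its own Received header,
# so the first header is the final hop and the last one is the origin.
SAMPLE = """Received: from mail.example-corp.invalid (mail.example-corp.invalid [192.0.2.10])
\tby mx.recipient.invalid with ESMTP id abc123; Tue, 1 Mar 2005 05:02:11 -0500
Received: from [203.0.113.77] (helo=winbox)
\tby mail.example-corp.invalid with SMTP; Tue, 1 Mar 2005 05:01:58 -0500
From: nobody@example.invalid
To: victim@recipient.invalid
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw_message):
    """Return [(sending_ip, receiving_host), ...] with the origin first."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())            # unfold continuation lines
        from_part, _, rest = hdr.partition(" by ")
        by_host = rest.split()[0] if rest else "?"
        m = IPV4.search(from_part)             # bracketed IP is what the MTA saw
        hops.append((m.group(1) if m else "?", by_host))
    hops.reverse()                             # newest header is on top
    return hops

def origin_ip(raw_message):
    """IP of the host that first handed the message to a relay, or None."""
    hops = received_hops(raw_message)
    return hops[0][0] if hops else None

if __name__ == "__main__":
    for ip, host in received_hops(SAMPLE):
        print("%-16s -> %s" % (ip, host))
    print("origin:", origin_ip(SAMPLE))
```

If the origin IP is one of your own hosts rather than an outside address, the relay is happening through a machine on your network, which is the hijacked-host case described above.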
I am not sure how to look at a header of an email that does not come to you. If you could help me out there I will look.
The SMTP logs show that the email is being relayed I am pretty sure. It shows a connection from the outside sending an email to someone outside of the network. The SMTP log does show the IP address of the sender and it mapped back to an ISP in China. So I am PRETTY sure but not positive about that. But when the MFD was installed I had to add its IP to the relay so it would send email. Until that was done it would just error out.
Also when I removed the users from the relay setup it appears to have stopped. I will know better in the next few days because the smart spammer doesn't try anything till 5am my time.
Turn outgoing authentication on. This will force the users who relay through your server to first logon via the method you have set up before the SMTP server will queue messages to be sent.
I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)
10.0.0.1 is NT1, which is the backend Exchange Server & PDC.
10.0.0.28 is my laptop, which I am doing some development on and I've needed to test relaying e-mail.
Microsoft MVP : Visual Developer - Visual Basic [2004-2005]
From your machine, telnet to your exchange system on port 25.
Type in :
EHLO
<<< you'll receive some hello settings
MAIL FROM: [email protected]
<<< should receive an OK
RCPT TO: [email protected]
<<< if relaying is disabled, you'll receive a relay error.
Let me know what happens...
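The same EHLO / MAIL FROM / RCPT TO exchange scripted against your own server, added here as an example and not part of the original post. The host and addresses are placeholders, and it stops before DATA so nothing is ever queued; passing auth=(user, password) repeats the probe inside an authenticated session, which is the path the "authenticated users" relay setting controls.

```python
import smtplib
import sys

def classify_rcpt(code):
    """Turn the RCPT TO reply code into a relay verdict (RFC 2821 code classes)."""
    if code == 250:
        return "relay accepted"
    if code in (550, 551, 553, 554):
        return "relay denied"
    if 400 <= code < 500:
        return "temporarily refused"
    return "unexpected reply %d" % code

def relay_probe(host, port=25, mail_from="probe@example.invalid",
                rcpt_to="nobody@external.invalid", auth=None, timeout=10):
    """Replay EHLO / MAIL FROM / RCPT TO and stop before DATA, so nothing is queued.
    auth=(user, password) runs the same probe inside an authenticated session."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if auth:
            if smtp.has_extn("starttls"):   # keep the password off the wire if offered
                smtp.starttls()
                smtp.ehlo()
            smtp.login(*auth)
        mail_code, _ = smtp.mail(mail_from)
        rcpt_code, rcpt_msg = smtp.rcpt(rcpt_to)
        smtp.rset()                         # abandon the transaction cleanly
        return {"mail": mail_code, "rcpt": rcpt_code,
                "verdict": classify_rcpt(rcpt_code),
                "detail": rcpt_msg.decode(errors="replace")}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder host
    print("unauthenticated:", relay_probe(target))
    # "relay accepted" here, with no login having happened, means an open relay.
```

Run it once unauthenticated and once per account you re-add to the relay list: the unauthenticated run should report "relay denied", and an account that returns "relay accepted" without you expecting it is one to reset.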
I don't have a connector so I don't have those first settings.
I don't have the allow all users check box checked.
I also never was a relay according to most online relay checkers. Which makes this seem like there is a hole in my security somewhere.
I also only re-added 4 users to the relay. Thus far no spammers. But it's only been about 1 1/2 days since it's been set.
So the best I can figure is they must have an account they can use somewhere. I can't figure it out. There are no test, user, or guest accounts. There are admin and administrator accounts but they have a password that is hard to break and impossible to guess.
If I can figure out a way to monitor how the spammer authenticates, then I would turn everyone back on and see what happens.