
Thread: Exchange & Relay HELP ASAP

  1. #1

    Thread Starter
    Frenzied Member Technocrat's Avatar
    Join Date
    Jan 2000
    Location
    I live in the 1s and 0s of everyones data streams
    Posts
    1,024

    Exchange & Relay HELP ASAP

    I am having this serious problem that I need help with ASAP. I am having a spam relay problem. Someone is in our email system sending a ton of spam. I first noticed it 2 days ago. There were about a thousand messages in the queues. I killed outbound email and SMTP connections. I then wiped the queues out, which was a pain in the a$$. Then I started to look for the problem. Here is what I have found.

    Relay is on, with only one internal IP allowed to relay, which is an MFD.
    The “Allow all computers which successfully authenticate relay…” is unchecked.
    Under relay users there was “Authenticated Users” (I think that is what it said. I just removed it) and I were listed with submit and relay allow checked.
    There were only 3 critical updates that were not installed, so I did so.
    I ran MS Baseline on it and it only found a few minor things.
    Guest is disabled.

    I have caught 2 spammers in the SMTP connections. The first one I will call the smart spammer because he does small loads of spam. Usually he does 100-200 messages every 4 hours or so. I think if it was just him I might have never noticed. Then there is the stupid spammer. He is new from what I can tell from the logs. He is sending tons of ***** as fast as our mail server will take it. He is the one that made the mail server choke and that’s when I noticed. Now for the part that REALLY has me concerned. The two times I have seen him in the SMTP connections it shows the user as being Technocrat. Now our network doesn’t have a user name Technocrat on it, it has my real name. I know user on that screen is the server name and not a user. But come on. I guess it could be just a coincidence, but it’s got me really freaked out.

    But somehow they are still getting in. My best guess is they must have someone’s username and password. I need help really desperately. We have a couple of high powered users that need to have the ability to relay. So having it off is not an option.

    My next thought is to just add the users that need to do relaying and see if that fixes it. But I really want to know how they are getting in.

    So I need some suggestions on what to do?
    I also need to know if there is a log somewhere for when someone logs in to do relay. I want to know if they are using a user name and password, which one it is so I can fix it.

    ANY HELP is welcomed.
    MSVS 6, .NET & .NET 2003 Pro
    I HATE MSDN with .NET & .NET 2003!!!

    Check out my sites:
    http://www.filthyhands.com
    http://www.techno-coding.com


  2. #2
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906
    Well I guess you need to find out whether this spammer is coming from the inside or the outside.

    You mentioned that only one internal IP is allowed to relay - if the SMTP server is doing its job and you have secured all other methods of entry then this host may have been hijacked by the spammer via a trojan allowing him to make a connection to the SMTP server through the trusted host.

    Anyhow, what you need to do is find exactly where this connection is coming from and every server it has been through - once you've done that you will then be able to find the weakness and hopefully plug it. One way of doing this is to check the Received headers in the spam - these will contain the IP address of all the SMTP servers the mail has been relayed through and, more importantly, the IP address of the host that sent the mail.

    Hope this helps and good luck with sorting it.
    PHP || MySql || Apache || Get Firefox || OpenOffice.org || Click || Slap ILMV || 1337 c0d || GotoMyPc For FREE! Part 1, Part 2

    | PHP Session --> Database Handler * Custom Error Handler * Installing PHP * HTML Form Handler * PHP 5 OOP * Using XML * Ajax * Xslt | VB6 Winsock - HTTP POST / GET * Winsock - HTTP File Upload

    Latest quote: crptcblade - VB6 executables can't be decompiled, only disassembled. And the disassembled code is even less useful than I am.

    Random VisualAd: Blog - Latest Post: When the Internet becomes Electricity!!


    Spread happiness and joy. Rate good posts.
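    A way to do what visualAd describes in code, as an added example that is not part of this thread: it parses every Received header of a spam sample (a constructed message, using documentation addresses and host names) into a hop list and pulls out the IP of the client that handed the message to your own server. Only the Received line written by your own server is trustworthy; anything below it came from the sending client and can be forged, which is why `peer_seen_by` keys on the `by` host rather than simply taking the bottom hop.

```python
"""Trace the relay chain in a spam sample from its Received headers.

Added example (not from the thread). The message below is constructed; the
host names and 192.0.2.x / 198.51.100.x addresses are documentation ranges.
Only Received lines written by your own server can be trusted: anything
below them was supplied by the sending client and may be forged.
"""
import email
import ipaddress
import re
from typing import Dict, List, Optional

# Each Received line reads "from <peer> ... by <this host> ...". The hop list is in
# header order, i.e. newest hop first, so the bottom hop is the earliest one.
HOP_RE = re.compile(r"\bfrom (?P<from>[^\s;,()]+).*?\bby (?P<by>[^\s;,()]+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _first_ip(text: str) -> Optional[str]:
    """Return the first syntactically valid IPv4 address in text, if any."""
    for candidate in IP_RE.findall(text):
        try:
            return str(ipaddress.IPv4Address(candidate))
        except ValueError:
            continue
    return None


def received_hops(raw: bytes) -> List[Dict[str, Optional[str]]]:
    """Parse every Received header into {from, by, ip}; newest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(value)).strip()   # unfold continuation lines
        m = HOP_RE.search(value)
        # Look for the peer's address only in the "from ..." part, before " by ".
        from_part = value.split(" by ", 1)[0]
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "ip": _first_ip(from_part),
        })
    return hops


def peer_seen_by(hops: List[Dict[str, Optional[str]]], our_host: str) -> Optional[str]:
    """IP of the client that handed the message to our_host.

    That hop was written by our own server, so its 'from' address is the one
    worth checking in the SMTP logs and relay settings."""
    for hop in hops:
        if hop["by"] and hop["by"].lower() == our_host.lower():
            return hop["ip"]
    return None


# Constructed spam sample as it might come back in an abuse report: the
# recipient's MX got it from mail.example.test, which got it from 198.51.100.77.
# The bottom Received line was supplied by the spammer's client and proves nothing.
SAMPLE = b"""Received: from mail.example.test ([192.0.2.25]) by mx.remote.example
\t(Postfix) with ESMTP id 8F2A1; Mon, 12 Jul 2004 05:02:11 +0000
Received: from pc-12 ([198.51.100.77]) by mail.example.test with
\tMicrosoft SMTPSVC(6.0.3790.0); Mon, 12 Jul 2004 05:02:09 +0000
Received: from unknown (HELO friend) (10.9.8.7) by pc-12; Mon, 12 Jul 2004 05:01:50 +0000
From: "Lucky Winner" <winner@example.test>
To: victim@example.net
Subject: constructed spam sample

(body omitted)
"""

if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']}")
    print("client that used our server:", peer_seen_by(hops, "mail.example.test"))
```

    For a real sample, paste the full message source (headers included) into `SAMPLE` and set `our_host` to the name your Exchange server writes into its own Received line; the address it returns is the one to look for in the SMTP logs.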

  3. #3

    Thread Starter
    Frenzied Member Technocrat's Avatar
    Join Date
    Jan 2000
    Location
    I live in the 1s and 0s of everyones data streams
    Posts
    1,024
    I am not sure how to look at a header of an email that does not come to you. If you could help me out there I will look.

    The SMTP logs show that the email is being relayed, I am pretty sure. It shows a connection from the outside sending an email to someone outside of the network. The SMTP log does show the IP address of the sender and it mapped back to an ISP in China. So I am PRETTY sure but not positive about that. But when the MFD was installed I had to add its IP to the relay so it would send email. Until that was done it would just error out.

    Also when I removed the users from the relay setup it appears to have stopped. I will know better in the next few days because the smart spammer doesn't try anything till 5am my time.


  4. #4
    Frenzied Member Ideas Man's Avatar
    Join Date
    Aug 2002
    Location
    Australia
    Posts
    1,718
    Turn outgoing authentication on. This will force the users who relay through your server to first logon via the method you have set up before the SMTP server will queue messages to be sent.
    I use Microsoft Visual Basic 2005. (Therefore, most code samples I provide will be based around the .NET Framework v2.0, unless otherwise specified)

  5. #5

    Thread Starter
    Frenzied Member Technocrat's Avatar
    Join Date
    Jan 2000
    Location
    I live in the 1s and 0s of everyones data streams
    Posts
    1,024
    Where might I find that?


  6. #6
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    Are you using NAT on your network? Does your inbound mail come through one particular router, or does it all come straight through to your server?
    Microsoft MVP : Visual Developer - Visual Basic [2004-2005]

  7. #7

    Thread Starter
    Frenzied Member Technocrat's Avatar
    Join Date
    Jan 2000
    Location
    I live in the 1s and 0s of everyones data streams
    Posts
    1,024
    Basic Authentication was on. So was Integrated Windows Authentication.



    We are, but the mail address is static.

    Email comes through a PIX, to a cisco router, to the exchange server.


  8. #8
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    Compare your Exchange settings to ours:

  9. #9
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    10.0.0.1 is NT1, which is the backend Exchange Server & PDC.
    10.0.0.28 is my laptop, which I am doing some development on and I've needed to test relaying e-mail.


  10. #10
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    From your machine, telnet to your exchange system on port 25.
    Type in :

    EHLO
    <<< you'll receive some hello settings
    MAIL FROM: [email protected]
    <<< should receive an OK
    RCPT TO: [email protected]
    <<< if relaying is disabled, you'll receive a relay error.

    Let me know what happens...
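    The telnet exchange plenderj describes, scripted as an added example (not code from the thread): it sends EHLO, MAIL FROM and RCPT TO for a recipient outside the domains the server accepts mail for, and reads the reply codes so the result is a yes/no rather than something you eyeball. The two reply transcripts are constructed (one server answering "550 5.7.1 Unable to relay", one accepting the recipient), so the check runs offline; `run_live` does the same over a real socket to a host you name, which should be your own Exchange server. The host names and addresses are placeholders from the documentation ranges.

```python
"""The EHLO / MAIL FROM / RCPT TO relay test from the post above, scripted.

Added example, not code from the thread. The two reply transcripts are
constructed; run_live() opens a real connection to a host you name (meant
for your own Exchange server).
"""
import socket
from typing import Any, Callable, Dict, List, Tuple


def read_reply(recv_line: Callable[[], str]) -> Tuple[int, str]:
    """Read one SMTP reply; '250-...' lines continue until a '250 ' line (RFC 5321)."""
    lines: List[str] = []
    while True:
        line = recv_line()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(lines[-1]) < 4 or lines[-1][3] != "-":
            break
    return int(lines[-1][:3]), "\n".join(lines)


def relay_check(send_line: Callable[[str], None], recv_line: Callable[[], str],
                helo_name: str, mail_from: str, rcpt_to: str) -> Dict[str, Any]:
    """Drive the exchange and report whether the server relayed for us.

    rcpt_to must be in a domain the server does NOT accept mail for; 250 on that
    RCPT TO means an unauthenticated client can relay through the server."""
    result: Dict[str, Any] = {"relay_allowed": None, "steps": []}
    code, banner = read_reply(recv_line)                  # 220 greeting
    if code != 220:
        result["error"] = f"unexpected banner: {banner}"
        return result
    script = [
        (f"EHLO {helo_name}", {250}),
        (f"MAIL FROM:<{mail_from}>", {250}),
        (f"RCPT TO:<{rcpt_to}>", {250, 251}),
    ]
    for cmd, ok_codes in script:
        send_line(cmd + "\r\n")
        code, text = read_reply(recv_line)
        result["steps"].append((cmd[:4], code, text))
        if code not in ok_codes:
            if cmd.startswith("RCPT"):
                result["relay_allowed"] = False           # e.g. "550 5.7.1 Unable to relay"
            else:
                result["error"] = f"{cmd} rejected: {text}"
            break
    else:
        result["relay_allowed"] = True
    send_line("QUIT\r\n")
    return result


class ScriptedPeer:
    """Offline stand-in for the server: hands back a fixed list of replies."""
    def __init__(self, replies: List[str]) -> None:
        self._replies = list(replies)
        self.received: List[str] = []                     # what the client sent

    def send(self, line: str) -> None:
        self.received.append(line.strip())

    def recv(self) -> str:
        return self._replies.pop(0) if self._replies else ""


# Constructed transcripts. SECURED refuses the external recipient; OPEN accepts it.
SECURED_REPLIES = [
    "220 mail.example.test Microsoft ESMTP MAIL Service ready",
    "250-mail.example.test Hello [192.0.2.10]", "250-SIZE", "250 OK",
    "250 2.1.0 tester@example.test....Sender OK",
    "550 5.7.1 Unable to relay for victim@example.net",
]
OPEN_REPLIES = SECURED_REPLIES[:-1] + ["250 2.1.5 victim@example.net"]


def run_scripted(replies: List[str]) -> Dict[str, Any]:
    peer = ScriptedPeer(replies)
    return relay_check(peer.send, peer.recv, "tester.example.test",
                       "tester@example.test", "victim@example.net")


def run_live(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, Any]:
    """Same test over a real socket; the recipient domain is a documentation domain."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rw", encoding="ascii", newline="")
        def send(line: str) -> None:
            f.write(line)
            f.flush()
        return relay_check(send, f.readline, socket.getfqdn(),
                           "postmaster@example.test", "relaytest@example.net")


if __name__ == "__main__":
    for name, replies in (("secured", SECURED_REPLIES), ("open", OPEN_REPLIES)):
        print(name, run_scripted(replies)["relay_allowed"])
```

    Note that this only tests the unauthenticated path from wherever you run it. Run it from outside the network as well as from the LAN, because a server can correctly refuse relay from the Internet and still relay for any internal address, which is the situation described earlier in this thread.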

  11. #11
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    I just checked for you, and your server is not acting as a relay at present.

  12. #12

    Thread Starter
    Frenzied Member Technocrat's Avatar
    Join Date
    Jan 2000
    Location
    I live in the 1s and 0s of everyones data streams
    Posts
    1,024
    I don't have a connector so I don't have those first settings.



    I don't have the allow all users check box checked.

    I also never was a relay according to most online relay checkers. Which makes this seem like there is a hole in my security somewhere.

    I also only re-added 4 users to the relay. Thus far no spammers. But it's only been about 1 1/2 days since it's been set.

    So the best I can figure is they must have an account they can use somewhere. I can't figure it out. There are no test, user, or guest accounts. There are admin and administrator accounts but they have a password that is hard to break and impossible to guess.

    If I can figure out a way to monitor how the spammers authenticate, then I would turn everyone back on and see what happens.
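    The monitoring Technocrat asks for in this post and in #3 (which account a relaying client authenticated as, and which outside addresses relayed without authenticating) can be answered from the SMTP protocol log. The following is an added example, not code from the thread or from Microsoft: it reads W3C-style log lines and groups them by client IP into sessions. The log layout is a simplified, constructed one (the `#Fields:` line names the columns; the real layout depends on which fields the server is configured to log) and it assumes the authenticated account name is written into `cs-username` after a successful AUTH (status 235). The internal network and local domains are placeholders.

```python
"""Classify SMTP sessions from a W3C-style protocol log by relay behaviour.

Added example, not from the thread. The log lines, network ranges and domain
names are constructed; the column layout is an assumption named in the
'#Fields:' line and must be matched to what your server actually logs.
"""
import ipaddress
import re
from typing import Dict, List

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our LAN
LOCAL_DOMAINS = {"example.test"}                          # domains we accept mail for

# Constructed log. Three clients: an outside host that authenticates as jsmith and
# relays, an inside host (the MFD) relaying without auth, and an outside host whose
# relay attempt is refused but whose local delivery is accepted.
LOG_LINES = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2004-07-12 05:01:40 203.0.113.9 - EHLO +friend 250
2004-07-12 05:01:41 203.0.113.9 - AUTH +LOGIN 334
2004-07-12 05:01:42 203.0.113.9 jsmith AUTH - 235
2004-07-12 05:01:43 203.0.113.9 jsmith MAIL +FROM:<winner@example.test> 250
2004-07-12 05:01:44 203.0.113.9 jsmith RCPT +TO:<a@example.net> 250
2004-07-12 05:01:44 203.0.113.9 jsmith RCPT +TO:<b@example.org> 250
2004-07-12 05:02:09 192.0.2.40 - EHLO +pc-40 250
2004-07-12 05:02:10 192.0.2.40 - MAIL +FROM:<bob@example.test> 250
2004-07-12 05:02:10 192.0.2.40 - RCPT +TO:<c@example.net> 250
2004-07-12 05:03:00 198.51.100.77 - EHLO +x 250
2004-07-12 05:03:01 198.51.100.77 - MAIL +FROM:<spam@example.com> 250
2004-07-12 05:03:01 198.51.100.77 - RCPT +TO:<d@example.net> 550
2004-07-12 05:03:02 198.51.100.77 - RCPT +TO:<e@example.test> 250
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per line, keyed by the #Fields names."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rcpt_domain(query: str) -> str:
    """Pull the domain out of a logged '+TO:<user@domain>' argument ('' if absent)."""
    m = re.search(r"<[^@>]+@([^>]+)>", query)
    return m.group(1).lower() if m else ""


def relay_report(rows: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per client IP: how it relayed (if at all) and which account it used."""
    sessions: Dict[str, Dict[str, object]] = {}
    for r in rows:
        s = sessions.setdefault(r["c-ip"], {
            "internal": is_internal(r["c-ip"]), "auth_user": None,
            "relayed": [], "refused": []})
        method, status = r["cs-method"].upper(), r["sc-status"]
        if method == "AUTH" and status == "235":        # 235 = authentication succeeded
            s["auth_user"] = r["cs-username"]
        elif method == "RCPT":
            dom = rcpt_domain(r["cs-uri-query"])
            if dom and dom not in LOCAL_DOMAINS:         # only non-local recipients are relays
                (s["relayed"] if status == "250" else s["refused"]).append(dom)
    report = {}
    for ip, s in sessions.items():
        if s["relayed"] and not s["internal"]:
            kind = "authenticated-relay" if s["auth_user"] else "open-relay"
        elif s["relayed"]:
            kind = "internal-relay"                       # expected for the MFD's address
        elif s["refused"]:
            kind = "relay-refused"
        else:
            kind = "inbound-only"
        report[ip] = {"kind": kind, "account": s["auth_user"],
                      "relayed": len(s["relayed"]), "refused": len(s["refused"])}
    return report


if __name__ == "__main__":
    for ip, info in relay_report(parse_log(LOG_LINES)).items():
        print(f"{ip:<16} {info['kind']:<20} account={info['account']} "
              f"relayed={info['relayed']} refused={info['refused']}")
```

    An `authenticated-relay` entry from an outside address names the account whose password to reset; an `open-relay` entry means the server relayed with no authentication at all and the relay restrictions themselves need looking at; `internal-relay` entries should only ever be the addresses you deliberately allowed, such as the MFD.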


  13. #13
    Retired VBF Adm1nistrator plenderj's Avatar
    Join Date
    Jan 2001
    Location
    Dublin, Ireland
    Posts
    10,359
    Don't use authentication for outbound SMTP. Your server doesn't appear to be relaying at the moment anyway.
