From: Chaplain Doug on 1 Apr 2010 14:44

I have identified some kind of attack or infected workstation that is placing emails into queues in my Exchange Server. They all come from the same sender (securizza(a)bpr.it) and are directed to multiple foreign recipients. It has the appearance of relaying through our Exchange Server, although all the settings in Exchange server are set to not allow another domain to relay to other domains through our server.

Until I can track down how this is happening, is there a way for me to set up Exchange Server to detect this sender (or his domain) and never even process the messages into a queue? Any help will be GREATLY appreciated. Thanks
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org
From: Chaplain Doug on 1 Apr 2010 14:50

I read this on a site that experienced the same spam issue with the same source: "Mail server emitting phish spam. Likely abused using SMTP AUTH authentication through an account whose password was guessed or stolen by criminals." Is there a way for me to determine which account this spammer is using to gain access to our Exchange queues?
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org

"Chaplain Doug" wrote:
> I have identified some kind of attack or infected workstation that is placing emails into queues in my Exchange Server. They all come from the same sender (securizza(a)bpr.it) and are directed to multiple foreign recipients. It has the appearance of relaying through our Exchange Server, although all the settings in Exchange server are set to not allow another domain to relay to other domains through our server.
>
> Until I can track down how this is happening, is there a way for me to set up Exchange Server to detect this sender (or his domain) and never even process the messages into a queue? Any help will be GREATLY appreciated. Thanks
> --
> Dr. Doug Pruiett
> Good News Jail & Prison Ministry
> www.goodnewsjail.org
From: Rich Matheisen [MVP] on 1 Apr 2010 21:39

On Thu, 1 Apr 2010 11:50:17 -0700, Chaplain Doug <ChaplainDoug(a)discussions.microsoft.com> wrote:
> I read this on a site that experienced the same spam issue with the same source:
>
> "Mail server emitting phish spam. Likely abused using SMTP AUTH authentication through an account whose password was guessed or stolen by criminals."
>
> Is there a way for me to determine which account this spammer is using to gain access to our Exchange queues?

Is there a need for you to have your server used as an SMTP relay by anyone? If not, just stop allowing authenticated users to relay.

If you know the sender's email address, and you're running Exchange 2003, and you collect the needed information in the SMTP log files, you'll find the AUTH command and the base64-encoded user name in the log files.

If you look at that application event log you should see the authentications in there, too. If not, turn up the diagnostics logging a notch.
---
Rich Matheisen
MCSE+I, Exchange MVP
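Rich's pointer to the AUTH command in the SMTP log is the practical lead here. The Python reader below is an added example, not code from this thread or from Microsoft: it walks a W3C-format SMTP log, decodes only the base64 username of each AUTH (never the password) and ties it to the MAIL FROM that followed, so the account being abused to send as securizza@bpr.it can be named. The log lines are constructed, and the column set, the '+' written for spaces and the '-' method on the AUTH LOGIN reply lines are assumptions to check against a real SMTPSVC1 log.

```python
import base64, binascii

# Constructed sample in the W3C extended layout an Exchange 2003 SMTP virtual server
# writes under SMTPSVC1 (columns trimmed; IIS logs a space inside a field as '+').
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2010-04-01 13:02:11 203.0.113.7 - SMTPSVC1 AUTH LOGIN 334
2010-04-01 13:02:12 203.0.113.7 - SMTPSVC1 - ZXhhbXBsZVxqc21pdGg= 334
2010-04-01 13:02:12 203.0.113.7 - SMTPSVC1 - cGFzc3dvcmQxMjM= 235
2010-04-01 13:02:13 203.0.113.7 jsmith SMTPSVC1 MAIL +FROM:<securizza@bpr.it> 250
2010-04-01 13:05:40 198.51.100.9 - SMTPSVC1 AUTH PLAIN+AGFsaWNlAGh1bnRlcjI= 235
2010-04-01 13:05:41 198.51.100.9 alice SMTPSVC1 MAIL +FROM:<alice@example.test> 250
"""

def parse_w3c(text):
    """Yield each record as a dict keyed by the names on the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))
def _b64(blob):
    try:
        return base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None

def auth_sessions(text):
    """One record per AUTH seen; passwords are never decoded (LOGIN: username reply only, PLAIN: authcid only)."""
    sessions, by_ip, awaiting_user = [], {}, {}
    for row in parse_w3c(text):
        ip, cmd, arg = row["c-ip"], row["cs-method"], row["cs-uri-query"]
        if cmd == "AUTH":
            mech, _, blob = arg.partition("+")          # "LOGIN" or "PLAIN+<base64>"
            sess = by_ip[ip] = {"ip": ip, "mechanism": mech.upper(), "username": None, "mail_from": None}
            sessions.append(sess)
            if mech.upper() == "PLAIN" and (raw := _b64(blob)) and raw.count(b"\0") >= 2:
                sess["username"] = raw.split(b"\0")[1].decode("utf-8", "replace")  # authzid\0authcid\0pw
            elif mech.upper() == "LOGIN":
                awaiting_user[ip] = sess                 # base64 username arrives on the next line
        elif cmd == "-" and ip in awaiting_user:        # assumed layout of the AUTH LOGIN replies
            raw = _b64(arg)
            awaiting_user.pop(ip)["username"] = raw.decode("utf-8", "replace") if raw else None
        elif cmd == "MAIL" and ip in by_ip:             # "+FROM:<addr>" -> "addr"
            by_ip[ip]["mail_from"] = arg.lstrip("+").split(":", 1)[-1].strip("<>").lower()
    return sessions
def accounts_sending_as(text, sender):
    return sorted({s["username"] for s in auth_sessions(text)
                   if s["username"] and s["mail_from"] == sender.lower()})
```

Sessions are keyed by client IP, so concurrent connections from one address would be conflated; check a real log's #Fields: header and the exact layout of its AUTH reply lines before trusting the result.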
From: Chaplain Doug on 2 Apr 2010 07:46

Thanks Rick for all your replies to my recent queries. How would I get to the SMTP logs if they exist? How would I find out what logging is enabled in Exchange?
--
Dr. Doug Pruiett
Good News Jail & Prison Ministry
www.goodnewsjail.org

"Rich Matheisen [MVP]" wrote:
> On Thu, 1 Apr 2010 11:50:17 -0700, Chaplain Doug <ChaplainDoug(a)discussions.microsoft.com> wrote:
>
> > I read this on a site that experienced the same spam issue with the same source:
> >
> > "Mail server emitting phish spam. Likely abused using SMTP AUTH authentication through an account whose password was guessed or stolen by criminals."
> >
> > Is there a way for me to determine which account this spammer is using to gain access to our Exchange queues?
>
> Is there a need for you to have your server used as an SMTP relay by anyone? If not, just stop allowing authenticated users to relay.
>
> If you know the sender's email address, and you're running Exchange 2003, and you collect the needed information in the SMTP log files, you'll find the AUTH command and the base64-encoded user name in the log files.
>
> If you look at that application event log you should see the authentications in there, too. If not, turn up the diagnostics logging a notch.
> ---
> Rich Matheisen
> MCSE+I, Exchange MVP
From: Rich Matheisen [MVP] on 2 Apr 2010 19:45

On Fri, 2 Apr 2010 04:46:01 -0700, Chaplain Doug <ChaplainDoug(a)discussions.microsoft.com> wrote:
> Thanks Rick for all your replies to my recent queries. How would I get to the SMTP logs if they exist? How would I find out what logging is enabled in Exchange?

If you haven't changed the location of the log files or the number of SMTP Virtual Servers, a simple way to get there is to "Start | Run | logfiles | Enter". From there you'll see a directory named SMTPSVC1. Your log files will be in there.

The SMTP logging is managed from the property page of the SMTP protocol in the Exchange System Manager.
---
Rich Matheisen
MCSE+I, Exchange MVP