
I have a client that is running SBS 2003 Std. and they have some sort of mass mailer that is spamming mail. We are running the most current defs. of Vipre anti-virus, we are not set up as a relay, we changed the administrator password, and recipient filtering is turned on. All the emails are from postmaster@domain.org. I know this smells like a reverse DNS attack or directory harvesting, but we have GFI Mail Essentials running and it is not showing thousands of inbound messages, only thousands of outbound messages. They have been blacklisted once and I have cleared them off, and I have been keeping an eye on the mail queue to keep them from getting blacklisted again. I really need some help; I don't know what else can be done to solve this issue!

msindle (question edited by EEAA)
  • Get thee to another antivirus vendor, or scan for malware using another tool. –  May 31 '11 at 05:06
  • I've scanned all the computers and server with Malwarebytes and superantispyware – msindle May 31 '11 at 05:12
  • I'd seriously consider disconnecting the box while you deal with this - no need to ruin their reputation or annoy spam victims further. Other than that, I'd wonder if an account has been compromised, so the mail appears to be legit to your checks. – Rob Moir May 31 '11 at 05:25
  • I have it narrowed down to 6 computers (the 6 that were on this weekend). This is a medical clinic, and the 6 computers listed are 1 Electronic Medical Record Server, 1 AD Server, 4 desktops. I can't take the EMR or AD server offline, but I don't have any reason to believe that they have been compromised. Everyone in the domain is a user, with admin privileges on their local computer. They shouldn't be allowed to send mail out except through the mail server...right? – msindle May 31 '11 at 05:32
  • @msindle: I'd avoid leaving your users as local administrators on their workstations. Like Evan Anderson said below: tell your firewall to drop outbound TCP 25 from the entire subnet except your SBS box, watch the firewall logs for source IPs on your network getting dropped on TCP 25 and there's your culprit. – gravyface May 31 '11 at 09:41
  • You're talking about a medical clinic, where personal patient data is handled, and users are local admins? *boggle* - that's just asking for trouble :-( – Rob Moir May 31 '11 at 10:08

2 Answers

3

It's unclear to me what you're seeing.

I'd turn on "Message Tracking" in Exchange if it's not already enabled (see http://support.microsoft.com/kb/246856) and verify that the Exchange Server is or isn't the source of the messages.

I'd stick a rule in the edge firewall to deny outbound connections on TCP port 25 except from the Exchange Server computer. That really should be a standard-issue firewall rule in every LAN-- only authorized mail servers should be talking to the Internet via TCP port 25.

If the messages really are coming from Exchange then Message Tracking ought to give you some leads to track down the source. I suspect you've got a rogue SMTP mailer running on one of the PCs, though. The firewall rule should stop that and, assuming your firewall can do some logging, should show you which PC is sourcing the traffic.

Evan Anderson
  • +1 another reason why I like anti-spam gateway services vs. in-house software. You can set them as your smarthost and enable _outbound_ filtering as well in case your Exchange box does get compromised. – gravyface May 31 '11 at 09:37
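Both answers (and gravyface's comment above) come down to the same egress control: only the Exchange box may open outbound TCP 25, everything else on the LAN is denied, and the firewall's drop log then names the infected PC. The following is an added worked example, not code from any poster or from any firewall vendor: it encodes that policy as a function and runs it over a few constructed log lines to rank the offending hosts. The log layout (`src= dst= proto= dport=` fields), the LAN range `192.168.10.0/24` and the mail server address `192.168.10.5` are all assumptions made up for the example; a real firewall's log format will differ and only the regex needs to change.

```python
"""Triage outbound TCP/25 attempts in edge-firewall logs.

Added example. The log layout, addresses and sample lines below are constructed
for illustration and do not come from the thread or from any firewall product.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical LAN and SBS/Exchange server address (assumptions for the example).
LAN = ip_network("192.168.10.0/24")
MAIL_SERVER = ip_address("192.168.10.5")

# Constructed firewall log lines in a generic syslog-like layout.
# Two workstations are trying to talk SMTP to the Internet directly.
SAMPLE_LOG = """\
May 31 05:01:12 edge-fw DROP src=192.168.10.44 dst=203.0.113.9 proto=TCP dport=25
May 31 05:01:13 edge-fw DROP src=192.168.10.44 dst=198.51.100.20 proto=TCP dport=25
May 31 05:01:15 edge-fw ACCEPT src=192.168.10.5 dst=203.0.113.9 proto=TCP dport=25
May 31 05:01:16 edge-fw DROP src=192.168.10.44 dst=203.0.113.77 proto=TCP dport=25
May 31 05:01:20 edge-fw ACCEPT src=192.168.10.12 dst=203.0.113.9 proto=TCP dport=443
May 31 05:01:22 edge-fw DROP src=192.168.10.61 dst=198.51.100.20 proto=TCP dport=25
May 31 05:01:25 edge-fw ACCEPT src=192.168.10.5 dst=198.51.100.20 proto=TCP dport=25
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Extract the connection tuple from one log line; None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "action": m["action"],
        "src": ip_address(m["src"]),
        "dst": ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def egress_allowed(src, dport, proto="TCP"):
    """The policy from the answers: only the mail server may open outbound TCP/25.
    Everything else (other ports, other protocols) is outside this rule's scope."""
    if proto == "TCP" and dport == 25:
        return src == MAIL_SERVER
    return True


def find_rogue_smtp_sources(log_text):
    """Return {src_ip: attempt_count} for LAN hosts other than the mail server that
    tried to reach TCP/25 outside the LAN.

    The logged action is deliberately ignored: before the deny rule exists the
    attempts show up as ACCEPT, afterwards as DROP, and either way the source
    address is the machine to go and look at."""
    offenders = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] not in LAN or rec["dst"] in LAN:
            # Only LAN-originated traffic leaving the LAN is relevant here;
            # a workstation submitting to the internal Exchange server is fine.
            continue
        if egress_allowed(rec["src"], rec["dport"], rec["proto"]):
            continue
        offenders[str(rec["src"])] += 1
    return dict(offenders)


if __name__ == "__main__":
    for host, count in sorted(find_rogue_smtp_sources(SAMPLE_LOG).items(),
                              key=lambda kv: -kv[1]):
        print(f"{host}: {count} outbound TCP/25 attempt(s)")
```

On the sample input this reports `192.168.10.44` (3 attempts) and `192.168.10.61` (1 attempt); the mail server's own connections and the HTTPS line are ignored. Running the same triage over a day of real logs after the deny rule is in place is exactly the "watch the firewall logs ... and there's your culprit" step, and the policy function doubles as a quick check that a proposed rule set really exempts nothing but the Exchange box.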
1

Your question is a bit unclear: You say "they have some sort of mass mailer that is spamming mail". I assume you mean that it is unintentional. Is that mail all going through the server (check the queues, and is that an Exchange 2003 Server)? It is also not clear if those 6 client computers are spamming through the Exchange Server, or if they are sending directly to port 25.

I have seen Exchange 2003, fully patched, technically configured correctly, still have holes that allowed relays. Later patches fix them, but don't count on that now. I would definitely be planning on moving to SBS 2011 even if you don't do it immediately.

I am with the other guys: I have a firewall rule that ONLY lets the mail server send on port 25 outbound, and an explicit deny rule for all others. So even if you get a spam-sending virus on every PC, they can't send directly, and your ISP and the world do not hate you. This is all easier to do if you have a very good IP scheme in place; otherwise, you may have to make multiple rules. It sounds like you are infected somehow even if you have not found it yet.

To expound on what gravyface said, a service like Google's Postini can replace your current local filters very cheaply. All the mail comes in and goes out through them, and is scanned for SPAM/viruses. Then you can allow port 25 in ONLY from Google's servers on your firewall, so there is no way to be relayed through unless Google ever screws up somehow. This also has the benefit that if you don't have a secondary MX record, as some small companies don't, all the mail goes to Google's 4 servers they give you MX records for, and even if your server is down, the mail queues up until your server gets back on-line.

KCotreau