
For the past couple of days, at certain intervals, a huge load of email is dumped on my Exchange 2003 server and relayed out until it gets blacklisted everywhere.

Nothing like this happened for many years and I don't think the server is an open-relay. Online tests on the web say it's not, and the configurations are as follows:

  • On the SMTP properties window, Access tab, Relay button: "Only the list below" is checked, the list is empty, and "Allow all computers which successfully authenticate to relay" is checked.
  • On the Authentication button, all three authentication options are enabled.

I need this server to relay messages from the internal network to the outside, but I also need it to relay messages from internal users on devices outside the network to the outside, and I also need external servers to send email to internal users, so I don't see how I can restrict those settings further.

I suspected that it was either an internal PC that got infected, or a user account that got compromised and is being used from the outside. I looked through the logs and it appears that the communication is coming from the outside, so I thought the latter was true; however, I can't seem to identify the user that was used to authenticate from the logs, so that I can change their password.

I thought I enabled all relevant logging fields and this is what I got:

2013-06-15 07:10:54 201.211.238.228 User MyServerName 192.168.0.1 EHLO - +User 250 0 304 9 2250 - -
2013-06-15 07:10:55 201.211.238.228 User MyServerName 192.168.0.1 MAIL - +FROM:<publicitysec@bp.com> 250 0 44 31 0 - -
2013-06-15 07:10:55 201.211.238.228 User MyServerName 192.168.0.1 RCPT - +TO:<matolinka@yahoo.com> 250 0 32 29 0 - -
2013-06-15 07:10:56 201.211.238.228 User MyServerName 192.168.0.1 DATA - <MyServerNameQFvW0000000b@mx.mydomain.com> 250 0 122 1452 797 - -
2013-06-15 07:10:56 201.211.238.228 User MyServerName 192.168.0.1 QUIT - User 240 5343 58 4 0 - -

The email in the from field is not an internal domain.

So, my primary question would be how to identify the culprit. A secondary question would be if I should be configuring relaying differently, so these problems wouldn't happen.

Smig
  • Their IP address 201.211.238.228 was given right there, so it's pretty clear you're inadvertently allowing open relay from outside. – Michael Hampton Jun 15 '13 at 17:10
    @MichaelHampton - It looks to me like the OP probably has a legitimate user connecting to Exchange externally, authenticating, and relaying spam because his or her computer is infected. Based on what the OP stated I don't think it's an issue of being an open relay I think it's a case of authenticated relaying, which is what would happen if a legitimate user connected from the outside with their email client via POP/SMTP. – joeqwerty Jun 15 '13 at 18:50
  • @joeqwerty There's no evidence of a user login here. – Michael Hampton Jun 15 '13 at 19:07
  • User authentication won't show up in the SMTP log that I'm aware of or have ever seen in Exchange Server 2003. – joeqwerty Jun 15 '13 at 20:14
    @joeqwerty Oh, in that case... that IP address is a server somewhere in Venezuela running an ancient version of PHP and phpMyAdmin. It's probably thoroughly compromised. Sorry, this still looks like an open relay situation. It's highly unlikely to be the OP's authenticated user. – Michael Hampton Jun 15 '13 at 21:55
  • @MichaelHampton Thanks for your comments. Why do you think it's highly unlikely to be authenticated relaying? Don't you think that the configurations I provided, plus the fact that no online test can relay, makes it unlikely to be an open relay? If it is an open relay despite these things, how do you think I can fix it? Thanks again. – Smig Jun 17 '13 at 09:57
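The comments above disagree on whether the posted session is an unauthenticated relay or an authenticated one, and the question itself is how to tell from the log. The script below is an added example, not part of the original question, its comments, or any Exchange tooling. It triages Exchange 2003 SMTP virtual server protocol log lines (W3C extended format) per client IP: it counts messages accepted with DATA, counts recipients outside the server's own domain, and records whether an AUTH command was seen in that client's session. Everything it assumes is labelled: the 16-column field order is inferred from the five lines posted in the question (check the #Fields: header of your own log), RFC 1918 ranges are treated as internal, mydomain.com is taken as the only local domain, AUTH is assumed to be logged as its own line, and an account name is assumed to appear in the cs-username column only after a successful AUTH. The sample log reuses the posted session and adds three constructed sessions (an internal sender, an external authenticated sender, and inbound mail) to show how each case is classified.

```python
"""Triage of Exchange 2003 SMTP protocol logs (W3C extended format).

Added example; column layout is an ASSUMPTION inferred from the lines posted in the
question. Compare with the #Fields: header of the real log before relying on it.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed column order: the 16 space-separated fields seen in the posted lines.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "s-ip",
          "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
          "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
          "cs-version", "cs-host"]
# Assumption: RFC 1918 space is the internal network; mydomain.com is the only local domain.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LOCAL_DOMAINS = {"mydomain.com"}


def parse_line(line):
    """Return a field dict for one log line, or None for #comments / blank / short lines."""
    parts = line.strip().split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def address_domain(query):
    """Domain of a logged '+FROM:<a@b>' / '+TO:<a@b>' query, lower-cased ('' for <>)."""
    addr = query.split("<", 1)[-1].rstrip(">")
    return addr.rpartition("@")[2].lower()


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def verdict(st):
    """Separate the two cases debated in the comments for one client IP."""
    if st["external_rcpts"] == 0:
        return "inbound or local delivery only"
    if st["internal"]:
        return "internal host relaying outbound (check it for malware if volume is abnormal)"
    if st["auth_seen"]:
        return "authenticated relay from outside: reset the account's password"
    return "relay from outside with no AUTH: open-relay indicator"


def analyze(log_text, local_domains=LOCAL_DOMAINS):
    """Per client IP: accepted messages, external recipients, AUTH seen, names, verdict."""
    stats = defaultdict(lambda: {"messages": 0, "external_rcpts": 0, "auth_seen": False,
                                 "auth_names": set(), "internal": True})
    session = defaultdict(lambda: {"auth": False, "ext_rcpts": 0})  # state until QUIT
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, status = rec["c-ip"], rec["cs-method"].upper(), rec["sc-status"]
        st, ss = stats[ip], session[ip]
        st["internal"] = is_internal(ip)
        if method == "AUTH":                       # assumption: AUTH logged as its own line
            ss["auth"] = st["auth_seen"] = True
        elif method == "RCPT" and status == "250":
            if address_domain(rec["cs-uri-query"]) not in local_domains:
                ss["ext_rcpts"] += 1
        elif method == "DATA" and status == "250":  # one message accepted for relay/delivery
            st["messages"] += 1
            st["external_rcpts"] += ss["ext_rcpts"]
            ss["ext_rcpts"] = 0
            if ss["auth"] and rec["cs-username"] != "-":  # assumption: account name here after AUTH
                st["auth_names"].add(rec["cs-username"])
        elif method == "QUIT":
            session.pop(ip, None)
    for st in stats.values():
        st["verdict"] = verdict(st)
    return dict(stats)


# Constructed sample: the posted session (201.211.238.228) plus three made-up sessions.
SAMPLE_LOG = """\
2013-06-15 07:10:54 201.211.238.228 User MyServerName 192.168.0.1 EHLO - +User 250 0 304 9 2250 - -
2013-06-15 07:10:55 201.211.238.228 User MyServerName 192.168.0.1 MAIL - +FROM:<publicitysec@bp.com> 250 0 44 31 0 - -
2013-06-15 07:10:55 201.211.238.228 User MyServerName 192.168.0.1 RCPT - +TO:<matolinka@yahoo.com> 250 0 32 29 0 - -
2013-06-15 07:10:56 201.211.238.228 User MyServerName 192.168.0.1 DATA - <MyServerNameQFvW0000000b@mx.mydomain.com> 250 0 122 1452 797 - -
2013-06-15 07:10:56 201.211.238.228 User MyServerName 192.168.0.1 QUIT - User 240 5343 58 4 0 - -
2013-06-15 07:30:00 192.168.0.50 PC01 MyServerName 192.168.0.1 EHLO - +PC01 250 0 304 9 0 - -
2013-06-15 07:30:00 192.168.0.50 PC01 MyServerName 192.168.0.1 MAIL - +FROM:<alice@mydomain.com> 250 0 44 31 0 - -
2013-06-15 07:30:01 192.168.0.50 PC01 MyServerName 192.168.0.1 RCPT - +TO:<bob@example.net> 250 0 32 29 0 - -
2013-06-15 07:30:01 192.168.0.50 PC01 MyServerName 192.168.0.1 DATA - <id1@mx.mydomain.com> 250 0 122 900 10 - -
2013-06-15 07:30:01 192.168.0.50 PC01 MyServerName 192.168.0.1 QUIT - PC01 240 0 58 4 0 - -
2013-06-15 08:00:01 203.0.113.7 laptop MyServerName 192.168.0.1 EHLO - +laptop 250 0 304 9 0 - -
2013-06-15 08:00:01 203.0.113.7 laptop MyServerName 192.168.0.1 AUTH - LOGIN 334 0 18 10 0 - -
2013-06-15 08:00:02 203.0.113.7 MYDOMAIN\\jsmith MyServerName 192.168.0.1 MAIL - +FROM:<jsmith@mydomain.com> 250 0 44 31 0 - -
2013-06-15 08:00:02 203.0.113.7 MYDOMAIN\\jsmith MyServerName 192.168.0.1 RCPT - +TO:<victim@example.org> 250 0 32 29 0 - -
2013-06-15 08:00:03 203.0.113.7 MYDOMAIN\\jsmith MyServerName 192.168.0.1 DATA - <id2@mx.mydomain.com> 250 0 122 700 10 - -
2013-06-15 08:00:03 203.0.113.7 MYDOMAIN\\jsmith MyServerName 192.168.0.1 QUIT - laptop 240 0 58 4 0 - -
2013-06-15 08:05:00 198.51.100.9 mx.example.com MyServerName 192.168.0.1 MAIL - +FROM:<news@example.com> 250 0 44 31 0 - -
2013-06-15 08:05:00 198.51.100.9 mx.example.com MyServerName 192.168.0.1 RCPT - +TO:<alice@mydomain.com> 250 0 32 29 0 - -
2013-06-15 08:05:01 198.51.100.9 mx.example.com MyServerName 192.168.0.1 DATA - <id3@mx.mydomain.com> 250 0 122 500 10 - -
"""

if __name__ == "__main__":
    for ip, st in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["external_rcpts"]):
        names = ",".join(sorted(st["auth_names"])) or "-"
        print(f"{ip:16} msgs={st['messages']} ext_rcpts={st['external_rcpts']} "
              f"auth={st['auth_seen']} names={names} :: {st['verdict']}")
```

Run it against a real log with `analyze(open(path).read())` and sort by `external_rcpts`; the IPs at the top are the relay sources. An outside IP with a large count and no AUTH line in any of its sessions is the open-relay case the first commenter describes; an outside IP that does show AUTH points at a credential to reset. The posted session, as the sample shows, has no AUTH line at all between EHLO and MAIL, which is the evidence the comments are arguing about.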

0 Answers