
Recently I began receiving AOL spam feedback reports from our Exchange server. As I investigated I found that hundreds of spam messages were being relayed through our Exchange server, although I am having trouble figuring out why.

The tracking log shows the receive and send SMTP events for each spam message originating from an IP address whose reverse lookup points to Washington DC.

It appears that they are hitting our server between 2am and 4am every other night, hitting different domains each night as well.

The spam is an image pulled from a Russian site. The sender and recipient address are the same so that the user is tricked into opening it.

I checked our receive connectors and our send connector configuration and everything seems to be configured properly. I ran an open relay check from MXtools and it passed. I used an SMTP tool to attempt to relay a message and I could not, unless I authenticated. As an authenticated user I was able to relay a message from an external address to an external address.

This leads me to believe the spammer is connecting via an authenticated user SMTP session. However I have absolutely no idea how to look through Exchange logs to see what user they authenticated as, or even how they were able to relay the message through Exchange.

Can anyone shed any light on this?

Benjamin
  • Your Exchange server is sending "AOL spam feedback reports"? What pray tell are "AOL spam feedback reports"? This sounds like backscatter, not relaying. – joeqwerty Jul 31 '13 at 00:04
  • You can increase your logging level on your SMTP connector and Receive connector to know for sure. What kind of spam filtering software are you using on your Exchange server to help prevent this kind of activity (spam image from .ru site)? – TheCleaner Jul 31 '13 at 00:07
  • Hey joeqwerty. Sorry, let me elaborate. I am receiving email abuse reports from scomp@aol.com. When an AOL user marks a message as spam (complaint), we receive a notice. Lately I have been seeing dozens of abuse reports. http://postmaster.aol.com/Postmaster.FeedbackLoop.php – Benjamin Jul 31 '13 at 04:25
  • TheCleaner. Yes, I have enabled verbose logging on both send and receive connectors. I believe the spammer may use our servers again tonight, so hopefully there will be some evidence tomorrow! – Benjamin Jul 31 '13 at 04:26

1 Answer


You should have 2 or 3 receive connectors. One should have no authentication options checked, operate on port 25 and be bound to your external IP address for receiving incoming mail. The second one should be bound to an internal-only IP address on port 25 and/or 587 with authentication required and restricted to whitelisted internal IPs or IP ranges, for use by internal devices and services like scanners and monitoring software. The third is optional and runs on port 587, requires authentication and TLS and is bound to an external IP for use by your employees outside your perimeter.

Now, since the first receive connector only allows anonymous connections it will automatically prohibit relaying. This will solve your problem, especially if you don't enable the third connector I mentioned.

longneck
  • Yes, we have 4 receive connectors. [Default]: Port 25 bound to external internet-facing IP address. Checked: TLS, TLS Basic Auth, Exchange server auth, Integrated Windows auth; Permission Groups: Anonymous, Exchange users, Exchange servers, Legacy Exchange Servers. [Client]: port 587 bound to external internet-facing IP address, TLS, TLS Basic Auth, Integrated Windows authentication, Permission Groups: Exchange Users. And 2 device-specific internal IP relays. Is it a problem that we auth on port 25 as well? – Benjamin Jul 31 '13 at 04:34
  • Yes, that's part of your problem. If your servers are relaying messages using compromised credentials then you can stop that from happening by unchecking everything except TLS and Anonymous. This will allow the connector to be used ONLY for delivering email into your organization. – longneck Jul 31 '13 at 12:48
  • Also, you have compromised credentials. It's probably a good idea to expire everyone's passwords. – longneck Jul 31 '13 at 12:49
  • OK. So I enabled SMTP logging yesterday and this morning the log was full of entries from the spammer. I see that they connect with EHLO infoservizi.it, then STARTTLS, then AUTH LOGIN. However the log does not save the base64 response. So clearly the attacker is using AUTHENTICATED RELAY. Is there any way in Exchange 2010 to find out which user they authenticated with? Also, longneck, if I disable the other permission groups will that prevent my users from sending email normally? – Benjamin Jul 31 '13 at 16:47
  • So another thing I noticed: after the attacker authenticates, the server responds with the permissions for the account. SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SMTPSendXShadow SMTPAcceptXShadow. I noticed they were the same permissions for the ExchangeLegacyServers group. I disabled that group. – Benjamin Jul 31 '13 at 17:03
  • Check the Windows security log. There might be an event in there that corresponds. You might need to enable success auditing to get those events. – longneck Jul 31 '13 at 17:25
  • And no, this should not affect your users' ability to send mail, unless you're doing something strange. – longneck Jul 31 '13 at 17:27
  • I tracked through the Windows security log and matched up the timestamps and I believe I have found the offending user! Thanks for your help. – Benjamin Jul 31 '13 at 20:34
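An added example, not code from the thread or from either poster, that applies longneck's connector advice and automates the correlation Benjamin did by hand: it lists every AUTH command in the SMTP receive protocol log and matches each against Security log 4624 events in the same minute. It assumes the Exchange 2010 Management Shell on the Hub Transport server, the default protocol log path, and the placeholder connector identity marked below.

```powershell
# Added example, not code from the thread. Assumes the Exchange 2010 Management
# Shell on the Hub Transport server; placeholder names are marked below.

# 1. Harden the Internet-facing port 25 connector as longneck advises: TLS as
#    the only auth mechanism and AnonymousUsers as the only permission group,
#    so AUTH is never offered to outside hosts. Caveat: in a multi-server org
#    the server-to-server connector still needs ExchangeServer auth, so apply
#    this only to the connector bound to the public IP.
$inbound = "EX01\Default EX01"   # placeholder identity; list yours with Get-ReceiveConnector
Set-ReceiveConnector -Identity $inbound -AuthMechanism Tls -PermissionGroups AnonymousUsers

# 2. Pull every AUTH command a client sent from the SMTP receive protocol log
#    (verbose logging must be on). Path is the Exchange 2010 default.
$logDir = "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive"
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
$auths = Get-ChildItem $logDir -Filter *.log | ForEach-Object {
    # Lines starting with '#' are the log header; the rest is CSV.
    # Event '<' marks data received from the client.
    Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } |
        ConvertFrom-Csv -Header $fields
} | Where-Object { $_.event -eq '<' -and $_.data -match '^AUTH' }

# 3. Correlate each AUTH with Security log 4624 logons of type 8 (network
#    cleartext, which is what SMTP AUTH LOGIN produces) within +/- 1 minute.
#    The log timestamp is UTC ('...Z'); the [datetime] cast converts it to
#    local time, which is what Get-WinEvent expects.
foreach ($a in $auths) {
    $t = [datetime]$a.'date-time'
    $remoteIp = ($a.'remote-endpoint' -split ':')[0]
    $filter = @{ LogName = 'Security'; Id = 4624
                 StartTime = $t.AddMinutes(-1); EndTime = $t.AddMinutes(1) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            $type = ($d | Where-Object { $_.Name -eq 'LogonType' }).'#text'
            $user = ($d | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
            if ($type -eq '8') {
                New-Object PSObject -Property @{
                    SmtpTime = $t; RemoteIp = $remoteIp; Account = $user
                }
            }
        }
}
# Every account that appears here is a candidate for the password reset
# longneck recommends; success auditing must be enabled for 4624 to exist.
```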