
I'm running Server 2003 with Exchange 2007.

I've got something on the system sending out tons of spam, and now mostly blocked from the outside world. (We can receive, but not send because we're on spamlists.)

This is a server I have zero experience with, with no maintenance records or anyone to ask for help. I'm going in blind.

Before I go into details, the absolute key here is:

  • Exchange is sending out spam using our domain name, but randomly generated user names.

From what I understand, the possible vectors for spam are:

  • Server itself with a virus.

  • Infected network computer.

  • External computer abusing NDR (backscatter), or an Open Relay.

The server issues:

  • There WAS a horrific password policy. I won't say what it is, but almost all of the accounts use one of the worst passwords imaginable, and others use one good password but many share it.

  • There was a ZeroAccess rootkit detected by Malwarebytes Anti-Malware. I also ran TDSSKiller afterward, and it detects no instances anymore. However, it's possible that it's still in an alternate file stream. But that's a separate issue.

  • Many Windows updates/security updates are failing to install.

  • It's running RRAS with no firewall on a DMZ of a router. I can't enable it yet until I get a list of services that should be running.

The spam issues:

  • Exchange was throwing out backscatter/NDR spam and I fixed that with some transport rules. I have "if e-mail is FROM outside and TO outside, silently drop it." as well as "if e-mail is TO outside and subject contains 'Undeliverable:', silently drop".

  • I tried following various guides to "disable open relay" but many of them say to remove "accept-all-recipients" permission for NT AUTHORITY\Anonymous account across all connectors. HOWEVER, this causes all incoming mail to fail. Is this normal? It seems like this should only disable using wildcard/randomly-generated usernames.

  • A specific user was compromised and sending spam. I disabled his mailbox. Those don't show up anymore. (Let's call him Dave@domain.com)

  • What remains are tons of random users that DO NOT exist on the Active Directory. (lol@domain.com, lob@domain.com, loa@domain.com... hundreds a minute)

  • I have turned on Netlogon logging. (Dave@domain.com is spamming to get in and failing. There ARE a couple of other users trying to log in, but it's not obvious if they're compromised or just normal activity.)

So what I need to do is:

  • Find out: What is the proper way to ensure you're not an open relay, while still allowing incoming mail?

  • Find out if I can restrict sending e-mails ONLY from valid AD user addresses (and/or hardcoded ones for other custom services/programs we run.)

  • Even further, restrict only sending e-mail from your AD name (that is, chris@domain.com cannot send from philip@domain.com.)

  • Find out how to track down what is telling Exchange to send these e-mails. Is there a way to track down who is sending them?

For example, the Message Queue (which has ~180,000 messages waiting because other people are spam-blocking us, for only two days of saved e-mails) shows this e-mail:

    Identity: myservername\368722\5834167
    Subject: Current Open Position
    Internet Message ID: <0CDA6CACCF886A682B2C6E3DDAB080C1@xizyrafo>
    From Address: hug@domain.com
    Status: Ready
    Size (KB): 2
    Message Source Name: SMTP:Client SERVERNAME
    Source IP: 204.248.123.228
    SCL: 0
    Date Received: 1/23/2016 2:57:20 PM
    Expiration Time: 1/25/2016 2:57:20 PM
    Last Error:
    Queue ID: servername\368722
    Recipients: ruizky31@yahoo.com

Is there a way to use this information to track down where it's coming from / who is causing it to be sent?

I've tried to figure out what Source IP means (whether it's the send-to IP or the IP of the request sender) but nothing I've read actually explains it.
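An added example (not code from the question, the comments or the answer) of how a queue record like the one above is joined to the message tracking log to see which host and which receive connector a queued message came in through. It runs in the Exchange 2007 Management Shell; SERVERNAME and domain.com are the placeholders the post already uses, and the Message Source Name in the record (SMTP:Client SERVERNAME) names the receive connector the message arrived on.

```powershell
# Added example, not code from the question or the answer. Run in the Exchange 2007
# Management Shell on the Hub Transport server. SERVERNAME and domain.com are the
# placeholders already used in the post.

# 1. What is queued, grouped by the connector it entered through and the submitting host.
#    SourceIP on a queued message is the address of the host that handed the message to
#    transport (not the destination), so one IP repeated thousands of times is the client
#    to look at first.
$queued = Get-Message -Server SERVERNAME -ResultSize Unlimited `
    -Filter "FromAddress -like '*@domain.com'"
$queued | Group-Object MessageSourceName, SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Pull the RECEIVE event for one queued message from the message tracking log.
#    ClientIp/ClientHostname is the SMTP client that connected; ConnectorId is the receive
#    connector. The Internet Message ID shown in the queue record is the join key.
$sample = $queued | Select-Object -First 1
Get-MessageTrackingLog -Server SERVERNAME -EventId RECEIVE -ResultSize 20 `
    -MessageId $sample.InternetMessageId -Start (Get-Date).AddDays(-2) |
    Select-Object Timestamp, ClientIp, ClientHostname, ConnectorId, Source, Sender, MessageSubject |
    Format-List

# 3. Count RECEIVE events per client IP and connector for the whole flood, so an internal
#    host can be told apart from traffic arriving on the Internet-facing connector.
Get-MessageTrackingLog -Server SERVERNAME -EventId RECEIVE -ResultSize Unlimited `
    -Start (Get-Date).AddDays(-2) |
    Where-Object { $_.Sender -like "*@domain.com" } |
    Group-Object ClientIp, ConnectorId | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

If the flood is still running, `Set-ReceiveConnector "SERVERNAME\Client SERVERNAME" -ProtocolLoggingLevel Verbose` makes that connector log every SMTP session, including the AUTH exchange and its result, so each new submission can be tied to a client IP and to whether it authenticated.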

  • Go to http://mxtoolbox.com/ and put in your domain name and then run the tests to see what issues show up. If you have open relays, get those plugged and then start tracking down where the emails were generated from, and get any malicious software off those machines. I'd set up SPF records as well to tell those that check that email from YOUR domain(s) can only come from these PUBLIC IP addresses, to assist with the issue of other external IP addresses faking your domain causing the issue. Once you get cleaned up, you have to reach out to the blocklists to get your domain(s) off those. You have work to do – Pimp Juice IT Jan 23 '16 at 22:33
  • You can go to Arin.net to check public IP address registered owner, etc. information too. – Pimp Juice IT Jan 23 '16 at 22:34

1 Answer

Don't waste your time trying to find the source. It will be another victim. The spammer will have a network of compromised machines they are using. The first thing you should do is apply a password policy and force everyone to change their passwords. Make sure that you change the administrator password as well, as that is the most abused account.

Next, on the Receive Connectors, ensure that externally secured is NOT enabled. If it is, that makes you an open relay. NDR spam can be dealt with by installing the anti-spam filters, then enabling recipient filtering.

After making any of the above changes, restart MS Exchange Transport and run IISRESET.

I would do some telnet tests to confirm if the machine is still an open relay.

However, the next thing you need to do is build a replacement machine. This machine has been compromised, and even with the tools you have found it cannot be trusted. Build a new machine, use Exchange 2007 SP3 media to install it and then patch it. The fact that you cannot install updates on the machine would suggest it is pretty broken. Move the contents off the old machine and then remove Exchange and wipe it. If you don't have a spare machine, use a high-powered workstation as a holding machine so you can rebuild the original.

A lot of the blacklists will drop you from their lists once the spam is no longer seen. As an interim measure you can send via your ISP's SMTP server as a smart host. Before you start using that though, you need to clean up the server, otherwise your ISP could kick you off their service.

Sembee
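An added example (not Sembee's code or the OP's) that turns the answer's two receive-connector checks into a report: whether any connector uses ExternalAuthoritative, and whether NT AUTHORITY\ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient (the right that allows relaying) on it, followed by the commented fix-up the answer describes. It runs in the Exchange 2007 Management Shell; SERVERNAME is the post's placeholder, and the connector name "Default SERVERNAME" in the fix-up is the Exchange 2007 default and is an assumption to verify against the report.

```powershell
# Added example, not code from the question or the answer. Run in the Exchange 2007
# Management Shell. SERVERNAME is the placeholder from the post; the connector name
# in the commented fix-up lines is the Exchange 2007 default and must be checked first.
$anon       = "NT AUTHORITY\ANONYMOUS LOGON"
$relayRight = "ms-Exch-SMTP-Accept-Any-Recipient"  # with this, "accept mail" becomes "relay mail"

foreach ($rc in Get-ReceiveConnector -Server SERVERNAME) {
    # Condition 1 (the answer's point): ExternalAuthoritative trusts every connecting client.
    $extAuth = [string]$rc.AuthMechanism -match "ExternalAuthoritative"
    # Condition 2: anonymous clients hold the relay right on this connector (an Allow ACE).
    $anonRelay = Get-ADPermission -Identity $rc.Identity -User $anon |
        Where-Object { ($_.ExtendedRights -match $relayRight) -and (-not $_.Deny) }
    $open = $extAuth -or ($anonRelay -ne $null)
    "{0,-35} Auth={1,-45} Bindings={2} OPEN_RELAY={3}" -f `
        $rc.Name, $rc.AuthMechanism, "$($rc.Bindings)", $open
    # A relay grant is only tolerable when RemoteIPRanges is a short list of known hosts,
    # never the default 0.0.0.0-255.255.255.255 on an Internet-facing connector.
    if ($anonRelay -ne $null) { "    anonymous relay permitted from: $($rc.RemoteIPRanges)" }
}

# Fix-up, following the answer's advice, once the report above shows the problem:
#   Set-ReceiveConnector "SERVERNAME\Default SERVERNAME" -AuthMechanism Tls,Integrated,BasicAuth
#   Get-ReceiveConnector "SERVERNAME\Default SERVERNAME" |
#       Remove-ADPermission -User $anon -ExtendedRights $relayRight
#   (Anonymous keeps ms-Exch-SMTP-Submit and ms-Exch-SMTP-Accept-Any-Sender, so Internet
#    mail addressed to your own accepted domains still arrives; only relaying to outside
#    domains stops.)
#   & "$exscripts\install-AntispamAgents.ps1"      # anti-spam agents, if not already installed
#   Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
#   Restart-Service MSExchangeTransport; iisreset
```

Recipient validation rejects mail to addresses that do not exist in AD at the SMTP conversation, so no NDR is generated for them, which is the backscatter fix the answer refers to.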