Exchange 2013 used to send spam

    Question

  • Hi all,

    I have an Exchange 2013 which looks to be used to send spam; I can see the queue growing with emails from other domains. Here is my setup for content filtering:

    Name                                  : ContentFilterConfig
    RejectionResponse                     : Message rejected as spam by Content Filtering.
    OutlookEmailPostmarkValidationEnabled : True
    BypassedRecipients                    : {}
    QuarantineMailbox                     :
    SCLRejectThreshold                    : 7
    SCLRejectEnabled                      : True
    SCLDeleteThreshold                    : 9
    SCLDeleteEnabled                      : False
    SCLQuarantineThreshold                : 9
    SCLQuarantineEnabled                  : False
    BypassedSenders                       : {}
    BypassedSenderDomains                 : {}
    Enabled                               : False
    ExternalMailEnabled                   : True
    InternalMailEnabled                   : False
    AdminDisplayName                      :
    ExchangeVersion                       : 0.1 (8.0.535.0)
    DistinguishedName                     : CN=ContentFilterConfig,CN=Message Hygiene,CN=Transport
                                            Settings,CN=AX-Properties 01,CN=Microsoft
                                            Exchange,CN=Services,CN=Configuration,DC=**,DC=local
    Identity                              : ContentFilterConfig

    ObjectCategory                        : **/Configuration/Schema/ms-Exch-Message-Hygiene-Content-Filter
                                            -Config
    ObjectClass                           : {top, msExchAgent, msExchMessageHygieneContentFilterConfig}
    WhenChanged                           : 25.05.2016 09:54:48
    WhenCreated                           : 06.01.2015 14:43:56
    WhenChangedUTC                        : 25.05.2016 07:54:48
    WhenCreatedUTC                        : 06.01.2015 13:43:56
    OrganizationId                        :
    OriginatingServer                     : **myserver**
    IsValid                               : True
    ObjectState                           : Unchanged

    How can I tell my Exchange to only send emails from my domain? Or maybe is there a way to know if someone stole some credentials? I mean a way to see which user/credentials are used to send this spam.

    With Wireshark I can see RCPT TO: xxx@xxx.com packets, but my Exchange is not an open relay.

    Thanks.

    J.

    Friday, May 27, 2016 8:56 AM

Answers

  • It sounds like the permissions on your receive connector might be hosed up. There is a permission that allows submitting messages to any recipient. The anonymous users group might have been granted this permission by accident.

    You can view the permissions on the receive connector by using ADSIEdit. Check the permissions and make sure the anonymous users group doesn't have this permission. Just go to the security tab to view the permissions.

    You can view the receive connectors by connecting to the configuration naming context in ADSI Edit, then the receive connector objects can be found in Configuration -> Services -> Microsoft Exchange -> Your Organization Name -> Administrative Groups -> Exchange Administrative Group (FYDIBOHF23SPDLT) -> Servers -> Server Name -> Protocols -> SMTP Receive Connectors.

    • Marked as answer by Jerome Lags Friday, May 27, 2016 2:40 PM
    Friday, May 27, 2016 2:02 PM
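    The same check can be done from the Exchange Management Shell instead of ADSIEdit. This is an added example, not code from the thread: the cmdlets and the extended right name are Exchange's own, the variable names and the -WhatIf remediation step are mine.

    ```powershell
    # Added example, not part of the thread: audit every receive connector for the
    # extended right behind "submit messages to any recipient" and show who holds it.
    # Run in the Exchange Management Shell on the affected server.
    $RelayRight = 'ms-Exch-SMTP-Accept-Any-Recipient'
    $Anonymous  = 'NT AUTHORITY\ANONYMOUS LOGON'

    # Every ACE on every connector that grants (not denies) the relay right.
    # Note: "Anonymous users" in PermissionGroups is normal on Default Frontend;
    # the problem is this specific extended right, not anonymous access itself.
    $Grants = Get-ReceiveConnector | ForEach-Object {
        $Connector = $_
        Get-ADPermission -Identity $Connector.Identity |
            Where-Object { -not $_.Deny -and $_.ExtendedRights -like $RelayRight } |
            ForEach-Object {
                [pscustomobject]@{
                    Connector      = $Connector.Identity.ToString()
                    User           = $_.User.ToString()
                    Inherited      = $_.IsInherited
                    Bindings       = ($Connector.Bindings -join ', ')
                    RemoteIPRanges = ($Connector.RemoteIPRanges -join ', ')
                }
            }
    }
    $Grants | Format-Table -AutoSize

    # An anonymous grant on a connector bound to port 25 that accepts the whole
    # IPv4 range is an open relay for the entire internet.
    $OpenRelay = $Grants | Where-Object { $_.User -eq $Anonymous }
    foreach ($G in $OpenRelay) {
        Write-Warning ("Anonymous relay right on '{0}' (remote ranges: {1})" -f $G.Connector, $G.RemoteIPRanges)
        # Remediation: this is the ACE removed by hand in ADSIEdit later in the
        # thread. Drop -WhatIf once the listing above is what you expect.
        Get-ReceiveConnector -Identity $G.Connector |
            Remove-ADPermission -User $Anonymous -ExtendedRights $RelayRight -WhatIf
    }
    ```

    If the listing is empty but the server still relays, check the other principals shown in $Grants (a group that contains Everyone or Authenticated Users behaves like an anonymous grant once an account is compromised).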

All replies

  • What do these emails look like?

    What does SMTP protocol and message tracking show?



    Friday, May 27, 2016 12:26 PM
  • Spam emails, some in Russian, some with the famous subject "Your account is temporary disabled".

    What do you mean by "What does SMTP protocol and message tracking show?"? I can easily see the SMTP traffic coming from external IPs and being sent via Exchange.

    Friday, May 27, 2016 12:50 PM
  • You might have a user account that has been compromised. Do the emails in the queue have your domain as the sender? Enable verbose logging on your receive connectors and check the logs to see if an account is being authenticated when these emails are being sent.
    Friday, May 27, 2016 1:07 PM
  • I changed the passwords for all users. And no, it is not using my domain to send.

    But I think I finally have an option somewhere which allows relaying, because I can send fake emails (without any auth) via telnet from CMD and I see them arriving in the queue. How can I disable relaying?

    Friday, May 27, 2016 1:21 PM
  • I have another 2013 Exchange and when I try to RCPT, it says "unable to relay"; this is what I want to have on the spamming Exchange. I checked all my receive connectors, they are the same.
    Friday, May 27, 2016 1:33 PM
  • Enable SMTP protocol logging:

    https://technet.microsoft.com/en-us/library/aa997624(v=exchg.150).aspx

    Do you see the messages in message tracking?

    In other words, use the tools I mentioned to get an idea of where these are coming from - what client IP.

    Please post an example.



    Friday, May 27, 2016 1:52 PM
  • #Software: Microsoft Exchange Server
    #Version: 15.0.0.0
    #Log-type: SMTP Receive Protocol Log
    #Date: 2016-05-27T13:32:29.073Z
    #Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
    2016-05-27T13:32:02.520Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5CE,502,192.168.1.20:25,59.111.73.134:60968,>,250 2.1.5 Recipient OK,
    2016-05-27T13:32:02.536Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5C3,603,192.168.1.20:25,59.111.73.134:60367,<,RCPT TO: <1179152663@qq.com>,
    2016-05-27T13:32:02.536Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5C3,604,192.168.1.20:25,59.111.73.134:60367,>,250 2.1.5 Recipient OK,
    2016-05-27T13:32:02.567Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5D4,633,192.168.1.20:25,106.2.78.149:38019,<,RSET,
    2016-05-27T13:32:02.567Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5D4,634,192.168.1.20:25,106.2.78.149:38019,>,250 2.0.0 Resetting,
    2016-05-27T13:32:02.586Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5E7,459,192.168.1.20:25,106.2.75.26:34724,<,RCPT TO: <1325318216@qq.com>,
    2016-05-27T13:32:02.586Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5E7,460,192.168.1.20:25,106.2.75.26:34724,>,250 2.1.5 Recipient OK,
    2016-05-27T13:32:02.708Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5D6,535,192.168.1.20:25,223.252.223.32:38259,<,RCPT TO: <1078446211@qq.com>,
    2016-05-27T13:32:02.708Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5D6,536,192.168.1.20:25,223.252.223.32:38259,>,250 2.1.5 Recipient OK,
    2016-05-27T13:32:02.895Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5AB,885,192.168.1.20:25,106.2.76.199:49883,<,RCPT TO: <1533817479@qq.com>,
    2016-05-27T13:32:02.895Z,SERVER-SV01\Default Frontend SERVER-SV01,08D38624AB79F5AB,886,192.168.1.20:25,106.2.76.199:49883,>,250 2.1.5 Recipient OK,
    • Proposed as answer by Andy DavidMVP Friday, May 27, 2016 2:09 PM
    • Unproposed as answer by Andy DavidMVP Friday, May 27, 2016 2:09 PM
    Friday, May 27, 2016 2:05 PM
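    The posted log can be summarised per remote IP instead of read by eye, which answers both questions in the thread at once: where the connections come from and whether any of them authenticated. This is an added example, not code from the thread; the log path is assumed, and the column names are taken from the log's own #Fields header.

    ```powershell
    # Added example, not part of the thread: summarise a receive protocol log like
    # the one posted above by remote IP, showing how many recipients each client got
    # accepted, which recipient domains they targeted, and whether the session ever
    # authenticated. Log path is an assumption; the #Fields header comes from the log.
    $LogPath = 'C:\Temp\RECV20160527-1.LOG'   # constructed path for the example

    $Lines  = Get-Content -Path $LogPath
    $Fields = (($Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*') -split ','
    $Events = $Lines | Where-Object { $_ -and $_ -notlike '#*' } | ConvertFrom-Csv -Header $Fields

    # A stolen-credential relay shows "235 2.7.0 Authentication successful" from the
    # server (>) side; an open relay shows only unauthenticated sessions whose
    # RCPT TO is answered with "250 2.1.5 Recipient OK".
    $AuthSessions = $Events |
        Where-Object { $_.event -eq '>' -and $_.data -like '235 *' } |
        ForEach-Object { $_.'session-id' } | Sort-Object -Unique

    # Pair each RCPT TO (<) with the 250 reply (>) that follows it in the same
    # session. A 250 with no preceding RCPT (excerpt starting mid-session, like the
    # first line of the posted log) is skipped rather than miscounted.
    $Accepted = foreach ($Session in ($Events | Group-Object 'session-id')) {
        $Pending = $null
        foreach ($E in ($Session.Group | Sort-Object { [int]$_.'sequence-number' })) {
            if ($E.event -eq '<' -and $E.data -match 'RCPT TO:\s*<[^@>]+@([^>]+)>') {
                $Pending = $Matches[1].ToLower()
            } elseif ($E.event -eq '>' -and $E.data -like '250 2.1.5*' -and $Pending) {
                [pscustomobject]@{
                    RemoteIP      = ($E.'remote-endpoint' -split ':')[0]
                    SessionId     = $Session.Name
                    Domain        = $Pending
                    Authenticated = $AuthSessions -contains $Session.Name
                }
                $Pending = $null
            } else {
                $Pending = $null
            }
        }
    }

    $Accepted | Group-Object RemoteIP | Sort-Object Count -Descending |
        Select-Object @{n='RemoteIP';e={$_.Name}},
                      @{n='AcceptedRcpt';e={$_.Count}},
                      @{n='Domains';e={($_.Group.Domain | Sort-Object -Unique) -join ' '}},
                      @{n='AuthSessions';e={($_.Group | Where-Object Authenticated | Select-Object -Unique SessionId).Count}} |
        Format-Table -AutoSize
    ```

    On the excerpt above every accepted recipient is at an external domain (qq.com) and AuthSessions is 0 for every IP, which is the open-relay pattern rather than the compromised-account one.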
  • Is Exchange directly accessible from the internet?



    Friday, May 27, 2016 2:09 PM
  • It looks like there was a right still enabled even though I had disabled it in the EAC. I changed the security settings with ADSIEdit and now my server replies "unable to relay" as expected!

    Thanks a lot to everyone ! Really appreciate.

    Friday, May 27, 2016 2:41 PM