Spamming problem - sending user shown from outside AD domain ??

  • Question

  • Hi.

    I am no Exchange expert but have a few small businesses that I maintain. This client has Windows Exchange 2003 installed on Windows 2003 R2 and about 18 users.

    Recently they got warning from the company that does their spam/virus filtering that their Exchange server sends their email too.

    I checked the message and then message tracking log for Exchange 2003. On 09/18 from 12:24 AM to 1:32 AM the server sent out a couple hundred emails from email address boysaw@earthlink.net to several dozen  users @yahoo.com with email subject of legal proposal.

    How is it possible that their Exchange server is sending out email from somone outside of their email domain -- xyz.com ??

    I normally would assume that a domain computer would have a malware infection but strange that it would happen at very late hours though some users remote into their desktops with Logmein and I am going to have all of them change their Logmein passwords and Windows passwords. Then again most of them have smart phones also using the Exchange 2003.

    Anyhow anyone have any tips on how to track through the Exchange server/domain controller back to possibly the PC or user that originated these emails from boysaw@earthlink.com ?? Could this have happened on the Exchange server itself?? I am going to have them change the domain administrator password also and verify membership in the administrators/domain admins/enterprise admins groups.

    Is there a way to block outbound email from the Exchange server from anyone that is not an AD user with their AD domain email address??  I did block email sent from boysaw@earthlink.com

    I used MXtoolbox diagnostics and their Exchange 2003 server is NOT a relay.

    In early October they are moving to Dell branded Microsoft Office 365.

    Thanks for any tips!!






    Thursday, September 19, 2013 12:46 AM

Answers

  • Check the SMTP protocol logs. Just because Exchange sent the message doesn't mean it isn't being used as a SMTP relay. Maybe you don't restrict the use of the SMTP virtual server(s)?

    If you have one of the message, check the headers. Did the message originate from within the organization, or were they just relayed?

    Do they allow authenticated SMTP sessions? Do they have strong passwords on common accounts (administrator, IUSR_<servername>, etc.)? Is the "Guest" user enabled?


    --- Rich Matheisen MCSE&I, Exchange MVP

    Thursday, September 19, 2013 1:32 AM

All replies

  • Hi,

    Is there any update on this thread?

    Thanks,

    If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Friday, September 20, 2013 5:58 AM
    Moderator
  • Please update on Rich's comments, and most importantly, can you telnet to your Hub/CAS URL on port 25 and check if you can do EHLO?

    Try to mimic your identity and see if you have configured your Exchange server for open relay inside your organisation.

    boysaw@earthlink.com is just one of them which someone has tried to mimic; you can send it from any name, CEO@yourcompany.com etc.

    Check the SMTP logs immediately to rule out the possibility.

    Please update and let me know if any help is required !!!


    Anand Shankar


    • Edited by Anand - Friday, September 20, 2013 8:00 AM
    Friday, September 20, 2013 7:59 AM
  • Thanks for replies!

    I have not been back out to client yet and problem has not happened again yet though I did add boysaw.earthlink.net to the deny send and receive list.

    I did not have a copy of any of the messages to check and have since enabled SMTP logging to get further clues if problem returns.

    The relay restrictions were set to deny all except and the IP list included Exchange server IP, 127.0.0.1, and IPs for two Postini SMTP servers that they use for SPAM filtering. I did remove all those entries from the "except" list. The "allow all computers that can authenticate" option was checked also.

    I used telnet and MXtoolbox diagnostics and both showed Exchange server not to be open relay.



    Sunday, September 22, 2013 2:28 PM
  • Let us know when you have the issue as Logging is very import to resolve the issue !!!

    Anand Shankar

    Monday, September 23, 2013 5:02 AM
  • With SMTP logging enabled and/or other logging is there a way to tell what domain computer or primary user email address that sent out spam email using a non domain email address through their Exchange server?? Could such spam originate from a users home computer using OWA to access their Exchange email??

    Ugh. Client got hit with bad spam attack again last night that lasted exactly from 11:20 AM to 2:58 AM. I had just been there day before and scanned all office PCs for malware with TDSSkiller and Malwarebytes. Two computers had some infections that I removed, rebooted, and scanned again. Newer Windows 7 Pro PCs with Symantec EP 12.1 for virus protection. I changed server administrator password this morning and rebooted and also made sure nothing unusual in administrators groups.

    Pulling my hair out on this one now. Client has Logmein installed on most PCs that has me wondering. I am advising them now that ALL user passwords must be changed, unique/complex and not shared, and same for Logmein passwords.

    This client fairly recently dumped remote IP support for Exchange server/domain controller and network and also let their spam filtering service (where their email is sent to and then forwarded to their Exchange server) know they will not be using them shortly. I did disable account used by old remote support company on the server.

    Here is part of SMTP log if anyone can help me with anything seen. How can I tell if it was sent out from the network the Exchange server and domain computers are on or being relayed from another outside the network PC/user somehow? I am pretty sure Exchange server is not an open relay but this has me wondering. Maybe someone hacked one of the Logmein accounts late last night and did this from a domain PC?? Again if that is a possibility any way to track back which PC/primary email address sent this out.

    hstratton@colliersws.com was the sending email for all the spam. This is the .eml email message from queue log but I could not find any header info.

    "Greetings..

    There is a legal way to transfer ownership of US$ 21,400,000.00 to you. This fund originally belongs to a client who had no blood relation in his account-opening package. Contact E-mail: 2048205826@qq.com

    Ho Chen Tung. "

    2013-09-28 04:59:59 65.55.92.168 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 250-SNT0-MC3-F18.Snt0.hotmail.com+(3.19.0.77)+Hello+[12.216.155.58] 0 67 0 SMTP - -
    2013-09-28 04:59:59 65.55.92.168 OutboundConnectionCommand SMTPSVC1 MKAEXCH - 25 MAIL - FROM:<gsalvadore@hotmail.com> 250 35 32 SMTP - -
    2013-09-28 04:59:59 65.55.92.168 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 250-SNT0-MC3-F28.Snt0.hotmail.com+(3.19.0.77)+Hello+[12.216.155.58] 0 67 0 SMTP - -
    2013-09-28 04:59:59 65.55.92.168 OutboundConnectionCommand SMTPSVC1 MKAEXCH - 25 MAIL - FROM:<gsantos@wwusa.com> 250 30 27 SMTP - -
    2013-09-28 04:59:59 220.181.90.36 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 250-sohumx71_81.sohu.com 0 24 0 SMTP - -
    2013-09-28 04:59:59 220.181.90.36 OutboundConnectionCommand SMTPSVC1 MKAEXCH - 25 MAIL - FROM:<+SIZE=925">hstratton@colliersws.com>+SIZE=925 0 4 0 SMTP - -
    2013-09-28 04:59:59 65.54.188.72 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 220+BAY0-MC1-F16.Bay0.hotmail.com+Sending+unsolicited+commercial+or+bulk+e-mail+to+Microsoft's+computer+network+is+prohibited.+Other+restrictions+are+found+at+http://privacy.microsoft.com/en-us/anti-spam.mspx.+Fri,+27+Sep+2013+22:03:01+-0700+ 0 242 0 SMTP - -
    2013-09-28 04:59:59 65.54.188.72 OutboundConnectionCommand SMTPSVC1 MKAEXCH - 25 EHLO - mail.clientdomain.com.com 0 4 0 SMTP - -
    2013-09-28 04:59:59 65.54.188.72 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 421+RP-001+(BAY0-MC1-F23)+Unfortunately,+some+messages+from+12.216.155.58+weren't+sent.+Please+try+again.+We+have+limits+for+how+many+messages+can+be+sent+per+hour+and+per+day.+You+can+also+refer+to+http://mail.live.com/mail/troubleshooting.aspx#errors. 0 253 0 SMTP - -
    2013-09-28 04:59:59 109.206.161.236 [10.186.48.236] SMTPSVC1 MKAEXCH 192.168.0.254 0 RCPT - +TO:<gsansbury@yahoo.com> 250 32 29 SMTP - -
    2013-09-28 04:59:59 207.115.11.16 OutboundConnectionResponse SMTPSVC1 MKAEXCH - 25 - - 550+[SUSPEND]+Mailbox+currently+suspended+-+Please+contact+correspondent+directly 0 81 0 SMTP - -
    2013-09-28 04:59:59 207.115.11.16 OutboundConnectionCommand SMTPSVC1 MKAEXCH - 25 RSET - - 0 4 0 SMTP - -

    Thanks,




    Saturday, September 28, 2013 2:45 PM
  • If you have the SPAM mail available then in Outlook 2010 client there is an option under properties of the header where it reads Originating IP.

    That is one way you can determine where the email originated from.


    Anand Shankar

    Saturday, September 28, 2013 5:05 PM
  • Thanks!!

    I used Outlook 2007 and found the header. Again I am not an Exchange expert but it looks like this may be relaying from the outside through the Exchange server, OR could that be via an infected/compromised domain computer? However I need some guidance on how to prevent that relaying if that is what is going on. Relay settings for the Exchange server are shown below.

    Received: from [10.186.48.236] ([109.206.161.236]) by mail.clientdomain.com with Microsoft SMTPSVC(6.0.3790.4675);
     Fri, 27 Sep 2013 23:41:47 -0500
    Content-Type: text/plain; charset="iso-8859-1"
    MIME-Version: 1.0
    Content-Transfer-Encoding: quoted-printable
    Content-Description: Mail message body
    Subject: Legal Business Proposal
    To: Recipients <hstratton@colliersws.com>
    From: "Ho Chen Tung" <hstratton@colliersws.com>
    Date: Sat, 28 Sep 2013 05:44:26 +0100
    Reply-To: 2048205826@qq.com
    Return-Path: hstratton@colliersws.com
    Message-ID: <MKAEXCHEbjkyqU7a0xt0000071d@mail.korshak.com>
    X-OriginalArrivalTime: 28 Sep 2013 04:41:48.0406 (UTC) FILETIME=[0AE68160:01CEBC05] 

    Exchange server relay settings:

    Relay settings in default smtp virtual server settings under access.

    Authentication:

    Anonymous: yes
    Basic: yes
    Integrated: yes

    Relay:
    Only the list below is checked with NO entries in the list.
    Allow computers which successfully authenticate to relay IS checked.






    Saturday, September 28, 2013 5:50 PM
  • If that's the only "Received:" header in the message then there's no relay involved at all -- the message was sent directly from an e-mail client to the receiving server.

    The IP address 109.206.161.236 has this IP name in its PTR record:

    236.161.206.109.in-addr.arpa    name = 236.161.serverel.net

    A "normal" message, sent through a SMTP server, would show at least two "Received:" headers.

    So it looks to me as if this is just a normal bit of spam. However, if the IP address belongs to your client they have a problem. First, they shouldn't be allowing connections from their LAN to the Internet on port 25 from anywhere except the Exchange server. Second, there's probably at least one infected machine on their LAN.

    If the IP address doesn't belong to them then they should publish SPF/SenderID data in their external DNS so other MTAs can detect the domain "spoofing".

    If they already publish SPF/SenderID data in their DNS you should configure your server to use that information and let it deal with the spoofing as you see fit.

    FWIW, this has little to do with Exchange. It's a "general knowledge" thing w/r/t SMTP and Internet e-mail.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, September 28, 2013 9:19 PM
  • Thanks for the info.

    The header also shows a private IP address of 10.186.48.236 that is not the same as the LAN IP??

    The IP address does not belong to the client and the firewall is set to block all SMTP port 25/26/465/587 traffic out from any IP but the Exchange server.

    Client does have SPF record on their external DNS servers for their domain.

    I will have to do more in-depth malware scanning when I get back out there. Any particular tools you recommend?? Probably will start with Kaspersky virus removal tool and Combofix and run Malwarebytes again. All users' passwords will also be changed and not shared. Small businesses do not seem to take that seriously however.

    Puzzles me that both spam attacks from server happened between late night and very early morning. No one was in office.

    Thanks again.



    Saturday, September 28, 2013 11:31 PM
  • There's only one "Received:" header. Unless you have software that removed any others from the message header the message was handled by only one SMTP server -- yours.

    The data in a "Received:" header consists of a name/value pair, a semicolon, and a date/time. The "[10.186.48.236]" is the name presented by the sender in the HELO/EHLO command. The "([109.206.161.236])" is the IP address of the connecting party.

    So far it looks like a common "spoof". Are you sure that YOUR system is handling connection and content filtering the way you want it to? I didn't see any headers in the message that would indicate a SPF/SenderID check was made, or any SCL value header.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Sunday, September 29, 2013 3:03 AM
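The triage Rich describes (count the Received: headers, read the HELO name and connecting IP, decide whether the mail entered from the LAN or straight from the Internet) as an added Python example; this is not code from the thread, the sample headers are constructed from the one quoted above, and the LAN range is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the single Received: header quoted in the thread, folded
# the way a mail client shows it, plus a couple of the other headers.
SAMPLE_HEADERS = (
    "Received: from [10.186.48.236] ([109.206.161.236]) by mail.clientdomain.com "
    "with Microsoft SMTPSVC(6.0.3790.4675);\n"
    " Fri, 27 Sep 2013 23:41:47 -0500\n"
    "Subject: Legal Business Proposal\n"
    'From: "Ho Chen Tung" <hstratton@colliersws.com>\n'
)

# Assumed client LAN range (hypothetical; pick the real subnet when running this).
LAN = ip_network("192.168.0.0/24")

# "from <HELO name> ([<connecting IP>]) by <our server>" as Exchange 2003 writes it.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)


def unfold(raw):
    """Join folded header lines (continuation lines start with whitespace)."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """Return one dict per Received: header, top-most (most recent hop) first."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"]})
    return hops


def classify(raw, lan=LAN):
    """One hop = direct submission to our server; LAN source = local host to inspect."""
    hops = parse_received(raw)
    if not hops:
        return "no Received header (headers stripped?)"
    entry = hops[-1]  # bottom-most hop is where the message entered the mail system
    src = ip_address(entry["ip"])
    if src in lan:
        return f"submitted from LAN host {src} (HELO {entry['helo']}): inspect that machine"
    if len(hops) == 1:
        return f"direct submission from Internet host {src}: spoofed sender, not a relay"
    return f"relayed through {len(hops)} hops, entered via {src}"
```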