SpamCop Discussion > Need some assistance

Telarin

Oct 21 2008, 09:47 AM

So I came in yesterday to a mail server spewing thousands of phishing emails out to the internet. After disabling email and spending several hours cleaning out clogged mail queues I brought the server back online and began trying to figure out how it happened.

Standard relay tests against my mail server (24.149.202.2) show that it will not relay, which is as it should be, so I am left wondering how someone got these messages into the queues in the first place. The only thing I can come up with is that they somehow compromised a user account that had relay permission. I have temporarily disabled relay permission on all user account for the time being until I figure out what went wrong.

The server is Exchange 2003 all current patches and service packs installed, IP address given above. Feel free to do any non-destructive testing against it you like. Maybe someone can come up with something that I missed.

Log entries show standard submissions:

CODE

2008-10-19      9:36:13 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1019    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:13 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1025    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:14 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1024    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:14 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1033    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:14 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1034    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:14 GMT     213.221.211.234 User    -       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1020    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      9:36:14 GMT     213.221.211.234 User    mta441.mail.re4.yahoo.com       GIASERVER       192.168.1.3     jwonline005[at]yahoo.com   1031    GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com        3       0       435     1       2008-10-19 9:36:9 GMT   0       Version: 6.0.3790.211   -        whats up chase?        support[at]quickloansdirect.org    -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     annfar[at]naxs.net 1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     annerdog[at]gateway.net    1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     annblackledge[at]peoplepc.com      1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     ankletj[at]netscape.net    1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     anklets[at]netscape.net    1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     anicemit[at]academicplanet.com     1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -
2008-10-19      11:54:33 GMT    209.113.246.98  User    -       GIASERVER       192.168.1.3     angrydragon[at]ala.nu      1019    GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com        3       0       4431    50      2008-10-19 11:54:25 GMT 0       Version: 6.0.3790.211   -        New Message from Chase Online(SM)      smrfs[at]chaseonline.chasejpmorgan.com     -

The first few entries appear to have been a test probe, and then a couple hours later, the submission of spew began...

The message IDs are not the standard format for emails submitted through Exchanges submission protocol from Outlook. Those ID should be of the format "[MessageID]@giaserver.AGENA.local"

Thoughts or comments?

Farelf

Oct 21 2008, 06:22 PM

Hi Will,

FWIW the only change I see to your DNS records and service scan (DomainDossier) since your little problem with SORBS is in your rDNS (added 24.149.202.2.biz.sta.comcastbusiness.net to existing giaserver.gia-tx.com) - can't see what that has to do with anything but it is unusual, and a change.

The other unusual thing is your SMTP response to VRFY and EXPN requests (and to unknown addresses) which is pretty nifty and certainly wouldn't cause any problems (no doubt prevent a few, which is the 'why', I guess, I didn't know you could just hold the transaction until timeout).

The 'foreign' message ID with your exchange server in the string is undoubtedly significant but IANAT, to coin an acronym.

Farelf

Oct 22 2008, 12:48 AM

BTW "Exchange 2003 all current patches and service packs installed" brings a wry smile to my dial. That was the description of our server when it was happily relaying spam, almost getting us thrown off the internet in consequence. Turned out either it had never been secured against basic SMTP AUTH hacking (a process, changing the lousy defaults, not a patch as such IIUC - http://support.microsoft.com/kb/823019) or there were some non-Exchange specific patches that had not been applied. Or both. I forget the detail. Anyway, our tech guy, once he saw the thing was actually relaying when it "couldn't" had it fixed real quick. Just had to get over the "that's impossible" reaction first. The wonder of it all was how come it hadn't been hacked before it finally was. Nothing so simple in your case, I'm sure.

Farelf

Jan 26 2009, 11:02 PM

http://www.robtex.com/ip/24.149.202.2.html shows (of course) not on any blocklists so you evidently got it fixed. Anything to share that might benefit others?