jkee

Can't seem to find problem


We have an Exchange server (ip 208.9.211.11) that continues to get picked up by spamcop and other black lists and I cannot seem to find the problem. Below is a recent example of mail sent to another spamtrap. Any help is greatly appreciated.

From polynomialplotters[at]excite.com Sat Oct 23 16:09:13 2004

Delivery-date: Sat, 23 Oct 2004 16:09:13 -0400

Received: from [208.9.211.11] (helo=mail3.wsolutions.net)

by mail.victim.example with esmtp (Exim 4.41)

id 1CLSCP-0006dM-Qw

for psbltrap[at]kernelnewbies.nl; Sat, 23 Oct 2004 16:09:13 -0400

Received: from sashay ([200.140.36.124]) by mail3.wsolutions.net with Microsoft SMTPSVC(5.0.2195.6713);

Sat, 23 Oct 2004 15:09:15 -0500

From: "Teresita Julian"<polynomialplotters[at]excite.com>

To: psbltrap[at]kernelnewbies.nl

Subject: VA1ll|UM, C|AI|I1S, Vl|AGRA. . .

Mime-Version: 1.0

Date: 23 Oct 2004 15:09:18 -0500

http://[MUNGED]

http://[MUNGED]

http://[MUNGED]

Cl|CK HERE KN0W MORE http://[MUNGED]/as#polis

Thanks

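The header chain in the sample above already says where the message entered the server: the lowest Received line was written by mail3.wsolutions.net for a client calling itself "sashay" at 200.140.36.124. The following is an added example, not code from this thread or from any poster, that walks the Received headers in delivery order and reports that entry hop. It treats mail3.wsolutions.net / 208.9.211.11 as "our" server (the names from the post); the sample is the posted message with its [at] munging kept.

```python
import re
from email import message_from_string

# The headers from the spam sample in this thread (address munging kept as posted).
SAMPLE = """\
Delivery-date: Sat, 23 Oct 2004 16:09:13 -0400
Received: from [208.9.211.11] (helo=mail3.wsolutions.net)
\tby mail.victim.example with esmtp (Exim 4.41)
\tid 1CLSCP-0006dM-Qw
\tfor psbltrap[at]kernelnewbies.nl; Sat, 23 Oct 2004 16:09:13 -0400
Received: from sashay ([200.140.36.124]) by mail3.wsolutions.net with Microsoft SMTPSVC(5.0.2195.6713);
\tSat, 23 Oct 2004 15:09:15 -0500
From: "Teresita Julian"<polynomialplotters[at]excite.com>
To: psbltrap[at]kernelnewbies.nl
Subject: VA1ll|UM, C|AI|I1S, Vl|AGRA. . .
Mime-Version: 1.0
Date: 23 Oct 2004 15:09:18 -0500

http://[MUNGED]
"""

# Names and addresses that identify the server under investigation (taken from the thread).
OUR_HOSTS = {"mail3.wsolutions.net", "208.9.211.11"}

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # what the client said in HELO/EHLO, or a bracketed IP
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # optional parenthesised details: the peer IP or helo=
    r".*?\bby\s+(?P<by>[^\s;]+)",      # the server that wrote this header
    re.DOTALL,
)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hop(value):
    """Reduce one Received header to (helo name, peer IP, receiving host)."""
    value = " ".join(value.split())          # undo header folding
    m = HOP_RE.search(value)
    if not m:
        return None
    helo, paren, by = m.group("helo"), m.group("paren") or "", m.group("by")
    ip = IP_RE.search(helo) or IP_RE.search(paren)
    helo_param = re.search(r"helo=(\S+)", paren)   # Exim style: "from [ip] (helo=name)"
    return {
        "helo": helo_param.group(1) if helo_param else helo.strip("[]"),
        "ip": ip.group(0) if ip else None,
        "by": by.lower(),
        "raw": value,
    }


def find_entry_point(raw_message, our_hosts=OUR_HOSTS):
    """Walk the Received chain from the earliest hop upward and return the first hop
    written by one of our hosts for a peer that is not ours: that is where the
    message entered our server, i.e. the client the spammer connected from."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_hop, msg.get_all("Received", [])) if h]
    for hop in reversed(hops):               # headers are newest-first; reverse for time order
        if hop["by"] in our_hosts and (hop["ip"] or "") not in our_hosts:
            return hop
    return None


if __name__ == "__main__":
    hop = find_entry_point(SAMPLE)
    print(f"entered {hop['by']} from {hop['ip']} (HELO {hop['helo']})")
```

On a real incident, put your own server names and addresses in OUR_HOSTS; the peer IP and timestamp of the hop this returns are what to search for in the server's own SMTP log, since that record will carry the account name that authenticated.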

This is obviously a silly question ... have you yet taken a look at the FAQ here? There are numerous links to Exchange server issues, sources for what to look for and how to fix/patch/work-around most of them .... and that this same "issue" came up a half-dozen times just last week, resulting in several existing Topics / discussions from other Exchange server folks, most resulting in problems found/repaired ... have you looked at these other "unblock me ..." Topics?


To add to what Wazoo said, look for SMTP Auth Hack.

The spammers are validating themselves on your server.


You have an account "info" with the password the same as the username. This is probably what the spammers are using to authenticate and use your server as a relay.

If you do not require remote users to be able to relay through your server, you should disable the SMTP AUTH option. Instructions for doing this can be found by following the links in the FAQ.


Thanks for all of your help. Yes, I did scour the FAQ prior to posting as we've been at this for a week or so. After doing everything I could find in terms of locking down the server, my worst fear was that they were authenticating, but before I started making all of the users change their password, this was my last resort. Your help is greatly appreciated. I have gone ahead and changed the info user's password, is there a way that I can check this as you do? Thanks again for all of your help, hopefully this does it..

> Is there a way that I can check this as you do?

If you have a machine with perl installed on it, drop me a PM with an email address I can use to contact you.


does Perl need to be on the exchange server itself or can it be on a separate server?


You spent a week on this already, allegedly scoured all info here for help, yet only took care of one account that was pointed out with a "default" password ... and now you want to toss another "programming language" on something, but not even sure where to put it so it could run a routine offered up by some anonymous poster here (yes, this person is actually trustworthy, but .....)

As suggested before, someone "there" needs to start from scratch on that server. That you were contemplating re-validating all your users was a fine first-step. I can't yet figure out why that still hasn't been done. One "role" account has had a password changed. Is anyone there knowledgeable enough to go through the logs and see if any of the other accounts have in fact been compromised? The possibility that other "user" accounts have also been added (with root powers) just can't be overlooked at this point.


I apologize for my lack of knowledge, our Exchange admin left a few weeks ago and this was thrown on me. I am by no means an Exchange expert, I'm just trying to keep things afloat until a new Admin is hired. I spent the last week searching for Exchange exploits and "lockdown" policies that weren't currently being used. We were delisted from the PSBL blacklist, so I assumed we had taken a step in the direction. The reason we haven't reset each of the users' passwords is because there are approximately 400 users on the box which isn't that much, but these users would object to having to update all of their passwords on the client side. Where in the logs would I be able to decipher which users have been compromised? Again, I do appreciate everyone's help, I'm sure you or someone you know has been in this spot before.

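For the question of where in the logs to look: the Windows SMTP service that Exchange 2000 runs on writes W3C extended logs, one record per SMTP command, with a "#Fields:" line naming the columns and the authenticated account in cs-username. The following is an added example, not code from anyone in this thread, that reads such a log and flags accounts authenticating from several or from outside addresses, accounts submitting unusually many recipients, and source addresses hammering AUTH. The log lines are constructed to match the story in the thread (an "info" account used from two outside addresses, one legitimate internal user, a burst of failed logins from a third address); the column subset, the thresholds and the "private network means on-site" rule are assumptions to adapt to your own logs.

```python
import ipaddress
from collections import defaultdict
from io import StringIO

# Constructed sample in W3C extended log style, trimmed to the columns this audit needs.
# Real SMTP service logs carry more columns; the #Fields line is read, not assumed.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2004-10-23 13:02:11 10.1.1.40 - 208.9.211.11 EHLO desk-alice 250
2004-10-23 13:02:11 10.1.1.40 alice 208.9.211.11 AUTH - 235
2004-10-23 13:02:12 10.1.1.40 alice 208.9.211.11 MAIL +FROM:<alice@wsolutions.example> 250
2004-10-23 13:02:12 10.1.1.40 alice 208.9.211.11 RCPT +TO:<bob@partner.example> 250
2004-10-23 20:08:59 200.140.36.124 - 208.9.211.11 EHLO sashay 250
2004-10-23 20:09:00 200.140.36.124 info 208.9.211.11 AUTH - 235
2004-10-23 20:09:01 200.140.36.124 info 208.9.211.11 MAIL +FROM:<polynomialplotters@excite.example> 250
2004-10-23 20:09:01 200.140.36.124 info 208.9.211.11 RCPT +TO:<trap1@kernelnewbies.example> 250
2004-10-23 20:09:01 200.140.36.124 info 208.9.211.11 RCPT +TO:<trap2@kernelnewbies.example> 250
2004-10-23 20:09:01 200.140.36.124 info 208.9.211.11 RCPT +TO:<trap3@kernelnewbies.example> 250
2004-10-23 21:40:07 201.55.8.19 info 208.9.211.11 AUTH - 235
2004-10-23 21:40:08 201.55.8.19 info 208.9.211.11 RCPT +TO:<x1@example.net> 250
2004-10-23 21:40:08 201.55.8.19 info 208.9.211.11 RCPT +TO:<x2@example.net> 250
2004-10-23 22:15:30 61.9.9.9 - 208.9.211.11 AUTH - 535
2004-10-23 22:15:31 61.9.9.9 - 208.9.211.11 AUTH - 535
2004-10-23 22:15:32 61.9.9.9 - 208.9.211.11 AUTH - 535
2004-10-23 22:15:33 61.9.9.9 - 208.9.211.11 AUTH - 535
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the most recent #Fields line."""
    fields = None
    for line in StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):            # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("log record before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):      # tolerate a truncated record
            continue
        yield dict(zip(fields, values))


def audit_smtp_auth(log_text, max_ips=1, max_rcpt=4, max_failures=3):
    """Summarise who authenticated from where, how much mail they submitted and which
    addresses keep failing AUTH. Thresholds are illustrative; tune them to your traffic."""
    auth_ips = defaultdict(set)     # account -> addresses with a successful AUTH (235)
    rcpt_count = defaultdict(int)   # account -> accepted RCPT TO commands
    failed_auth = defaultdict(int)  # address -> failed AUTH attempts (535)
    for rec in parse_w3c(log_text):
        user, ip = rec["cs-username"], rec["c-ip"]
        verb, status = rec["cs-method"].upper(), rec["sc-status"]
        if verb == "AUTH":
            if status == "235" and user != "-":
                auth_ips[user].add(ip)
            elif status == "535":
                failed_auth[ip] += 1
        elif verb == "RCPT" and status == "250" and user != "-":
            rcpt_count[user] += 1

    accounts = {}
    for user, ips in auth_ips.items():
        # Assumption: RFC 1918 addresses are on-site; anything else came in from the Internet.
        external = sorted(ip for ip in ips if not ipaddress.ip_address(ip).is_private)
        reasons = []
        if len(ips) > max_ips:
            reasons.append(f"authenticated from {len(ips)} distinct addresses")
        if external:
            reasons.append("authenticated from outside the private network: " + ", ".join(external))
        if rcpt_count[user] > max_rcpt:
            reasons.append(f"{rcpt_count[user]} recipients accepted")
        if reasons:
            accounts[user] = reasons
    brute = sorted(ip for ip, n in failed_auth.items() if n >= max_failures)
    return {"accounts": accounts, "brute_force_sources": brute}


if __name__ == "__main__":
    report = audit_smtp_auth(SAMPLE_LOG)
    for user, reasons in report["accounts"].items():
        print(user, "->", "; ".join(reasons))
    print("addresses failing AUTH repeatedly:", report["brute_force_sources"])
```

Point it at the real log directory by concatenating the day's files into log_text; an account that shows up in "accounts" with outside addresses it has no business using is the one whose password was guessed, and the first AUTH 235 for it gives the time the abuse began.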
> does Perl need to be on the exchange server itself or can it be on a separate server?

Any machine with internet access. Does not have to be a server.

> I apologize for my lack of knowledge, our Exchange admin left a few weeks ago and this was thrown on me. I am by no means an Exchange expert, I'm just trying to keep things afloat until a new Admin is hired.

...Wow, that's a perfect scary Halloween story! :) <g>

...Would you have agreed to "fill in" for, say, a brain surgeon? It might have seemed that being an Exchange Admin isn't in the same class of endeavor but .... :) <g>

<snip>

> The reason we haven't reset each of the users' passwords is because there are approximately 400 users on the box which isn't that much, but these users would object to having to update all of their passwords on the client side.

...They might also object to having to leave the building in the event of a bomb scare. Personally, I wouldn't be overly concerned -- your network's integrity and the good name of your employer (or whomever's Exchange Server this is) is far more important, IMHO. :) <g>

> I'm sure you or someone you know has been in this spot before.

...Nope, I don't know of anyone who "owns" the operation of an Exchange Server (that's not you -- that's [apparently] whomever asked you to fill in) who is that irresponsible. :) <g>


Please don't take this the wrong way, all I am here for though is to seek help. I didn't ask for this situation, it was thrown at me (not optional here). I am going to take the next step and reset each user's password as recommended. If anyone can provide any further constructive help, I'd greatly appreciate it. Thanks to those of you that have helped..

Edited by jkee

> Please don't take this the wrong way, all I am here for though is to seek help. I didn't ask for this situation, it was thrown at me (not optional here). I am going to take the next step and reset each user's password as recommended. If anyone can provide any further constructive help, I'd greatly appreciate it. Thanks to those of you that have helped..

...And I hope you didn't take what I wrote the wrong way. I was trying (in my perhaps too-subtle way) to say that you've been asked to take on a role that (unbeknownst to you, and with your having only the best intentions and the good of your colleagues in mind) you have been victimized; seduced into a responsibility that you are not sufficiently trained to do well. This, in my view, was irresponsible of whomever asked you to do it, not irresponsible on your part.


No, I knew it wasn't personal, it's just been frustrating dealing with all of this stuff and I know that I'm not equipped to manage this solution. I just have some rather high profile customers on the server that don't understand the spam listings very well and get easily angered when their email is rejected. I do appreciate everyone's help though and look forward to getting this resolved..


I'm agreeing with Steve T's sentiments and remarks. Knowing a bit of your story up front may have softened a bit of the commentary here (or maybe not ..)

Anyway, you say you've studied the FAQ, tried to accomplish data found there, but one of the things I don't see is the suggestion that you look at a few of the recent Topics, one of which gets right to the heart of the difference between user, role, and system accounts. Start with http://forum.spamcop.net/forums/index.php?showtopic=2891 best described by that user's line of "HOLY #$%* ! I can't believe I missed that!" .... these are the accounts/passwords I've been pointing to that you've not yet mentioned ....

Another; http://forum.spamcop.net/forums/index.php?showtopic=2864 ... possibly best described as "Who's in charge?"

Another - no feedback on closure; http://forum.spamcop.net/forums/index.php?showtopic=2887

Point being, you are not alone in trying to deal with the monster that Microsoft put into the world .... and you are certainly not the first that came here carrying the "I've done everything right, so what the ***** is the problem" situation <g>

You have to picture those hundred bred/born/raised Microsoft software guys, sitting in their brightly lit office spaces, buried deep within the Microsoft empire/campus, working on computers specifically set-up and optimized to run nothing but Microsoft certified software and applications, surrounded on all sides by firewalls, filtering, and protection systems and devices run by another hundred Microsoft software engineers ... and the product they developed worked just fine "there" .... how were they to know that "you" were going to hook it up directly to the Internet? <g> That wasn't the plan that they had when designing this application ....

> does Perl need to be on the exchange server itself or can it be on a separate server?

Any box that can make a port 25 TCP connection to the machine you want to test.

I tested your Exchange server from one of my own servers.


I did read those first two posts prior to posting, but why does Microsoft advise to keep the Basic Authentication and Integrated Windows Authentication checked? To be honest, you have all been very helpful, most forums get perhaps one response per day and this one has been outstanding (despite the subtle sarcasm)... I addressed the issue with the SMTP Auth hack, is there a way that you can check to see if things have died down? I am working on updating all of the passwords, but I know that's not going to be an overnight change. It will get done this week whether the users like it or not, but just curious to see if we've closed all of the potential loopholes.

Thanks again.


One place to monitor is http://www.senderbase.org/?searchBy=ipaddr...ng=208.9.211.11 ... and for the record, the current data showing is;

Report on IP address: 208.9.211.11

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day          3.9         894%
Last 30 days      3.5         300%
Average           2.9

Though noting that SenderBase was referenced a lot in at least one of those previously suggested other Topics ....


Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?

> Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?

Yes, it means what it says. However, what status you are in now I can't say, as this data wasn't identified earlier ... that's why I copied it into this Topic ... "we" now have a known state and the time it was identified. As stated, in one of the other referenced Topics, I recall being pleased to show that as I was checking it over the next 2 or 3 days, I could show that the traffic was in fact reduced. Hit the URL I provided in a few hours and see if that "last day" number is still going down (we all hope)

> Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?

Not necessarily.

Last day is compared to the average, not to the previous day.

You would have to know what the previous day's value was to make that determination.

Wazoo, the way I read your statement "Yes, it means what it says" = change as compared to the previous day which would not agree with my understanding, though this may not be what you meant.

Edited by dbiel


I was going with the data points, just as I was referring in the posts in the other Topic, specifically http://forum.spamcop.net/forums/index.php?...indpost&p=18985 and the following ... I kind of thought that the numbers mentioned were labelled pretty clearly (well, on the SenderBase page as compared to the plain-text version created here) .. the "Magnitude Vol Change vs. Average" line identified for the "last day" .... as stated in my last, unfortunately, none of "us" snagged and documented the data that was there yesterday, so none of us knows which way this number (now captured) has been going.

There was a time when it appeared that SenderBase reset those numbers sometime during the 24 hour (?) period, as one IP I was following dropped from some significant number to zero, then started incrementing again as the day went on ... however, later follow-ups on other 'problems' now suggest that the first one must have been a database reset or something. This particular IP may take some time to show a decline as the baseline traffic amount isn't at the same level as the other IP referenced, but at least at last check (a few minutes ago) the volume increase hasn't gone up <g> So it's either that the open hole was closed .. or the spammer quit using this system due to its current condition of being listed, spewing from somewhere else while waiting for this one to de-list ...????


On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks

> On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks

Do any of your users need to log into your network from outside of your local network (ie the internet) for the purpose of sending email?

Note: most outside users only need to access email to retrieve it. They are able to send mail using the ISP they used to connect to the internet.

If outside users need to send mail using your server then there is no way to disable SMTP authentication.

If they can send mail using their own ISP then you can disable remote SMTP authentication.

It is NOT the same thing as integrated windows authentication and basic windows authentication.

It sounds like you need to hire an outside specialist to come in for a day or two to clean up the entire server setup.

Unfortunately you have found yourself in a very dangerous position (not of your own making). Your employer has asked you to pilot the Space Shuttle because you have a license to drive a car (the space shuttle is just another vehicle is it not?) Setting up an exchange server correctly is an extremely complex process.

Good luck in your endeavours, but I strongly suggest getting some professional help, before you find your employer blaming you for problems that are way over your head to handle while forgetting the fact that he forced you into the position in the first place.

Edited by dbiel

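Two points in the thread call for the same outside check: the earlier answer that "any box that can make a port 25 TCP connection" can test the server, and dbiel's note just above that disabling relay for outside users is not the same thing as unchecking the authentication boxes. The following is an added example, not code from anyone in this thread and not the Perl routine mentioned earlier. It connects to a server as an anonymous outside client and records what an unauthenticated stranger is offered: whether AUTH (and STARTTLS) is advertised, and whether a recipient in a foreign domain is accepted without logging in, which is the open-relay case. It sends no credentials and no message data. So that it runs offline it includes a scripted stand-in server; point audit_smtp_exposure at your own host and port instead. The host names and probe addresses are constructed.

```python
import smtplib
import socket
import threading


def audit_smtp_exposure(host, port, client_name="audit.example.org",
                        probe_sender="probe@example.org",
                        probe_recipient="probe@example.net", timeout=10):
    """Talk to host:port as an anonymous outside client and report what it exposes.
    Only EHLO / MAIL / RCPT / RSET / QUIT are sent; no credentials, no message body."""
    result = {"auth_mechanisms": [], "starttls": False, "relays_unauthenticated": None}
    with smtplib.SMTP(host, port, local_hostname=client_name, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected with {code}")
        features = smtp.esmtp_features                    # keys are lower-cased extension names
        result["auth_mechanisms"] = features.get("auth", "").split()
        result["starttls"] = "starttls" in features
        # Relay probe: sender and recipient are both foreign to the server under test.
        code, _ = smtp.mail(probe_sender)
        if code == 250:
            code, _ = smtp.rcpt(probe_recipient)
            result["relays_unauthenticated"] = (code == 250)
        smtp.rset()                                       # abandon the envelope; nothing is sent
    return result


class ScriptedSmtpServer(threading.Thread):
    """Stand-in server (constructed for this example, not Exchange) that answers one
    connection the way a relay-restricted or an open server would."""

    def __init__(self, advertise_auth=True, open_relay=False):
        super().__init__(daemon=True)
        self.advertise_auth, self.open_relay = advertise_auth, open_relay
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
        self.listener.listen(1)
        self.port = self.listener.getsockname()[1]

    def run(self):
        conn, _ = self.listener.accept()
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"220 mail.wsolutions.example ESMTP stand-in\r\n")
            for raw in reader:
                verb = raw.split()[0].upper() if raw.strip() else b""
                if verb == b"EHLO":
                    lines = [b"250-mail.wsolutions.example"]
                    if self.advertise_auth:
                        lines.append(b"250-AUTH LOGIN PLAIN")
                    lines.append(b"250 SIZE 10240000")
                    conn.sendall(b"\r\n".join(lines) + b"\r\n")
                elif verb in (b"MAIL", b"RSET"):
                    conn.sendall(b"250 OK\r\n")
                elif verb == b"RCPT":
                    conn.sendall(b"250 OK\r\n" if self.open_relay
                                 else b"550 5.7.1 Unable to relay\r\n")
                elif verb == b"QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 Command not implemented\r\n")
        self.listener.close()


def audit_against_stand_in(advertise_auth=True, open_relay=False):
    """Run the audit against the scripted server so the example works offline."""
    server = ScriptedSmtpServer(advertise_auth, open_relay)
    server.start()
    try:
        return audit_smtp_exposure("127.0.0.1", server.port)
    finally:
        server.join(timeout=5)


if __name__ == "__main__":
    print("relay-restricted, AUTH offered:", audit_against_stand_in(True, False))
    print("open relay, no AUTH:          ", audit_against_stand_in(False, True))
```

Reading the result: relays_unauthenticated must be False for a server on the Internet. A non-empty auth_mechanisms list with starttls False means outside clients can log in with plaintext LOGIN/PLAIN, which is exactly the surface a guessed "info/info" password was abused through; if no outside user needs to submit mail, that list should be empty when the check is run from outside, while internal clients keep working.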
> On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks

After changing passwords for all unused accounts like Guest and Administrator etc. and then turning off the ones you are not using then everyone using your system (Except the spammer that broke into it) should change their password.

Actually you should change it and have them contact you to find out what it is.

You should also look at the Microsoft site to find out how to lock your system down

