
Stopping spam on Exchange Server


egotrip21


Guys,

I would really appreciate some help on this topic.

Windows 2000 (SP4) with Exchange 2000 (SP3). I know I don't have an open relay.

I understand the basics of exchange as far as configuring and administrating goes. But the finer points of spam prevention are escaping me. I need to be pointed in the right direction as far as best practices.

I have been doing some research and apparently my server is still sending out spam, even though I have disabled all accounts that don't belong to the system or active users.

Is there a way I can track down for sure the user who is sending all this spam? I enabled a bunch of logging on the server and have been watching it for the past few days. I haven't been able to find any auth information in the event logs.

There needs to be a more efficient way of doing this without switching to another mail server or purchasing more software/hardware.

1) Is there a way of tracking and logging access to smtp?

2) Is there a way of tracking down the user account used to authenticate?

3) Is there a way to test for vulnerabilities that may open my server to breaches?

4) Is there a best practices guideline for a secure exchange installation?

I really do appreciate any help that can be given to me. I have been googling for info, but I seem to be drowning in information that just isn't helping.

thanks


You will have to wait until the couple of regulars who know about these things show up for an answer (or try spamcop.geeks, where there are more posters who are knowledgeable).

I do know there are a number of vulnerabilities that have been mentioned with MS Exchange (IIRC, they have to do with passwords - the default for the admin password is easily manipulated by spammers). Another thing, I think you need to check the ports - the spammer uses certain ports to send the spam. I forget at the moment whether it is logs or just to see if there are open ports.

If you try a search on topics, you might find a few posts about MS Exchange that would help you.

HTHAL

Miss Betsy


Guys,

I would really appreciate some help on this topic.

Windows 2000 (SP4) with Exchange 2000 (SP3). I know I don't have an open relay.

[snip]

I really do appreciate any help that can be given to me. I have been googling for info, but I seem to be drowning in information that just isn't helping.

thanks

I'm not really familiar with Exchange but perhaps this SC FAQ page will be helpful.


Gah!

Since last night when I rebooted the server (roughly 9 hours ago), 3 gigs worth of "traffic" has passed through my server! That's over 100,000 badmail items within 9 hours?

I don't have a guest account enabled; I disabled that account as one of the first things. Is it possible that it's still usable via IIS somewhere?

Ports? How can spammers use different ports to send mail? SMTP is only on port 25? I do have a firewall with limited ports open just for mail and web access. It's not the best firewall, but it does its job.

What I don't understand is it seems to be getting worse?! I need to stop the bleeding.. I just don't know how. All answers are very appreciated :)


One thing I seem to recall is that if you have Exchange configured so that anyone with an address in your domain can send, then you're effectively an open relay, as Exchange only checks the reply-to and/or from address to see if it's a valid user... it doesn't check to see if it's coming from a user logged into the domain; it just assumes that if the alleged sender is using your domain, then they must be a valid sender. Also, make sure you don't have it configured to accept connections from anyone in your IP range (internal), as IIRC Exchange doesn't check that very well either... it accepts spoofed IP addresses...

Now, I won't swear that this is correct, but it's what I seem to recall hearing... :-)


MrMaxx,

The relay option is one that I tinkered with yesterday. It was set to accept from all users in my internal subnet. I changed that to relaying mail JUST from my Exchange server's internal IP address. Everyone else now must authenticate.

Can people without a mailbox (i.e. users with just a domain account) send or relay mail?


My understanding (I do not use Exchange) is that ANY account on that box is authorized to send email from it, so ALL accounts on the box should be disabled or passwords reset using strong passwords.

As far as the ports, email can usually be configured to accept on any port, but 25 is the default. There could also be a small program installed on your machine which allows people from the outside to connect to some other port and then have full access to the box to do whatever they want with it. You mention a firewall installed, so you may want to check the firewall logs and see if anything shows up connecting to an internal host (even a workstation) that shouldn't be.

With that amount of unauthorized traffic going through the box, you may be better off disconnecting it from the internet and figuring out the problem you have.

Good luck, many of us have been there at one time or another.


First of all, post the I.P. number that the spam is coming out of. There are many people that can run standard vulnerability tests, or can look up what DNSbls you are currently listed in. Many of the DNSbls will show if they found a specific vulnerability.

Check your backup operator account, per a post in another thread. Their backup software vendor set up a test account with an easy to guess password.

A spammer will use any vulnerability to send spam. If you have an SMS license, install the Network Packet Monitor on a machine and watch the traffic from the port.

Otherwise look at getting a commercial packet analyzer or ethereal (open source version), or hire a consultant to do the checks.

If you have a web or ftp server on the Exchange server, try turning it off to see if that stops the traffic. If so, it would indicate a web form vulnerability.

You may have an open proxy, or other malware on your machine, or on the machine of any of the users that are authorized to use your machine.

-John

Personal Opinion Only


Gah!

Since last night when I rebooted the server (roughly 9 hours ago), 3 gigs worth of "traffic" has passed through my server! That's over 100,000 badmail items within 9 hours?

I don't have a guest account enabled; I disabled that account as one of the first things. Is it possible that it's still usable via IIS somewhere?

Ports? How can spammers use different ports to send mail? SMTP is only on port 25? I do have a firewall with limited ports open just for mail and web access. It's not the best firewall, but it does its job.

What I don't understand is it seems to be getting worse?! I need to stop the bleeding.. I just don't know how. All answers are very appreciated :)

Sounds like the SMTP/AUTH exploit if it is Exchange. You can send me the IP to the address in the sig and I will look at the database and see if there are spamtrap hits or reports.

Faq: http://news.spamcop.net/cgi-bin/fom?file=372

This exploit allows spammers to relay thru your exchange server. This relaying does not show up using standard open relay tests as the spammer has gained "legal" access to your server by hacking an account/password combination.


Hi guys,

I finally got off the spam list, after cutting down a massive amount of spam on my system. These are the steps that I took, that hopefully will help someone else who had my problem :) If anyone can perhaps fill in some gaps, or point out things I may have overlooked, that would be very appreciated!

1) Close the relay - Yes, this is the first step, one that was done with the original install of the Exchange server, so this isn't new. However, what IS new is the IP restrictions that I locked down. Instead of having my internal subnet available (192.168.0.0) I locked out everyone BUT the Exchange server and the Exchange server loopback. The users are still able to send through it, so I'm happy.

2) Authenticated users - I unchecked the box that allows users to relay despite IP restrictions if they authenticate. I have POP3 users, but for now I am having them use OWA. This setting only seems useful if you have IMAP or POP3 users, so if you don't? Uncheck it.

3) Audit user accounts - I had a few guest and test accounts still available. If someone was able to enumerate the accounts on your server, they may be able to guess or brute force passwords on accounts like the infamous "guest" or "test". Make sure ALL non-used accounts are disabled or deleted. Also I encourage strong passwords (8 digits, alpha numeric, capitals included).

4) IP literals - Adding these to Exchange helped me to fall into compliance with the SMTP RFC, which some blacklists insist that you comply with. Basically all it does is allow you to receive email on the IP address of your Exchange server in addition to your domain name (postmaster@[0.0.0.0] for example).

5) Watch the queues - I noticed 15,000 messages going to aol.com. I was willing to bet that 99.99% of those messages were completely illegitimate spam. Delete those queues after you have secured your site. This will hopefully stop the delivery of spam to those sites, and also save bandwidth and hard disk space from all the NDRs you're going to get stored in your badmail folder.

I hope this aids someone, and again, if there is anything else that will be helpful in securing Exchange, PLEASE add it. I am also experimenting with account logging in my Exchange environment in hopes of finding the user name that's being abused.

Thanks!

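As an added example, not posted by anyone in this thread and not Microsoft's own tooling, here is a small Go program that does what the original poster's questions 1 and 2 ask for and what the "SMTP/AUTH exploit" reply and the step list above describe: it reads a W3C extended SMTP protocol log of the kind an Exchange 2000 SMTP virtual server can write, groups commands by client IP, and flags two patterns: a client that authenticates and then submits many recipients (the authenticated-relay abuse, with the account name that was used), and a client that fails AUTH repeatedly (password guessing against accounts such as "test" or "guest"). The log lines below are constructed, and the column names (c-ip, cs-username, cs-method, sc-status) are an assumption; the parser takes the real layout from the #Fields: directive, so pointing it at your own log shows which columns it actually carries.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// sampleLog is a constructed W3C extended log. Column names are assumed;
// real logs declare their own layout in the #Fields: line.
const sampleLog = `#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-01 00:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2004-03-01 03:12:44 192.168.0.20 - 192.168.0.2 EHLO +ws20 250
2004-03-01 03:12:44 192.168.0.20 - 192.168.0.2 MAIL +FROM:<alice@example.net> 250
2004-03-01 03:12:44 192.168.0.20 - 192.168.0.2 RCPT +TO:<bob@example.net> 250
2004-03-01 03:12:45 192.168.0.20 - 192.168.0.2 QUIT - 240
2004-03-01 03:13:01 203.0.113.77 - 192.168.0.2 EHLO +mail 250
2004-03-01 03:13:01 203.0.113.77 - 192.168.0.2 AUTH +LOGIN 334
2004-03-01 03:13:02 203.0.113.77 test 192.168.0.2 AUTH - 235
2004-03-01 03:13:02 203.0.113.77 test 192.168.0.2 MAIL +FROM:<x@example.net> 250
2004-03-01 03:13:02 203.0.113.77 test 192.168.0.2 RCPT +TO:<a1@aol.com> 250
2004-03-01 03:13:02 203.0.113.77 test 192.168.0.2 RCPT +TO:<a2@aol.com> 250
2004-03-01 03:13:03 203.0.113.77 test 192.168.0.2 RCPT +TO:<a3@aol.com> 250
2004-03-01 03:13:03 203.0.113.77 test 192.168.0.2 RCPT +TO:<a4@aol.com> 250
2004-03-01 03:13:10 198.51.100.9 - 192.168.0.2 AUTH +LOGIN 334
2004-03-01 03:13:11 198.51.100.9 - 192.168.0.2 AUTH - 535
2004-03-01 03:13:12 198.51.100.9 - 192.168.0.2 AUTH +LOGIN 334
2004-03-01 03:13:13 198.51.100.9 - 192.168.0.2 AUTH - 535
`

// ClientStats is what we keep per client IP.
type ClientStats struct {
	IP       string
	Users    map[string]int // usernames seen in cs-username and how many commands ran under each
	AuthOK   int            // AUTH exchanges that ended in 235
	AuthFail int            // AUTH exchanges that ended in 535
	Rcpt     int            // RCPT TO commands the server accepted (250)
}

// ParseW3C reads a W3C extended log and returns one field-name->value map per
// record, using the #Fields: directive for the column layout.
func ParseW3C(log string) ([]map[string]string, error) {
	var fields []string
	var records []map[string]string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "#Fields:") {
			fields = strings.Fields(strings.TrimPrefix(line, "#Fields:"))
			continue
		}
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if fields == nil {
			return nil, fmt.Errorf("data before #Fields: directive: %q", line)
		}
		cols := strings.Fields(line)
		if len(cols) != len(fields) {
			return nil, fmt.Errorf("expected %d columns, got %d: %q", len(fields), len(cols), line)
		}
		rec := make(map[string]string, len(fields))
		for i, name := range fields {
			rec[name] = cols[i]
		}
		records = append(records, rec)
	}
	return records, sc.Err()
}

// Summarize groups records by client IP, counting AUTH outcomes and accepted
// recipients and remembering which account names each client used.
func Summarize(records []map[string]string) map[string]*ClientStats {
	stats := make(map[string]*ClientStats)
	for _, r := range records {
		s, ok := stats[r["c-ip"]]
		if !ok {
			s = &ClientStats{IP: r["c-ip"], Users: make(map[string]int)}
			stats[s.IP] = s
		}
		if u := r["cs-username"]; u != "" && u != "-" {
			s.Users[u]++
		}
		status, _ := strconv.Atoi(r["sc-status"])
		switch r["cs-method"] {
		case "AUTH":
			if status == 235 {
				s.AuthOK++
			} else if status == 535 {
				s.AuthFail++
			}
		case "RCPT":
			if status == 250 {
				s.Rcpt++
			}
		}
	}
	return stats
}

// Flag returns, sorted by IP, clients that authenticated and then pushed at
// least maxRcpt recipients (relay abuse) or failed AUTH at least maxFail times
// (password guessing).
func Flag(stats map[string]*ClientStats, maxRcpt, maxFail int) []*ClientStats {
	var out []*ClientStats
	for _, s := range stats {
		if (s.AuthOK > 0 && s.Rcpt >= maxRcpt) || s.AuthFail >= maxFail {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	records, err := ParseW3C(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, s := range Flag(Summarize(records), 3, 2) {
		fmt.Printf("%-15s authOK=%d authFail=%d rcpt=%d users=%v\n",
			s.IP, s.AuthOK, s.AuthFail, s.Rcpt, s.Users)
	}
}
```

On the constructed sample the internal workstation is not flagged, 203.0.113.77 is flagged as an authenticated relay under the account "test", and 198.51.100.9 is flagged for repeated AUTH failures. On a real log raise the thresholds to fit your volume, and expect the account name to appear only if the virtual server's log format includes cs-username and populates it after AUTH; if it does not, the c-ip of the flagged client is still enough to block at the firewall while the account is found.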

I finally got off the spam list, after cutting down a massive amount of spam on my system. These are the steps that I took, that hopefully will help someone else who had my problem

I took a different approach to securing my Exchange server. I put a Linux box in front of it! :)

Also I encourage strong passwords (8 digits, alpha numeric, capitals included).

In the olden days (of NT4), Windows networking passwords could be up to 14 characters long, but were internally hashed in groups of 7 characters. Thus, if you had an 8-character password, the last character would be by itself in the hash - and would be trivial to determine.

I'm not sure if this weakness went away with W2K or XP or if it's still around, but I still recommend longer passwords...

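The split-hash weakness described in the reply above, as an added example that is not part of the original post: the Go program below computes the LAN Manager (LM) hash exactly as the poster describes it (uppercase, pad or truncate to 14 bytes, DES-hash each 7-byte half on its own) and then shows the consequence for 8-character passwords: the second half covers a single character, so it is recovered with at most 95 DES operations, and any password of 7 characters or fewer leaves the second half equal to a well-known constant. The passwords are made up; the only dependency is Go's standard crypto/des package. Windows 2000 still stores LM hashes by default; the NoLMHash setting turns that off.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM DES-encrypts under each key half.
var lmMagic = []byte("KGS!@#$%")

// expandKey spreads the 56 bits of a 7-byte half over 8 bytes so that the low
// bit of each byte is the DES parity bit (which crypto/des ignores).
func expandKey(k7 []byte) []byte {
	key := []byte{
		k7[0] >> 1,
		(k7[0]&0x01)<<6 | k7[1]>>2,
		(k7[1]&0x03)<<5 | k7[2]>>3,
		(k7[2]&0x07)<<4 | k7[3]>>4,
		(k7[3]&0x0F)<<3 | k7[4]>>5,
		(k7[4]&0x1F)<<2 | k7[5]>>6,
		(k7[5]&0x3F)<<1 | k7[6]>>7,
		k7[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalf DES-encrypts the magic constant under one 7-byte half.
func lmHalf(k7 []byte) []byte {
	block, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err) // the key is always 8 bytes, so this cannot fail
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash: uppercase, pad or truncate to 14 bytes, hash the halves
// independently. The halves never mix, which is the whole weakness.
func LMHash(password string) []byte {
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))
	return append(lmHalf(buf[:7]), lmHalf(buf[7:])...)
}

// LMHashHex returns the hash in the usual 32-hex-digit form.
func LMHashHex(password string) string {
	return strings.ToUpper(hex.EncodeToString(LMHash(password)))
}

// emptyHalf is the half-hash of seven NUL bytes: every password of 7 or
// fewer characters has this as its second half.
var emptyHalf = lmHalf(make([]byte, 7))

// SecondHalfIsEmpty reports whether the password behind hash had <= 7 chars.
func SecondHalfIsEmpty(hash []byte) bool {
	return bytes.Equal(hash[8:], emptyHalf)
}

// CrackSingleCharHalf recovers a half that holds exactly one character, which
// is what the second half of any 8-character password is: at most 95 DES
// operations instead of a search over seven positions.
func CrackSingleCharHalf(half []byte) (byte, bool) {
	k7 := make([]byte, 7)
	for c := byte(' '); c < 0x7f; c++ {
		k7[0] = c
		if bytes.Equal(lmHalf(k7), half) {
			return c, true
		}
	}
	return 0, false
}

func main() {
	for _, pw := range []string{"short", "password", "Secret42", "LongerPassphrase!"} {
		h := LMHash(pw)
		fmt.Printf("%-18s %s shortPassword=%-5v", pw, LMHashHex(pw), SecondHalfIsEmpty(h))
		if c, ok := CrackSingleCharHalf(h[8:]); ok {
			fmt.Printf(" 8thChar=%q", c)
		}
		fmt.Println()
	}
}
```

Run it and "password" yields the familiar E52CAC67419A9A224A3B108F3FA6CB6D with its eighth character recovered as 'D', while "short" is exposed as a 7-or-fewer-character password by its second half alone. Note that uppercasing means capitals add nothing to an LM hash; only length past 7 characters (and, on Windows 2000, disabling LM storage) actually helps, which is the reason behind the poster's recommendation of longer passwords.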
