drax Posted August 25, 2004

It was recently reported to us (via the SpamCop list) that spam was originating from our mail server, and we have subsequently investigated whether we may have been compromised by the Exchange 2000/SMTP Auth exploit. I have run through the following checklist:

1. Double-checked that we are not an open relay.
2. Closed relaying completely. I have unticked "Allow all computers which successfully authenticate to relay, regardless of the list above" and entered the internal IP address of our mail server into the list of computers granted relay permission.
3. Checked that the mail server is up to date with Windows/Exchange patches.
4. Changed the administrator account username and password.
5. Enforced a new password policy for our users at their next password change.

According to the following article: A New Kind Of Attack, I should be looking out for Event ID 528s, of which I have seen none. It says I should also enable "account object auditing" but is a tad unclear about what I should be auditing, as the Windows security logs are full of audits of mailbox/folder access. However, I cannot see anything in the security log relating to SMTP virtual server access. Where should I be looking for this?

Anyway, despite all these changes we have made, I still notice the occasional entry in our message tracking log files of messages that look like they are being relayed through our mail server. How is this possible?

I have noticed that all our genuine-looking external mail in these logs has a full DNS domain name in the Client-hostname field, yet the suspect-looking mail has names such as "popularly" (184.108.40.206) and "screamer" (220.127.116.11).

If anyone could shed some light on the situation I'd be extremely grateful.
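The relay check the post is doing by eye (external client, external recipient, short Client-hostname) can be run over the whole message tracking log. The following Python script is an added example, not code from the original post or from the linked article. It parses the W3C extended format Exchange 2000 writes (a "#Fields:" header followed by tab-separated rows) and flags two things per entry: "relay" when the client IP is outside the internal networks and the recipient domain is not one of the local domains, and "short-hostname" when an external client's recorded Client-hostname has no dot in it. The local domain (example.com), the internal address range (10.0.0.0/8), the field subset in the sample header and all sample rows are assumptions constructed for the example; a real log has more columns, which is why the script takes the field names from the log's own "#Fields:" line rather than hard-coding positions.

```python
"""Scan an Exchange 2000 message tracking log (W3C extended format) for relay
candidates: rows where the client IP is outside our networks AND the recipient
is outside our domains.  Rows from an external client whose Client-hostname is
not a fully qualified name are flagged separately, since that is the pattern
the post noticed.  Added example; not from the original post.
"""
import ipaddress

# Assumptions for the example: our own mail domains and our internal address space.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log.  The real Exchange 2000 tracking log has more columns;
# this subset is an assumption, which is fine because parsing is driven by the
# "#Fields:" header rather than fixed positions.  Event-ID values are part of the
# constructed sample, not a statement about Exchange event codes.
_FIELDS = ["Date", "Time", "client-ip", "Client-hostname", "Server-hostname",
           "Recipient-Address", "Event-ID", "MSGID", "Sender-Address"]
_ROWS = [
    # internal workstation -> local recipient: normal
    ("2004-08-25", "09:12:03", "10.0.0.5", "ws12", "mail.example.com",
     "bob@example.com", "1019", "<m1@example.com>", "alice@example.com"),
    # external MX with a full DNS name -> local recipient: normal inbound mail
    ("2004-08-25", "09:14:10", "192.0.2.45", "mx1.partner.net", "mail.example.com",
     "bob@example.com", "1019", "<m2@partner.net>", "joe@partner.net"),
    # external client, bare hostname, external recipient: relayed spam
    ("2004-08-25", "09:20:55", "203.0.113.77", "popularly", "mail.example.com",
     "victim@otherdomain.org", "1019", "<m3@popularly>", "promo@freemail.test"),
    # same, but with a forged local sender address: still a relay
    ("2004-08-25", "09:21:02", "198.51.100.9", "screamer", "mail.example.com",
     "buyer@shop.test", "1019", "<m4@screamer>", "sales@example.com"),
    # internal workstation -> external recipient: normal outbound mail
    ("2004-08-25", "09:30:44", "10.0.0.8", "ws14", "mail.example.com",
     "supplier@vendor.test", "1019", "<m5@example.com>", "carol@example.com"),
]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Exchange Server", "#Version: 6.0",
     "#Fields: " + " ".join(_FIELDS)] + ["\t".join(r) for r in _ROWS]) + "\n"


def parse_tracking_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other W3C directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data row before #Fields: header")
        values = line.split("\t")
        if len(values) != len(fields):    # truncated or corrupt row: skip, do not guess
            continue
        yield dict(zip(fields, values))


def domain_of(address):
    """Domain part of an SMTP address such as '<user@host>' or 'user@host'."""
    return address.strip("<>").rsplit("@", 1)[-1].lower()


def is_internal(ip_text, nets=INTERNAL_NETS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                    # unparsable client-ip is treated as external
        return False
    return any(ip in net for net in nets)


def classify(entry, local_domains=LOCAL_DOMAINS, nets=INTERNAL_NETS):
    """Return the list of flags for one tracking-log row (empty list = nothing odd)."""
    flags = []
    external_client = not is_internal(entry["client-ip"], nets)
    external_recipient = domain_of(entry["Recipient-Address"]) not in local_domains
    # Neither endpoint is ours: the footprint of open-relay or abused-auth relaying.
    # The sender address is deliberately ignored; spammers forge it.
    if external_client and external_recipient:
        flags.append("relay")
    # A bare name such as "popularly" from an outside address is a weaker signal,
    # but it is the one the post spotted, so report it alongside the relay test.
    if external_client and "." not in entry["Client-hostname"]:
        flags.append("short-hostname")
    return flags


def find_suspects(text, local_domains=LOCAL_DOMAINS, nets=INTERNAL_NETS):
    """(MSGID, flags) for every row that gets at least one flag."""
    out = []
    for entry in parse_tracking_log(text):
        flags = classify(entry, local_domains, nets)
        if flags:
            out.append((entry["MSGID"], flags))
    return out


if __name__ == "__main__":
    for msgid, flags in find_suspects(SAMPLE_LOG):
        print(msgid, ",".join(flags))
```

The "relay" test is the decisive one: a message that arrives from outside your networks and leaves for a recipient outside your domains has been relayed whatever the sender address or hostname says, so a forged local sender (the "screamer" row) is still caught. The short-hostname test is only a heuristic and is not applied to internal clients, since workstations on the LAN legitimately show up with bare names.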