jkee Posted October 25, 2004

We have an Exchange server (ip 208.9.211.11) that continues to get picked up by spamcop and other black lists and I cannot seem to find the problem. Below is a recent example of mail sent to another spamtrap. Any help is greatly appreciated.

From polynomialplotters[at]excite.com Sat Oct 23 16:09:13 2004
Delivery-date: Sat, 23 Oct 2004 16:09:13 -0400
Received: from [208.9.211.11] (helo=mail3.wsolutions.net)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CLSCP-0006dM-Qw
    for psbltrap[at]kernelnewbies.nl; Sat, 23 Oct 2004 16:09:13 -0400
Received: from sashay ([200.140.36.124]) by mail3.wsolutions.net with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 23 Oct 2004 15:09:15 -0500
From: "Teresita Julian"<polynomialplotters[at]excite.com>
To: psbltrap[at]kernelnewbies.nl
Subject: VA1ll|UM, C|AI|I1S, Vl|AGRA. . .
Mime-Version: 1.0
Date: 23 Oct 2004 15:09:18 -0500

http://[MUNGED]
http://[MUNGED]
http://[MUNGED]
Cl|CK HERE KN0W MORE
http://[MUNGED]/as#polis

Thanks
Wazoo Posted October 25, 2004

This is obviously a silly question ... have you yet taken a look at the FAQ here? There are numerous links to Exchange server issues, sources for what to look for and how to fix/patch/work-around most of them .... and this same "issue" came up a half-dozen times just last week, resulting in several existing Topics / discussions from other Exchange server folks, most resulting in problems found/repaired ... have you looked at these other "unblock me ..." Topics?
Merlyn Posted October 25, 2004

To add to what Wazoo said, look for SMTP Auth Hack. The spammers are validating themselves on your server.
GraemeL Posted October 25, 2004

You have an account "info" with the password the same as the username. This is probably what the spammers are using to authenticate and use your server as a relay. If you do not require remote users to be able to relay through your server, you should disable the SMTP AUTH option. Instructions for doing this can be found by following the links in the FAQ.
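An added example, not code from any poster in this thread: a small Python script that walks the Received chain quoted in the first post, oldest hop first, and flags the hop where the organization's own server accepted a message from an outside address and then handed it to an outside host. That is the trace an authenticated-relay abuse of the kind GraemeL diagnoses leaves in headers, and it is what a defender can check in their own spamtrap or bounce samples. The hostname is taken from the headers on the page; the network range 208.9.211.0/24 is an assumed placeholder, and the second, "clean inbound" header sample is constructed for contrast.

```python
import ipaddress
import re

# Constructed copy of the Received chain quoted in the first post (addresses munged as on the page).
SAMPLE_HEADERS = """\
Received: from [208.9.211.11] (helo=mail3.wsolutions.net)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CLSCP-0006dM-Qw
    for psbltrap[at]kernelnewbies.nl; Sat, 23 Oct 2004 16:09:13 -0400
Received: from sashay ([200.140.36.124]) by mail3.wsolutions.net with Microsoft SMTPSVC(5.0.2195.6713);
    Sat, 23 Oct 2004 15:09:15 -0500
From: "Teresita Julian"<polynomialplotters[at]excite.com>
To: psbltrap[at]kernelnewbies.nl
Subject: VA1ll|UM, C|AI|I1S, Vl|AGRA. . .
"""

# Constructed sample of ordinary inbound mail: our server is the last hop, nothing is relayed onward.
INBOUND_HEADERS = """\
Received: from mx.other.example ([203.0.113.5]) by mail3.wsolutions.net with Microsoft SMTPSVC;
    Mon, 25 Oct 2004 09:00:00 -0500
From: someone[at]other.example
Subject: hello
"""

OUR_HOSTS = {"mail3.wsolutions.net"}   # names our own MTA writes into the "by" clause (from the page)
OUR_NETWORKS = ["208.9.211.0/24"]      # assumed placeholder for the server's address range


def unfold(raw):
    """Join folded header continuation lines (leading whitespace) onto their parent line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


RECEIVED_RE = re.compile(r"^Received:\s*from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(raw):
    """Return the Received hops oldest-first, each as {'from', 'from_ip', 'by'}."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ips = IPV4_RE.findall(m.group("from"))
        hops.append({
            "from": m.group("from"),
            "from_ip": ips[0] if ips else None,
            "by": m.group("by").rstrip(";").lower(),
        })
    hops.reverse()  # headers are prepended, so the bottom Received line is the earliest hop
    return hops


def _is_ours(ip, nets):
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def find_relay_hops(hops, our_hosts=OUR_HOSTS, our_networks=OUR_NETWORKS):
    """Flag hops where one of our hosts accepted mail from an outside IP and then passed it
    to an outside host. Received lines older than the one our own MTA wrote can be forged by
    the sender, so the check keys on the line where our host is the 'by' party."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    findings = []
    for i, hop in enumerate(hops):
        if hop["by"] not in our_hosts or _is_ours(hop["from_ip"], nets):
            continue
        nxt = hops[i + 1] if i + 1 < len(hops) else None
        if nxt is None or nxt["by"] in our_hosts:
            continue  # our host was the final destination: normal inbound delivery
        findings.append({
            "external_ip": hop["from_ip"],
            "claimed_name": hop["from"],
            "relayed_via": hop["by"],
            "delivered_to": nxt["by"],
        })
    return findings


def check(raw):
    return find_relay_hops(parse_received(raw))


if __name__ == "__main__":
    for f in check(SAMPLE_HEADERS):
        print(f"relay: {f['relayed_via']} accepted mail from outside IP {f['external_ip']} "
              f"and sent it on to {f['delivered_to']}")
```

Run against the first post's headers, the script reports one relay hop: mail3.wsolutions.net accepted the message from 200.140.36.124 (a host calling itself "sashay") and then delivered it to the spamtrap's MX. The constructed inbound sample produces no finding, which is the distinction that matters: a server that receives from outside is normal, a server that receives from outside and forwards to outside is relaying, and if relaying is meant to be restricted to authenticated users, the next place to look is which account authenticated that session.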
jkee (Author) Posted October 25, 2004

Thanks for all of your help. Yes, I did scour the FAQ prior to posting as we've been at this for a week or so. After doing everything I could find in terms of locking down the server, my worst fear was that they were authenticating, but before I started making all of the users change their password, this was my last resort. Your help is greatly appreciated. I have gone ahead and changed the info user's password; is there a way that I can check this as you do? Thanks again for all of your help, hopefully this does it.
GraemeL Posted October 25, 2004

> Is there a way that I can check this as you do?

If you have a machine with perl installed on it, drop me a PM with an email address I can use to contact you.
jkee (Author) Posted October 25, 2004

Does Perl need to be on the exchange server itself or can it be on a separate server?
Wazoo Posted October 25, 2004

You spent a week on this already, allegedly scoured all info here for help, yet only took care of one account that was pointed out with a "default" password ... and now you want to toss another "programming language" on something, but not even sure where to put it so it could run a routine offered up by some anonymous poster here (yes, this person is actually trustworthy, but .....) As suggested before, someone "there" needs to start from scratch on that server. That you were contemplating re-validating all your users was a fine first-step. I can't yet figure out why that still hasn't been done. One "role" account has had a password changed. Is anyone there knowledgeable enough to go through the logs and see if any of the other accounts has in fact been compromised? The possibility that other "user" accounts have also been added (with root powers) just can't be overlooked at this point.
jkee (Author) Posted October 25, 2004

I apologize for my lack of knowledge, our Exchange admin left a few weeks ago and this was thrown on me. I am by no means an Exchange expert, I'm just trying to keep things afloat until a new Admin is hired. I spent the last week searching for Exchange exploits and "lockdown" policies that weren't currently being used. We were delisted from the PSBL blacklist, so I assumed we had taken a step in the direction. The reason we haven't reset each of the user's passwords is because there are approximately 400 users on the box which isn't that much, but these users would object to having to update all of their passwords on the client side. Where in the logs would I be able to decipher which users have been compromised? Again, I do appreciate everyone's help, I'm sure you or someone you know has been in this spot before.
dbiel Posted October 25, 2004

> Does Perl need to be on the exchange server itself or can it be on a separate server?

Any machine with internet access. Does not have to be a server.
turetzsr Posted October 25, 2004

> I apologize for my lack of knowledge, our Exchange admin left a few weeks ago and this was thrown on me. I am by no means an Exchange expert, I'm just trying to keep things afloat until a new Admin is hired.

...Wow, that's a perfect scary Halloween story! <g> ...Would you have agreed to "fill in" for, say, a brain surgeon? It might have seemed that being an Exchange Admin isn't in the same class of endeavor but .... <g>

<snip>

> The reason we haven't reset each of the user's passwords is because there are approximately 400 users on the box which isn't that much, but these users would object to having to update all of their passwords on the client side.

...They might also object to having to leave the building in the event of a bomb scare. Personally, I wouldn't be overly concerned -- your network's integrity and the good name of your employer (or whomever's Exchange Server this is) is far more important, IMHO. <g>

> I'm sure you or someone you know has been in this spot before.

...Nope, I don't know of anyone who "owns" the operation of an Exchange Server (that's not you -- that's [apparently] whomever asked you to fill in) who is that irresponsible. <g>
jkee (Author) Posted October 25, 2004

Please don't take this the wrong way, all I am here for though is to seek help. I didn't ask for this situation, it was thrown at me (not optional here). I am going to take the next step and reset each user's password as recommended. If anyone can provide any further constructive help, I'd greatly appreciate it. Thanks to those of you that have helped.
turetzsr Posted October 25, 2004

> Please don't take this the wrong way, all I am here for though is to seek help. I didn't ask for this situation, it was thrown at me (not optional here). I am going to take the next step and reset each user's password as recommended. If anyone can provide any further constructive help, I'd greatly appreciate it. Thanks to those of you that have helped.

...And I hope you didn't take what I wrote the wrong way. I was trying (in my perhaps too-subtle way) to say that you've been asked to take on a role that (unbeknownst to you, and with your having only the best intentions and the good of your colleagues in mind) you have been victimized; seduced into a responsibility that you are not sufficiently trained to do well. This, in my view, was irresponsible of whomever asked you to do it, not irresponsible on your part.
jkee (Author) Posted October 25, 2004

No, I knew it wasn't personal, it's just been frustrating dealing with all of this stuff and I know that I'm not equipped to manage this solution. I just have some rather high profile customers on the server that don't understand the spam listings very well and get easily angered when their email is rejected. I do appreciate everyone's help though and look forward to getting this resolved.
Wazoo Posted October 25, 2004

I'm agreeing with Steve T's sentiments and remarks. Knowing a bit of your story up front may have softened a bit of the commentary here (or maybe not ..) Anyway, you say you've studied the FAQ, tried to accomplish data found there, but one of the things I don't see is the suggestion that you look at a few of the recent Topics, one of which gets right to the heart of the difference between user, role, and system accounts.

Start with http://forum.spamcop.net/forums/index.php?showtopic=2891 best described by that user's line of "HOLY #$%* ! I can't believe I missed that!" .... these are the accounts/passwords I've been pointing to that you've not yet mentioned ....

Another; http://forum.spamcop.net/forums/index.php?showtopic=2864 ... possibly best described as "Who's in charge?"

Another - no feedback on closure; http://forum.spamcop.net/forums/index.php?showtopic=2887

Point being, you are not alone in trying to deal with the monster that Microsoft put into the world .... and you are certainly not the first that came here carrying the "I've done everything right, so what the ***** is the problem" situation <g> You have to picture those hundred bred/born/raised Microsoft software guys, sitting in their brightly lit office spaces, buried deep within the Microsoft empire/campus, working on computers specifically set-up and optimized to run nothing but Microsoft certified software and applications, surrounded on all sides by firewalls, filtering, and protection systems and devices run by another hundred Microsoft software engineers ... and the product they developed worked just fine "there" .... how were they to know that "you" were going to hook it up directly to the Internet? <g> That wasn't the plan that they had when designing this application ....
GraemeL Posted October 25, 2004

> Does Perl need to be on the exchange server itself or can it be on a separate server?

Any box that can make a port 25 TCP connection to the machine you want to test. I tested your Exchange server from one of my own servers.
jkee (Author) Posted October 25, 2004

I did read those first two posts prior to posting, but why does Microsoft advise to keep the Basic Authentication and Integrated Windows Authentication checked? To be honest, you have all been very helpful, most forums get perhaps one response per day and this one has been outstanding (despite the subtle sarcasm)... I addressed the issue with the SMTP Auth hack, is there a way that you can check to see if things have died down? I am working on updating all of the passwords, but I know that's not going to be an overnight change. It will get done this week whether the users like it or not, but just curious to see if we've closed all of the potential loopholes. Thanks again.
Wazoo Posted October 25, 2004

One place to monitor is http://www.senderbase.org/?searchBy=ipaddr...ng=208.9.211.11 ... and for the record, the current data showing is;

Report on IP address: 208.9.211.11
Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.9         894%
Last 30 days    3.5         300%
Average         2.9

Though noting that SenderBase was referenced a lot in at least one of those previously suggested other Topics ....
jkee (Author) Posted October 25, 2004

Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?
Wazoo Posted October 26, 2004

> Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?

Yes, it means what it says. However, what status you are in now I can't say, as this data wasn't identified earlier ... that's why I copied it into this Topic ... "we" now have a known state and the time it was identified. As stated, in one of the other referenced Topics, I recall being pleased to show that as I was checking it over the next 2 or 3 days, I could show that the traffic was in fact reduced. Hit the URL I provided in a few hours and see if that "last day" number is still going down (we all hope)
dbiel Posted October 26, 2004

> Does that mean that the traffic has increased that much in the past day? Meaning everything I've done has actually done more harm than good?

Not necessarily. Last day is compared to the average, not to the previous day. You would have to know what the previous day's value was to make that determination.

Wazoo, the way I read your statement "Yes, it means what it says" = change as compared to the previous day which would not agree with my understanding, though this may not be what you meant.
Wazoo Posted October 26, 2004

I was going with the data points, just as I was referring in the posts in the other Topic, specifically http://forum.spamcop.net/forums/index.php?...indpost&p=18985 and the following ... I kind of thought that the numbers mentioned were labelled pretty clearly (well, on the SenderBase page as compared to the plain-text version created here) .. the "Magnitude Vol Change vs. Average" line identified for the "last day" .... as stated in my last, unfortunately, none of "us" snagged and documented the data that was there yesterday, so none of us knows which way this number (now captured) has been going. There was a time when it appeared that SenderBase reset those numbers sometime during the 24 hour (?) period, as one IP I was following dropped from some significant number to zero, then started incrementing again as the day went on ... however, later follow-ups on other 'problems' now suggest that the first one must have been a database reset or something. This particular IP may take some time to show a decline as the baseline traffic amount isn't at the same level as the other IP referenced, but at least at last check (a few minutes ago) the volume increase hasn't gone up <g> So it's either that the open hole was closed .. or the spammer quit using this system due to its current condition of being listed, spewing from somewhere else while waiting for this one to de-list ...????
jkee (Author) Posted October 26, 2004

On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks
dbiel Posted October 26, 2004

> On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks

Do any of your users need to log into your network from outside of your local network (i.e. the internet) for the purpose of sending email? Note: most outside users only need to access email to retrieve it. They are able to send mail using the ISP they used to connect to the internet. If outside users need to send mail using your server then there is no way to disable SMTP authentication. If they can send mail using their own ISP then you can disable remote SMTP authentication. It is NOT the same thing as integrated windows authentication and basic windows authentication.

It sounds like you need to hire an outside specialist to come in for a day or two to clean up the entire server setup. Unfortunately you have found yourself in a very dangerous position (not of your own making). Your employer has asked you to pilot the Space Shuttle because you have a license to drive a car (the space shuttle is just another vehicle, is it not?) Setting up an exchange server correctly is an extremely complex process. Good luck in your endeavours, but I strongly suggest getting some professional help, before you find your employer blaming you for problems that are way over your head to handle while forgetting the fact that he forced you into the position in the first place.
Merlyn Posted October 26, 2004

> On the default smtp virtual server, I unchecked the boxes for integrated windows authentication and basic windows authentication and it seemed fine, but all of a sudden all of my users were unable to send emails. I have since rechecked the boxes and it's enabled sending, any ideas? Thanks

After changing passwords for all unused accounts like Guest and Administrator etc. and then turning off the ones you are not using, then everyone using your system (except the spammer that broke into it) should change their password. Actually you should change it and have them contact you to find out what it is. You should also look at the Microsoft site to find out how to lock your system down.
Archived: This topic is now archived and is closed to further replies.