Telarin Posted October 21, 2008

So I came in yesterday to a mail server spewing thousands of phishing emails out to the internet. After disabling email and spending several hours cleaning out clogged mail queues I brought the server back online and began trying to figure out how it happened. Standard relay tests against my mail server (24.149.202.2) show that it will not relay, which is as it should be, so I am left wondering how someone got these messages into the queues in the first place. The only thing I can come up with is that they somehow compromised a user account that had relay permission. I have temporarily disabled relay permission on all user accounts for the time being until I figure out what went wrong.

The server is Exchange 2003 with all current patches and service packs installed, IP address given above. Feel free to do any non-destructive testing against it you like. Maybe someone can come up with something that I missed.

Log entries show standard submissions:

2008-10-19 9:36:13 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1019 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:13 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1025 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:14 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1024 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:14 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1033 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:14 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1034 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:14 GMT 213.221.211.234 User - GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1020 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 9:36:14 GMT 213.221.211.234 User mta441.mail.re4.yahoo.com GIASERVER 192.168.1.3 jwonline005[at]yahoo.com 1031 GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com 3 0 435 1 2008-10-19 9:36:9 GMT 0 Version: 6.0.3790.211 - whats up chase? support[at]quickloansdirect.org -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 annfar[at]naxs.net 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 annerdog[at]gateway.net 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 annblackledge[at]peoplepc.com 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 ankletj[at]netscape.net 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 anklets[at]netscape.net 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 anicemit[at]academicplanet.com 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -
2008-10-19 11:54:33 GMT 209.113.246.98 User - GIASERVER 192.168.1.3 angrydragon[at]ala.nu 1019 GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com 3 0 4431 50 2008-10-19 11:54:25 GMT 0 Version: 6.0.3790.211 - New Message from Chase Online(SM) smrfs[at]chaseonline.chasejpmorgan.com -

The first few entries appear to have been a test probe, and then a couple of hours later, the submission of spew began... The message IDs are not the standard format for emails submitted through Exchange's submission protocol from Outlook. Those IDs should be of the format "[MessageID][at]giaserver.AGENA.local". Thoughts or comments?
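A small triage script for the pattern described above (a probe followed by bulk authenticated submissions whose Message-IDs carry a domain Outlook clients never produce), added here as an example and not part of the original post. It assumes a tab-separated Exchange 2003 message tracking layout modelled on the entries quoted (the FIELDS list, the 1019 submission event id, the 192.168.x LAN range and the recipient threshold are all assumptions to adjust), and the sample lines are constructed with placeholder recipient addresses.

```python
from collections import Counter

# Assumed tab-separated column layout, modelled on the entries quoted in the
# post (Exchange 2003 message tracking log); adjust to your log's #Fields line.
FIELDS = ["date", "time", "client_ip", "client_host", "partner", "server_host",
          "server_ip", "recipient", "event_id", "msgid", "priority", "status",
          "bytes", "num_recipients", "orig_time", "encryption", "version",
          "linked_msgid", "subject", "sender"]
SUBMIT_EVENT = "1019"                            # submission event id seen in the post
EXPECTED_MSGID_DOMAIN = "giaserver.agena.local"  # what the post says Outlook produces
INTERNAL_PREFIXES = ("192.168.",)                # assumption: the LAN client range
MAX_RECIPIENTS_PER_IP = 20                       # assumption: tune to your volume

def parse(line):
    parts = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def msgid_domain(msgid):
    return msgid.strip("<>").rsplit("@", 1)[-1].lower() if "@" in msgid else ""

def find_suspicious(lines):
    """Return (foreign-Message-ID submissions from outside the LAN, {ip: recipients} over the limit)."""
    foreign, recips = [], Counter()
    for line in lines:
        r = parse(line)
        if r is None or r["event_id"] != SUBMIT_EVENT:
            continue
        recips[r["client_ip"]] += int(r["num_recipients"] or 0)
        if (not r["client_ip"].startswith(INTERNAL_PREFIXES)
                and msgid_domain(r["msgid"]) != EXPECTED_MSGID_DOMAIN):
            foreign.append((r["client_ip"], r["msgid"], r["subject"]))
    bursts = {ip: n for ip, n in recips.items() if n > MAX_RECIPIENTS_PER_IP}
    return foreign, bursts

def row(*cols):
    return "\t".join(cols)

SAMPLE_LOG = [  # constructed sample data in the layout above (recipients are placeholders)
    row("2008-10-19", "8:00:01 GMT", "192.168.1.50", "PC01", "-", "GIASERVER", "192.168.1.3",
        "alice@example.net", "1019", "AB12CD34@giaserver.AGENA.local", "3", "0", "1200", "1",
        "2008-10-19 8:00:00 GMT", "0", "Version: 6.0.3790.211", "-", "Q3 figures", "bob@example.org"),
    row("2008-10-19", "9:36:13 GMT", "213.221.211.234", "User", "-", "GIASERVER", "192.168.1.3",
        "victim1@example.net", "1019", "GIASERVERkfb81IfpT80000034c@giaserver.gia-tx.com", "3",
        "0", "435", "1", "2008-10-19 9:36:9 GMT", "0", "Version: 6.0.3790.211", "-",
        "whats up chase?", "support@quickloansdirect.org"),
    row("2008-10-19", "11:54:33 GMT", "209.113.246.98", "User", "-", "GIASERVER", "192.168.1.3",
        "victim2@example.net", "1019", "GIASERVERQvXlaoY99E0000034d@giaserver.gia-tx.com", "3",
        "0", "4431", "50", "2008-10-19 11:54:25 GMT", "0", "Version: 6.0.3790.211", "-",
        "New Message from Chase Online(SM)", "smrfs@chaseonline.chasejpmorgan.com"),
]
```

Running find_suspicious(SAMPLE_LOG) flags both external submissions on the Message-ID domain alone, and the second one again on recipient volume; on a real log, every flagged client IP is a candidate for a compromised SMTP AUTH account.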
Farelf Posted October 21, 2008

Hi Will, FWIW the only change I see to your DNS records and service scan (DomainDossier) since your little problem with SORBS is in your rDNS (added 24.149.202.2.biz.sta.comcastbusiness.net to existing giaserver.gia-tx.com) - can't see what that has to do with anything but it is unusual, and a change. The other unusual thing is your SMTP response to VRFY and EXPN requests (and to unknown addresses) which is pretty nifty and certainly wouldn't cause any problems (no doubt prevents a few, which is the 'why', I guess; I didn't know you could just hold the transaction until timeout). The 'foreign' message ID with your exchange server in the string is undoubtedly significant but IANAT, to coin an acronym.
Farelf Posted October 22, 2008

BTW "Exchange 2003 all current patches and service packs installed" brings a wry smile to my dial. That was the description of our server when it was happily relaying spam, almost getting us thrown off the internet in consequence. Turned out either it had never been secured against basic SMTP AUTH hacking (a process, changing the lousy defaults, not a patch as such IIUC - http://support.microsoft.com/kb/823019) or there were some non-Exchange-specific patches that had not been applied. Or both. I forget the detail. Anyway, our tech guy, once he saw the thing was actually relaying when it "couldn't", had it fixed real quick. Just had to get over the "that's impossible" reaction first. The wonder of it all was how come it hadn't been hacked before it finally was. Nothing so simple in your case, I'm sure.
Farelf Posted January 27, 2009

http://www.robtex.com/ip/24.149.202.2.html shows (of course) not on any blocklists, so you evidently got it fixed. Anything to share that might benefit others?