Need some assistance

Telarin · October 21, 2008

So I came in yesterday to a mail server spewing thousands of phishing emails out to the internet. After disabling email and spending several hours cleaning out clogged mail queues I brought the server back online and began trying to figure out how it happened.

Standard relay tests against my mail server (24.149.202.2) show that it will not relay, which is as it should be, so I am left wondering how someone got these messages into the queues in the first place. The only thing I can come up with is that they somehow compromised a user account that had relay permission. I have temporarily disabled relay permission on all user account for the time being until I figure out what went wrong.

The server is Exchange 2003 all current patches and service packs installed, IP address given above. Feel free to do any non-destructive testing against it you like. Maybe someone can come up with something that I missed.

Log entries show standard submissions:

2008-10-19	  9:36:13 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1019	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:13 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1025	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:14 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1024	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:14 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1033	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:14 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1034	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:14 GMT	 213.221.211.234 User	-	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1020	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  9:36:14 GMT	 213.221.211.234 User	mta441.mail.re4.yahoo.com	   GIASERVER	   192.168.1.3	 jwonline005[at]yahoo.com   1031	GIASERVERkfb81IfpT80000034c[at]giaserver.gia-tx.com		3	   0	   435	 1	   2008-10-19 9:36:9 GMT   0	   Version: 6.0.3790.211   -		whats up chase?		support[at]quickloansdirect.org	-
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 annfar[at]naxs.net 1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 annerdog[at]gateway.net	1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 annblackledge[at]peoplepc.com	  1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 ankletj[at]netscape.net	1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 anklets[at]netscape.net	1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 anicemit[at]academicplanet.com	 1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -
2008-10-19	  11:54:33 GMT	209.113.246.98  User	-	   GIASERVER	   192.168.1.3	 angrydragon[at]ala.nu	  1019	GIASERVERQvXlaoY99E0000034d[at]giaserver.gia-tx.com		3	   0	   4431	50	  2008-10-19 11:54:25 GMT 0	   Version: 6.0.3790.211   -		New Message from Chase Online(SM)	  smrfs[at]chaseonline.chasejpmorgan.com	 -

The first few entries appear to have been a test probe, and then a couple hours later, the submission of spew began...

The message IDs are not the standard format for emails submitted through Exchanges submission protocol from Outlook. Those ID should be of the format "[MessageID][at]giaserver.AGENA.local"

Thoughts or comments?

Farelf · October 21, 2008

Hi Will,

FWIW the only change I see to your DNS records and service scan (DomainDossier) since your little problem with SORBS is in your rDNS (added 24.149.202.2.biz.sta.comcastbusiness.net to existing giaserver.gia-tx.com) - can't see what that has to do with anything but it is unusual, and a change.

The other unusual thing is your SMTP response to VRFY and EXPN requests (and to unknown addresses) which is pretty nifty and certainly wouldn't cause any problems (no doubt prevent a few, which is the 'why', I guess, I didn't know you could just hold the transaction until timeout).

The 'foreign' message ID with your exchange server in the string is undoubtedly significant but IANAT, to coin an acronym.

Farelf · October 22, 2008

BTW "Exchange 2003 all current patches and service packs installed" brings a wry smile to my dial. That was the description of our server when it was happily relaying spam, almost getting us thrown off the internet in consequence. Turned out either it had never been secured against basic SMTP AUTH hacking (a process, changing the lousy defaults, not a patch as such IIUC - http://support.microsoft.com/kb/823019) or there were some non-Exchange specific patches that had not been applied. Or both. I forget the detail. Anyway, our tech guy, once he saw the thing was actually relaying when it "couldn't" had it fixed real quick. Just had to get over the "that's impossible" reaction first. The wonder of it all was how come it hadn't been hacked before it finally was. Nothing so simple in your case, I'm sure.

Farelf · January 27, 2009

http://www.robtex.com/ip/24.149.202.2.html shows (of course) not on any blocklists so you evidently got it fixed. Anything to share that might benefit others?

Sign In

Need some assistance

Recommended Posts

Telarin

Link to comment

Share on other sites

Farelf

Link to comment

Share on other sites

Farelf

Link to comment

Share on other sites

Farelf

Link to comment

Share on other sites

Archived

Browse

Activity