Exchange: mass-email infection

Thread: Exchange: mass-email infection

  1. #1
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507

    Exchange: mass-email infection

    Today I found that our Exchange 5.5 server, which was long ago closed to open relay, was trying to relay 10,000 junk emails in the IMC queue. So I'm trying to hunt down the culprit:

    Even though we're closed off to open relay, I completely shut down port 25 to the outside world. So no inbound SMTP connections are coming in. Problem still persists, so I deduced that the problem was internal.

    I updated definitions and ran a virus sweep with Symantec AV. Everyone came up clean (about 30 PCs).

    I am using a packet capturing utility, but I am not finding any internal sessions being created to port 25. The only traffic seems to be my Exchange trying to send out all the junk email. Does Exchange/Outlook use ports other than 25 to queue up mail in the server?

    I have turned off all inbound and outbound routing in Exchange and deleted all 10,000 messages. I then restarted the IMC services. However, no matter how many times I try to delete all the junk, they keep coming back. And Exchange keeps trying to send it out, even though I have turned off routing. What the heck?

    I'm using Exch 5.5 SP4. Anyone got any ideas? Hoping to have this server up by tomorrow morning (Wednesday).

  2. #2
    Registered User Stalemate's Avatar
    Join Date
    May 2001
    Location
    d4-e5
    Posts
    15,120
    That could be any number of the current mass-mailing viruses trying to spread right now...

    I think a deep scan should be your first step.
    Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams

  3. #3
    Registered User rgharper's Avatar
    Join Date
    Sep 2002
    Location
    The wilds of Northern Michigan
    Posts
    1,173
    Quote Originally Posted by a d e p t
    That could be any number of the current mass-mailing viruses trying to spread right now...

    I think a deep scan should be your first step.
    Even that may not help since the new Beagle and Netsky viruses are using password-protected ZIP archives.

    Norton is testing a "scan within archive" update that can scan passworded ZIP archives but it's still in beta. They're hoping to get it out sometime today if possible.

    Message Labs can scan within passworded ZIP archives if it can find the password in the message that archive is attached to.

    Dunno about McAfee or any of the other players.

  4. #4
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507
    That's a good thought. However, for the password-protected zip viruses to infect, the user has to unzip them (with the password), correct? Basically, if the virus has infected, then it is already unzipped, which means a scan should detect the virus on an infected machine (though it may not turn up the virus if it hasn't already infected, i.e. it is still in its zip file).

    Anyways, I have run a full virus sweep and double-scanned my servers. I turned up absolutely nothing.

    However, I eventually got my queue to stop filling up with junk mail by adding my two servers (DC and Exchange) to the "NEVER route" list. I spent about 8 hours on this, and I have no concrete resolution, so it's a very unsatisfying victory.

  5. #5
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Are you logging exchange SMTP connections? Is it possible that the messages are being sent as DSN (delivery status notifications) or delivery failures in response to an inbound email with an invalid email address or is the exchange server actually generating them?

    One spam exploit goes like this. A bogus email is sent to your server with a valid domain name (your domain) but a non-existent email address. The server then attempts to send a delivery failure to the sender. But the sender email address (the 'from' address or 'reply to' address) is spoofed by the spammer, and this is the actual target email address.

    If this is the case, you should be able to look at your logs and block the IP of the true sender (the spammer), unless the true sender is using a distributed method of sending spam to your server, which is most often not the case.

    Worth a shot.
    Deliver me from Swedish furniture!

  6. #6
    Flabooble! ilovetheusers's Avatar
    Join Date
    Nov 2000
    Location
    Downtown Banglaboobia
    Posts
    6,403
    Just to be thorough you could run this: http://vil.nai.com/vil/stinger/

    We have had it catch quite a few things that NAV couldn't detect or clean. Heck, my mom just opened Bagle on her machine and infected herself even though I just updated AVG Sunday night.

  7. #7
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Quote Originally Posted by ilovetheusers
    Just to be thorough you could run this: http://vil.nai.com/vil/stinger/

    We have had it catch quite a few things that NAV couldn't detect or clean. Heck, my mom just opened Bagle on her machine and infected herself even though I just updated AVG Sunday night.
    I know Outlook blocks attachments and Express has the option. I've been getting a bunch of viruses lately and PC-cillin won't clean it. It's blocked/locked by Outlook first.

    Wouldn't it be very simple for MS to release versions of Outlook Express with attachment blocking ON by default?
    Deliver me from Swedish furniture!

  8. #8
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507
    The junk email stopped coming in around 8:00-8:30am. It coincided with when I blocked two of my servers' IPs. However, later on when I checked, I found the junk was still coming in. Then around 8:00 this morning, it stopped again. I think whatever I've got is just on its own schedule, and I haven't done anything to affect it.

    So basically this thing is still kicking my butt.

    In checking the event logs on my Exchange server, I noticed a few Event ID 2010s showing that some random hosts, which look like they're from other countries, are successfully authenticating as Administrator! This is very unsettling! I quickly changed my domain Administrator account. Now I am getting lots of Event ID 9318s, relating to an RPC communication failure with one of my other servers. The source is MSExchangeMTA.

    Does that spark any ideas?

  9. #9
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507
    The majority of the junk mail is coming from sender <>. Is there a way I can deny all relaying from <>?

  10. #10
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Quote Originally Posted by tk421
    The junk email stopped coming in around 8:00-8:30am. It coincided with when I blocked two of my servers' IPs. However, later on when I checked, I found the junk was still coming in. Then around 8:00 this morning, it stopped again. I think whatever I've got is just on its own schedule, and I haven't done anything to affect it.

    So basically this thing is still kicking my butt.

    In checking the event logs on my Exchange server, I noticed a few Event ID 2010s showing that some random hosts, which look like they're from other countries, are successfully authenticating as Administrator! This is very unsettling! I quickly changed my domain Administrator account. Now I am getting lots of Event ID 9318s, relating to an RPC communication failure with one of my other servers. The source is MSExchangeMTA.

    Does that spark any ideas?
    If you changed the admin password and your admin account is used by your Exchange services, you need to change those passwords under Services as well. Any service that uses the admin as its logon account will need its service password changed.

    I don't know a way of blocking senders in 5.5 or 2000, but you can block IPs.
    Deliver me from Swedish furniture!

  11. #11
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507
    The Exchange services use the administrator password. I changed the password on all services that depend on the admin account, and then logged off and logged on all servers using the new administrator password.

    I have already tested by closing off port 25 in my router, and mail was still getting sent to my outbound queue, so it must be coming from inside. But even though there is a ton of email coming in, I can't spot that traffic using a packet sniffer. Very confused.

  12. #12
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Does 5.5 give you SMTP logs like these?

    This is inbound mail, where the first IP is the originating IP of the mail server.

    2003-07-10 23:48:49 204.127.202.55 sccrmhc11.comcast.net SMTPSVC2 TC0DMZ01 172.16.10.200 0 EHLO - +sccrmhc11.comcast.net 250 0 179 26 0 SMTP - - - -
    2003-07-10 23:48:49 204.127.202.55 sccrmhc11.comcast.net SMTPSVC2 TC0DMZ01 172.16.10.200 0 MAIL - +FROM:<[email protected]> 250 0 47 45 0 SMTP - - - -
    2003-07-10 23:48:49 204.127.202.55 sccrmhc11.comcast.net SMTPSVC2 TC0DMZ01 172.16.10.200 0 RCPT - +TO:<[email protected]> 250 0 32 29 0 SMTP - - - -
    2003-07-10 23:48:49 204.127.202.55 sccrmhc11.comcast.net SMTPSVC2 TC0DMZ01 172.16.10.200 0 DATA - +<000001c3473d$631d7d40$0200a8c0@khorne> 250 0 123 19560 187 SMTP - - - -

    This is mail sent to the SMTP server from an internal host before it is sent or queued. The first IP here is the IP of the originating sender.

    2002-09-16 04:32:47 192.168.1.21 bob.com SMTPSVC1 TC0DC01 192.168.1.20 0 HELO - +bob.com 250 46 12 0 SMTP -
    2002-09-16 04:32:51 192.168.1.21 bob.com SMTPSVC1 TC0DC01 192.168.1.20 0 MAIL - +from:me 250 43 12 93 SMTP -
    2002-09-16 04:32:59 192.168.1.21 bob.com SMTPSVC1 TC0DC01 192.168.1.20 0 RCPT - +to:[email protected] 250 35 30 0 SMTP -
    2002-09-16 04:33:05 192.168.1.21 bob.com SMTPSVC1 TC0DC01 192.168.1.20 0 DATA - <[email protected]> 250 132 16 4219 SMTP -
    2002-09-16 04:33:07 192.168.1.21 bob.com SMTPSVC1 TC0DC01 192.168.1.20 0 QUIT - bob.com 0 68 4 0 SMTP -

    [email protected] has been altered, of course, but you should be able to look at the messages in your queue and pick out the IP of the originator. Then you can trace that IP to a user on your network.
    Deliver me from Swedish furniture!
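Added example, not from the thread: a Python script that walks SMTP log lines in the column layout silencio shows above, tallies MAIL/RCPT commands per client IP, flags null-sender <> submissions (the bounce/DSN traffic described in #5 and asked about in #9), and lists internal hosts that are submitting mail, i.e. the IPs to trace to a PC. The sample log lines and the private address ranges are constructed assumptions; only the column layout is taken from the post.

```python
from collections import defaultdict
import ipaddress
# Constructed sample lines (assumption) in the column layout of the post's examples:
# date time c-ip c-host site server s-ip s-port command stem argument status ...
SAMPLE_LOG = """\
2004-03-03 08:02:11 192.168.1.45 - SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:<> 250 0 43 12 0 SMTP - - - -
2004-03-03 08:02:11 192.168.1.45 - SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:<victim@example.net> 250 0 35 30 0 SMTP - - - -
2004-03-03 08:02:12 192.168.1.45 - SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:<> 250 0 43 12 0 SMTP - - - -
2004-03-03 08:02:13 192.168.1.45 - SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:<other@example.org> 550 0 35 30 0 SMTP - - - -
2004-03-03 08:05:40 203.0.113.9 mx.example.com SMTPSVC1 EXCH01 192.168.1.10 0 MAIL - +FROM:<alice@example.com> 250 0 47 45 0 SMTP - - - -
2004-03-03 08:05:41 203.0.113.9 mx.example.com SMTPSVC1 EXCH01 192.168.1.10 0 RCPT - +TO:<bob@example.net> 550 0 32 29 0 SMTP - - - -
"""
# Assumed private ranges that count as "internal"; adjust to the LAN in question.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # the c-ip column may hold "-" or a hostname
        return False
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (client_ip, command, argument, status) or None for a malformed line."""
    f = line.split()
    if len(f) < 12 or not f[0][:4].isdigit():
        return None
    return f[2], f[8].upper(), f[10].lstrip("+"), f[11]

def summarise(log_text):
    # Per client IP: MAIL commands, null-sender (<>) MAILs, RCPTs and rejected RCPTs.
    stats = defaultdict(lambda: {"mail": 0, "null_sender": 0, "rcpt": 0, "rcpt_rejected": 0, "internal": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, cmd, arg, status = parsed
        s = stats[ip]
        s["internal"] = is_internal(ip)
        if cmd == "MAIL":
            s["mail"] += 1
            s["null_sender"] += arg.upper() == "FROM:<>"  # bounce/DSN-style submission
        elif cmd == "RCPT":
            s["rcpt"] += 1
            s["rcpt_rejected"] += not status.startswith("2")  # e.g. 550 Relay Prohibited
    return dict(stats)

def suspects(stats, min_mail=2):
    """Internal clients submitting at least min_mail messages, busiest first."""
    hits = [ip for ip, s in stats.items() if s["internal"] and s["mail"] >= min_mail]
    return sorted(hits, key=lambda ip: -stats[ip]["mail"])
```

Feed it the real log file instead of SAMPLE_LOG; an internal IP with a high MAIL count, especially with many null senders, is the machine to pull off the network and inspect.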

  13. #13
    Registered User
    Join Date
    Nov 2000
    Location
    Fountain Valley, CA
    Posts
    507
    Doesn't it seem like Exchange would have that kind of logging? I can find an IP address every once in a while in the logs. They're actually host names, and sometimes the host names are in the format 65-127-xx-xx.routername.someisp.com. But from what I can tell, there is not a ton coming from any one IP. But I am very confused why these users are able to relay. Sometimes the logs show that Exchange has refused; it'll say Relay Prohibited. But then later in the logs it shows that it is accepting the connections. If I try making a basic SMTP connection via telnet to the server and try to relay, it tells me Relay Prohibited.

    I have consulted a few websites on how to secure Exchange from open relay, including MS's, and from everything I can tell I have it closed off. Maybe I need to install OS patches? I have Windows NT Server 4.0.

  14. #14
    Registered User
    Join Date
    Mar 2004
    Posts
    1
    This thing has made itself known on my system as well. I turned off the SMTP service and the flow stopped, allowing me to clean out my queue and badmail directories.

    I downloaded and scanned for all the known stuff from Trend Micro but found nothing, except for a few trojans moved into the sprotect dir of Trend Micro. As soon as I started the IIS service with SMTP, this thing started putting emails in my queue. So I shut it down last night at 1:00am,

    and then again this morning, at about 5:00am, it started putting the emails in the \Exchsrvr\mdbdata\priv1.ebd and \Exchsrvr\mdbdata\priv1.ebd instead of the queue. (I think it just wants to overload my disk space.)

    I put on a file monitor (13MB log in less than 30 seconds) and looked at my services, and it's using "stores.exe." The other file being used is "inetinfo.exe" when the port is open for outgoing email.

    I'm new to Exchange, so I'm going to have to look up the file sizes of Stores.exe and Inetinfo.exe that go with the versions being used, but I don't think it changes them, otherwise the scanners would pick it up. I don't know what to think actually. I'm grabbing at anything... Some sort of script that broadcasts emails using Exchange perhaps. Any help in any direction is appreciated.

    Johnny

    I'm using Windows 2000 Server w/ SP4 and Exchange 2000.
    Last edited by aaeaim; March 6th, 2004 at 03:48 PM.

  15. #15
    Registered User silencio's Avatar
    Join Date
    Sep 2000
    Location
    Savannah
    Posts
    3,960
    Yuk. If you're running 2000, I'm going to have to watch out for this.
    Deliver me from Swedish furniture!
