RE: Relaying Problem question - still fighting it!

  • From: "Rick Parsons" <rick@xxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 30 Sep 2003 20:42:42 +0100

Hi Ken,
 
Recently had the same problem, it was a virus, Turn on maximum logging
for the smtp service after running anti virus software /stingers etc to
ensure you are virus clear, the relaying will still carry on but you
will be able to see via the logging which accounts have been
compromised.  We the just disabled the relevant accounts, the logs tell
us that the spammer is still trying every 20 minutes or so but fails to
authenticate and therefore cannot relay. It also confirms that we have
got rid of the virus and closed the holes by doing every update
available because, the spammer can no longer log on or find any other
accounts Passwords etc.
 
Hope this may help.
 
Best regards.
 
Rick Parsons
 
-----Original Message-----
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] 
Sent: 30 September 2003 18:32
To: [ExchangeList]
Subject: [exchangelist] Relaying Problem question - still fighting it!
 
http://www.MSExchange.org/
Hi,
 
Our server has been compromised by an outside session using an internal
name/password, and our E2K server queues keep on filling up. I have had
up to 400 queues created over night and some of the queues can have well
over 600 messages each waiting to be sent (I have frozen most of my
queues as a precaution). These relays are being set up after we are
closed. 
 
I am curious to see if anyone can answer the question of who would have
the rights to create a remote session to relay? Does it have to be an
admin account or can it be a standard user? 
I have eliminated the Fire Wall by placing it on the restrictions for
the SMTP. and have unchecked the allow all to relay. So I am stumped as
to how they are still being able to set up the relaying. My next plan is
a forced network wide password change, after that...... I have to come
up with a "Plan C". 
 
I am having the problem of trying to convince the powers that be, that
all user accounts need to have their passwords changed in order to
eliminate this hack. I am also recommending that our Domain Admin
accounts be made into guest accounts and new Domain Admin accounts be
created. Does anyone have any other suggestions and or reading that I
could do. So far I have found very little on this type of attack.
 
Thanks for your help!
Ken
 
         
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
rick@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub') 

Other related posts: