RE: Relaying Problem question - still fighting it!

  • From: "KEN MORRIS" <KMORRIS@xxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 2 Oct 2003 15:22:22 -0400

Hi Rick,
We have just finished running a scan on the system and did not find any known
virus on it; however, we found one without a name that could not be moved or
quarantined. So we are dealing with this right now.
Is there someone out there with a couple of minutes to make sure our system
isn't open for relaying? I have checked and it doesn't appear to be, but a
second opinion would be appreciated.
Thanks
Ken
-----Original Message-----
From: Rick Parsons [mailto:rick@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, September 30, 2003 3:43 PM
To: [ExchangeList]
Subject: [exchangelist] RE: Relaying Problem question - still fighting it!


http://www.MSExchange.org/

Hi Ken,
 
Recently had the same problem; it was a virus. Turn on maximum logging for
the SMTP service after running anti-virus software/stingers etc. to ensure
you are virus clear. The relaying will still carry on, but you will be able to
see via the logging which accounts have been compromised. We then just
disabled the relevant accounts; the logs tell us that the spammer is still
trying every 20 minutes or so but fails to authenticate and therefore cannot
relay. It also confirms that we have got rid of the virus and closed the
holes by doing every update available, because the spammer can no longer log
on or find any other accounts, passwords etc.
 
Hope this may help.
 
Best regards.
 
Rick Parsons
 
-----Original Message-----
From: KEN MORRIS [mailto:KMORRIS@xxxxxxx] 
Sent: 30 September 2003 18:32
To: [ExchangeList]
Subject: [exchangelist] Relaying Problem question - still fighting it!
 
Hi,
 
Our server has been compromised by an outside session using an internal
name/password, and our E2K server queues keep on filling up. I have had up to
400 queues created overnight, and some of the queues can have well over 600
messages each waiting to be sent (I have frozen most of my queues as a
precaution). These relays are being set up after we are closed.
 
I am curious to see if anyone can answer the question of who would have the
rights to create a remote session to relay. Does it have to be an admin
account, or can it be a standard user?
I have eliminated the firewall by placing it on the restrictions for the
SMTP, and have unchecked the allow all to relay. So I am stumped as to how
they are still being able to set up the relaying. My next plan is a forced
network-wide password change; after that...... I have to come up with a "Plan
C".
 
I am having the problem of trying to convince the powers that be that all
user accounts need to have their passwords changed in order to eliminate this
hack. I am also recommending that our Domain Admin accounts be made into
guest accounts and new Domain Admin accounts be created. Does anyone have any
other suggestions and/or reading that I could do? So far I have found very
little on this type of attack.
 
Thanks for your help!
Ken
 
 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
rick@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
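An added example, not part of Rick's or Ken's messages: a small Python script that does what Rick describes once maximum logging is on for the SMTP service. It reads the W3C-format log, picks out RCPT commands from outside addresses to non-local domains, and reports which authenticated accounts relayed, from which source addresses, and whether it happened after hours; it also counts anonymous relay attempts that were accepted or denied and failed AUTH attempts, which is how Rick saw the spammer still knocking after the accounts were disabled. The log lines, the trimmed field list, the local domain corp.example, the internal address ranges and the 08:00-18:00 business hours are all constructed assumptions; the parser reads the #Fields: header, so a real log with its fuller column list works unchanged.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import time

# Assumptions for this example: our own mail domain, our internal address
# ranges, and the hours during which outbound mail from users is expected.
LOCAL_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed sample log in W3C extended format. The column list is trimmed;
# a real IIS/Exchange 2000 SMTP log has more columns, but parse_w3c() reads
# whatever the #Fields: header declares. cs-username is assumed to carry the
# account name once a session has authenticated.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-query sc-status
2003-09-30 02:10:05 203.0.113.45 - 192.0.2.10 25 EHLO +relay-test.example 250
2003-09-30 02:10:06 203.0.113.45 - 192.0.2.10 25 AUTH +LOGIN 334
2003-09-30 02:10:07 203.0.113.45 jsmith 192.0.2.10 25 MAIL +FROM:<promo@spammer.example> 250
2003-09-30 02:10:07 203.0.113.45 jsmith 192.0.2.10 25 RCPT +TO:<victim1@aol.example> 250
2003-09-30 02:10:08 203.0.113.45 jsmith 192.0.2.10 25 RCPT +TO:<victim2@hotmail.example> 250
2003-09-30 02:10:09 203.0.113.45 jsmith 192.0.2.10 25 DATA - 250
2003-09-30 02:30:10 198.51.100.7 - 192.0.2.10 25 MAIL +FROM:<x@spam.example> 250
2003-09-30 02:30:11 198.51.100.7 - 192.0.2.10 25 RCPT +TO:<someone@yahoo.example> 550
2003-09-30 09:15:30 192.168.1.25 - 192.0.2.10 25 MAIL +FROM:<ken@corp.example> 250
2003-09-30 09:15:31 192.168.1.25 - 192.0.2.10 25 RCPT +TO:<partner@other.example> 250
2003-10-01 02:31:00 203.0.113.45 bjones 192.0.2.10 25 RCPT +TO:<v3@aol.example> 250
2003-10-02 03:05:00 203.0.113.45 - 192.0.2.10 25 AUTH +LOGIN 535
"""


def parse_w3c(text):
    """Turn a W3C extended log into a list of dicts keyed by the #Fields: names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # other directives (#Version, #Date, ...)
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            raise ValueError(f"cannot parse log line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def recipient_domain(query):
    """Domain part of an RCPT argument such as '+TO:<user@host>'; None if absent."""
    m = re.search(r"<[^@>]+@([^>]+)>", query)
    return m.group(1).lower() if m else None


def after_hours(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    t = time(h, m, s)
    return not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1])


def analyse(records):
    """Attribute accepted external relaying to accounts; count anonymous attempts."""
    by_account = defaultdict(lambda: {"external_rcpt": 0, "after_hours": 0, "sources": set()})
    report = {"anonymous_relay_accepted": 0, "anonymous_relay_denied": 0, "auth_failures": 0}
    for r in records:
        method, status = r["cs-method"].upper(), r["sc-status"]
        user = None if r["cs-username"] == "-" else r["cs-username"]
        if method == "AUTH" and status == "535":
            report["auth_failures"] += 1       # the spammer still trying, but failing
        if method != "RCPT":
            continue
        domain = recipient_domain(r["cs-uri-query"])
        if domain is None or domain in LOCAL_DOMAINS:
            continue                           # inbound/local delivery, not relaying
        if is_internal(r["c-ip"]):
            continue                           # our own users sending outbound mail
        if user:
            if status == "250":                # relay through a (compromised) account
                entry = by_account[user]
                entry["external_rcpt"] += 1
                entry["after_hours"] += after_hours(r["time"])
                entry["sources"].add(r["c-ip"])
        elif status == "250":
            report["anonymous_relay_accepted"] += 1   # a true open relay
        else:
            report["anonymous_relay_denied"] += 1     # relay restrictions working
    report["relayed_by_account"] = dict(by_account)
    return report


if __name__ == "__main__":
    for account, info in analyse(parse_w3c(SAMPLE_LOG))["relayed_by_account"].items():
        print(account, info)
```

Any account that shows up in relayed_by_account with outside source addresses and after-hours activity is one to disable and reset, and a rising auth_failures count after the reset confirms the spammer can no longer get in.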

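Also added here, not from the thread: a Python probe for the second opinion Ken asks for. It opens a plain SMTP session with no AUTH, sends MAIL FROM with an outside address and RCPT TO an outside domain, and reads the reply code; 250 on the RCPT means the server relays for anyone, 550 means anonymous relay is closed. It resets and quits before DATA so nothing is ever queued. A scripted in-memory server is included so the probe runs offline; probe_host() is the same logic over a real socket. Hostnames, addresses and reply texts are constructed. One caveat that matters for this thread: a 550 here only proves anonymous relay is closed. What Ken describes is relay through a valid account, which an unauthenticated probe will never show; on Exchange 2000 the relay restrictions also have a separate option that lets any client that authenticates relay regardless of the address list, so that setting and the SMTP log are where to look for the authenticated case.

```python
import socket


def _read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":    # "250-..." continues, "250 ..." ends
            break
    return int(lines[-1][:3]), lines


def _command(rfile, wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return _read_reply(rfile)


def probe_open_relay(rfile, wfile, helo_name, outside_sender, outside_recipient):
    """Anonymous relay test: no AUTH, outside sender, outside recipient."""
    code, banner = _read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {banner}")
    code, _ = _command(rfile, wfile, f"EHLO {helo_name}")
    if code != 250:                              # very old server: fall back to HELO
        code, _ = _command(rfile, wfile, f"HELO {helo_name}")
    mail_code, _ = _command(rfile, wfile, f"MAIL FROM:<{outside_sender}>")
    rcpt_code = None
    if mail_code == 250:
        rcpt_code, _ = _command(rfile, wfile, f"RCPT TO:<{outside_recipient}>")
    _command(rfile, wfile, "RSET")               # never send DATA: only the verdict
    _command(rfile, wfile, "QUIT")
    return {"banner": banner[0], "mail_from_code": mail_code,
            "rcpt_to_code": rcpt_code, "open_relay": rcpt_code == 250}


def probe_host(host, port=25, helo_name="probe.example",
               outside_sender="tester@outside.example",
               outside_recipient="someone@elsewhere.example", timeout=15):
    """Run the probe against a real server (all names are placeholders)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_open_relay(rfile, wfile, helo_name,
                                    outside_sender, outside_recipient)


class ScriptedSmtpServer:
    """In-memory stand-in for a mail server, constructed for this example.
    It acts as both the probe's rfile and wfile; relays_for_anyone decides
    whether RCPT to a non-local domain is accepted."""

    def __init__(self, local_domain="mail.example", relays_for_anyone=False):
        self.local_domain = local_domain
        self.relays = relays_for_anyone
        self.pending = [b"220 " + local_domain.encode() + b" ESMTP ready\r\n"]
        self.transcript = []                     # every command the probe sent

    def write(self, data):
        cmd = data.decode("ascii").strip()
        self.transcript.append(cmd)
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            reply = b"250-" + self.local_domain.encode() + b"\r\n250 AUTH LOGIN\r\n"
        elif verb == "MAIL":
            reply = b"250 2.1.0 Sender OK\r\n"
        elif verb == "RCPT":
            is_local = arg.lower().endswith("@" + self.local_domain + ">")
            if is_local or self.relays:
                reply = b"250 2.1.5 Recipient OK\r\n"
            else:
                reply = b"550 5.7.1 Unable to relay\r\n"
        elif verb in ("RSET", "NOOP"):
            reply = b"250 2.0.0 OK\r\n"
        elif verb == "QUIT":
            reply = b"221 2.0.0 Closing connection\r\n"
        else:
            reply = b"500 5.5.1 Command unrecognized\r\n"
        self.pending.extend(reply.splitlines(keepends=True))

    def flush(self):
        pass

    def readline(self):
        return self.pending.pop(0) if self.pending else b""


def demo():
    """Probe one scripted open relay and one scripted closed server."""
    results = {}
    for label, relays in (("open", True), ("closed", False)):
        srv = ScriptedSmtpServer(relays_for_anyone=relays)
        results[label] = probe_open_relay(srv, srv, "probe.example",
                                          "tester@outside.example",
                                          "someone@elsewhere.example")
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run it from a host outside your own network, since relay restrictions are usually keyed on the client address; a probe from the LAN tells you nothing about what an Internet client sees.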
