2

It appears that there is a virus on my network somewhere that is sending phishing emails through my exchange server. I can see the messages in message tracking and I see many SMTP errors for NDR's and rejected connections from external servers, but I do not see any SMTP authentications and I have logging up to MAX. How can I find the IP or hostname of the PC that is infected? Or is there some other explanation than virus?

Anti-virus scan on server is clean. Server is not an open relay.

Thanks

therulebookman

5 Answers

2

Tell your firewall to drop any outgoing SMTP packets to all hosts except your mail server. That'll prevent any direct SMTP spam from any of your potentially infected workstations.

You say that your mail server is not an open relay, but are you allowing relays from the LAN? A lot of people do this when they set up MFPs, scanners, etc. You can test by hopping on another workstation and doing:

telnet <your.mail.server.ip> 25
helo <mail.yourdomain.tld>
mail from: nobody@example.com
rcpt to: somebody@notyourdomain.com

If you get back 250 OK, you're allowing relays, and a bot can easily be relaying mail out of your mail server.

To find the workstation that's spamming, grab a laptop, install WireShark. Put your laptop on a hub (make sure it's a hub), and plug your LAN interface on your firewall into hub port #2, and then plug another cable from hub port #3 into the LAN interface.

Light up the capture, with a display filter like:

tcp.port eq 25 && ip.src != <your.mail.server.ip>

gravyface
  • No relaying from inside either unless it is from one specific server. Tested with your method. Couldn't I just use Wireshark on the server itself to avoid downtime with the laptop/hub method? – therulebookman Apr 23 '10 at 14:12
  • From the server, you'll only see packets routed to the server (besides broadcast stuff) itself, not the whole network. I'd want to see everything trying to get out. Shouldn't really be any downtime -- just a quick in/out that shouldn't be noticed. – gravyface Apr 23 '10 at 17:21
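The relay test above as a script rather than a telnet session. This is an added example, not code from the answer: it drives the same HELO / MAIL FROM / RCPT TO exchange against your own server with the standard library's smtplib, reads the reply code to RCPT TO, and then sends RSET so no message is ever queued. Because a relay probe only makes sense against your own server, the script also carries a scripted stand-in for the server (both an "open relay" reply set and a "locked down" one) so the dialogue can be run and inspected offline. MAIL_SERVER, EXTERNAL_RCPT and the host names in the scripted replies are placeholders, not values from the page.

```python
"""Relay probe for your own mail server, done as a scripted SMTP dialogue.

Added example for the answer above, not code from the original post.  It
runs the same HELO / MAIL FROM / RCPT TO probe as the telnet session, reads
the reply code to RCPT TO, then issues RSET so no message is ever queued.
MAIL_SERVER and EXTERNAL_RCPT are placeholders for your own server and a
mailbox outside your domains (assumptions, not values from the page).
"""
import io
import smtplib

MAIL_SERVER = "mail.example.invalid"               # placeholder: your server
EXTERNAL_RCPT = "somebody@notyourdomain.example"   # placeholder: outside address


def probe_relay(smtp, rcpt=EXTERNAL_RCPT, sender="nobody@example.com"):
    """Drive an already-connected smtplib.SMTP through MAIL/RCPT and report.

    Returns a dict with the RCPT TO reply code, the server's reply text and
    'relays': True when an unauthenticated client was allowed to address a
    recipient outside your domains (reply 250/251), i.e. the server relays.
    """
    smtp.ehlo_or_helo_if_needed()
    code, msg = smtp.mail(sender)
    if code != 250:
        raise RuntimeError("MAIL FROM rejected: %d %s"
                           % (code, msg.decode(errors="replace")))
    code, msg = smtp.rcpt(rcpt)
    smtp.rset()  # abandon the transaction before DATA: nothing is sent
    return {"rcpt_code": code,
            "reply": msg.decode(errors="replace"),
            "relays": code in (250, 251)}


def probe_host(host=MAIL_SERVER, port=25, timeout=10):
    """Connect to a real server and run the probe (needs network access)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        return probe_relay(smtp)


class ScriptedSocket:
    """Constructed stand-in for a socket that replays canned server replies."""

    def __init__(self, server_replies):
        self.script = io.BytesIO(b"".join(server_replies))
        self.sent = []                      # what the client wrote

    def sendall(self, data):
        self.sent.append(data)

    def makefile(self, mode="rb", *args, **kwargs):
        return self.script

    def close(self):
        pass


# Constructed server scripts, in the order the client reads them:
# EHLO reply, MAIL FROM reply, RCPT TO reply, RSET reply.
OPEN_RELAY_REPLIES = [
    b"250-mail.example.invalid Hello probe.lan\r\n250 OK\r\n",
    b"250 2.1.0 Sender OK\r\n",
    b"250 2.1.5 Recipient OK\r\n",        # external recipient accepted: relay
    b"250 2.0.0 Resetting\r\n",
]
LOCKED_DOWN_REPLIES = [
    b"250-mail.example.invalid Hello probe.lan\r\n250 OK\r\n",
    b"250 2.1.0 Sender OK\r\n",
    b"550 5.7.1 Unable to relay\r\n",     # the reply you want to see
    b"250 2.0.0 Resetting\r\n",
]


def probe_scripted(server_replies):
    """Run probe_relay offline against a scripted server; return (result, commands)."""
    smtp = smtplib.SMTP(local_hostname="probe.lan")   # no host: no connect()
    sock = ScriptedSocket(server_replies)
    smtp.sock = sock
    result = probe_relay(smtp)
    smtp.close()
    commands = [line.decode().strip() for line in sock.sent]
    return result, commands


if __name__ == "__main__":
    for name, script in (("open relay", OPEN_RELAY_REPLIES),
                         ("locked down", LOCKED_DOWN_REPLIES)):
        result, commands = probe_scripted(script)
        print(name, "->", result, commands)
```

Run probe_host() from a workstation that has no business sending mail; a 550 "Unable to relay" on RCPT TO is what a correctly configured server returns, while 250 on an external recipient confirms the LAN relay the answer describes. The probe never reaches DATA, so nothing is delivered in either case.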
1

You could be the victim of a Reverse NDR Spam attack, called Backscatter by some. Check this article. It talks about SBS 2003 but Exchange has the same issue. This attack seems more common right now.

Have a look at this as well. More info perhaps. We saw this exact behavior in our Ex 2003 box recently. NDR Spam

MS KB Article

Wesley
Dave M
  • That doesn't seem to be the issue. According to the KB article the emails would have a sender of *postmaster*@mydomain.com, but the emails have a sender of "service@paypal.com". I'm not PayPal. Is there any way to determine the IP of origin of these emails? – therulebookman Apr 22 '10 at 17:54
  • See my updates please – Dave M Apr 22 '10 at 18:48
  • You specifically had the paypal situation? And essentially the solution was to enable recipient filtering? – therulebookman Apr 23 '10 at 13:28
  • I think recipient filtering fixed it, but I'm really not sure. I can't remember all the things I tried. It's fixed one way or another. – therulebookman May 10 '10 at 19:25
0

Can you view the mail headers on those phishing emails? Look for the Received: from line. It will tell you which computer the message is coming from.

->> Received: from infected.computer ([192.168.1.X]) <<---
        by your.exchange.server with ESMTP id 34si302829pzk.67.2010.04.22.11.58.26;
solefald
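Reading the Received: trail programmatically, as an added example that is not part of the answer. Received: lines are prepended by each hop, so the trail reads newest-first and only the line stamped by your own server ("by your.exchange.server") is trustworthy; anything below it was written by the sender and can be forged, which is the faked-header caveat raised later on this page. The code therefore walks from the top and stops at the first hop that arrived from a host outside your own mail servers, which also works when an internal relay you control sits in between. The two messages, the host names your.exchange.server and edge.internal, and the addresses are constructed placeholders.

```python
"""Find the originating machine from a message's Received: trail.

Added example for the answer above, not the answer's own code.  Received:
lines are prepended by each hop, so the trail reads newest-first; the line
stamped by your own server records the host that actually connected to it.
Lines below that were written by the sender and may be forged, so the code
walks from the top and stops at the first hop that came from outside your
own mail servers.  The messages and names below are constructed;
your.exchange.server and edge.internal stand for hosts you control.
"""
import email
import re
from email import policy

# "from <helo> (<comment containing [ip]>) by <server>"; the comment is
# optional because not every MTA writes one.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[^\s;,]+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(?:IPv6:)?([^\]]+)\]", re.IGNORECASE)


def parse_hops(raw_message):
    """Return the Received: hops, newest first, as dicts (helo, ip, by)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))      # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo").lower(),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower(),
        })
    return hops


def originating_hop(raw_message, own_servers):
    """Return the newest hop whose sender is not one of your own servers.

    own_servers: host names and IPs of the MTAs you control.  Returns None
    when the top of the trail was not stamped by one of them.
    """
    own = {s.lower() for s in own_servers}
    for hop in parse_hops(raw_message):
        if hop["by"] not in own:
            return None                  # you did not stamp this: not yours
        if hop["helo"] not in own and hop["ip"] not in own:
            return hop                   # first hop from outside your MTAs
    return None


# Constructed sample 1: the bot forged a trail that even claims a hop
# "by your.exchange.server" so the message looks like it came from outside.
FORGED_TRAIL = """\
Received: from infected-pc ([192.168.1.57])
        by your.exchange.server with ESMTP id PLACEHOLDER-ID;
        Thu, 22 Apr 2010 11:58:26 -0700
Received: from mailhost.paypal.invalid (mailhost.paypal.invalid [203.0.113.9])
        by your.exchange.server with ESMTP; Thu, 22 Apr 2010 11:50:00 -0700
From: service@paypal.com
To: victim@example.com
Subject: Please verify your account

Forged body.
"""

# Constructed sample 2: an internal relay you control sits in between.
VIA_RELAY = """\
Received: from edge.internal ([10.0.0.2])
        by your.exchange.server with ESMTP; Thu, 22 Apr 2010 12:00:00 -0700
Received: from infected-pc ([192.168.1.57])
        by edge.internal with ESMTP; Thu, 22 Apr 2010 11:59:00 -0700
From: service@paypal.com
To: victim@example.com
Subject: Please verify your account

Forged body.
"""

OWN_SERVERS = {"your.exchange.server", "edge.internal", "10.0.0.2"}

if __name__ == "__main__":
    for name, raw in (("forged trail", FORGED_TRAIL), ("via relay", VIA_RELAY)):
        print(name, "->", originating_hop(raw, OWN_SERVERS))
```

Feed it the raw source of one of the phishing messages (saved with headers intact) and the names and IPs of every MTA you run; the hop it returns is the LAN address that connected to your server, which is the machine to pull off the network and scan. If it returns None, the message never passed through a server you listed, which is itself worth knowing.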
0

If you don't get anywhere with this soon it might be worth running wireshark with a suitable filter to capture just the SMTP stuff. That way you'll certainly see which system is involved, even if the header is faked.

John Gardeniers
0

Check if recipient filtering is turned on or off. If it's turned off and Exchange is configured to send NDRs, the server will probably accept mail sent to non-existent users, causing the queue to fill up with NDRs.

Turning recipient filtering on most likely prevents this. Mail sent to non-existent users simply won't be accepted by Exchange.

gazorp