Still looking for help here... I've found that the names listed in the SMTP log are computer names, not the usernames being used to log in... So, I guess that still leaves the possibility that one of the user accounts has had its password guessed, stolen, or otherwise compromised... I've enabled login auditing (Local Policies / Audit Policy / Audit account logon events in the OU of the server), refreshed the policy, and the local policy editor shows the effective policy is Success, Failure... So far no nibbles though...

I'm keeping my eyes peeled. If anyone has any other ideas, I'd be very appreciative.

-----Original Message-----
From: Joe Pochedley
Sent: Wednesday, February 11, 2004 6:17 PM
To: Exchange Discussions
Subject: RE: I'm being used to relay spam, how the hell do I stop it?

Oh, and before someone yells at me for not specifying... I'm running Exch2000 SP3 with (I believe) all the latest patches.

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Joe Pochedley
Sent: Wednesday, February 11, 2004 5:36 PM
To: Exchange Discussions
Subject: RE: I'm being used to relay spam, how the hell do I stop it?

Wouldn't that username show up in the logs though?

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

-----Original Message-----
From: Fyodorov, Andrey FTL [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 5:33 PM
To: Exchange Discussions
Subject: RE: I'm being used to relay spam, how the hell do I stop it?

Could it be that they guessed one of your user accounts' password and are now successfully authenticating?

-----Original Message-----
From: Joe Pochedley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 11, 2004 5:26 PM
To: Exchange Discussions
Subject: I'm being used to relay spam, how the hell do I stop it?

After getting a complaint from one of the support staff that the number of NDRs had increased dramatically over the past few days, I started digging... I noticed that for the last few days my SMTP logs have gotten much larger than they have been for the past two months... More digging. Reading the logs, it appears our server is accepting messages, and then later in the logs I see outbound connections opening to try and deliver the messages... I know this will probably wrap horribly for the list, but I've pasted together an entire transaction from the spammer...
21:11:55 200.67.88.184 husked SMTPSVC1 SEQUOYAH 10.1.1.3 0 EHLO - =+husked 250 321 11 - -
21:12:00 200.67.88.184 husked 10.1.1.3 0 MAIL - +FROM:+<[EMAIL PROTECTED]> 250 51 39 - -
21:12:01 200.67.88.184 husked 10.1.1.3 0 RCPT - +TO:<[EMAIL PROTECTED]> 250 30 27 - -
21:12:03 200.67.88.184 husked 10.1.1.3 0 DATA - <[EMAIL PROTECTED]> 250 131 1083 - -
21:12:55 KEBIMail OutboundConnectionCommand - 25 EHLO - sequoyah.namfg.com 0 4 0 - -
21:12:55 KEBIMail OutboundConnectionResponse - 25 - - 250-kebi.com+Hello+[63.147.248.70],+pleased+to+meet+you 0 55 0 - -
21:12:55 KEBIMail OutboundConnectionCommand - 25 MAIL - FROM:<[EMAIL PROTECTED]>+SIZE=1438 0 4 0 - -
21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 250+2.1.0+<[EMAIL PROTECTED]>...+Sender+ok 0 51 0 - -
21:12:56 KEBIMail OutboundConnectionCommand - 25 RCPT - TO:<[EMAIL PROTECTED]> 0 4 0 - -
21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 250+2.1.5+<[EMAIL PROTECTED]>...+Recipient+ok 0 45 0 - -
21:12:56 KEBIMail OutboundConnectionCommand - 25 DATA - - 0 4 0 - -
21:12:56 KEBIMail OutboundConnectionResponse - 25 - - 354+Enter+mail,+end+with+"."+on+a+line+by+itself 0 48 0 - -
21:12:57 KEBIMail OutboundConnectionResponse - 25 - - 250+2.0.0+i1BLCts8020222+Message+accepted+for+delivery 0 54 0 - -
21:12:57 KEBIMail OutboundConnectionCommand - 25 QUIT - - 0 4 0 - -
21:12:57 KEBIMail OutboundConnectionResponse - 25 - - 221+2.0.0+kebi.com+closing+connection 0 37 0 - -

In my SMTP server properties I have relaying enabled for some specific internal IPs (all in the 10.x.x.x range) and users who authenticate... 200.67.88.184 is definitely not on that list, and we do not have a user named "husked"... According to the mail relay tests that I've run, we're not a relay (Relaying Prohibited)...
<<< 220 sequoyah.namfg.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Wed, 11 Feb 2004 17:02:06 -0500
>>> HELO www.abuse.net
<<< 250 sequoyah.namfg.com Hello [208.31.42.77]
Relay test 1
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 2.1.0 [EMAIL PROTECTED] OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Relay test 2
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<spamtest>
<<< 250 2.1.0 [EMAIL PROTECTED] OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Relay test 3
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<>
<<< 250 2.1.0 <>....Sender OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Relay test 4
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 2.1.0 [EMAIL PROTECTED] OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Relay test 5
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 2.1.0 [EMAIL PROTECTED] OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 550 5.7.1 Unable to relay for [EMAIL PROTECTED]
Relay test 6
>>> RSET
<<< 250 2.0.0 Resetting
>>> MAIL FROM:<[EMAIL PROTECTED]>
<<< 250 2.1.0 [EMAIL PROTECTED] OK
>>> RCPT TO:<[EMAIL PROTECTED]>
<<< 250 2.1.5 [EMAIL PROTECTED]
>>> DATA
<<< 354 Start mail input; end with <CRLF>.<CRLF>
>>> (message body)
<<< 250 2.6.0 <[EMAIL PROTECTED]> Queued mail for delivery

Sorry for the long message, but I'm at a loss... HELP!

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.
_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Web Interface: http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
To unsubscribe via postal mail, please contact us at:
Jupitermedia Corp.
Attn: Discussion List Management
475 Park Avenue South
New York, NY 10016
Please include the email address which you have been contacted with.
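As an added example (not the poster's or the list's code): a small detector for the kind of log evidence in the thread above. It walks IIS/Exchange 2000 SMTP W3C rows, treats the third field as the client's EHLO/HELO name (which is why "husked" is a machine name rather than an account), and reports accepted RCPT commands for non-local domains from clients outside the permitted 10.x.x.x range, marking whether that client first completed an AUTH exchange (answered 235), the case that would point at a compromised account. The allowed networks, the local domain namfg.com, the AUTH-row layout and every sample row are assumptions constructed for this example.

```python
import ipaddress
import re

# Assumed from the post: relay only from 10.x.x.x or authenticated users; local domain namfg.com.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LOCAL_DOMAINS = {"namfg.com"}
SMTP_VERBS = {"EHLO", "HELO", "AUTH", "MAIL", "RCPT", "DATA", "QUIT"}

# Constructed rows in the post's layout (addresses are placeholders). Field 3 mirrors the
# EHLO/HELO argument, not a logged-in account; an AUTH row answered 235 is assumed to mean credentials.
SAMPLE_LOG = """\
21:12:01 200.67.88.184 husked 10.1.1.3 0 RCPT - +TO:<someone@kebi.example> 250 30 27 - -
21:12:55 KEBIMail OutboundConnectionCommand - 25 EHLO - sequoyah.namfg.com 0 4 0 - -
21:13:10 10.1.1.50 WKSTN01 10.1.1.3 0 RCPT - +TO:<partner@kebi.example> 250 30 27 - -
21:14:02 208.31.42.77 www.abuse.net 10.1.1.3 0 RCPT - +TO:<nobody@abuse.example> 550 30 27 - -
21:15:20 200.67.88.184 husked 10.1.1.3 0 RCPT - +TO:<staff@namfg.com> 250 30 27 - -
21:16:00 198.51.100.9 laptop 10.1.1.3 0 AUTH - LOGIN 235 18 12 - -
21:16:05 198.51.100.9 laptop 10.1.1.3 0 RCPT - +TO:<list@kebi.example> 250 30 27 - -
"""

def parse_row(row):
    """Return (time, client_ip, helo_name, verb, query, status) or None for other rows."""
    t = row.split()
    if len(t) < 8 or t[2].startswith("OutboundConnection"):
        return None  # outbound delivery legs use another layout; they are not inbound relay
    verb_idx = next((i for i, tok in enumerate(t) if tok in SMTP_VERBS), None)
    if verb_idx is None or verb_idx + 2 >= len(t):
        return None
    status = next((tok for tok in t[verb_idx + 1:] if re.fullmatch(r"\d{3}", tok)), None)
    return t[0], t[1], t[2], t[verb_idx], t[verb_idx + 2], status

def relay_findings(log_text):
    """Accepted RCPT TO a non-local domain from a client outside ALLOWED_NETS."""
    findings, authed = [], set()
    for row in log_text.splitlines():
        rec = parse_row(row)
        if rec is None:
            continue
        when, cip, helo, verb, query, status = rec
        m = re.search(r"@([^>\s]+)>", query)
        domain = m.group(1).lower() if m else ""
        if verb == "AUTH" and status == "235":
            authed.add(cip)  # tracked per client IP, a simplification of per-session state
        if verb != "RCPT" or status != "250" or domain in LOCAL_DOMAINS:
            continue  # rejected, non-RCPT, or inbound mail for our own domain (not relay)
        if any(ipaddress.ip_address(cip) in net for net in ALLOWED_NETS):
            continue  # permitted internal relay source
        findings.append({"time": when, "client": cip, "helo": helo,
                         "rcpt_domain": domain, "authenticated": cip in authed})
    return findings
```

A finding with `authenticated` False is an open-relay or relay-restriction gap; one with `authenticated` True is the credential-compromise case the thread is worried about, and the AUTH row's time and client address give the audit log a place to start.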
