Spammer using apparently ‘locked down’ Exchange Server to relay spam
Written by Grant on February 23, 2011 – 8:09 pm

I had a customer this week that was warned by their ISP (also their outgoing SMTP smart-host) that they were spamming. Indeed, the SMTP service was clogged with tens of thousands of spam emails and NDRs.

I checked the usual suspects such as a too-liberal netmask on the SMTP Service’s “Allow relay from these networks” – but all appeared fine.

With Netstat I could see dozens of spammer connections on port 25, and the same sessions appeared in Exchange System Manager’s SMTP Service “Current Sessions” list. One thing was odd: every connection was listed as from “User” instead of an IP address such as “[82.128.4.225]”, which suggested they were actually authenticating as a user. I figured they were authenticating as an account called “User” with an easy password, perhaps left over from a previous testing session or similar. However, a search of AD revealed no such user object called “User”. It seems that the “Current Sessions” screen just shows “User” for any authenticated session rather than the actual login account being used.

The next step was to turn up the diagnostic logging detail on the Exchange SMTP transport so that the actual username would appear in the Windows Application event log. The following process turns the logging up to MAXIMUM:

1.  Start Exchange System Manager.
2.  Double-click Servers.
3.  Under Servers, right-click ServerName, and then click Properties.
4.  Click the Diagnostic Logging tab.
5.  Click MSExchangeTransport on the left.
6.  On the right, click SMTP Protocol.
7.  Under Logging Level, click Maximum.
8.  Click OK to close Server Properties.

I set this and immediately found that an account called “sales” was being used. I figured that the “sales” account had a simple password such as “sales” or “password”, so I reset the password to something complex and left the logging running for another hour or two. That solved the mystery! The spammer was still hitting the box hard but could no longer authenticate, so no spam was getting through.
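As an added example (not code from the original post), here is a small Python script that does the same triage over a log: it parses authenticated-session lines, flags any account that succeeds from many unrelated addresses, and, after the reset, confirms that the same sources keep trying but no longer succeed. The log format, the sample lines, the timestamp of the reset and the thresholds are all constructed for this example; the format stands in for what maximum SMTP protocol logging exposes and is not the actual Exchange 2003 event-log layout.

```python
"""Added example, not from the original post: find which account a spammer is
using for SMTP AUTH relay, then confirm a password reset has cut them off.

The log format is constructed for this example (timestamp, client IP, the
account presented to AUTH, result); it stands in for what maximum SMTP
protocol logging exposes and is NOT the real Exchange 2003 event-log layout.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) AUTH (?P<user>\S+) (?P<result>OK|FAIL)$"
)

# Constructed sample (documentation IP ranges only). Two staff log in from the
# LAN; "sales" is used from several unrelated Internet addresses; after the
# 20:00 password reset the same addresses keep trying and fail.
SAMPLE_LOG = """\
2011-02-23 19:02:11 192.168.10.21 AUTH jsmith OK
2011-02-23 19:02:40 192.168.10.21 AUTH jsmith OK
2011-02-23 19:03:05 203.0.113.17 AUTH sales OK
2011-02-23 19:03:06 203.0.113.17 AUTH sales OK
2011-02-23 19:03:09 198.51.100.8 AUTH sales OK
2011-02-23 19:03:12 192.0.2.44 AUTH sales OK
2011-02-23 19:03:15 203.0.113.5 AUTH sales OK
2011-02-23 19:03:20 192.0.2.44 AUTH sales OK
2011-02-23 19:03:21 192.168.10.50 AUTH bob FAIL
2011-02-23 19:03:30 192.168.10.50 AUTH bob OK
2011-02-23 20:10:00 203.0.113.17 AUTH sales FAIL
2011-02-23 20:10:03 198.51.100.8 AUTH sales FAIL
2011-02-23 20:10:09 192.0.2.44 AUTH sales FAIL
"""

RESET_TS = "2011-02-23 20:00:00"  # assumed time the "sales" password was changed


@dataclass(frozen=True)
class AuthEvent:
    ts: str      # "YYYY-MM-DD HH:MM:SS" sorts correctly as a plain string
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse AUTH lines; blank or unparseable lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(m["ts"], m["ip"], m["user"].lower(),
                                    m["result"] == "OK"))
    return events


def summarise(events):
    """Per account: successful sessions, failed sessions, and the distinct
    source IPs that authenticated successfully."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "ips": set()})
    for e in events:
        s = stats[e.user]
        if e.ok:
            s["ok"] += 1
            s["ips"].add(e.ip)
        else:
            s["fail"] += 1
    return stats


def suspect_accounts(events, min_ok=5, min_ips=3):
    """Accounts that authenticate successfully from many unrelated addresses:
    the signature of a relayed-spam credential, since a real user rarely
    sends from several Internet hosts at once. Thresholds are illustrative;
    tune them to the site's normal traffic."""
    return sorted(user for user, s in summarise(events).items()
                  if s["ok"] >= min_ok and len(s["ips"]) >= min_ips)


def reset_effective(events, user, reset_ts):
    """After the reset the attacker should keep knocking but never get in.
    Returns (successes_after, failures_after); the first number must be 0."""
    after = [e for e in events if e.user == user and e.ts >= reset_ts]
    return (sum(e.ok for e in after), sum(not e.ok for e in after))


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, s in sorted(summarise(events).items()):
        print(f"{user:8} ok={s['ok']:3} fail={s['fail']:3} "
              f"src_ips={len(s['ips'])}")
    for user in suspect_accounts(events):
        ok_after, fail_after = reset_effective(events, user, RESET_TS)
        print(f"suspect {user!r}: after reset ok={ok_after} fail={fail_after}")
```

The per-account view is what the “Current Sessions” screen hides: the count of distinct source addresses is the tell, because one mailbox legitimately used from a handful of office machines looks nothing like one used from a botnet. The second check is the one to run an hour after the reset; if `successes_after` is not zero, either the reset did not take or the attacker has a second credential.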

I emailed the customer to say that the password for their ‘sales’ account had been reset, and asked them to make sure everyone changed their passwords that day.

Moral: even for really tech-unsavvy users who complain about difficult passwords… force them to use them!


2 Responses

  1. I prefer using a single, very hard to guess password, and use it for everything.

    So far, never been hacked.

  2. True – however in this instance it was a user’s account and they had set a stupidly easy to guess password — one of those tough situations in which the owner of the business insists on not having password policies as they complicate his life too much ;) In Server 2003 password policies are an all-or-none situation – at least now in Server 2008 you can have *some* folks (like the business owner) bypass password policies while the rest are forced to conform to strict password policies.
