Hi,
I have an Exchange Server 2010 SP3. It is not an open relay; however, I discovered it was sending spam.
I've limited the max recipient number so only 50 recipients can receive any one email; this will limit the amount of spam that can be sent if it gets through. If I view a message's properties I can see the source IP and block that IP range in my default receive connector - OK until the IP of the spammer changes. Normally the source IP would be 255.255.255.255, but in my case on spam emails it is 92.223.197.87 - well, it is today.
So how is spam being sent through my server?
On investigation I suspect a user account has become compromised, so I have forced a password change for all users, having revised the password policy on Active Directory (Windows Server 2012): change of password required every 90 days, minimum 6 characters, mix of upper/lower case and a number and/or symbol, account name prohibited in password.
However, I have some users who have not changed their password as they are away, and I can't force a change as it will disconnect them. These users seem to have secure enough passwords as they all seem pretty security conscious.
So my question is: is there any way I can find out from logs etc. what account is being used, if that is the case? I have turned on verbose logging, but searching this morning for that IP in the logs I can only see entries like the following:
2015-08-29T08:37:03.228Z,,08D2A8B116D469D0,0,132.147.155.179:25,92.223.197.87:63488,+,,
2015-08-29T08:37:03.228Z,,08D2A8B116D469D0,1,132.147.155.179:25,92.223.197.87:63488,>,421 4.3.2 Service not available,
2015-08-29T08:37:03.228Z,,08D2A8B116D469D0,2,132.147.155.179:25,92.223.197.87:63488,-,,Local
However, there are entries such as the following that I can see are logging connections, but not from the IP in question, and there is no mail being sent from this IP:
2015-08-29T08:36:12.964Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CE,16,132.147.155.179:25,66.227.62.28:34748,-,,Local
2015-08-29T08:36:51.057Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,0,132.147.155.179:25,193.189.116.44:64586,+,,
2015-08-29T08:36:51.057Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,1,132.147.155.179:25,193.189.116.44:64586,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2015-08-29T08:36:51.057Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,2,132.147.155.179:25,193.189.116.44:64586,>,"220 EXCHANGE03.rossjaye.rossjayevelleman.co.uk Microsoft ESMTP MAIL Service ready at Sat, 29 Aug 2015 09:36:49 +0100",
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,3,132.147.155.179:25,193.189.116.44:64586,<,EHLO User,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,4,132.147.155.179:25,193.189.116.44:64586,>,250-EXCHANGE03.rossjaye.rossjayevelleman.co.uk Hello [193.189.116.44],
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,5,132.147.155.179:25,193.189.116.44:64586,>,250-SIZE,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,6,132.147.155.179:25,193.189.116.44:64586,>,250-PIPELINING,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,7,132.147.155.179:25,193.189.116.44:64586,>,250-DSN,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,8,132.147.155.179:25,193.189.116.44:64586,>,250-ENHANCEDSTATUSCODES,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,9,132.147.155.179:25,193.189.116.44:64586,>,250-STARTTLS,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,10,132.147.155.179:25,193.189.116.44:64586,>,250-X-ANONYMOUSTLS,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,11,132.147.155.179:25,193.189.116.44:64586,>,250-AUTH NTLM,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,12,132.147.155.179:25,193.189.116.44:64586,>,250-X-EXPS GSSAPI NTLM,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,13,132.147.155.179:25,193.189.116.44:64586,>,250-8BITMIME,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,14,132.147.155.179:25,193.189.116.44:64586,>,250-BINARYMIME,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,15,132.147.155.179:25,193.189.116.44:64586,>,250-CHUNKING,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,16,132.147.155.179:25,193.189.116.44:64586,>,250-XEXCH50,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,17,132.147.155.179:25,193.189.116.44:64586,>,250-XRDST,
2015-08-29T08:36:51.104Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,18,132.147.155.179:25,193.189.116.44:64586,>,250 XSHADOW,
2015-08-29T08:36:51.166Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,19,132.147.155.179:25,193.189.116.44:64586,<,QUIT,
2015-08-29T08:36:51.166Z,EXCHANGE03\Default EXCHANGE03,08D2A8B116D469CF,20,132.147.155.179:25,193.189.116.44:64586,>,221 2.0.0 Service closing transmission channel,
Several others have lines like this:
EXCHANGE03,08D2A8B116D46252,24,132.147.155.179:25,95.6.33.215:24708,>,550 5.7.1 Unable to relay,
At present all is OK as I have, as previously stated, blocked the offending IP, but I really need to find out how this is happening and, if it is, as I suspect, a compromised account, find out which one!! Oh, one other thing I forgot to mention: I have unticked the receive connector permission group "Exchange users" option that specifies who is allowed to connect to the receive connector, so I can't understand how an authenticated user can connect, as this option is now not available!
Any help would be appreciated.
- Edited by RobertMallett 16 hours 48 minutes ago
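Added example (my own, not from the original post or from Microsoft): a PowerShell script that reads the SmtpReceive protocol log described above, groups lines by session-id, and reports sessions from the suspect IP that issued AUTH, so a compromised account can be named. It assumes the default Exchange 2010 log path, the nine "#Fields:" columns shown in the post, and that for AUTH LOGIN the client line after the server's 334 prompt carries the base64 user name.

```powershell
# Added example, not from the original post. Scan Exchange 2010 SmtpReceive protocol logs for
# sessions from a suspect IP that issued AUTH, and report the account name the client sent.
# Assumptions: default log path; the 9 "#Fields:" columns (date-time,connector-id,session-id,
# sequence-number,local-endpoint,remote-endpoint,event,data,context); for AUTH LOGIN the client
# line after the server's "334" prompt is the base64 user name. Run in the Exchange Management Shell.
param(
    [string]$LogDir   = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive',
    [string]$RemoteIp = '92.223.197.87'    # the source IP seen in the spam message properties
)

function Import-SmtpReceiveLog {
    param([string]$Path)
    $lines  = Get-Content -Path $Path
    # The "#Fields:" header names the CSV columns; other "#" lines are metadata
    $header = ($lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1) -replace '^#Fields:\s*', ''
    $lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header ($header -split ',')
}

$rows = Get-ChildItem -Path $LogDir -Filter '*.LOG' | ForEach-Object { Import-SmtpReceiveLog -Path $_.FullName }

# One group per SMTP session whose remote endpoint is the suspect IP (remote-endpoint is "ip:port")
$sessions = $rows | Where-Object { $_.'remote-endpoint' -like ($RemoteIp + ':*') } | Group-Object -Property 'session-id'

foreach ($s in $sessions) {
    $evts = @($s.Group | Sort-Object -Property { [int]$_.'sequence-number' })
    $auth = @($evts | Where-Object { $_.event -eq '<' -and $_.data -match '^AUTH ' })
    if ($auth.Count -eq 0) { continue }        # no AUTH: an anonymous relay attempt, not a stolen account

    # A "235" reply from the server means the credentials were accepted
    $ok = @($evts | Where-Object { $_.event -eq '>' -and $_.data -like '235 *' }).Count -gt 0
    $user = $null
    for ($i = 0; $i -lt $evts.Count - 1; $i++) {
        if ($evts[$i].event -eq '>' -and $evts[$i].data -like '334 *' -and $evts[$i + 1].event -eq '<') {
            # Decode the base64 user name; ignore lines that are not valid base64
            try { $user = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($evts[$i + 1].data)) } catch { }
            break
        }
    }
    $from = @($evts | Where-Object { $_.event -eq '<' -and $_.data -match '^MAIL FROM:' } | Select-Object -First 1 -ExpandProperty data)
    New-Object PSObject -Property @{
        Time      = $evts[0].'date-time'
        Connector = $evts[0].'connector-id'
        Session   = $s.Name
        AuthOk    = $ok
        User      = $user
        MailFrom  = ($from -join '')
    }
}
```

If no session from that IP ever authenticates on the receive connector, the spam may be entering through mailbox submission (OWA, ActiveSync, Outlook Anywhere) rather than SMTP, in which case Get-MessageTrackingLog with -EventId RECEIVE and -Source STOREDRIVER, grouped by Sender, will show which mailbox is submitting it.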