Re: Security issue with relaying

From: Kirill Palagin (kpalagin_at_no.phxint.mail.ru)
Date: 03/14/05


Date: Mon, 14 Mar 2005 12:56:54 +0300

Also, there is an awkward way of capturing all messages - remove Delete right
from \inetpub\mailroot\Queue folder from all accounts. This will prevent IIS SMTP
from removing delivered messages (and might cause duplicates and other side
effects). This will leave you with files which you can open with Outlook
Express.

john Smith wrote:

> Hi guys need some help here. Running SBS2003 (Exchange 2003) and have an
> issue where I have all relaying stopped, except for authorised users (as we
> have remote users that require smtp access with authorisation). I also run
> the "archive all messages sent through the store" option.
>
> From the usage reports, I have been able to identify that typically on the
> weekends, one user account (who is computer illiterate) is being used to
> send mail in the order of 1.7 GB for 1-2000 e-mails. This traffic is not
> showing up in the archive mailbox.
>
> I have rechecked all of my relaying options and checked externally that the
> relaying is in fact being blocked. I have changed the user's password and
> also changed the login name (to an alias such as Jacko rather than
> mjackson). The login name worked for one week then was breached. I feel
> that it is a personal contact of the user that is doing this without the
> knowledge of the user. It is not the user himself and he does not know who
> it may be.
>
> Via the security logs of the server (security audit log) I have been able to
> determine password guessing attempts on other high profile company users.
>
> On the SMTP virtual server under access/ relay/users, I have explicitly set
> the relaying and submit permissions to DENIED to force all traffic to go
> through the outlook/OWA rather than any other format.
>
> I have checked the user's PC for any trojans etc. In fact, his PC is always
> powered off when the e-mail is sent.
>
> How are these guys still gaining access? What can I do? What are these
> people sending that averages 1MB per e-mail???
>
> So far about 8 GB of unauthorised e-mail has been sent.
>
> All help greatly appreciated.
>
> Cheers
>
> Michael.
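The original post relies on usage reports to notice that one account sends bulk mail on weekends, and on the security audit log to spot password guessing. The SMTP protocol log that the IIS SMTP service can write (W3C extended format) gives a more direct signal for both: which authenticated user each accepted DATA command belongs to, and which client addresses keep failing AUTH. The script below is an added example written for this thread, not code from the poster, from Kirill, or from Microsoft. It assumes the log has the fields date, time, c-ip, cs-username, cs-method, sc-status and cs-bytes enabled; the log lines, addresses, user names and thresholds are constructed for the example.

```python
"""Flag weekend authenticated submission volume and AUTH failure bursts in an
IIS SMTP protocol log. Example code for this thread; sample data is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample. Field names follow the W3C extended format the IIS SMTP
# service uses, but every line, address and user name below is invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status cs-bytes
2005-03-12 02:01:10 203.0.113.7 jacko AUTH - 235 0
2005-03-12 02:01:11 203.0.113.7 jacko MAIL +FROM:<jacko@example.test> 250 42
2005-03-12 02:01:13 203.0.113.7 jacko DATA - 250 1048576
2005-03-12 02:01:20 203.0.113.7 jacko MAIL +FROM:<jacko@example.test> 250 42
2005-03-12 02:01:25 203.0.113.7 jacko DATA - 250 1310720
2005-03-12 03:30:00 198.51.100.9 - AUTH - 535 0
2005-03-12 03:30:01 198.51.100.9 - AUTH - 535 0
2005-03-12 03:30:02 198.51.100.9 - AUTH - 535 0
2005-03-12 10:00:00 192.0.2.11 bjones DATA - 250 4096
2005-03-13 23:40:02 203.0.113.7 jacko DATA - 250 980000
2005-03-14 09:15:00 192.0.2.10 asmith MAIL +FROM:<asmith@example.test> 250 40
2005-03-14 09:15:02 192.0.2.10 asmith DATA - 250 20480
"""


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):   # skip malformed rows instead of guessing
            continue
        records.append(dict(zip(fields, parts)))
    return records


def weekend_submissions(records):
    """Per authenticated user: accepted DATA commands and bytes on Saturday/Sunday.

    IIS logs timestamps in UTC; shift them to local time before calling if the
    site's weekend differs. One accepted DATA (status 250) is one message.
    """
    summary = defaultdict(lambda: {"messages": 0, "bytes": 0})
    for r in records:
        if r["cs-method"] != "DATA" or r["sc-status"] != "250" or r["cs-username"] == "-":
            continue
        when = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        if when.weekday() < 5:          # Monday=0 .. Friday=4
            continue
        entry = summary[r["cs-username"]]
        entry["messages"] += 1
        entry["bytes"] += int(r["cs-bytes"])
    return dict(summary)


def flag_accounts(summary, max_messages=50, max_bytes=50 * 1024 * 1024):
    """Accounts whose weekend volume exceeds either threshold (thresholds are assumed)."""
    return sorted(u for u, s in summary.items()
                  if s["messages"] > max_messages or s["bytes"] > max_bytes)


def auth_failures_by_ip(records):
    """Count rejected AUTH attempts (status 535) per client address."""
    counts = defaultdict(int)
    for r in records:
        if r["cs-method"] == "AUTH" and r["sc-status"] == "535":
            counts[r["c-ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    summary = weekend_submissions(recs)
    for user in flag_accounts(summary, max_messages=2, max_bytes=2_000_000):
        s = summary[user]
        print(f"REVIEW {user}: {s['messages']} weekend messages, {s['bytes']} bytes")
    for ip, n in auth_failures_by_ip(recs).items():
        if n >= 3:
            print(f"REVIEW {ip}: {n} failed AUTH attempts")
```

Run against a real log, the per-user weekend summary tells you which authenticated account the bulk sending is charged to (the SMTP log attributes each DATA to the account that passed AUTH, whatever the account is called), and the 535 counts per client address give the guessing activity that would otherwise only show up as failed logons in the security audit log.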


