RE: Server hacked/being used as spammers haven...



Hello Robin,

Thank you for posting here.

According to your description, I understand from your note that Exchange
2000 on SBS 2000 sends many spam emails outbound. If I have misunderstood
the problem, please don't hesitate to let me know.

Based on my research, I think your Exchange 2000 may have an open SMTP relay.
I suggest we try the steps in the following KB to block open SMTP relaying
on your Exchange 2000:

How to block open SMTP relaying and clean up Exchange Server SMTP queues in
Windows Small Business Server
http://support.microsoft.com/?id=324958

If we cannot resolve the issue after we perform the above steps, please
help me collect some information for further investigation:

1. Enable SMTP logging and gather SMTP log to troubleshoot the issue:

A. Open Exchange System Manager, expand Servers -> <Server name> ->
Protocols -> SMTP, right-click "Default SMTP Virtual Server" and click
Properties.

B. Under the General tab, check the option "Enable Logging".

C. With "W3C Extended Log File Format", click "Properties".

D. Under "General Properties", make sure "Use local time for file naming
and rollover" is CHECKED.

E. Switch to the "Extended Properties" tab, and then select all the
logging options.

F. Click OK to apply the modification.

G. Right-click Default SMTP Virtual Server and click Stop.

H. Right-click Default SMTP Virtual Server and click Start to restart the
SMTP server.

I. Reproduce the issue, repeat step G to stop Default SMTP Virtual Server,
copy out or zip the SMTP log files in the
"%systemroot%\system32\logfiles\SmtpSvc1" folder, and then restart the
"Default SMTP Virtual Server".

2. Please collect the MPS Report for Exchange:

a) Download MPSRPT_Exchange.EXE from the following link:
http://www.microsoft.com/downloads/details.aspx?familyid=cebf3c7c-7ca5-408f-88b7-f9c79b7306c0&displaylang=en

b) Double-click the executable file to start the report gathering tool, and
then accept the end-user licensing agreement (EULA). Note: Please be patient
while MPS Reports collects data. The tool may appear to stop responding
(hang) because it may take from five to 15 minutes to collect the data.

c) The tool creates a CAB file named "%COMPUTERNAME%_MPSReports_.CAB" in
the %systemroot%\MPSReports\Setup\Reports\Cab folder. The CAB file contains
the reports that the MPS Reporting Tool generated. If the tool does not
create the CAB file, copy all the files in the
%systemroot%\MPSReport\Setup\Reports folder to a compressed (zipped) file.
Note: The %systemroot% folder is the folder where you installed the
operating system. By default, this is the C:\WINDOWS folder.

d) Send me the CAB file or the compressed (zipped) file at:
v-terliu@xxxxxxxxxxxxxx

For more information, please refer to the following article:
818742 Overview of the Microsoft Configuration Capture Utility (MPS_REPORTS)
http://support.microsoft.com/?id=818742

I hope these steps will give you some help.

Thanks and have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Rlee" <tech_support@xxxxxxxxxx>
| Subject: Server hacked/being used as spammers haven...
| Date: Mon, 12 Nov 2007 19:15:23 -0700
| Message-ID: <O5eUPtZJIHA.4476@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi there,
| Our webserver recently got hit with one of those spam senders... I will
| say that ORF (spam blocker) has definitely helped me in noticing that we
| were being used as an open relay... anyway, that has been fixed.
|
| The problem is that I'm still getting some relaying through our system...
| ORF does show the emails going out, but I have no clue how they are
| sending the emails through our server.
|
| We are using Small Business Server 2000 with Exchange 2k, ISA 2k, etc...
|
| Basically, the spammer is able to send mail if they somehow log onto our
| server (via 10.0.0.2)... if the spammer uses their own IP address, it does
| get blocked. They used to be able to use fake emails to relay, but now
| they use our domain mail (@uls.com) to send them out.
|
| All emails that are sent out are from FAKE uls email accounts (they do not
| exist on our system).
|
| Any help or suggestions would be appreciated.... It has been a very very
| long week :(...
|
| My only thought is that we have a port open... we are running ISA Server
| 2k in front...
|
| Thanks!
|
| ...Robin
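Once the W3C extended SMTP log from step 1 is in hand, the symptom Robin describes (accepted MAIL FROM commands for @uls.com addresses that have no mailbox, all arriving from one client IP) can be pulled out mechanically. The script below is an added example, not part of either post: it assumes the log's "#Fields:" header names the columns, uses a constructed sample log, and takes the list of real mailboxes (KNOWN_MAILBOXES) as an assumed input.

```python
"""Scan a W3C extended SMTP log for accepted MAIL FROM commands that use the
local domain with a sender address that is not a real mailbox."""
import re
from collections import defaultdict

LOCAL_DOMAIN = "uls.com"                                      # domain from the thread
KNOWN_MAILBOXES = {"robin@uls.com", "tech_support@uls.com"}   # assumed mailbox list

# Constructed sample log; column names follow the W3C "#Fields:" convention,
# with the SMTP verb in cs-method and its argument in cs-uri-query.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2007-11-12 19:01:02 10.0.0.2 - MAIL +FROM:+<robin@uls.com> 250
2007-11-12 19:01:03 10.0.0.2 - RCPT +TO:+<friend@example.org> 250
2007-11-12 19:05:10 10.0.0.2 - MAIL +FROM:+<xk7q@uls.com> 250
2007-11-12 19:05:11 10.0.0.2 - RCPT +TO:+<victim1@example.net> 250
2007-11-12 19:05:12 10.0.0.2 - MAIL +FROM:+<promo99@uls.com> 250
2007-11-12 19:07:44 203.0.113.9 - MAIL +FROM:+<spam@example.com> 250
2007-11-12 19:07:45 203.0.113.9 - RCPT +TO:+<victim2@example.net> 550
"""

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def suspicious_senders(text, known=KNOWN_MAILBOXES, domain=LOCAL_DOMAIN):
    """Map client IP -> set of accepted local-domain senders with no mailbox."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        # Only MAIL commands the server accepted (250) matter here.
        if rec.get("cs-method") != "MAIL" or rec.get("sc-status") != "250":
            continue
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        if not m:
            continue
        sender = m.group(1).lower()
        if sender.endswith("@" + domain) and sender not in known:
            hits[rec["c-ip"]].add(sender)
    return dict(hits)


if __name__ == "__main__":
    for ip, senders in suspicious_senders(SAMPLE_LOG).items():
        print(ip, sorted(senders))
```

A non-empty result for an internal address such as 10.0.0.2 points at the host or credentials being used to submit the mail, which is what the SMTP log was requested for.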
