Need Help Diagnosing Spam Source

From: "Richard K"
Subject: Need Help Diagnosing Spam Source
Date: Fri, 3 Oct 2008 10:17:57 -0400
Newsgroups: microsoft.public.windows.server.sbs

SBS 2003 Std. server (call him Company1) with Windows XP clients
Trend Micro WFBS on network

I have been working on an issue with spam mail that is causing RBL issues.
At first I was thinking it was a virus somewhere in the network either using
Company1 Exchange as the sourcing to send these spam mails or the XP client
himself was sending port 25 traffic.  Now I'm thinking I may have an open
relay where some outside source is using the Company1 Exchange to send the
mails.  I have found an example which helps explain my thoughts.

1.  I look in the Company1 Exchange MTS for any messages I see for a period
of time.  I see TONS of messages which tells me it is the Company1 Exchange
box sending the messages and not some rogue XP client
2.  I started receiving some more spam to my email address in my office SBS
(Company2) These messages were intended for an email address at Company1
that I have a forward on to my server at Company2
3.  I have found a specific message that is in the Company1 MTS AND that I
received via the forward so I can match up that the email did originate from
the Company1 SBS server.
4.  When I look at the details of the message in the Company1 MTS the
"Sender" is not anyone on the network ("dolore-'riclite@palpilot.com.tw")
5.  I have attached the Internet Headers of this message that I get in my
Outlook.  This message was not caught by the AV.

Q1 - How are these messages getting into the Exchange queue of the Company1
SBS?  From a client machine or am I missing some type of authentication
and/or have a relay open and something is using the Company1 Exchange server
as its engine?
Q2 - What do I need to do to make sure only valid users on the Company1
network may send emails via the Company1 Exchange and that I don't have any
relay issues?

Thanks!

-Richard K


Microsoft Mail Internet Headers Version 2.0

Received: from vms172071pub.verizon.net ([206.46.172.71]) by foxdtechllc.com
 with Microsoft SMTPSVC(6.0.3790.1830);
 Wed, 1 Oct 2008 05:18:20 -0400
Return-path: dolore-'riclite@palpilot.com.tw
Received: from fergusontrenching.com ([151.196.94.114])
 by vms172071.mailsrvcs.net
 (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
 with ESMTPA id <0K810057WZ6JTXJ3@vms172071.mailsrvcs.net> for
 rkokoski@foxdtechllc.com; Wed, 01 Oct 2008 04:18:19 -0500 (CDT)
Received: from [125.131.129.1] ([125.131.129.1]) by fergusontrenching.com with
 Microsoft SMTPSVC(6.0.3790.3959); Wed, 01 Oct 2008 05:18:17 -0400
Date: Wed, 01 Oct 2008 18:18:16 +0900
From: dolore <dolore-'riclite@palpilot.com.tw>
Subject: Warning
To: <postmaster@fergusontrenching.com>
Message-id: <000b01c923a6$a340b540$0181837d@APSEODESKBHPARK>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-type: multipart/alternative;
 boundary="----=_NextPart_000_000C_01C923F2.13285D40"
Content-class: urn:content-classes:message
Thread-topic: Warning
Thread-index: Ackj8hMocknXUw0QSHGI/D/CTZsDJA==
X-MS-TNEF-Correlator:
X-TM-AS-Product-Ver: SMEX-8.1.0.1092-5.500.1027-16190.006
X-TM-AS-Result: Yes-43.210500-5.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-OriginalArrivalTime: 01 Oct 2008 09:18:17.0787 (UTC)
 FILETIME=[A3E2E8B0:01C923A6]

------=_NextPart_000_000C_01C923F2.13285D40
Content-Type: text/plain;
 charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_000C_01C923F2.13285D40
Content-Type: text/html;
 charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_000C_01C923F2.13285D40--

**************************************

From: "Lanwench [MVP - Exchange]"
Date: Fri, 3 Oct 2008 11:11:04 -0400

Richard K wrote:
> SBS 2003 Std. server (call him Company1) with Windows XP clients
> Trend Micro WFBS  on network
>
> I have been working on an issue with spam mail that is causing RBL
> issues.

What do you mean by RBL issues?

> At first I was thinking it was a virus somewhere in the
> network either using Company1 Exchange as the sourcing to send these
> spam mails or the XP client himself was sending port 25 traffic.

You can block your clients from accessing the Internet on anything besides
80 & 443. That's not a bad plan in general....do this in ISA or your
perimeter firewall.

>   Now
> I'm thinking I may have an open relay where some outside source is
> using the Company1 Exchange to send the mails.

Unlikely, unless you specifically enabled that. Exchange does not permit
open relay out of the box. It permits authenticated relay, which I generally
disable unless absolutely necessary - but if you have a good password policy
you shouldn't worry about that overmuch.

>  I have found an
> example which helps explain my thoughts.
> 1.  I look in the Company1 Exchange MTS for any messages I see for a
> period of time.  I see TONS of messages which tells me it is the
> Company1 Exchange box sending the messages and not some rogue XP
> client

Well, it's sending *messages* - including NDRs to spammers who tried to send
*you* their junk. This doesn't demonstrate spammers are relaying through
your server.

> 2.  I started receiving some more spam to my email address in my
> office SBS (Company2) These messages were intended for an email
> address at Company1 that I have a forward on to my server at Company2

OK - not sure what that demonstrates.

> 3.  I have found a specific message that is in the Company1 MTS AND
> that I received via the forward so I can match up that the email did
> originate from the Company1 SBS server.

Well - you demonstrated that it was mail sent to your address at
company1 -not that it *originated* there. Did you look at the headers?

> 4.  When I look at the details of the message in the Company1 MTS the
> "Sender" is not anyone on the network
> (dolore-'riclite@palpilot.com.tw)

Right. Because the sender is a spammer. The spammer sent mail *to* you - not
*through* you.

> 5.  I have attached the Internet Headers of this message that I get
> in my Outlook.  This message was not caught by the AV.

Sure, why would it be, unless it had a virus-laden or otherwise bad
attachment?
>
> Q1 - How are these messages getting into the Exchange queue of the
> Company1 SBS?  From a client machine or am I missing some type of
> authentication and/or have a relay open and something is using the
> Company1 Exchange server as its engine?

You're just getting spam. You aren't creating it.

> Q2 - What do I need to do to make sure only valid users on the
> Company1 network may send emails via the Company1 Exchange and that I
> don't have any relay issues?

Look in your virtual SMTP server properties, relay settings. But it's that
way now, I promise, unless you deliberately changed it.

See http://www.msexchange.org/tutorials/MF005.html for a good overview of
relaying and spam.
>
> Thanks!

**************************************

From: "Richard K"
Date: Fri, 3 Oct 2008 11:58:56 -0400

RBL issues - The external IP address (151.196.94.114) is listed in various
RBLs including CBL and Spamhaus.  We thought we had cleaned the network of
any issues (according to the latest TM WFBS reports we are clean) but then
the IP gets put back on the RBL again as a spam source.  This is the
primary reason for this thread along with some other thread questions I have
had.  I am having trouble identifying the culprit.

This is SBS 2003 std so no ISA.  The SBS has a dual nic set up and the XP
clients must go through the server to get outside.

I looked at your link on possible relays and I believe you are correct about
the relay in this case.  All appears set up correctly.

I see your point about the NDRs now and it makes sense.  In the example I
included (internet header) as I read it:  it is coming from
"dolore-'riclite@palpilot.com.tw" being sent to
"postmaster@fergusontrenching.com".  The "postmaster" address is just another
SMTP address attached to the administrator account.  That same administrator
account has a forward set up to my email address (rkokoski@foxdtechllc.com),
hence that is how I ultimately get the spam.

Bottom line Lanwench... I'm just trying to figure out how the IP address is
consistently reappearing on the RBL lists and I'm kind of stuck.  This
server is also being bombarded with incoming spam mail and I am looking at
options to have email first "cleaned" to cut down on the amount of incoming
spam mail that may reach the server for it to then have to process in some
form.

Thanks for any assistance and guidance!

-Richard K

**************************************

From: "Lanwench [MVP - Exchange]"
Date: Fri, 3 Oct 2008 12:30:19 -0400

Richard K <rkokoski@foxdtechllc.com> wrote:
> RBL issues - The external IP address (151.196.94.114) is listed in
> various RBLs include CBL and Spamhaus.

Ah, you mean you've been blacklisted. The blacklisting should explain why.
Do you send out a lot of mass mailings?

What antivirus/workstation security software do you run?

>  We thought we had cleaned
> the network of any issues (according to the latest TM WFBS reports we
> are clean) but then the IP gets put back on the RBL again as a spam
> source.  This is the primary reason for this thread along with some
> other thread questions I have had.  I am having trouble identifying the
> culprit.
> This is SBS 2003 std so no ISA.  The SBS has a dual nic set up and
> the XP clients must go through the server to get outside.

Do you use a good perimeter firewall appliance? I don't like the two-NIC
setup unless you've got Premium and use ISA. Multihomed DCs cause problems.
Your setup isn't as secure as it ought to be, either, unless you've got a
good firewall.

>
> I looked at your link on possible relays and I believe you are
> correct about the relay in the case.  All appears set up correctly
>
> I see your point about the NDRs now and it makes sense.  In the
> example I included (internet header) as I read it:  it is coming from
> "dolore-'riclite@palpilot.com.tw" being sent to
> "postmaster@fergusontrenching.com".  The "postmaster" address is just
> another SMTP address attached to the administrator account.  That
> same administrator account has a forward set up to my email address
> (rkokoski@foxdtechllc.com), hence that is how I ultimately get the
> spam.
> Bottom line Lanwench... I'm just trying to figure out how the IP
> address is consistently reappearing on the RBL lists and I'm kind of
> stuck.  This server is also being bombarded with incoming spam mail
> and I am looking at options to have email first "cleaned" to cut down
> on the amount of incoming spam mail that may reach the server for it
> to then have to process in some form.

Sure. I'd check out Postini or MailFoundry or MXLogic.

**************************************

From: RichardK
Date: Fri, 3 Oct 2008 10:28:01 -0700

We are using Trend Micro WFBS Advanced for server and XP workstations.  All are
up to date.  The blacklisting only indicates the IP (151.196.94.114) has been
a source of spam mails and not much else.  Maybe you can see something I
cannot see for that IP.

The dual nic set up is the standard setup I employ.  In this case it's what
I inherited.  Between the external nic and the DSL there is a Netgear FVS318
appliance with limited incoming port openings (443, 4125, 3389, 25) but I
don't see it with much more capability.  I know you mentioned possibly one
of the XP clients opening its own port 25 and sending the spam.  Am I
assuming correctly this can even be done since it would have to go through
the dual nic SBS box?  In my scheme the FVS318 will only know the SBS
external NIC IP address since the XP clients are natted to a completely
different subnet off of the inside LAN nic.  Without the capability of the
FVS318 to limit outbound port traffic the only thing I came across is a step
by step on how to create an AD policy to shut down port 25 to all XP clients
since none of them should be using it.

I appreciate all of your input!!

-Richard K

**************************************

From: "Lanwench [MVP - Exchange]"
Date: Fri, 3 Oct 2008 13:42:57 -0400

Richard K wrote:
> We are using Trend Micro WFBS Advanced for server and XP workstations.

Have you run a full scan recently?

> All are up to date.  The blacklisting only indicates the IP
> (151.196.94.114) has been a source of spam mails and not much else.
> Maybe you can see something I cannot see for that IP.

I just did a lookup on dnsreport.com and it's listed in several places.
>
> The dual nic set up is the standard setup I employ.  In this case
> it's what I inherited.  Between the external nic and the DSL there is
> a Netgear FVS318 appliance with limited incoming port openings (443,
> 4125, 3389, 25) but I don't see it with much more capability.  I
> know you mentioned possibly one of the XP clients opening its own
> port 25 and sending the spam.  Am I assuming correctly this can even
> be done since it would have to go through the dual nic SBS box?

Yes.

>   In
> my scheme the FVS318 will only know the SBS external NIC IP address
> since the XP clients are natted to a completely different subnet off
> of the inside LAN nic.  Without the capability of the FVS318 to limit
> outbound port traffic

I think it can, but I don't know how (haven't used one of those for a
while). I'd get a better firewall appliance that can do this for you. Your
workstations shouldn't need to access the Internet on anything other than 80
or 443 for most purposes.

>  the only thing I came across is a step by step
> on how to create an AD policy to shut down port 25 to all XP clients
> since none of them should be using it.

I wouldn't do it this way.
>
> I appreciate all of your input!!

What about mass mailings? Does this client do a lot?

**************************************

From: RichardK
Date: Fri, 3 Oct 2008 11:32:14 -0700

I am running full scans every night until I get this problem solved.  Hence
the "clean" reports I get every morning.  I know it's listed in several
places with CBL and spamhaus the ones I am really paying attention to.

The ports open are 25, 44, 3389, 4125 for all INCOMING traffic.  I cannot find
anywhere on that appliance to control outbound traffic ports.  I use 3389 to
RDP directly to the server and 4125 for RWW.  I have not applied the GP for
the port 25 shutdown but without the right hardware I'm limited in my options
right now.  This client does not do a lot of mass mailings but indirectly I
think they are doing them with some bot causing the problems.  I just have
not found it yet.

**************************************

Date: Fri, 03 Oct 2008 19:35:35 +0100
From: stephen

Richard K wrote:
> We are using Trend Micro WFBS Advanced for server and XP workstations.  All are
> up to date.  The blacklisting only indicates the IP (151.196.94.114) has been
> a source of spam mails and not much else.  Maybe you can see something I
> cannot see for that IP.

You mentioned that you would like your mail pre-filtered. WFBS Advanced
allows you to set up the Trend Interscan Messaging Hosted Security
service which is a free malware scanning service. You can register for
the service at the Trend site. You basically change your MX to point to
their server and tell them your server's IP. It's a half-decent system,
but my major gripe is that they don't permit messages > 10MB on the
basic, free service and silently discard them (no NDR to sender).


http://cbl.abuseat.org/lookup.cgi?ip=151.196.94.114&.submit=Lookup

says that you are infected with a spam bot. I would change that SBS to a
one nic and block and log port 25 at the firewall from everything bar
SBS. The culprit workstation will soon be revealed from the logged denials.

Failing that, install a network monitoring tool on your server and
examine the internal nic traffic to find the rogue PC. Ethereal or the
Microsoft Network monitor will do the trick.

Also make sure you have recipient filtering in Exchange to stop you
sending backscatter.

Install and run a quick scan of MalwareBytes anti-malware on every
workstation. It will find and fix stuff that Trend doesn't.

--
stephen
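
Stephen's suggestion above (log port-25 connections at the firewall and read the culprit off the denials) can be turned into a small triage script. The code below is an added example, not anything from the thread, from Netgear or from SBS: it assumes a constructed, generic "action proto src -> dst" log format (adjust LINE_RE to your appliance's output) and an assumed internal mail-server address of 10.0.0.2, and it ranks every other internal host that tried to reach TCP/25 by attempt count and by the number of distinct destinations, which is the pattern a spam bot leaves.

```python
"""Rank internal hosts by outbound SMTP attempts seen in firewall logs.

Added example for this thread; the log format, addresses and the mail
server IP are constructed assumptions, not real product output.
"""
import re
from collections import defaultdict

# Constructed log lines. A real appliance's format will differ; change
# LINE_RE so that it captures action, source IP, destination IP and port.
SAMPLE_LOG = """\
Oct 03 19:40:12 fw DENY TCP 10.0.0.23:3456 -> 198.51.100.7:25
Oct 03 19:40:12 fw DENY TCP 10.0.0.23:3457 -> 203.0.113.9:25
Oct 03 19:40:13 fw DENY TCP 10.0.0.23:3458 -> 198.51.100.20:25
Oct 03 19:40:15 fw ALLOW TCP 10.0.0.2:1045 -> 198.51.100.7:25
Oct 03 19:40:16 fw DENY TCP 10.0.0.41:2201 -> 203.0.113.9:25
Oct 03 19:40:17 fw ALLOW TCP 10.0.0.23:3459 -> 198.51.100.7:80
Oct 03 19:40:18 fw DENY TCP 10.0.0.23:3460 -> 203.0.113.50:25
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Assumed internal address of the SBS/Exchange box: the only host that is
# expected to originate SMTP traffic. Adjust to your network.
SBS_IP = "10.0.0.2"


def find_smtp_senders(log_text, mail_server_ip=SBS_IP):
    """Return [(src_ip, attempts, distinct_destinations)] for every host other
    than the mail server that tried to reach TCP/25, busiest first.

    Both ALLOW and DENY lines count: any non-mail-server host speaking SMTP
    is suspect, and many distinct destinations from one host is the
    signature of a bot working through a target list."""
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "25":
            continue
        if m["src"] == mail_server_ip:
            continue  # legitimate: the mail server itself
        attempts[m["src"]] += 1
        destinations[m["src"]].add(m["dst"])
    rows = [(src, attempts[src], len(destinations[src])) for src in attempts]
    rows.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for src, n, d in find_smtp_senders(SAMPLE_LOG):
        print(f"{src}: {n} attempt(s) to TCP/25 against {d} distinct host(s)")
```

On a two-NIC SBS the appliance only ever sees the server's external address, as Stephen notes, so this has to be fed from whatever logs the internal side (the SBS firewall, or a capture on the inside NIC) rather than from the Netgear.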

**************************************

From: RichardK
Date: Fri, 3 Oct 2008 11:59:01 -0700

I know about the TM WFBS service but I have not set it up yet and tested.  I
did not know about the 10MB limit but glad I found that out.  I'm surprised
their default action would not be to just send it on its way vs. reject with
no NDR.

I do see in the netgear appliance where I can block specific outbound ports
based on LAN address.  I am thinking this obviously won't work with the dual
nic since the WAN and LANs are on the separate subnets or can I (10.0.16.x
WAN and 10.0.0.x LAN).  I am thinking if I specify anything in the 10.0.0.x
range the router does not see that address since it's natted.  Out of
curiosity.... I have always seen the preaching of using a dual nic model for
the SBS.  What's with the single nic design "being better"?


Can you please explain more about "Also make sure you have recipient
filtering in Exchange to stop you sending backscatter."  I'm not sure what
you are referring to here.

**************************************

From: "SteveB"
Date: Fri, 3 Oct 2008 12:20:17 -0700

There has always been a debate about dual NICs on SBS. I have always
preferred that along with ISA for my clients, but again others are adamantly
against that configuration. It now becomes a moot point with SBS 2008 (based
on Windows Server 2008) where you can no longer have dual NICs at all.

**************************************

Date: Fri, 03 Oct 2008 20:26:14 +0100
From: Stephen

Richard K wrote:
> I know about the TM WFBS service but I have not set it up yet and tested.  I
> did not know about the 10MB limit but glad I found that out.  I'm surprised
> their default action would not be to just send it on its way vs. reject with
> no NDR.

I complained about that to Trend. It makes it unusable in my book. Shame
really, because it's a decent system for the money! I personally use
MailScanner on an external server to prefilter my mail (and our clients).

>
> I do see in the netgear appliance where I can block specific outbound ports
> based on LAN address.  I am thinking this obviously won't work with the dual
> nic since the WAN and LANs are on the separate subnets or can I (10.0.16.x
> WAN and 10.0.0.x LAN).  I am thinking if I specify anything in the 10.0.0.x
> range the router does not see that address since it's natted.  Out of
> curiosity.... I have always seen the preaching of using a dual nic model for
> the SBS.  What's with the single nic design "being better"?

Yes, I'm not sure if the Netgear does egress filtering. If not, it's not
much of a firewall appliance. If you're handy with Linux or BSD you can
set up your own firewall on an old PC with 2 nics, or install one of the
opensource firewall products on it. Personally, I use OpenBSD pf in
bridge mode to filter my traffic.

The problem with the dual nic setup is that your SBS box is performing
NAT for your workstations so your firewall sees all outbound traffic
with the SBS IP address. You can't therefore block workstations at the
firewall. I'm not all that familiar with the SBS RRAS firewall in the
standard dual nic setup, but you may be able to do something there.

> Can you please explain more about "Also make sure you have recipient
> filtering in Exchange to stop you sending backscatter."  I'm not sure what
> you are referring to here.

If this is not on, then Exchange accepts all mail and then sends an NDR
if the recipient address doesn't exist on your server to the apparent
sender address, which can be forged.  This is backscatter and spammers
can exploit it to get your server to send out spammy NDRs to arbitrary
victim addresses. With recipient filtering on, a message to a non-existent
address is rejected at the SMTP stage so the responsibility for the NDR
lies with the sending server, not yours. There are 2 places to check
this setting in Exchange: properties of message delivery in global
settings and in the SMTP virtual server advanced IP settings.

--
stephen
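
Stephen's explanation of backscatter and recipient filtering, as an added example that is not part of the original post and is not Exchange code: a toy SMTP receiver replays the same spam session twice, once accepting every RCPT TO and bouncing to the envelope sender afterwards (the backscatter path), and once rejecting unknown recipients with 550 at RCPT time so that any bounce is the sending server's problem. Host names, addresses and the recipient directory are constructed; the null-sender (MAIL FROM:<>) case is included because a receiver must never bounce to it.

```python
"""Toy SMTP receiver showing how recipient filtering stops backscatter.

Added example for this thread, not Exchange's behaviour line for line.
The host name, addresses and KNOWN_RECIPIENTS are constructed.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the directory lookup Exchange would do.
KNOWN_RECIPIENTS = {"postmaster@example.invalid", "admin@example.invalid"}

# Constructed spam session: forged envelope sender, one bogus recipient and
# one real one, then a short body.
SPAM_SESSION = [
    "EHLO spam.example.invalid",
    "MAIL FROM:<victim@elsewhere.invalid>",
    "RCPT TO:<nosuchuser@example.invalid>",
    "RCPT TO:<postmaster@example.invalid>",
    "DATA",
    "Subject: Warning",
    "",
    "(spam body)",
    ".",
    "QUIT",
]


@dataclass
class SessionResult:
    transcript: list = field(default_factory=list)     # ("C"|"S", line)
    accepted_rcpts: list = field(default_factory=list)
    ndrs_sent_to: list = field(default_factory=list)   # bounces we would originate


def run_session(client_lines, known=KNOWN_RECIPIENTS, recipient_filtering=False):
    """Replay a client's SMTP commands (one mail transaction) against a
    minimal receiver and report which NDRs this server would generate.

    recipient_filtering=False: every RCPT TO is accepted; unknown recipients
    are only discovered after the message is queued, so an NDR goes to the
    envelope sender, which may be forged. That NDR is backscatter.
    recipient_filtering=True: unknown recipients get 550 at RCPT time, the
    message is never accepted for them, and no NDR is generated here.
    """
    r = SessionResult()
    mail_from = None
    unknown_rcpts = []
    in_data = False

    def server(line):
        r.transcript.append(("S", line))

    server("220 mail.example.invalid ESMTP ready")
    for line in client_lines:
        r.transcript.append(("C", line))
        if in_data:
            if line == ".":            # end of message body
                in_data = False
                server("250 2.6.0 Queued")
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            server("250 mail.example.invalid")
        elif verb == "MAIL":
            mail_from = arg.partition(":")[2].strip().strip("<>")  # "" for <>
            unknown_rcpts.clear()
            server("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>").lower()
            if rcpt in known:
                r.accepted_rcpts.append(rcpt)
                server("250 2.1.5 Recipient OK")
            elif recipient_filtering:
                server("550 5.1.1 User unknown")   # rejected in-session
            else:
                r.accepted_rcpts.append(rcpt)
                unknown_rcpts.append(rcpt)         # accepted, bounced later
                server("250 2.1.5 Recipient OK")
        elif verb == "DATA":
            in_data = True
            server("354 Start mail input; end with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            server("221 Bye")
        else:
            server("500 Command not recognized")

    # Post-queue delivery: accepted-but-unknown recipients can only be
    # reported by bouncing to the envelope sender. A null sender is never
    # bounced to, which is the one case where no backscatter can arise.
    if unknown_rcpts and mail_from:
        r.ndrs_sent_to.append(mail_from)
    return r


if __name__ == "__main__":
    for filtering in (False, True):
        res = run_session(SPAM_SESSION, recipient_filtering=filtering)
        print(f"--- recipient_filtering={filtering}")
        for side, line in res.transcript:
            print(f"{side}: {line}")
        print("NDRs this server would send:", res.ndrs_sent_to)
```

Run it and compare the two transcripts: the only visible difference in-session is one 550 reply, but the forged address at elsewhere.invalid receives a bounce only in the first run, which is exactly the traffic that gets a server's IP onto CBL-style lists.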

**************************************

From: "Lanwench [MVP - Exchange]"
Date: Fri, 3 Oct 2008 15:21:58 -0400

Richard K  wrote:
> I know about the TM WFBS service but I have not set it up yet and
> tested.  I did not know about the 10MB limit but glad I found that
> out.  I'm surprised their default action would not be to just send it
> on its way vs. reject with no NDR.

Yep - agreed. I hadn't known that either. I would check out MailFoundry. If
you have fewer than 10 addresses, they won't charge for their hosted
service.
>
> I do see in the netgear appliance where I can block specific outbound
> ports based on LAN address.

You need to block all, allow some.

>  I am thinking this obviously won't work
> with the dual nic since the WAN and LANs are on the separate subnets
> or can I (10.0.16.x WAN and 10.0.0.x LAN).  I am thinking if I
> specify anything in the 10.0.0.x range the router does not see that
> address since it's natted.  Out of curiosity.... I have always seen
> the preaching of using a dual nic model for the SBS.  What's with the
> single nic design "being better"?

Outside of SBSland a multihomed DC is a real no-no. It isn't giving you much
in the way of security, and is making life more complex. It isn't even
supported in SBS2008, to the best of my knowledge.
>
>
> Can you please explain more about "Also make sure you have recipient
> filtering in Exchange to stop you sending backscatter."  I'm not sure
> what you are referring to here.

Enable recipient filtering in Exchange System Manager - filter on recipients
not in the directory, etc.

http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html


**************************************

From: "Gregg Hill"
Date: Sat, 4 Oct 2008 00:55:27 -0700

Richard,

Search MS knowledge base for "reverse ndr" attack, make sure you are
protected, including tarpitting, then read on.

Others have recommended blocking port 25 from workstations, and you already
have the tool for it...the WFBS client firewall.

Create a new group on the Security Settings tab (do NOT import settings),
call it Firewalled Workstations, enable the client firewall in advanced
mode, set it to High so inbound/outbound traffic is blocked except for the
exception list, then delete the exception for the SMTP port. Enable the
error message pop-up, add exceptions for normal network traffic (mine popped
errors and required exceptions for port 123 for the time service; 161 and
427 to a networked HP Laserjet 3055; 135 to my SBS; and oddly enough, port
137 that is already on the exception list; port 1025; ICMP protocol). I got
tired of seeing the popup while typing this message, so I just exempted the
range from 1000 to 65535. Yes, it's overkill, but I was just testing it to
see if it would suit your needs.

To test it, go to a workstation and use Telnet on port 25 to an outside mail
server, for example, "telnet mail.microsoft.com 25" (but preferably to one
you control). You should get the server's mail greeting. Type "quit" to kill
the telnet session, then move that workstation into the new Firewalled
Workstations group. It only takes about a minute or two for the workstation
to get the new settings. Retest with Telnet, and it should fail.

Now look at the reports on the server...oops, I cannot find firewall reports
on the server...but they are on the workstations. Move all the workstations
into that new group, then sit back and wait for someone to start yelling
that a firewall pop-up keeps showing. OK, not really, do this after hours.

Look for any popups related to port 25 (when mail clients are closed, in
case any users have POP accounts that send on port 25).

Gregg Hill


Published Sat, Oct 11 2008 15:39 by OBTS