Exchange 2003 SMTP Queue filling with thousands of spam emails even when not on netwo
#1
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
I run Symantec Antivirus on it, I have just installed a trial version of Symantec Antivirus for Microsoft Exchange and another malware scanning app that I can't remember the name of right now. They have all come up with nothing on full scans. I am having to constantly use the aqadmcli delmsg flags=all tool to empty the SMTP queues, but I think the mail is generating at least as fast as the tool deletes it. About half of the messages when I check them in the queue are from postmaster@domainname.co.uk, which points towards an NDR attack, but I am sure that I have switched off NDRs. The messages are mainly going to msa.hinet.net, yahoo.com.tw, etc. So to recap: no relaying, tarpit set up (registry entry checked), recipient filtering set up, up-to-date antivirus, but the SMTP queue is filling rapidly with spam even when unplugged from the network. Please help, I am going out of my mind here and have been working till 4am for the last couple of days trying to sort this out!!!
#2
Fixed Error!
Posts: 4,202
Join Date: Mar 2007
Rep Power: 6
ESM is notorious for not showing the true extent of the queues. A spammer will usually drop and run, and they will drop many thousands of messages in a single hit. Exchange ESM cannot show you all of those messages in one go, so it looks like they continue to appear even with the machine disconnected. Spam doesn't generate on its own. The spammer is usually created elsewhere and is simply sent through the compromised machine. To get something on to the machine, the server would have to be totally compromised, and the level of compromise depends on how the server was exposed to the internet.

As for the eml messages that you may see with old dates, if the server has been abused before what can often happen is that something else gets hold of the messages and stops Exchange from flushing them out. AV is the common culprit. I have also seen Exchange do odd things when it is under a very heavy load and you may have seen some signs of that. As I wrote in my article, you usually have to repeat the process for cleaning the queues a number of times; my record is 15 over a six hour period. Only once you can leave the server for a couple of hours disconnected from the internet with clean queues do you know that the server is clean.

I doubt if the source of the messages is a machine on your network. A spammer isn't interested in finding a server to bounce the messages through. If a machine on your network has been compromised your Exchange server wouldn't know about it, as the messages would be going straight out. Think about it for a moment: the spammer has to (a) compromise the machine, (b) find the Exchange server, (c) create the messages in MAPI, not SMTP, to get Exchange to process the messages. Alternatively, the spammer just installs an SMTP engine on the machine and sends the spam out. I think I know which one is most likely.

Have you worked out how the email messages got on to your server? If they are postmaster@ messages then it is NDR spam; if not, then it was most likely either an open relay or an authenticated relay. If it was authenticated relay you need to change your administrator password. Don't bother with any other accounts, as the administrator account is the only target for this type of attack (unless a user has been very stupid with their username and password). However, you may want to force all users to change their passwords or call in for a new password as a lesson for anyone who might be tempted to hand out their password to anyone else.
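Both posts turn on two triage questions: are the queued messages NDR backscatter (postmaster@ or empty sender) or relayed spam, and is the backlog actually still growing after the server was unplugged, or is ESM just showing an old pile a few thousand at a time. The script below is an added example, not code from this thread or from Exchange; it applies the reply's own rule (postmaster@ or empty sender means NDR spam) to a handful of constructed .eml texts standing in for files exported from the queue, tallies the recipient domains, and compares each message's Date header against the time the cable was pulled. The message texts, the domain names and the disconnect time are all made up for the example.

```python
"""Triage a dump of queued SMTP messages: NDR backscatter vs relayed spam,
top recipient domains, and whether anything was created after disconnect.
Added example with constructed data, not code from the original thread."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parseaddr, parsedate_to_datetime

# Constructed stand-ins for .eml files pulled out of the SMTP queue directory.
SAMPLE_QUEUE = [
    "From: postmaster@example.co.uk\nTo: user1@yahoo.com.tw\n"
    "Date: Mon, 02 Apr 2007 01:10:00 +0100\nSubject: Undeliverable: hello\n\n"
    "Your message did not reach some or all of the intended recipients.\n",
    "From: postmaster@example.co.uk\nTo: user2@msa.hinet.net\n"
    "Date: Mon, 02 Apr 2007 01:15:00 +0100\nSubject: Undeliverable: offer\n\n"
    "Your message did not reach some or all of the intended recipients.\n",
    "From: <>\nTo: user3@yahoo.com.tw\n"               # null sender, bounce style
    "Date: Mon, 02 Apr 2007 01:20:00 +0100\nSubject: Delivery failure\n\n"
    "Bounce body.\n",
    'From: "Cheap Meds" <promo@example.net>\nTo: user4@yahoo.com.tw\n'
    "Date: Mon, 02 Apr 2007 02:05:00 +0100\nSubject: special prices\n\n"
    "Spam body.\n",
    "From: promo@example.net\nTo: user5@example.org\n"
    "Date: Mon, 02 Apr 2007 02:40:00 +0100\nSubject: special prices\n\n"
    "Spam body.\n",
]

# Constructed: the moment the server was unplugged from the network.
DISCONNECTED_AT = datetime(2007, 4, 2, 3, 0, tzinfo=timezone(timedelta(hours=1)))

NDR_SENDERS = ("postmaster@", "mailer-daemon@")


def classify(raw: str) -> str:
    """'ndr' for bounce-style senders (the reply's postmaster@ rule, plus the
    null sender that real bounces carry), 'relayed' for everything else."""
    sender = parseaddr(message_from_string(raw).get("From", ""))[1].lower()
    if sender == "" or sender.startswith(NDR_SENDERS):
        return "ndr"
    return "relayed"


def recipient_domains(raw: str) -> list:
    """Domains from To/Cc, so the pattern (msa.hinet.net, yahoo.com.tw, ...)
    can be counted instead of eyeballed in ESM."""
    msg = message_from_string(raw)
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr]


def triage(messages, disconnected_at: datetime) -> dict:
    """Summarise a queue dump; created_after_disconnect > 0 would mean the
    box itself is still producing mail, 0 means ESM is showing old backlog."""
    counts, domains = Counter(), Counter()
    newest, after_disconnect = None, 0
    for raw in messages:
        counts[classify(raw)] += 1
        domains.update(recipient_domains(raw))
        date_hdr = message_from_string(raw).get("Date")
        if date_hdr:
            when = parsedate_to_datetime(date_hdr)
            newest = when if newest is None or when > newest else newest
            if when > disconnected_at:
                after_disconnect += 1
    return {
        "counts": dict(counts),
        "top_domains": domains.most_common(3),
        "newest": newest,
        "created_after_disconnect": after_disconnect,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_QUEUE, DISCONNECTED_AT)
    print("by type:", report["counts"])
    print("top recipient domains:", report["top_domains"])
    print("newest message:", report["newest"])
    print("created after disconnect:", report["created_after_disconnect"])
```

With the constructed sample the split is 3 NDR to 2 relayed, yahoo.com.tw is the top destination, and nothing was created after the disconnect time, which is the backlog case the reply describes. On a real dump, a mix like this points at both problems at once: backscatter to turn off at the server, and a relay path (open or authenticated) to close and follow up with the administrator password change the reply recommends.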