Re: Exchange Server Hacked

tomdlgns (Premium Member, join:2003-03-21) to workablob:

Create a firewall rule to block the email port from all LAN computers.

Create another firewall rule to allow your Exchange server to send on the email port.

I don't know if your server was compromised from the LAN or the WAN, but I think those rules are best practice.

craig70130 (Premium Member, join:2004-04-27, New Orleans, LA):
If the messages are showing in the Outbound queue, the server itself is doing the sending so the firewall rule won't help in this case but it's a good thing to do.

I would suspect malware on a PC causing the problems assuming you truly aren't an open relay.
tomdlgns (Premium Member, join:2003-03-21):
Gotcha, good point.

All he would need to do is block port 25, correct? A compromised computer wouldn't try to send using a secure port(s), would it?

craig70130 (Premium Member, join:2004-04-27, New Orleans, LA):
The point being that a compromised computer may be sending crap via the Exchange server. Since the user is authenticated, the server is accepting the message.

workablob (Member, join:2004-06-09, Houston, TX) to tomdlgns:
The Connected Sessions were all from outside as the IPs were all Internet Routable.

Thanks,

Blob
tomdlgns (Premium Member, join:2003-03-21):
Can you look up the IPs to see who they belong to? Is it a block? I'd start by blocking access to those IPs in your firewall if you still see this happening in the next few days.

workablob (Member, join:2004-06-09, Houston, TX):
They have not returned since I unchecked 'Allow all computers that successfully authenticate...'.

If I see them again I sure will.

Blob

urbanriot (Premium Member, join:2004-10-18, Canada) to workablob:
said by workablob:

I discovered my outbound queue had 50K messages.

I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.

Yea, that's the most common experience I have with growing sites that haven't appropriately locked down their server yet went for years and years without issue.
said by workablob:

The Connected Sessions were all from outside as the IPs were all Internet Routable.

Make sure these aren't bounceback messages! Your issue could still be internal...
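An added triage helper, not code from the thread or from Exchange, that applies the two checks raised above to SMTP session records: it separates LAN sources from Internet-routable ones and flags null-sender/MAILER-DAEMON traffic so backscatter isn't mistaken for relay abuse. The record layout (client IP, authenticated flag, MAIL FROM) and all addresses are constructed for the example.

```python
import ipaddress
from collections import Counter

# Networks treated as "inside" (RFC 1918 plus loopback); anything else counts as Internet-routable.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample session records (not from the thread):
# (client IP, authenticated?, MAIL FROM reverse-path as logged)
SESSIONS = [
    ("10.0.0.15", True, "blob@example.com"),        # normal LAN user
    ("203.0.113.40", True, "promo@example.net"),    # outside host relaying with a valid login
    ("203.0.113.40", True, "promo@example.net"),
    ("198.51.100.7", True, "promo@example.net"),
    ("198.51.100.22", False, "<>"),                 # null sender: a bounce coming back to us
    ("198.51.100.22", False, "MAILER-DAEMON@example.org"),
    ("192.168.1.20", False, "<>"),                  # bounce generated inside the LAN
]

def is_lan_address(ip):
    """True if ip falls in one of LAN_NETWORKS (an IPv6 client never matches these IPv4 ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)

def is_bounce(mail_from):
    """Delivery status notifications use the null reverse-path '<>' or a MAILER-DAEMON sender."""
    s = mail_from.strip()
    return s in ("<>", "") or s.lower().startswith("mailer-daemon")

def triage(sessions):
    """Count sessions per source IP in the buckets the thread distinguishes."""
    report = {"external_auth": Counter(), "external_inbound": Counter(),
              "lan": Counter(), "bounce": Counter()}
    for ip, authed, mail_from in sessions:
        if is_bounce(mail_from):
            report["bounce"][ip] += 1
        elif is_lan_address(ip):
            report["lan"][ip] += 1
        elif authed:
            report["external_auth"][ip] += 1   # the 'allow all authenticated computers' relay path
        else:
            report["external_inbound"][ip] += 1
    return report

def verdict(report):
    """Summarise what the counts point to, following the thread's reasoning."""
    if report["external_auth"]:
        return "external authenticated sessions: disable relay for all authenticated computers"
    if report["lan"]:
        return "LAN source: suspect malware on that PC"
    if report["bounce"]:
        return "bounces only: backscatter, the original cause may still be internal"
    return "nothing suspicious"
```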

workablob (Member, join:2004-06-09, Houston, TX):

I've been monitoring the queues and they have not reconnected and the outbound queue is normal.

Thank you for the advice, my friend.

I can use all I can get.

Blob