tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1
reply to workablob

Re: Exchange Server Hacked

create a firewall rule to block the email port from all LAN computers

create another firewall rule to allow your exchange server to send on the email port

i don't know if your server was compromised from the LAN or the WAN, but i think those rules are best practice.



craig70130
Premium
join:2004-04-27
New Orleans, LA

If the messages are showing in the Outbound queue, the server itself is doing the sending, so the firewall rule won't help in this case, but it's a good thing to do.

I would suspect malware on a PC causing the problems assuming you truly aren't an open relay.


tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1

gotcha, good point.

all he would need to do is block port 25, correct? a compromised computer wouldn't try to send using a secure port(s), would it?



craig70130
Premium
join:2004-04-27
New Orleans, LA

The point being that a compromised computer may be sending crap via the Exchange server. Since the user is authenticated, the server is accepting the message.



workablob

join:2004-06-09
Houston, TX
kudos:2
reply to tomdlgns

The Connected Sessions were all from outside as the IPs were all Internet Routable.

Thanks,

Blob
--
I may have been born yesterday. But it wasn't at night.


tomdlgns
Premium
join:2003-03-21
Chicago, IL
kudos:1

can you lookup the IPs to see who they belong to? is it a block? i'd start by blocking access to those IPs in your firewall if you still see this happening in the next few days.
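Triage of the "connected session" source addresses that the thread talks about, written as an added example (not code from any poster or from Exchange): it separates LAN sources from Internet-routable ones and collapses the routable ones into candidate firewall block ranges. The address list is constructed for the example, with RFC 5737 documentation ranges standing in for routable addresses; the LAN definition (RFC 1918 plus loopback and link-local) and the `/24` grouping threshold are assumptions you would adjust to your own network.

```python
# Added example: triage SMTP session source IPs before writing firewall rules.
# Not from the thread or from Exchange; all input data below is constructed.
import ipaddress

# Constructed sample of session source addresses (documentation ranges, not real hosts).
SESSION_IPS = [
    "192.168.1.25", "192.168.1.25", "10.0.0.7",          # LAN clients
    "203.0.113.10", "203.0.113.11", "203.0.113.12",      # several hosts in one /24
    "203.0.113.40", "203.0.113.12",
    "198.51.100.77",                                     # lone external host
]

# Assumption: "LAN" means RFC 1918 space plus loopback and link-local.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def is_lan(addr):
    """True when the address falls inside one of the LAN_NETWORKS ranges."""
    return any(addr in net for net in LAN_NETWORKS)


def split_sources(ips):
    """Return (lan, external) as sorted lists of unique addresses."""
    lan, external = set(), set()
    for raw in ips:
        addr = ipaddress.ip_address(raw.strip())
        (lan if is_lan(addr) else external).add(addr)
    return sorted(lan), sorted(external)


def propose_blocks(external, min_hosts=3):
    """Group external hosts by /24. A /24 holding at least min_hosts distinct
    sources is proposed as one block; anything smaller is proposed host by host.
    Returns CIDR strings suitable for a deny rule."""
    by_net = {}
    for addr in external:
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        by_net.setdefault(net, set()).add(addr)
    blocks = []
    for net, hosts in sorted(by_net.items()):
        if len(hosts) >= min_hosts:
            blocks.append(str(net))
        else:
            blocks.extend(f"{h}/32" for h in sorted(hosts))
    return blocks


def triage(ips, min_hosts=3):
    """Full pass: classify sources and produce block candidates."""
    lan, external = split_sources(ips)
    return {
        "lan": [str(a) for a in lan],
        "external": [str(a) for a in external],
        "blocks": propose_blocks(external, min_hosts),
    }


if __name__ == "__main__":
    result = triage(SESSION_IPS)
    print("LAN sources      :", ", ".join(result["lan"]))
    print("External sources :", ", ".join(result["external"]))
    print("Block candidates :", ", ".join(result["blocks"]))
```

The block candidates are only a starting point: a `/24` that one spammer happens to use can also contain legitimate senders, so check who owns the range (whois) before adding a deny rule, as the post suggests.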



workablob

join:2004-06-09
Houston, TX
kudos:2

They have not returned since I unchecked 'Allow all computers that successfully authenticate...'.

If I see them again I sure will.

Blob
--
I may have been born yesterday. But it wasn't at night.



urbanriot
Premium
join:2004-10-18
Canada
kudos:3
reply to workablob

said by workablob:

I discovered my outbound queue had 50K messages.

I have been through the Open-Relay hardening process already and am running on port 587 with Comcast SMTP as a smart host.

Yea, that's the most common experience I have with growing sites that haven't appropriately locked down their server yet went for years and years without issue.

said by workablob:

The Connected Sessions were all from outside as the IPs were all Internet Routable.

Make sure these aren't bounceback messages! Your issue could still be internal...
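One way to check the point made above, as an added example that is not part of the thread and not Exchange code: if a large share of what sits in the outbound queue is bounce-back (backscatter) mail, the queue is not evidence of external relaying but of messages that left earlier with your domain as the sender, which points back inside the LAN. The queue entries, the bounce heuristics (null sender, postmaster or mailer-daemon sender, NDR-style subject) and the 50% threshold are all constructed assumptions for the example.

```python
# Added example: tell backscatter (NDRs for mail you never meant to send) apart
# from outbound relay traffic in a queue listing. Not from the thread; data is constructed.
import re

# Constructed queue sample: sender, recipient, subject per entry.
QUEUE_SAMPLE = [
    {"sender": "<>", "recipient": "user1@example.net",
     "subject": "Undeliverable: Special offer"},
    {"sender": "postmaster@example.com", "recipient": "bob@example.org",
     "subject": "Delivery Status Notification (Failure)"},
    {"sender": "MAILER-DAEMON@isp.example", "recipient": "carol@example.com",
     "subject": "Returned mail: see transcript for details"},
    {"sender": "alice@example.com", "recipient": "dave@example.org",
     "subject": "Quarterly report"},
]

# Assumed heuristics for recognising a bounce/NDR.
BOUNCE_LOCALPARTS = {"postmaster", "mailer-daemon"}
BOUNCE_SUBJECT = re.compile(
    r"^(undeliverable|delivery status notification|returned mail|mail delivery failed)",
    re.IGNORECASE,
)


def is_bounce(entry):
    """True when the entry looks like an NDR rather than an original outbound message."""
    sender = entry.get("sender", "").strip()
    if sender in ("", "<>"):            # null reverse-path: classic NDR envelope sender
        return True
    localpart = sender.split("@", 1)[0].lower()
    if localpart in BOUNCE_LOCALPARTS:
        return True
    return bool(BOUNCE_SUBJECT.match(entry.get("subject", "")))


def summarize_queue(entries, backscatter_ratio=0.5):
    """Count bounces vs. originals and give a verdict on where to look next."""
    bounces = sum(1 for e in entries if is_bounce(e))
    total = len(entries)
    ratio = bounces / total if total else 0.0
    if total and ratio >= backscatter_ratio:
        verdict = "backscatter: originals already left (spoofed domain or an internal host); look inside the LAN"
    else:
        verdict = "outbound originals dominate; external sessions or an authenticated account are the likely source"
    return {"total": total, "bounces": bounces, "outbound": total - bounces,
            "bounce_ratio": round(ratio, 2), "verdict": verdict}


if __name__ == "__main__":
    for key, value in summarize_queue(QUEUE_SAMPLE).items():
        print(f"{key:13}: {value}")
```

Run over a real queue export the heuristics will miss some NDR formats and flag a few legitimate postmaster mails, so treat the ratio as a pointer to which side of the firewall to investigate, not as proof.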


workablob

join:2004-06-09
Houston, TX
kudos:2

I've been monitoring the queues and they have not reconnected and the outbound queue is normal.

Thank you for the advice my friend

I can use all I can get.

Blob
--
I may have been born yesterday. But it wasn't at night.