Help, I've been hijacked! :-(
    Help, I've been hijacked! :-(  
Bill Seymour


09-23-04 02:27 AM

I'm running the POP3/SMTP package that comes with Windows 2003 Server.  I've
got it set up with about ten or twenty user accounts in three different
domains.  Authentication is done with the encrypted password file method.
The SMTP server is configured to allow relay for authenticated users only.
I installed a server level virus package this weekend and noticed today that
the system was pulled to its knees by something (quad Xeon P3s with a bit
more than a gig of ram).  On checking, I find that there are something like
26,000 messages queued up for transmit and my System logfile is full.  I'm
thinking the bogged down portion of my problem is just the virus scanner
doing its job of checking all these messages for viruses.  The fact that
there are so many messages to check, however, is a different problem.
Anyone have ideas on how I was hijacked to relay all this SPAM?  And, more
importantly, how to fix it?  For now, I've just disconnected the router, but
that makes it a little tough for legitimate users to do their thing...
(When I just shut the SMTP and POP3 services down, I was still seeing way
too many incoming message requests on my sniffer.)

Bill










    Re: Help, I've been hijacked! :-(  
Ken Schaefer




 
09-23-04 02:27 AM

a) Allowing authenticated users to relay means that someone can attempt to
guess a password - are you sure all your users have "good" passwords?

b) Are you sure the spam is 3rd party spam (ie it's not spam addressed to
one of your users - I would doubt that if it was 28,000 messages...)

c) What do you mean "hijacked"? Do you mean that someone compromised your
server and changed the settings to allow 3rd party relay?

d) In IIS Manager, right-click on "default SMTP virtual server". On the
"Access" tab click the "Relay" button. What do you have listed in the
"computer" section? And is the radio button set to "Only the list below" or
"All except the list below"?

Cheers
Ken










    Re: Help, I've been hijacked! :-(  
Peter Karsai




 
09-23-04 02:27 AM

Hello Bill,

Make sure that you do not have the Guest account enabled (see
www.vamsoft.com/orf/authattack.asp).

Peter










    Re: Help, I've been hijacked! :-(  
Bill Seymour




 
09-23-04 02:27 AM

Thanks for the response Ken.

a) All the users have reasonably good passwords, i.e., ones that won't be
found with a simple dictionary lookup scheme.  I don't know that all users
are using unique passwords on my system though, and it'd be feasible for
someone to have been careless with their password elsewhere.

b) It's all (or at least the messages I went through) 3rd party SPAM.  Sent
from some server in Korea, routed to email users who read one of the Asian
languages (I can't read it, and don't easily recognize the difference between
Chinese, Korean or Japanese text).

c) I don't know if someone has compromised my server, or if I missed a step
when setting it up originally...  I'd guess the second choice is more
likely. :-(

d)  Nothing is listed in the computer section.  Radio button is set to 'All
except the list below'.  'Allow all computers which successfully
authenticate to relay' box is checked.

Here's an example header (filename is NTFS_ffdb994a01c49d4b0000942b.EML
(7.20 KB).msg.msg):
From: <aalou@고객님>
To: <aalou@weppy.com>
Subject:  aalou 고객님...제24회 금산인삼축제기념 설문 이벤트~~@
[Korean: "Dear customer aalou... 24th Geumsan Ginseng Festival commemorative survey event"]
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="----=_NextPart_000_00F6_CA6F584E.59CA2DE7"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: bbbb@65.183.221.249
Message-ID: <SERVERNEVJpjc0D543T0000238a@server>
X-OriginalArrivalTime: 18 Sep 2004 06:52:01.0421 (UTC) FILETIME=[FFE03BD0:01C49D4B]
Date: 17 Sep 2004 23:52:01 -0700

Is there a way I can check to see how message got through to my system?  I'm
assuming it was authenticated, and therefore there should be some way to
tell me which user's info was used...

Best regards,
Bill Seymour







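Bill asks how to tell which credentials a relayed message used, and Ken's first question is whether someone has been guessing passwords. Both can be answered from the SMTP service's own W3C extended log (logging is switched on in the virtual server's properties in IIS Manager). The script below is an added example, not code from the thread or from Microsoft. It reads the #Fields header so the column order follows whatever the log was configured with. The log lines are constructed; they assume that cs-username is filled in once a client has authenticated, that the SMTP verb sits in cs-method, the argument in cs-uri-query and the reply code in sc-status, which should be checked against a real log before the numbers are trusted.

```python
"""Tally relayed recipients and failed logins from an IIS 6 SMTP W3C log.
Added example; the log lines below are constructed, not taken from the thread."""
from collections import Counter

# Constructed sample.  203.0.113.7 relays without logging in (open relay),
# jsmith relays after AUTH, and 198.51.100.9 fails AUTH three times.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2004-09-18 06:51:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
2004-09-18 06:51:58 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 EHLO - +spamhost 250 0 46 12 0
2004-09-18 06:51:58 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 MAIL - +FROM:<bbbb@203.0.113.7> 250 0 38 29 0
2004-09-18 06:51:59 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 RCPT - +TO:<victim1@other.example> 250 0 39 31 0
2004-09-18 06:51:59 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 RCPT - +TO:<victim2@other.example> 250 0 39 31 0
2004-09-18 06:51:59 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 RCPT - +TO:<aalou@weppy.com> 250 0 33 25 0
2004-09-18 06:52:00 203.0.113.7 - SMTPSVC1 SERVER 192.0.2.10 25 DATA - <SERVER0001@server> 250 0 120 7200 0
2004-09-18 07:10:02 198.51.100.4 - SMTPSVC1 SERVER 192.0.2.10 25 AUTH - LOGIN 334 0 18 10 0
2004-09-18 07:10:03 198.51.100.4 jsmith SMTPSVC1 SERVER 192.0.2.10 25 AUTH - - 235 0 31 20 0
2004-09-18 07:10:04 198.51.100.4 jsmith SMTPSVC1 SERVER 192.0.2.10 25 RCPT - +TO:<friend@other.example> 250 0 39 31 0
2004-09-18 07:30:10 198.51.100.9 - SMTPSVC1 SERVER 192.0.2.10 25 AUTH - LOGIN 535 0 27 20 0
2004-09-18 07:30:11 198.51.100.9 - SMTPSVC1 SERVER 192.0.2.10 25 AUTH - LOGIN 535 0 27 20 0
2004-09-18 07:30:12 198.51.100.9 - SMTPSVC1 SERVER 192.0.2.10 25 AUTH - LOGIN 535 0 27 20 0
2004-09-18 07:30:13 198.51.100.9 - SMTPSVC1 SERVER 192.0.2.10 25 RCPT - +TO:<victim3@other.example> 550 0 52 31 0
"""


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):      # skip lines from a different field layout
                records.append(dict(zip(fields, parts)))
    return records


def rcpt_domain(query):
    """Domain part of a logged RCPT argument such as '+TO:<user@host>'."""
    addr = query.lstrip("+")
    if addr.upper().startswith("TO:"):
        addr = addr[3:]
    return addr.strip("<>").rpartition("@")[2].lower()


def relay_report(records, local_domains):
    """Accepted foreign recipients per authenticated user, per anonymous client IP,
    and failed AUTH attempts per client IP."""
    relayed_by_user = Counter()
    relayed_anon_by_ip = Counter()
    auth_failures_by_ip = Counter()
    for r in records:
        ip, user = r["c-ip"], r["cs-username"]
        method, status = r["cs-method"].upper(), r["sc-status"]
        if method == "AUTH" and status == "535":
            auth_failures_by_ip[ip] += 1
        elif method == "RCPT" and status == "250":
            if rcpt_domain(r["cs-uri-query"]) not in local_domains:
                if user == "-":
                    relayed_anon_by_ip[ip] += 1      # relay with no login at all
                else:
                    relayed_by_user[user] += 1       # relay under this account
    return relayed_by_user, relayed_anon_by_ip, auth_failures_by_ip


if __name__ == "__main__":
    by_user, anon, fails = relay_report(parse_w3c(SAMPLE_LOG), {"weppy.com"})
    print("relayed by account:", dict(by_user))
    print("relayed anonymously by IP:", dict(anon))
    print("failed AUTH by IP:", dict(fails))
```

A non-empty anonymous count is the open-relay signature; a large count under one account points at a leaked or guessed password for that user, and a run of 535s from one address is the guessing itself.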



    Re: Help, I've been hijacked! :-(  
Bill Seymour




 
09-23-04 02:27 AM

Hi Peter, there is a Guest account (as expected) and it is disabled (also as
expected).  Should I delete it entirely, or is having the guest account
disabled not enough by itself?

Bill










    Re: Help, I've been hijacked! :-(  
Bill Seymour




 
09-23-04 02:27 AM

OK, I changed that checkbox and I don't seem to be getting new messages into
the queue, but then they might have been coming in bursts, so I won't know
for sure for a day or so.  The problem is that now the legitimate users also
can't send or receive email.  Perhaps the authentication process is set
wrong...

Bill

"m.marien" <mm AT RiverCityCanada DOT com> wrote in message
news:10kuuomacsc9l44@corp.supernews.com...
>
> That lets everybody relay. It doesn't matter if they authenticate or not.
> I think you want to change this to:
>
> Only the list below
>
> This will stop all relaying. The exception then is if they can
> authenticate, then they can relay. You might also want to make sure the
> Anonymous access is unchecked.










    Re: Help, I've been hijacked! :-(  
Ken Schaefer




 
09-23-04 02:27 AM

The guest account should be disabled, and in any case it's not the source of
your spam.

Cheers
Ken










    Re: Help, I've been hijacked! :-(  
Ken Schaefer




 
09-23-04 02:27 AM


"Bill Seymour" <billsey@dsl-only.net> wrote in message
news:OGQEVI1nEHA.2684@TK2MSFTNGP11.phx.gbl...

> d)  Nothing is listed in the computer section.  Radio button is set to
> 'All except the list below'.  'Allow all computers which successfully
> authenticate to relay' box is checked.

This is the reason you are getting the spam. You are allowing anyone to
relay through your server.

Change the checkbox to "only the list below". Add any trusted IP addresses
(eg IP subnets on your internal LAN)

Cheers
Ken







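The relay dialog Ken is describing has three controls, and the combination Bill reported ("All except the list below", nothing listed, authenticated relay ticked) lets every host on the internet relay, because an empty exception list excludes nobody. The model below is an added example, my code rather than anything from the thread or from Microsoft: it encodes the dialog's rules and runs a scripted SMTP session against both Bill's setting and Ken's fix. The banner, the 550 wording, the hostnames, the 192.168.1.0/24 trusted LAN and the addresses are assumed; IIS's actual reply text may differ slightly.

```python
"""Model of the IIS 6 SMTP relay-restriction dialog, with a scripted SMTP
session run against it.  Added example, not code from the thread or from
Microsoft; reply texts, hostnames and addresses are assumed."""
import ipaddress
from dataclasses import dataclass

BANNER = "220 mail.example.com ESMTP"                 # assumed hostname
RELAY_DENIED = "550 5.7.1 Unable to relay for {}"      # approximates IIS's wording


@dataclass
class RelayPolicy:
    """The three controls under SMTP virtual server > Access > Relay."""
    only_list_below: bool      # radio: True = "Only the list below",
                               #        False = "All except the list below"
    computers: tuple           # entries in the "Computers" list (IPs or CIDR)
    allow_authenticated: bool  # "Allow all computers which successfully
                               #  authenticate to relay"

    def may_relay(self, client_ip: str, authenticated: bool) -> bool:
        if self.allow_authenticated and authenticated:
            return True
        ip = ipaddress.ip_address(client_ip)
        listed = any(ip in ipaddress.ip_network(c, strict=False)
                     for c in self.computers)
        # "All except the list below" with an empty list matches every
        # client on the internet: that is the open relay in the thread.
        return listed if self.only_list_below else not listed


# What Bill reported: "All except the list below", nothing listed, box ticked.
BILLS_POLICY = RelayPolicy(only_list_below=False, computers=(),
                           allow_authenticated=True)
# Ken's fix: "Only the list below" plus a trusted LAN (assumed 192.168.1.0/24).
FIXED_POLICY = RelayPolicy(only_list_below=True, computers=("192.168.1.0/24",),
                           allow_authenticated=True)


def smtp_session(policy, client_ip, local_domains, commands, authenticated=False):
    """Drive a scripted client session through the relay decision and return
    the server's reply lines.  Only the verbs needed to show the relay check
    are modelled; AUTH itself is not (whether the client authenticated is an
    input), so a real server has more states than this."""
    replies = [BANNER]
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            replies.append("250 mail.example.com Hello")
        elif verb == "MAIL":
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip("<> ")
            domain = addr.rpartition("@")[2].lower()
            # Local domains are always accepted; anything else is a relay
            # and goes through the dialog's rules.
            if domain in local_domains or policy.may_relay(client_ip, authenticated):
                replies.append("250 2.1.5 " + addr)
            else:
                replies.append(RELAY_DENIED.format(addr))
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies


def stranger_may_relay(policy, client_ip, authenticated=False):
    """True if this client gets a 250 on RCPT TO for a foreign domain."""
    script = ["EHLO spamhost", "MAIL FROM:<anyone@elsewhere.example>",
              "RCPT TO:<victim@other-domain.example>", "QUIT"]
    replies = smtp_session(policy, client_ip, {"weppy.com"}, script, authenticated)
    return replies[3].startswith("250")


if __name__ == "__main__":
    for name, pol in (("Bill's setting", BILLS_POLICY), ("Ken's fix", FIXED_POLICY)):
        print(f"{name}: unauthenticated 203.0.113.7 may relay ->",
              stranger_may_relay(pol, "203.0.113.7"))
    for reply in smtp_session(FIXED_POLICY, "203.0.113.7", {"weppy.com"},
                              ["EHLO spamhost", "MAIL FROM:<x@y.example>",
                               "RCPT TO:<victim@other-domain.example>", "QUIT"]):
        print("S:", reply)
```

The same four-line script, typed by hand into a telnet session on port 25 from an outside address, is the quickest check after changing the dialog: a 250 on the foreign RCPT TO means the server is still an open relay, a 550 means the relay rule now applies. Note that local domains are still accepted either way; the relay rule only governs mail for domains the server does not host.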



    Re: Help, I've been hijacked! :-(  
Ken Schaefer




 
09-23-04 02:27 AM

Hi,

a) Reading the documentation is a good start. It covers a lot of
information, and gives you a good background on what you need to do (eg what
clients you can use) for authentication purposes

b) Are your users on an internal trusted LAN? or are they roaming out on the
internet? If they are on the trusted LAN, add your LAN's IP
addresses/subnets to the "only the list below" in the dialogue. If they are
roaming out on the internet you will need to:
- select an authentication mechanism. IIS supports Basic and Integrated
Windows Authentication (this is actually NTLM v2 authentication)
- ensure that the users have a compatible email client. Only Microsoft
email clients (eg Outlook Express and Outlook), and maybe a handful of 3rd
party clients support NTLM v2 authentication. The rest only support Basic.
If you are using Basic auth, then the user's username/password is passed in
clear-text across the internet *unless* you enable TLS (Transport Layer
Security). TLS is basically the same as SSL (that websites use), and
encrypts the traffic between the server and client. If you already have a
certificate for your website, then you can reuse that for your SMTP server
(if the DNS names are the same).

c) <shameless plug> There's a whole chapter on securing MS SMTP server and
MS POP3 server in the IIS6 security book that I co-wrote:
http://www.amazon.com/exec/obidos/A...dopenstati0f-20 If you
want to get up-to-speed on IIS6 security quickly, then this might be a
worthwhile investment</shameless plug>

Cheers
Ken







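Ken's warning about Basic authentication is worth seeing concretely: without TLS the AUTH LOGIN and AUTH PLAIN exchanges are base64, which is an encoding, not encryption, so anyone on the path (the same position Bill's sniffer sits in) recovers the password. The code below is an added example, not from the thread; the capture, the user "jsmith" and the password are constructed. recover_credentials does what a sniffer does with the captured client lines, and auth_allowed is the server-side rule, with RFC 4954's 538 reply, that refuses the plaintext mechanisms until STARTTLS has been negotiated.

```python
"""What a capture of SMTP AUTH reveals without TLS, and the server-side rule
that prevents it.  Added example; the transcript below is constructed."""
import base64

# Constructed transcript of AUTH LOGIN on plain port 25.  'C:' is the client,
# 'S:' the server.  The base64 blobs carry the assumed credentials
# jsmith / Autumn2004!, and the 334 challenges are "Username:" / "Password:".
CAPTURE = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250-mail.example.com
S: 250-AUTH LOGIN PLAIN
S: 250 OK
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: anNtaXRo
S: 334 UGFzc3dvcmQ6
C: QXV0dW1uMjAwNCE=
S: 235 2.7.0 Authentication successful
"""


def auth_plain_line(user, password):
    """Build the single-line AUTH PLAIN form (RFC 4616: NUL user NUL password)."""
    blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return "AUTH PLAIN " + blob


def recover_credentials(capture):
    """Return (user, password) from the client side of an AUTH LOGIN or
    AUTH PLAIN exchange, or None if the capture holds no such exchange."""
    client = [l[3:] for l in capture.splitlines() if l.startswith("C: ")]
    for i, line in enumerate(client):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            # The blob is either on the AUTH line or sent on the next line.
            blob = parts[2] if len(parts) > 2 else client[i + 1]
            _, user, password = base64.b64decode(blob).decode().split("\0")
            return user, password
        if mech == "LOGIN":
            user = base64.b64decode(client[i + 1]).decode()
            password = base64.b64decode(client[i + 2]).decode()
            return user, password
    return None


def auth_allowed(tls_active, mechanism, require_tls=True):
    """Server rule: refuse a plaintext mechanism until STARTTLS is up.
    Returns the reply the server would send to the AUTH command."""
    if mechanism.upper() in ("PLAIN", "LOGIN") and require_tls and not tls_active:
        return "538 5.7.11 Encryption required for requested authentication mechanism"
    return "334 "      # proceed with the mechanism's challenge


if __name__ == "__main__":
    print("sniffer sees:", recover_credentials(CAPTURE))
    print("AUTH LOGIN before STARTTLS ->", auth_allowed(False, "LOGIN"))
    print("AUTH LOGIN after STARTTLS  ->", auth_allowed(True, "LOGIN"))
```

This is why the relay fix and TLS go together: once relay depends on authentication, every password sent with Basic auth over the bare connection becomes a relay credential for whoever captures it.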



    Re: Help, I've been hijacked! :-(  
Bill Seymour




 
09-23-04 02:27 AM

Thanks again Ken.

a) I've been working my way through the documentation for a long time now,
but I'm sorry to say that I'm still too much in the dark. :-(

b)  The users are all out there on the internet.  I'm not able to use IP
addresses, since most have dynamic addresses, and they often connect through
different computers (i.e., from work and from home).  I'm set up for encrypted
password file authentication, since I understand that using Windows
authentication requires that I set up a Windows account for each user, rather
than just an account for the POP3/SMTP server.  I haven't enabled TLS, I'd
like to get things at least working again before I complicate things.  Right
now, no one is able to authenticate, so no one can send or receive email...
Does the encrypted password file stuff work?

C) Thanks, I placed an order.  It's liable to be a week or so before it
arrives though...









