AMS Vunerability or config problem? - URGENT

[waterman34]

We were contacted earlier today to notify us that our mail server was being used to send spam mail and on inspection of the logfiles it was true, the strange thing is we don't host either the domain or the email address that is being used to send out the spam, so we have no idea how their doing it. At the moment to stop them using our SMTP I've blacklisted their ip address which is ok for now but obviously just a temp fix.

We have the following line in our logfiles showing them logging in (how I have no idea and note I've changed the ip address used to login and recipients email address)

Mon, 03 Aug 2009 00:29:50 -> 00.000.0.0 -> Success: Action=[Starting Login], Details=[LOGIN authentication.]

Then masses of the actual mails being sent out:

Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@yahoo.com]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@hotmail.com]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@yahoo.com]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@hotmail.com]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Reset Transaction States]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@aol.com]
Mon, 03 Aug 2009 00:29:52 -> 00.000.0.0 -> Success: Action=[Received Recipient], Details=[12@hotmail.com]

My question is HOW are they doing this and how do we stop them?

[Code Crafters]

The only way mail can be sent in this way is by use of one of your accounts username and password to log in. This means that either one of your users is maliciously sending mail or they have a virus or spyware program that is monitoring their mail client or system and intercepting their username and password and then using this to send SPAM.

From the client end, you need to run a virus scan and, very importantly, update any mail client software such as outlook to use the very latest service packs and security updates. We had a similar incident in one of our offices just after installing Microsoft Office Outlook 2007 on one of our machines; a few unauthorised emails were sent from that machine's IP (traced via the AMS SMTP logs). After updating to the latest service packs, there have been no attacks since.

From the server end, you can enable relaying IP restrictions to limit which IPs can send even with SMTP authentication if you only have a few accounts. Otherwise, you may need to find out which account login information is being used and try to take action as appropriate from there on that account. You can enable SMTP debug logging to get more information on the account being used but this will very quickly fill a lot of log files so shouldn’t be left on for very long (VERY IMPORTANT). Alternatively, you can check user account log for more clues. You can also use windows find (ctrl+F) for any searches within all log files that you need.

[waterman34]

Hi Chris

Thanks for the quick response but we have over 600 accounts so restricting ip's is not going to work. How do we enable SMTP debug, can't seem to find anything within AMS?

[Code Crafters]

In the AMS settings near the bottom there is a page called Logging. On there you can select SMTP then enable debug logging. However, you should use this very carefully as it will log every line of every SMTP conversation including entire emails and will very quickly generate a lot of log files, especially with 600 accounts. I would advise only enabling this for a short period of time; maybe a few hours at most. You can also inspect the normal SMTP logs for any users sending lots of mail and then use the sender / recipient addresses to search the account logs (Windows+F or Ctrl+F from the config folder) to try and find which accounts are responsible and take appropriate action.

You should also limit the Max Mails Sent Per Day and Max Mail Sent Per Day (KB) in the group settings for all users to prevent any one user sending too many emails or too much content of emails in a single day.

[waterman34]

I've got SMTP debugging running chris but cant see where in the logs it says what account is actually being used to authenticate?

Getting well out of hand now, their already using a different ip address and email so their swamping us here

[Code Crafters]

If you send me your smtp.ini file from your config folder and a debug log showing the attacks with details of what addresses are the SPAM ones to chris@code-crafters.com I'll have a look and see if I can get any clues to let you know where to look next.

Note: Make sure you have disabled debug logging now or you'll start to fill your hard drive with lots of log files.

[THX_1138]

As my post is a little late you may have already had your issue resolved by Chris. I'm still going to post this though as it highlights how we discovered accounts sending spam.

Basically we monitored the outmail queue and noticed that 5 addresses from one machine were peridoically sending out spam from different IP's. This is a classic example of a Zombie trojan at work. Fortunately we knew the users and after they scanned their PC, numerous malware was removed. We also got them to change their passwords as we believe the infection recorded them so that other zombie infected PC's could use the accounts.

Since then there has been no further spam sent.

We now have a system in place for dealing with suspect zombie accounts. As soon as the problem becomes apparrent we email the client to inform them that they need to clean their PC's to remove the virus. We also get them to change their email password afterwards. While we wait for that to happen we move their email account to a specially created group that only allows webmail access. This will still allow them to recieve / reply emails from which they can access through the web mail service. With the POP3 disabled it stops the flow of outgoing spam immediately. Once the client's PC is clean we then move their account back to the normal group.

[Code Crafters]

You're right that this issue is most likely caused by spyware on the client computer logging passwords for outlook etc and sending mails maliciously using these login details. A virus scan on the client computer should fix the problem. It will also help to update all the latest service patches for windows and office.