Q

Someone has hijacked my domain name

I have Exchange 2003 and GroupShield to control spam and viruses. My Exchange server is not open for relay, but my e-mail server is routing a lot of e-mails with my domain name using bogus user accounts. I've tried everything from routing only e-mails from users inside Active Directory, but that didn't help. I still see thousands of items scanned by GroupShield. Can you please give me some advice on how to control this problem? Any help will be really appreciated. Thanks.
It looks as if someone may have discovered a username and password of one of your users and is relaying using their credentials (SMTP AUTH attack). If you do not enforce strong passwords in your domain, this could have easily been accomplished with a dictionary attack of common usernames and passwords. To prevent this, you need to remove Basic and Integrated Windows Authentication from your Exchange 2003 SMTP virtual servers that accept inbound communications from the Internet.

You must leave anonymous authentication on to allow SMTP to function. That is OK though, as Anonymous cannot relay on a closed relay server, which Exchange Server 2003 is by default.

Also make sure that a strong password policy is implemented ASAP.


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

What are the steps for this problem under a Win2k server and Exchange 2000?

—Peter P.

******************************************

The steps are the same for Windows 2000/Exchange 2000 as they are for Windows 2003/Exchange 2003. If you are in fact being attacked, follow these steps:

Find and fix the compromised account:

  1. Open Exchange System Manager and expand Organization -> Administrative Groups -> AdminGroupName -> and Servers containers.
  2. Right-click Server Name -> Properties, and click the Diagnostics Logging tab.
  3. Select MSExchangeTransport and set the logging level to maximum for all of the categories.
  4. Monitor the Application event log for event 1708; look for an authentication from an IP address/server name that is not in your organization.
  5. Enable Successful/Failure Account Login Attempts in the "Default Domain Controllers" GPO of your domain. Monitor the Security log for 680 events that occur at the same time as the suspect external mail server relays messages.
  6. Change the password for the compromised account. (Keep in mind that if one account has been compromised, it is likely that numerous accounts have been. The best thing to do might be to change all passwords.)

Blocking the spammer:

  1. Open the Exchange System Manager and go to Organization -> Administrative Groups -> Organizational Unit -> Servers -> ServerName -> Protocols -> SMTP.
  2. Right-click the Default SMTP Virtual Server and select Properties.
  3. Open the Access tab and click Authentication.
  4. Leave Anonymous access enabled, and clear the Basic authentication and Integrated Windows Authentication checkboxes.

—Richard Luckett, expert
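The hunting steps above (look for authenticated submissions from addresses outside your organization, and for a source that fails against many accounts before succeeding) can be automated once the relevant log lines have been exported. The script below is an added example and is not part of the original answer or of Exchange; it works on a constructed, simplified log format (timestamp, result, account, source IP) rather than on the real Exchange 2003 SMTP protocol log or the Security-log 680 event format, so a real deployment would need its own parser in place of `parse_log`. The internal address ranges are assumed values.

```python
"""Hunt for a compromised SMTP AUTH account in exported authentication events.

Constructed example: the log format below is simplified and made up for this
script. Real Exchange 2003 SMTP protocol logs and Security-log 680 events look
different and need their own parser. The detection logic is the point:
  1. successful SMTP AUTH from an address outside the organization;
  2. a source that fails against several accounts and then succeeds
     (the dictionary-attack pattern described in the answer).
"""
import ipaddress
from collections import defaultdict

# Assumed: the organization's own address ranges (constructed values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log: "<timestamp> <AUTH_OK|AUTH_FAIL> <account> <source_ip>"
SAMPLE_LOG = """\
2005-03-01T08:00:01 AUTH_OK alice 10.0.5.20
2005-03-01T08:01:12 AUTH_FAIL admin 203.0.113.77
2005-03-01T08:01:13 AUTH_FAIL test 203.0.113.77
2005-03-01T08:01:14 AUTH_FAIL bob 203.0.113.77
2005-03-01T08:01:15 AUTH_FAIL jsmith 203.0.113.77
2005-03-01T08:01:16 AUTH_OK jsmith 203.0.113.77
2005-03-01T08:02:40 AUTH_OK jsmith 203.0.113.77
2005-03-01T08:03:05 AUTH_OK carol 192.168.1.9
2005-03-01T08:04:50 AUTH_FAIL carol 10.0.5.21
"""


def parse_log(text):
    """Turn log lines into event dicts; malformed lines and bad IPs are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, result, account, ip = parts
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        events.append({"ts": ts, "ok": result == "AUTH_OK",
                       "account": account, "ip": addr})
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def external_auth_successes(events):
    """Accounts that authenticated from outside the organization -> {account: [ips]}."""
    hits = defaultdict(set)
    for e in events:
        if e["ok"] and not is_internal(e["ip"]):
            hits[e["account"]].add(str(e["ip"]))
    return {acct: sorted(ips) for acct, ips in hits.items()}


def dictionary_attack_sources(events, min_accounts=3):
    """Source IPs that failed against >= min_accounts distinct accounts.

    For each such source, also report the accounts it later succeeded on:
    those are the credentials to treat as compromised and reset first.
    """
    failed_accounts = defaultdict(set)
    success_after_failures = defaultdict(set)
    for e in events:  # events are assumed to be in time order
        ip = str(e["ip"])
        if not e["ok"]:
            failed_accounts[ip].add(e["account"])
        elif failed_accounts.get(ip):
            success_after_failures[ip].add(e["account"])
    return {ip: {"tried": len(accts),
                 "compromised": sorted(success_after_failures[ip])}
            for ip, accts in failed_accounts.items()
            if len(accts) >= min_accounts}


def report(text):
    events = parse_log(text)
    return {"external_auth": external_auth_successes(events),
            "dictionary_sources": dictionary_attack_sources(events)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample this flags `jsmith` as authenticating from 203.0.113.77, and flags that address as having tried four accounts before succeeding on `jsmith`; the single internal failure for `carol` stays below the threshold. Once a source like that is confirmed, the account password reset and the removal of Basic and Integrated Windows Authentication from the Internet-facing SMTP virtual server, as described in the steps above, close the hole.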

******************************************

I am not sure enforcing strong passwords alone may solve the problem. I am also experiencing the same problem -- in my case I can only get NDRs for e-mails that would have bounced. On opening the NDR, I discover that the e-mails will be directing the recipients to dubious Web sites. On doing IP queries on the sites, I have discovered the abusers are using IP addresses allocated to the Far East. I reported this, but the next thing you know, they've changed the IP address. How they manage to register my domain using a different IP address ... it surprises me.

—Michael M.


This was first published in March 2005
