Ask The Exchange Expert: Questions & Answers

Someone has hijacked my domain name

Expert response from: Richard Luckett

QUESTION POSED ON: 04 February 2005
I have Exchange 2003 and GroupShield to control spam and viruses. My Exchange server is not open for relay, but my e-mail server is routing a lot of e-mails with my domain name using bogus user accounts. I've tried everything from routing only e-mails from users inside Active Directory, but that didn't help. I still see thousands of items scanned by GroupShield. Can you please give me some advice on how to control this problem? Any help will be really appreciated. Thanks.


It looks as if someone may have discovered a username and password of one of your users and is relaying using their credentials (SMTP AUTH attack). If you do not enforce strong passwords in your domain, this could have easily been accomplished with a dictionary attack of common usernames and passwords. To prevent this, you need to remove Basic and Integrated Windows Authentication from your Exchange 2003 SMTP virtual servers that accept inbound communications from the Internet.

You must leave anonymous authentication on to allow SMTP to function. That is OK though, as Anonymous cannot relay on a closed relay server, which Exchange Server 2003 is by default.

Also make sure that a strong password policy is implemented ASAP.
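The hardening the expert describes (Basic and Integrated Windows Authentication removed from the Internet-facing SMTP virtual server, anonymous access left on) can be verified from outside by reading what the server advertises in its EHLO response. The following is an added example, not part of the original answer or any Microsoft tooling; the two EHLO transcripts are constructed for illustration, and the exact list of extensions an Exchange 2003 server emits is an assumption. Only the `AUTH` lines matter for the check: `LOGIN`/`PLAIN` correspond to Basic authentication, `NTLM`/`GSSAPI` to Integrated Windows Authentication.

```python
import re
import socket

# Constructed EHLO response from an Internet-facing SMTP virtual server that still offers
# Basic (LOGIN) and Integrated Windows (NTLM/GSSAPI) authentication.
EHLO_BEFORE = """250-mail.example.com Hello [203.0.113.45]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250 OK"""

# Constructed EHLO response after Basic and Integrated Windows Authentication were cleared
# on the virtual server; anonymous SMTP still works, but no AUTH mechanisms are offered.
EHLO_AFTER = """250-mail.example.com Hello [203.0.113.45]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250 OK"""

# Matches both the RFC form "250-AUTH X Y Z" and the legacy "250-AUTH=LOGIN" form.
AUTH_LINE = re.compile(r"^250[- ]AUTH[ =](.+)$", re.IGNORECASE)

BASIC_MECHANISMS = {"LOGIN", "PLAIN"}
INTEGRATED_MECHANISMS = {"NTLM", "GSSAPI"}


def advertised_auth_mechanisms(ehlo_response):
    """Return the set of SASL mechanisms named in AUTH lines of an EHLO response."""
    mechs = set()
    for line in ehlo_response.splitlines():
        match = AUTH_LINE.match(line.strip())
        if match:
            mechs.update(token.upper() for token in match.group(1).split())
    return mechs


def inbound_hardening_findings(ehlo_response):
    """List which authentication types an Internet-facing inbound server is still offering.

    An empty list means the server matches the recommended configuration: anonymous
    delivery only, nothing a credential-guessing client could authenticate against.
    """
    mechs = advertised_auth_mechanisms(ehlo_response)
    findings = []
    basic = mechs & BASIC_MECHANISMS
    integrated = mechs & INTEGRATED_MECHANISMS
    if basic:
        findings.append("Basic authentication still advertised: " + ", ".join(sorted(basic)))
    if integrated:
        findings.append("Integrated Windows authentication still advertised: " + ", ".join(sorted(integrated)))
    return findings


def live_ehlo(host, port=25, timeout=10):
    """Fetch the raw EHLO response from a server you administer.

    Kept separate from the offline checks above; assumes a single-line 220 banner.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        reader.readline()  # 220 greeting banner
        sock.sendall(b"EHLO checker.example.invalid\r\n")
        lines = []
        while True:
            line = reader.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":  # "250 " ends the multi-line reply
                break
        sock.sendall(b"QUIT\r\n")
        return "\n".join(lines)


if __name__ == "__main__":
    for label, response in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        print(label, inbound_hardening_findings(response) or ["no authentication advertised"])
```

Run the offline checks against a response captured with `live_ehlo()` from your own server; if the "after" state still lists mechanisms, the change was made on a different virtual server than the one the Internet actually reaches.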


MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A:

What are the steps for this problem under a Win2k server and Exchange 2000?

—Peter P.

******************************************

The steps are the same for Windows 2000/Exchange 2000 as they are for Windows 2003/Exchange 2003. If you are in fact being attacked follow these steps:

Find and fix the compromised account:

  1. Open Exchange System Manager and expand Organization -> Administrative Groups -> AdminGroupName -> and Servers containers.
  2. Right-click Server Name -> Properties, and click the Diagnostics Logging tab.
  3. Select MSExchangeTransport and set the logging level to maximum for all of the categories.
  4. Monitor the Application event log for event 1708; look for an authentication from an IP address/server name that is not in your organization.
  5. Enable Successful/Failure Account Login Attempts in the "Default Domain Controllers" GPO of your domain. Monitor the Security log for 680 events that occur at the same time as the suspect external mail server relays messages.
  6. Change the password for the compromised account. (Keep in mind that if one account has been compromised, it is likely that numerous accounts have been. The best thing to do might be to change all passwords.)

Blocking the spammer:

  1. Open the Exchange System Manager and go to Organization -> Administrative Groups -> Organizational Unit -> Servers -> ServerName -> Protocols -> SMTP.
  2. Right-click the Default SMTP Virtual Server and select Properties.
  3. Open the Access tab and click Authentication.
  4. Leave Anonymous access enabled, clear the Basic authentication and Integrated Windows Authentication checkboxes.

—Richard Luckett, expert
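Steps 4 and 5 of the "find the compromised account" procedure come down to one correlation: an SMTP authentication (MSExchangeTransport event 1708) from an address outside your own network, lined up in time with an account logon (Security event 680) on a domain controller for the same account. The script below is an added example of that correlation, not tooling from the original answer or from Microsoft. The event records are constructed and deliberately simplified to the fields the procedure uses; the real event text differs, so the field layout is an assumption, and `INTERNAL_NETWORKS` stands in for whatever address ranges your organization owns.

```python
import ipaddress
from datetime import datetime

# Constructed sample: simplified MSExchangeTransport 1708 (SMTP AUTH) events from the
# inbound virtual server. Field layout is an assumption for this example.
TRANSPORT_EVENTS = [
    {"time": "2005-02-04 02:13:07", "event_id": 1708, "client_ip": "10.0.0.25", "account": "jdoe"},
    {"time": "2005-02-04 02:14:52", "event_id": 1708, "client_ip": "203.0.113.45", "account": "jdoe"},
    {"time": "2005-02-04 02:15:01", "event_id": 1708, "client_ip": "203.0.113.45", "account": "jdoe"},
    {"time": "2005-02-04 09:30:10", "event_id": 1708, "client_ip": "192.168.1.77", "account": "msmith"},
]

# Constructed sample: simplified Security log 680 (account logon) events from the DC.
SECURITY_EVENTS = [
    {"time": "2005-02-04 02:14:50", "event_id": 680, "account": "jdoe", "status": "success"},
    {"time": "2005-02-04 02:14:59", "event_id": 680, "account": "jdoe", "status": "success"},
    {"time": "2005-02-04 09:30:09", "event_id": 680, "account": "msmith", "status": "success"},
    {"time": "2005-02-04 11:00:00", "event_id": 680, "account": "admin", "status": "failure"},
]

# Assumed address ranges belonging to the organization; anything else is "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_internal(ip, networks):
    """True when the client address falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def external_smtp_auths(transport_events, networks):
    """Step 4: 1708 events whose authenticating client is not one of ours."""
    return [
        event for event in transport_events
        if event["event_id"] == 1708 and not is_internal(event["client_ip"], networks)
    ]


def correlate(transport_events, security_events, networks, window_seconds=30):
    """Step 5: pair each external SMTP AUTH with DC 680 logons for the same account
    inside the time window. Returns {account: {"external_ips": set, "matched_logon_times": set}}.
    """
    findings = {}
    for auth in external_smtp_auths(transport_events, networks):
        auth_time = parse_time(auth["time"])
        entry = findings.setdefault(auth["account"], {"external_ips": set(), "matched_logon_times": set()})
        entry["external_ips"].add(auth["client_ip"])
        for logon in security_events:
            if logon["event_id"] != 680 or logon["account"].lower() != auth["account"].lower():
                continue
            delta = abs((parse_time(logon["time"]) - auth_time).total_seconds())
            if delta <= window_seconds:
                entry["matched_logon_times"].add(logon["time"])
    return findings


def failed_logon_counts(security_events):
    """Per-account count of failed 680 events; a large count on one account is the
    signature of the dictionary attack the expert mentions."""
    counts = {}
    for logon in security_events:
        if logon["event_id"] == 680 and logon["status"] == "failure":
            counts[logon["account"]] = counts.get(logon["account"], 0) + 1
    return counts


if __name__ == "__main__":
    for account, detail in correlate(TRANSPORT_EVENTS, SECURITY_EVENTS, INTERNAL_NETWORKS).items():
        print(f"{account}: SMTP AUTH from {sorted(detail['external_ips'])}, "
              f"{len(detail['matched_logon_times'])} matching DC logons -> reset this password (step 6)")
    print("failed logons per account:", failed_logon_counts(SECURITY_EVENTS))
```

On the constructed data only `jdoe` authenticates from outside the internal ranges, and both of those authentications line up with 680 logons on the domain controller, which is exactly the account step 6 says to reset. Widen `window_seconds` if the Exchange server and domain controller clocks are not synchronized.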

******************************************

I am not sure enforcing strong passwords alone may solve the problem. I am also experiencing the same problem -- in my case I can only get NDRs for e-mails that would have bounced. On opening the NDR, I discover that the e-mails will be directing the recipients to dubious Web sites. On doing IP queries on the sites, I have discovered the abusers are using IP addresses allocated to the Far East. I reported this, but the next thing you know, they've changed the IP address. How they manage to register my domain using a different IP address ... it surprises me.

—Michael M.
