email relay attack, need help

ryan010101 (Technical User), Jan 24, 2001
Today I noticed our server was running slow. I didn't really think much about it but decided to do a reboot. After the reboot our ScanMail monitor starts up first and I noticed a ton of emails going through it. I watched it a bit and it's doing about 1000 emails a minute. So now I'm trying to figure out exactly what is causing it. The only way I can stop it is to stop the SMTP Virtual Server; this isn't really a solution as it means no emails at all can be sent.

I went into the SMTP Virtual Server properties and disabled anonymous access. I also made sure connection control and relay restrictions were set. Still, as soon as I start up the SMTP server the emails just start going again, tons of them. In our SonicWall log there are a bunch of "Probable TCP FIN scan" entries from the same IP address going to our external IP address.

Any suggestions on how to kill this thing?

thanks
Ryan
 
It's possible you could be getting spammed. Make sure you are not being used as a spam relay. Turn on SMTP logging and monitor your events. I'm not familiar at all with your SonicWall or ScanMail. You may need to call these vendors just to see what they have in their knowledge base regarding this. Also, check your BADMAIL folder. I'm sure there must be tons of bad mail in there. You can open the .bad files and possibly determine if these are spam emails coming through. It may be possible a user account in your environment got compromised and is being used as a spam relay (this happened to me). I had a problem with spam mail recently and Microsoft troubleshot it with me; they had me check the BADMAIL folder and monitor SMTP events. In the interim I would try:

(1) Stop the SMTP Service.
(2) Rename the Badmail folder in c:\exchsrvr\mailroot\vsi 1\ to BadMailOld
(3) Create new folder BadMail
(4) Start the SMTP service
(5) Turn on SMTP logging from the SMTP Virtual Server properties.
(6) Monitor Events in Event viewer for a few days and see if you notice anything suspicious.
(7) Check mail in the BadMailOld folder and see if you notice anything suspicious.

* Note that you may need to clear the BadMail queue daily or once a week by doing the steps above. You can also create a .bat file to do this.

Good luck.

Zoey
 
Thanks for the info. I did turn on the logging and someone was logging in

"SMTP Authentication was performed successfully with client "terry"."

I disabled the account they were using. After they logged in this was the next event:

"The SMTP client "211.158.50.245" authenticated as user "xxxxxxxx\server" attempted to send as "XXXXX@XXX.COM". Access was denied because the sender's SMTP address does not exist. " (the "XXX"s actually had valid data).

So it appears that I have stopped it right?
So now internal emails are working but I can't send or receive external emails.

There are a TON of files in the BADMAIL folder. When I try to open it, Windows Explorer just hangs. Any suggestions on how to get rid of these files?

thanks for the help
Ryan
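The two event messages quoted above (the "SMTP Authentication was performed successfully with client ..." line and the "The SMTP client ... authenticated as user ... attempted to send as ..." line) are what Zoey's advice about SMTP logging turns up in practice. As an added example that is not part of this thread, the script below parses those two message forms and tallies authentications per account, source IPs per account, and denied send-as attempts, so an account being abused as a relay stands out. The sample messages are constructed for illustration; the account names, IP addresses, and the THRESHOLD cut-off are assumptions, not data from the poster's server.

```python
"""
Added example, not from the Tek-Tips thread: triage Exchange 2000 / IIS SMTP
event-log messages of the two forms quoted in the thread to spot an account
being used as a spam relay. All sample data below is constructed.
"""
import re
from collections import Counter, defaultdict

# Patterns for the two message forms quoted in the thread.
AUTH_OK_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<user>[^"]+)"'
)
SEND_AS_RE = re.compile(
    r'The SMTP client "(?P<ip>[^"]+)" authenticated as user "(?P<user>[^"]+)" '
    r'attempted to send as "(?P<sender>[^"]+)"'
)

# Assumed cut-off: this many successful AUTHs in the window is worth a look.
THRESHOLD = 3


def _short(user):
    """Normalise DOMAIN\\user to user so both message forms key on the same name."""
    return user.split("\\")[-1]


def parse_event(message):
    """Classify one event message; returns (kind, fields) or None if unrecognised."""
    m = AUTH_OK_RE.search(message)
    if m:
        return "auth_ok", {"user": _short(m.group("user"))}
    m = SEND_AS_RE.search(message)
    if m:
        return "send_as", {
            "ip": m.group("ip"),
            "user": _short(m.group("user")),
            "sender": m.group("sender"),
            "denied": "Access was denied" in message,
        }
    return None


def relay_report(messages):
    """Aggregate AUTH successes, source IPs and denied send-as attempts per account."""
    auth_per_user = Counter()
    ips_per_user = defaultdict(set)
    denied_per_user = Counter()
    for msg in messages:
        parsed = parse_event(msg)
        if parsed is None:
            continue  # unrelated event text
        kind, f = parsed
        if kind == "auth_ok":
            auth_per_user[f["user"]] += 1
        else:
            ips_per_user[f["user"]].add(f["ip"])
            if f["denied"]:
                denied_per_user[f["user"]] += 1
    return {
        "auth_per_user": dict(auth_per_user),
        "ips_per_user": {u: sorted(ips) for u, ips in ips_per_user.items()},
        "denied_per_user": dict(denied_per_user),
    }


def suspicious_accounts(messages, threshold=THRESHOLD):
    """Accounts that authenticated at least `threshold` times."""
    report = relay_report(messages)
    return sorted(u for u, n in report["auth_per_user"].items() if n >= threshold)


# Constructed sample event messages (assumed names and IPs, not real data).
SAMPLE_EVENTS = [
    'SMTP Authentication was performed successfully with client "terry".',
    'SMTP Authentication was performed successfully with client "terry".',
    'SMTP Authentication was performed successfully with client "terry".',
    'SMTP Authentication was performed successfully with client "terry".',
    'SMTP Authentication was performed successfully with client "alice".',
    'The SMTP client "203.0.113.7" authenticated as user "CORP\\terry" '
    'attempted to send as "bulk@example.com". Access was denied because the '
    "sender's SMTP address does not exist.",
    'The SMTP client "203.0.113.7" authenticated as user "CORP\\terry" '
    'attempted to send as "terry@example.com".',
    'The SMTP client "198.51.100.4" authenticated as user "CORP\\terry" '
    'attempted to send as "promo@example.com". Access was denied because the '
    "sender's SMTP address does not exist.",
    "Some unrelated event text that the parser should ignore.",
]

if __name__ == "__main__":
    print(relay_report(SAMPLE_EVENTS))
    print("suspicious:", suspicious_accounts(SAMPLE_EVENTS))
```

Feeding the real event text (exported from Event Viewer, one message per element) into `relay_report` gives the same view Ryan arrived at by hand: one account with many authentications, from one or a few external addresses, with send-as attempts for addresses that are not its own. Disabling that account, as the thread does, is the first step; resetting its password and checking how it was obtained is the follow-up.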
 
Don't open the BadMail folder because as you noted Explorer will just hang. You need to follow the steps I noted above.

(1) Stop the SMTP Service
(2) Rename the BadMail folder to BadMailOld
(3) Create a new BadMail folder
(4) Start the SMTP service

*If the BadMailOld folder is huge you may want to purge it. When I had problems in my environment the BadMailOld folder was over 20 GB. I bet your BadMail directory is just as large, which is why Explorer is hanging. So you are better off doing the delete from a DOS prompt. To verify how large it is, do this from the DOS prompt and not from Explorer:
cd c:\exchsrvr\mailroot\vsi 1
cd badmailold
dir

To delete from the DOS prompt make sure you are in the badmailold folder and simply do a del *.*
 
This is what my batch file looks like.
______________________________________________________
@echo off
rem Rotate the SMTP BadMail folder: stop the service, swap in an empty
rem BadMail, purge the old one, restart. Adjust the path to your mailroot.
net stop smtpsvc
cd /d "c:\exchsrvr\mailroot\vsi 1"
ren badmail badmailold
cd /d "c:\exchsrvr\mailroot\vsi 1\badmailold"
rem /q suppresses the "Are you sure (Y/N)?" prompt that would stall a batch file
del /q *.*
cd /d "c:\exchsrvr\mailroot\vsi 1"
rmdir badmailold
md BadMail
net start smtpsvc
_________________________________________________________
 
zoeythecat,
When you did the delete of the BadMail folder, how long did it take? I booted to safe mode with a DOS prompt and tried to delete the whole folder. After an hour it still had not finished. So is an hour too short, or was it probably hanging? Also, was there something bad in the BadMail folder that you wanted to get rid of?
Thanks,
Todd
 
Todd,

Depending on how large your BadMail folder became it could take a while to delete. If your BadMail folder grew to several gig it will take a while (originally my BadMail folder grew to about 20 GB and it took me a while to purge). If you followed the steps I listed above you should have no problems. Not sure what you mean by "was there something bad in the badmail that you wanted to get rid of". You need to dump whatever is in there.

Hope I answered your questions.

Zoey
 
I believe I understand that the BadMail folder fills up and will cause problems if not relieved of its burden. I was just curious if you were inferring that there could be a bad virus or program in the BadMail folder that was causing you some problems.
I tried for over an hour to delete my BadMail folder and never did get it done. I am sure that it may be as big as yours, so I was curious as to how long I should expect and whether maybe I was being too impatient. How long did yours take?
todd
 
Todd,

First of all you should verify how big your badmail folder is (from a dos prompt doing the dir command from the \exchsrvr\mailroot\vsi 1\badmail directory). It is hard to say how long it would take. As I mentioned I had several gig filled up in the badmail queue. It took a few hours. The very first thing you should do is rename the badmail folder to badmailold. I would take these steps first:

(1) Stop the SMTP Service
(2) rename the badmail folder to badmailold
(3) Create new BadMail folder
(4) Start the SMTP Service
(5) Go to a dos prompt, change directory to
\exchsrvr\mailroot\vsi 1\badmailold
and do the command >del *.*

 
Todd,

Also, if you follow the 5 steps I listed you do not need to be in safe mode to do this. Boot your server up in Normal Mode then just do the 5 steps I listed. Renaming the badmail queue takes a second to do. This will be the least time consuming way of keeping your incoming/outgoing mail flowing. From what I am gathering you are trying to purge the badmail queue but if this queue is huge you need to rename it first, otherwise, yes it will take forever to purge.

Zoey
 