Overclockers Australia Forums
20th June 2012, 4:05 PM   #1
Rea:Per (Thread Starter)

SMTP Auth Relay Attacks (Exchange 2003)

Hello everyone.

I have an issue. Well, it's not yet an issue, but I'm sure it's going to be sooner or later.
I have been alerted to the fact that someone is trying to hack our Exchange server using what seems to be an Auth Relay style attack.

I am seeing around 5-6 authentication attempts per minute in the security event log, eventually resulting in an Account Lockout.
The username is a valid user on our domain, and I'm assuming they have gotten that by trial and error, as we have "don't accept mail for nonexistent users" turned on.

I have extended logging turned on for SMTP; however, I believe this will not keep a log of non-authenticated activity, as it shows all of our mail activity but there are no entries at the times of the Failure audit entries I find in the security event log.

Is there a way to log even the unauthenticated activity?
Last edited by Rea:Per; 20th June 2012 at 4:22 PM.
20th June 2012, 4:24 PM   #2
Rea:Per (Thread Starter)

I also have tarpitting turned on and have even upped the delay from the standard 5 sec to 10 sec.
20th June 2012, 4:28 PM   #3
Rea:Per (Thread Starter)

It's currently set as follows.

Relay Restrictions
Only allow the list below

but it's also selected as "Allow all computers which successfully authenticate to relay, regardless of the list above".

I don't really want to turn this off unless I have to, as I'm not sure if it's going to affect those users who are set up using RPC over HTTP to access Exchange remotely.

Is there any way to find the source IP of the attacks so I can block it? Yes, I know they will be using dynamic IPs, but maybe that's enough to make them move on to someone else.
20th June 2012, 7:00 PM   #4
scrantic

Quote:
Originally Posted by Rea:Per
    It's currently set as follows.

    Relay Restrictions
    Only allow the list below

    but it's also selected as "Allow all computers which successfully authenticate to relay, regardless of the list above".

    I don't really want to turn this off unless I have to, as I'm not sure if it's going to affect those users who are set up using RPC over HTTP to access Exchange remotely.

    Is there any way to find the source IP of the attacks so I can block it? Yes, I know they will be using dynamic IPs, but maybe that's enough to make them move on to someone else.

RPC over HTTP doesn't require the end users to be able to relay via the SMTP server.

As for the IP address: http://www.msexchange.org/tutorials/...P_Service.html
__________________
| Intel Core i7-860 | Gigabyte GA-P55A-UD3P |
| Corsair X128 Extreme SSD | 8GB Corsair DDR3 1333 |
| MSI GTX275 896MB| Antec P183 | Antec 750W PSU |
Storage Synology DS1511+ 4 x Hitachi 3TB Deskstar 5K3000
scrantic is offline   Reply With Quote
20th June 2012, 10:31 PM   #5
rainwulf

In your Exchange control tree, under Exchange, Global Settings, Message Delivery:
right-click "Message Delivery".
Make sure "Recipient Filtering" - "Filter recipients who are not in the Directory" is ticked.
21st June 2012, 8:57 AM   #6
Rea:Per (Thread Starter)

@rainwulf: thanks, I already have that enabled.

@scrantic: I have that set already, but the authentication attempts don't show up in that log.

See below. The security log shows attempts at 20/06/12 10:28 PM at 59, 40, 37, 26, 15 and 03 seconds.

[screenshot: security event log, Failure audit entries]

However, the SMTP log shows nothing at those exact times.

[screenshot: SMTP log for the same period]
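To get from the Failure audits in the Security log to a source IP, the two logs in the post above have to be lined up. The following added example (not code from the thread, and not a Microsoft tool) parses a constructed Event Viewer text export of the Security log and a constructed SMTPSVC W3C log, keeps only the AUTH commands, and reports which client IPs issued AUTH within a couple of seconds of each failure audit. One thing worth ruling out when the SMTP log looks empty at the audited times: W3C logs are stamped in UTC, while the Security log shows local time (GMT+10 for this thread), so the two are ten hours apart on the clock; correlate() takes that offset as a parameter and the demo runs it both ways. The IPs, account name, timestamps and field values are constructed; the column names come from the #Fields header, so the parser adapts to whatever fields the server actually logs.

```python
"""Correlate failed SMTP AUTH logons in the Windows Security log with the
Exchange 2003 SMTP protocol log (W3C extended format) to recover source IPs.
Added example with constructed log data."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed tab-delimited export of the Security log (Event Viewer ->
# Save As -> Text), columns: Date, Time, EventID, User.  On Windows Server
# 2003, 529 = bad username/password, 539 = logon attempt on a locked-out account.
SECURITY_EXPORT = """\
20/06/2012\t22:31:03\t529\tCORP\\jsmith
20/06/2012\t22:31:14\t529\tCORP\\jsmith
20/06/2012\t22:31:25\t529\tCORP\\jsmith
20/06/2012\t22:31:37\t529\tCORP\\jsmith
20/06/2012\t22:31:48\t529\tCORP\\jsmith
20/06/2012\t22:31:59\t539\tCORP\\jsmith
"""

# Constructed SMTP protocol log.  W3C logs are stamped in UTC; a host at
# GMT+10 logs 22:31 local time as 12:31.
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-06-20 12:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2012-06-20 12:31:02 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 EHLO - mail.attacker.example 250 0 4 29 0 SMTP - - - -
2012-06-20 12:31:03 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
2012-06-20 12:31:14 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
2012-06-20 12:31:20 198.51.100.4 - SMTPSVC1 MAIL01 192.168.1.10 25 MAIL - +FROM:<news@partner.example> 250 0 0 31 0 SMTP - - - -
2012-06-20 12:31:25 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
2012-06-20 12:31:37 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
2012-06-20 12:31:48 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
2012-06-20 12:31:59 203.0.113.7 - SMTPSVC1 MAIL01 192.168.1.10 25 AUTH - LOGIN 535 0 0 10 0 SMTP - - - -
"""


def parse_security_export(text):
    """Return [(local_time, event_id, user)] for each exported failure audit."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            date, time, event_id, user = line.split("\t")
            rows.append((datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S"),
                         int(event_id), user))
    return rows


def parse_w3c(text):
    """Parse a W3C extended log into dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def smtp_auth_attempts(rows):
    """Return [(utc_time, client_ip, smtp_status)] for AUTH commands only."""
    out = []
    for r in rows:
        if r.get("cs-method", "").upper() == "AUTH":
            out.append((datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S"),
                        r["c-ip"], r["sc-status"]))
    return out


def correlate(failures, auths, utc_offset_hours, window_seconds=2):
    """Map each Security-log failure to the client IPs that issued AUTH within
    +/-window_seconds of it.  Security-log times are local and the SMTP log
    is UTC, so each local time is shifted back by utc_offset_hours first."""
    shift = timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    return {when: {ip for t, ip, _ in auths if abs(t - (when - shift)) <= window}
            for when, _, _ in failures}


def attempts_per_minute(failures):
    """How fast the guessing runs: failure audits bucketed by minute."""
    return Counter(when.replace(second=0, microsecond=0) for when, _, _ in failures)


def top_sources(matches):
    """Client IPs ranked by how many failure audits they line up with."""
    hits = Counter()
    for ips in matches.values():
        hits.update(ips)
    return hits.most_common()


if __name__ == "__main__":
    failures = parse_security_export(SECURITY_EXPORT)
    auths = smtp_auth_attempts(parse_w3c(SMTP_LOG))
    print("failures per minute:", dict(attempts_per_minute(failures)))
    print("no UTC shift       :", top_sources(correlate(failures, auths, 0)))
    print("shifted by +10h    :", top_sources(correlate(failures, auths, 10)))
```

With no offset the correlation finds nothing, exactly the "no entries at those times" symptom; with the local-to-UTC shift applied every failure audit lines up with an AUTH from one client, which is the address to feed to the firewall. On a real server, export the Security log as text and point the script at the SMTPSVC1 log directory's current file in place of the constructed strings.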
21st June 2012, 9:11 AM   #7
scrantic

Unless you truly need "Allow all computers which successfully authenticate to relay, regardless of the list above", turn it off. RPC over HTTP doesn't use it, so unless you have some internal software/MFD printers configured to use this method, or something strange set up, you shouldn't need it.

Also look at getting an external spam filtering service like http://mailguard.com.au/. Then you don't need to deal with these kinds of situations. Lock your server down to receive email only from their IPs and you're sweet.
Last edited by scrantic; 21st June 2012 at 9:14 AM.
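The advice above is to turn the authenticated-relay checkbox off. The following added example (not code from the thread, and not a Microsoft tool) shows what the checkbox does to the attack in post #1: it runs a small in-process stand-in for Exchange 2003's Relay Restrictions and then probes it the way the attacker would, anonymously, with a wrong password, and with the password the guessing eventually hits. With the checkbox on, a single brute-forced mailbox password makes the server relay for that client; with it off, even a valid login gets "550 Unable to relay", so guessing the password no longer buys a relay. The domain names, the jsmith account and its password, and the allow-listed IP are constructed; check_relay() works unchanged against a real host and port (use your own mailbox credentials), and AUTH PLAIN is used only because the stand-in advertises it.

```python
"""Probe an SMTP server's relay restrictions before and after AUTH.

FakeExchange stands in for Exchange 2003's Relay Restrictions dialog so the
demo runs offline; check_relay() works unchanged against a real host:port.
Added example with constructed domains, account and allow list."""
import base64
import binascii
import smtplib
import socket
import threading

LOCAL_DOMAIN = "corp.example"                 # assumed accepted (local) domain
EXTERNAL_RCPT = "victim@outside.example"      # assumed external recipient
USERS = {"jsmith": "Summer2012!"}              # constructed mailbox account

# The two settings that matter: the "only allow the list below" IP list and
# the "allow all computers which successfully authenticate" checkbox.
WEAK = {"allow_list": {"192.0.2.10"}, "allow_authenticated": True}
HARD = {"allow_list": {"192.0.2.10"}, "allow_authenticated": False}


def relay_allowed(client_ip, authenticated, rcpt, policy):
    """Local delivery is always accepted; relaying needs a listed IP or,
    with the checkbox on, any successful login (guessed or not)."""
    if rcpt.rsplit("@", 1)[-1].lower() == LOCAL_DOMAIN:
        return True
    if client_ip in policy["allow_list"]:
        return True
    return bool(policy["allow_authenticated"] and authenticated)


class FakeExchange(threading.Thread):
    """Minimal ESMTP responder: EHLO, AUTH PLAIN, MAIL, RCPT, QUIT."""

    def __init__(self, policy):
        super().__init__(daemon=True)
        self.policy = policy
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, (ip, _) = self.sock.accept()
            with conn:
                self.serve(conn, ip)

    def serve(self, conn, ip):
        def reply(text):
            conn.sendall((text + "\r\n").encode())

        authed = False
        reply("220 mail.corp.example ESMTP stand-in")
        for raw in conn.makefile("rb"):
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                reply("250-mail.corp.example Hello")
                reply("250 AUTH PLAIN")
            elif cmd == "AUTH":                 # AUTH PLAIN base64("\0user\0pw")
                try:
                    _, user, pw = base64.b64decode(arg.split()[-1]).split(b"\0")
                    authed = USERS.get(user.decode()) == pw.decode()
                except (ValueError, binascii.Error, IndexError):
                    authed = False
                reply("235 2.7.0 Authentication successful" if authed
                      else "535 5.7.3 Authentication unsuccessful")
            elif cmd == "MAIL":
                reply("250 2.1.0 Sender OK")
            elif cmd == "RCPT":
                rcpt = arg.partition(":")[2].strip("<> ")
                reply("250 2.1.5 Recipient OK"
                      if relay_allowed(ip, authed, rcpt, self.policy)
                      else "550 5.7.1 Unable to relay")
            elif cmd == "QUIT":
                reply("221 2.0.0 Closing")
                break
            else:
                reply("500 5.5.1 Command unrecognized")


def check_relay(host, port, user=None, password=None):
    """Return (authenticated, rcpt_code).  250 on RCPT TO for an external
    address means the server would relay for this client; 550 means refused.
    Only MAIL/RCPT are sent, never DATA, so nothing is queued."""
    authed = False
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=10) as s:
        s.ehlo()
        if user is not None:
            try:
                s.login(user, password)
                authed = True
            except smtplib.SMTPAuthenticationError:
                authed = False
        s.mail("probe@outside.example")
        code, _ = s.rcpt(EXTERNAL_RCPT)
    return authed, code


def demo(policy):
    """The three probes the attacker ends up making: anonymous, wrong
    password, and the password the guessing finally hit."""
    server = FakeExchange(policy)
    server.start()
    return (check_relay("127.0.0.1", server.port),
            check_relay("127.0.0.1", server.port, "jsmith", "wrong"),
            check_relay("127.0.0.1", server.port, "jsmith", "Summer2012!"))


if __name__ == "__main__":
    print("authenticated relay ON :", demo(WEAK))   # last probe relays: (True, 250)
    print("authenticated relay OFF:", demo(HARD))   # last probe refused: (True, 550)
```

Run the probe from outside your network against port 25; a 250 to the RCPT TO for an external address is the open-relay signal, whichever setting produced it. Note that turning the checkbox off does nothing about the password guessing itself, which still shows up in the Security log; it only removes the payoff.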
22nd June 2012, 11:10 AM   #8
rainwulf

Quote:
Originally Posted by scrantic
    Unless you truly need "Allow all computers which successfully authenticate to relay, regardless of the list above", turn it off. RPC over HTTP doesn't use it, so unless you have some internal software/MFD printers configured to use this method, or something strange set up, you shouldn't need it.

    Also look at getting an external spam filtering service like http://mailguard.com.au/. Then you don't need to deal with these kinds of situations. Lock your server down to receive email only from their IPs and you're sweet.

This is pretty well the best answer.
Have your external firewall block any incoming email traffic from anyone other than your smart host.

The only other thing I can suggest is to have all external email users connect via VPN; that will stop the account password spamming.