Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised.
 
Strangely, the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed, as they seem to have a huge range of Class A and B addresses available to them, and I was really chasing my tail trying to block them at that level.
 
So now I have a new password generator and will start training the mind to work with 12 or more character passwords.
 
Hope this is of assistance to others.
 
Geoff Williams
 
-----Original Message-----
From: Geoff Williams
Sent: Monday, 27 October 2003 11:01 PM
To: nznog@list.waikato.ac.nz
Subject: [nznog] New and unacknowledged Exchange / Win2k SMTP vulnerability?

Hi All
 
I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks.
 
I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue.
 
I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control...
 
So if anyone has made any progress I would really appreciate you sharing your experience.
 
Thanks
______________
Geoffrey Williams
KAT International
T: 02 9904 3137
F: 02 9904 0232
M: 0417 281 905
 

