Further to my earlier post, Neil G has pointed me correctly to an SMTP AUTH attack. I have used the logs of the ORF tool to pinpoint which accounts have been compromised.

Strangely the spammers are trying to work out why, even if they authenticate, they can't relay, so there is a lot of traffic to watch and learn from. A large number of their connections are being blocked by the IP blacklists I have selected. I had originally blocked 2 Class A IP ranges at our router after watching the traffic and finding that they were allocated to a provider in China. But I am not 100% sure that IP addresses are not being spoofed as they seem to have a huge range of Class A and B addresses available to them and I was really chasing my tail trying to block them at that level.

So now I have a new password generator and will start training the mind to work with 12 or more character passwords.

Hope this is of assistance to others.

Geoff Williams
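The log review described above, pinpointing which accounts an SMTP AUTH attacker is using, can be scripted. The following is an added example, not part of the thread or of the ORF product: it assumes a hypothetical one-line-per-event log format (timestamp, AUTH result, user, client IP) and constructed sample lines, and flags accounts that authenticate successfully from an unusual number of distinct client IPs as well as client IPs that fail AUTH against many different accounts.

```python
import re
from collections import defaultdict

# Hypothetical log format (assumed for this example; real ORF/Exchange logs differ):
#   "<date> <time> AUTH <OK|FAIL> user=<account> ip=<client ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AUTH (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample lines: one mailbox used from four unrelated addresses in a
# minute, one address guessing several accounts, and one normal user.
SAMPLE_LOG = """\
2006-03-01 02:11:05 AUTH OK user=jsmith ip=203.0.113.10
2006-03-01 02:11:09 AUTH OK user=jsmith ip=198.51.100.7
2006-03-01 02:11:14 AUTH OK user=jsmith ip=203.0.113.99
2006-03-01 02:11:20 AUTH OK user=jsmith ip=198.51.100.200
2006-03-01 02:12:01 AUTH FAIL user=systemmailbox ip=198.51.100.7
2006-03-01 02:12:03 AUTH FAIL user=admin ip=198.51.100.7
2006-03-01 02:12:05 AUTH FAIL user=sales ip=198.51.100.7
2006-03-01 08:30:00 AUTH OK user=mwong ip=192.0.2.15
2006-03-01 09:02:12 AUTH OK user=mwong ip=192.0.2.15
"""

def parse(log_text):
    """Yield one dict per line that matches LINE_RE; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_accounts(log_text, max_ips=2):
    """Accounts with successful AUTH from more than max_ips distinct client IPs.
    A mailbox driven from many unrelated addresses is the usual sign that its
    password is being used by someone other than its owner."""
    ips_by_user = defaultdict(set)
    for rec in parse(log_text):
        if rec["result"] == "OK":
            ips_by_user[rec["user"]].add(rec["ip"])
    return {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > max_ips}

def spraying_ips(log_text, min_users=3):
    """Client IPs that failed AUTH against at least min_users distinct accounts,
    i.e. addresses still guessing passwords rather than already holding one."""
    users_by_ip = defaultdict(set)
    for rec in parse(log_text):
        if rec["result"] == "FAIL":
            users_by_ip[rec["ip"]].add(rec["user"])
    return {ip: sorted(us) for ip, us in users_by_ip.items() if len(us) >= min_users}

if __name__ == "__main__":
    print("accounts to reset:", suspicious_accounts(SAMPLE_LOG))
    print("addresses guessing passwords:", spraying_ips(SAMPLE_LOG))
```

Accounts returned by the first function are the ones whose passwords need resetting; the thresholds are assumptions and should be tuned to how many locations your users normally send from.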
Hi All

I have exactly the same open-relay problem, including the sending servers and addresses, and have been struggling to diagnose for a few weeks.

I had a hunch that the hack may involve the SystemMailbox account (which of course is disabled), but this was based on checking security logs and seeing who was logged in at the same time as the spam was dumped into the queue.

I have got around it for the moment (I hope) by loading the ORF relay and spam tool but I would really like to know how this hack is being perpetrated as I have a whole stack of other Exchange servers to look after and I really don't want this to get out of control...

So if anyone has made any progress I would really appreciate you sharing your experience.
Thanks
______________
Geoffrey Williams
KAT International
T: 02 9904 3137
F: 02 9904 0232
M: 0417 281 905
This email is confidential and intended for the recipient only. If you have
received it in error please delete it immediately.