Exchange 2003 and Authenticated User Relay Spam
Exchange 2003 is a good target for spammers since it is still widely used and has a history of installations with less than ideal security.
In addition to the typical email-server-turned-spam-server scenarios (open relay, unpatched security holes, NDR backscatter), authenticated relay is next on the list. This happens when a user's credentials are stolen from his or her computer or phone and sent back “home” (to a bot, a person, wherever), after which the spammer simply logs in to your server as that user and relays through it like any legitimate client would.
What happens next? A bunch of drone “authenticated users” start sending spam. You may only find out after your ISP sends you an email, or after your users complain that their email isn't getting through because your server has been placed on a spam blacklist.
The gibberish “users” shown in the events below are client computer names, not the name of the authenticated user, and were taken from an actual compromised email server.
Enabling Diagnostic Logging
Exchange 2003 and Windows do not log authenticated SMTP sessions by default. To see which user account has been compromised, you need to raise the diagnostic logging level on the Exchange transport service.
- Open the “Exchange System Manager“.
- Expand the “Servers” folder.
- Right-click on the server name and select “Properties“.
- Go to the “Diagnostic Logging” tab and under Services select “MSExchange Transport“.
- Under Categories select “Authentication” and set the logging level to “Maximum”. Click OK.
- Restart the MS Exchange Transport service.
Checking Logs for Authenticated Users
- Open the Windows Event Viewer (in Administrative Tools).
- Select the Application log.
- Look for Event ID 1708 from the source “MSExchangeTransport” (category “Authentication”). This is the MS Exchange Transport/SMTP Authentication event.
- In each event's properties you'll notice that both the client (computer name) and the username used are logged. In the case of the ‘gibberish’ names mentioned above, you'll see something along the lines of: SMTP Authentication was performed successfully with the client “gtsrzam”. The authentication method was “LOGIN” and the username was “domain\Username”. Note that the client name is whatever the connecting machine chose to present, so a legitimate user logging on from a string of random-looking “computers” is itself a strong sign the account is being used by a bot.
- Once you know the username being used to send out spam, change that user's password immediately, then check the SMTP queues in Exchange System Manager and purge any spam still waiting to be delivered.
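Reading thousands of 1708 events one at a time in Event Viewer is slow, and a compromised account is easier to spot when the logons are summarised per user. The PowerShell below is an added example, not part of the original post: it parses the text of Event ID 1708, groups the logons by username, and flags any account that authenticated from many distinct client names or unusually often. The thresholds, the function names and the sample events at the bottom are assumptions and constructed data, not real log output; the regular expression accepts both “with client” and “with the client” wording since the exact phrasing varies between builds. It avoids PowerShell 3.0-only syntax so it also runs on the PowerShell 2.0 that can be installed on Windows Server 2003.

```powershell
# Added example, not from the original post. Summarises Exchange 2003 Event ID 1708
# (MSExchangeTransport, "SMTP Authentication was performed successfully ...") per
# username so that an account relaying spam from many bot "computers" stands out.
# Thresholds are assumptions; tune them for your own environment.

function ConvertFrom-SmtpAuthEvent {
    # Turn the text of one 1708 event into an object with Client, Method and User.
    # The "client" is the name the connecting machine presented, so it is attacker-controlled.
    param(
        [Parameter(Mandatory = $true)] [string]$Message,
        [datetime]$TimeGenerated = (Get-Date)
    )
    $pattern = 'with (?:the )?client "(?<client>[^"]+)"\.\s*The authentication method was "(?<method>[^"]+)" and the username was "(?<user>[^"]+)"'
    if ($Message -match $pattern) {
        New-Object PSObject -Property @{
            Time   = $TimeGenerated
            Client = $Matches['client']
            Method = $Matches['method']
            User   = $Matches['user']
        }
    }
}

function Get-SuspiciousSmtpAuth {
    # Group parsed logons per user; flag accounts seen from too many distinct client
    # names or with too many logons in the examined window.
    param(
        [Parameter(Mandatory = $true)] [object[]]$Logons,
        [int]$MaxDistinctClients = 3,   # assumption: a real user has one or two devices
        [int]$MaxLogons = 50            # assumption: per-user logons in the window
    )
    $Logons | Group-Object -Property User | ForEach-Object {
        $clients = @($_.Group | Select-Object -ExpandProperty Client -Unique)
        New-Object PSObject -Property @{
            User            = $_.Name
            Logons          = $_.Count
            DistinctClients = $clients.Count
            Clients         = ($clients -join ', ')
            Suspicious      = ($clients.Count -ge $MaxDistinctClients) -or ($_.Count -ge $MaxLogons)
        }
    } | Sort-Object -Property Logons -Descending |
        Select-Object User, Logons, DistinctClients, Suspicious, Clients
}

# --- Live use on the Exchange server: 1708 events from the last 24 hours ---
# $events = Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddDays(-1) |
#           Where-Object { $_.EventID -eq 1708 }
# $logons = $events | ForEach-Object {
#               ConvertFrom-SmtpAuthEvent -Message $_.Message -TimeGenerated $_.TimeGenerated }
# Get-SuspiciousSmtpAuth -Logons $logons | Format-Table -AutoSize

# --- Offline demonstration with constructed sample messages (not real log data) ---
$sample = @(
    'SMTP Authentication was performed successfully with client "ALICE-PC". The authentication method was "LOGIN" and the username was "CORP\alice".',
    'SMTP Authentication was performed successfully with client "ALICE-PC". The authentication method was "LOGIN" and the username was "CORP\alice".',
    'SMTP Authentication was performed successfully with client "ALICE-PC". The authentication method was "NTLM" and the username was "CORP\alice".',
    'SMTP Authentication was performed successfully with the client "gtsrzam". The authentication method was "LOGIN" and the username was "CORP\bob".',
    'SMTP Authentication was performed successfully with the client "qwlkjdx". The authentication method was "LOGIN" and the username was "CORP\bob".',
    'SMTP Authentication was performed successfully with the client "zzx9akp". The authentication method was "LOGIN" and the username was "CORP\bob".',
    'SMTP Authentication was performed successfully with the client "hhtrqvm". The authentication method was "LOGIN" and the username was "CORP\bob".'
)
$logons = $sample | ForEach-Object { ConvertFrom-SmtpAuthEvent -Message $_ }
Get-SuspiciousSmtpAuth -Logons $logons | Format-Table -AutoSize
```

With the constructed sample, CORP\bob is reported as suspicious (four logons from four different client names) while CORP\alice is not. On a real server run the commented-out live block instead; raising the MSExchange Transport Authentication category to Maximum first is required, otherwise there are no 1708 events to read.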
How to Prevent Compromised User Attacks in the Future
- Change your password policy by introducing complexity and password age requirements. This is useful if the credentials were compromised because of weak passwords (guessed or brute-forced); it does little against a keylogger, which captures the strong password just as easily. See the following post for instructions: http://www.iishacks.com/2007/09/24/windows-server-2003-password-policy-changes/ (for Windows Server 2003, but similar steps for 2008/2012).
- Enable outgoing spam detection on your server. If you use a spam filter on your server (and you should), many have the ability to filter outgoing email and to notify you when your server starts sending out spam-like content.
- Disable relaying for authenticated users and instead white-list the IP addresses that are allowed to send. I would only recommend this if you only send email from within your organization's network. If you have users outside the network with non-VPN phones, tablets and computers sending email, white-listing will not be practical.
- Ensure your internal and external computers, phones and tablets are protected from viruses and malware. Chances are the credentials were compromised by a piece of malware on the user’s work computer or personal device. When purchasing site licenses for anti-virus software, many vendors will include free home licenses for users…take advantage of that and make sure your employees know about it.