ShortCut Posted July 17, 2012 (edited)

Since my main focus has always been hardware hacks and OS's, this problem is a little outside my realm. Two days ago my boss complained that he had 1400 returned emails in his inbox. It seems that our email server may have been breached and somebody used it to send thousands of Chinese spam emails. Now our company has been put on the email blacklist and we are fighting to get this runaway train to stop. The morning we discovered the issue, we immediately killed the sales@sybatech.com email address in Microsoft Exchange. Any ideas?

Here's one of the headers (I also attached a saved copy of the email):

Received: from mail.sybatech.com (unknown [173.165.112.213]) by mx16 (Coremail) with SMTP id QsCowECJHVc7AgRQjXUuBg--.993S2; Mon, 16 Jul 2012 19:59:56 +0800 (CST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by mail.sybatech.com (Postfix) with ESMTP id 994A82A8100; Mon, 16 Jul 2012 06:59:52 -0500 (CDT)
Received: from mail.sybatech.com ([127.0.0.1]) by localhost (emailserver [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 07050-01-5; Mon, 16 Jul 2012 06:59:33 -0500 (CDT)
Received: from hvwkns (unknown [42.49.128.155]) by mail.sybatech.com (Postfix) with ESMTP id 0C08C2A80FD; Mon, 16 Jul 2012 06:59:22 -0500 (CDT)
Message-ID: <20120716200750226845@sybatech.com>
From: =?utf-8?B?5r2Y5a6B5aiF?= <sales@sybatech.com>
To: <gusuhang@163.com>
Subject: =?utf-8?B?5pyJ5pWI6LCDeuWyl+iwg3XolqrlkozkvIFx5Lia5bi46KeB5YqzZuWKqOS6iWrorq4=?= =?utf-8?B?5aSE55CG5a+5c+etlu+8gQ==?=
Date: Mon, 16 Jul 2012 20:07:45 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0E37_01A48561.19A8AAF0"
X-mailer: Thfifmdkl 2
X-Virus-Scanned: by ClamAV 0.83
X-CM-TRANSID: QsCowECJHVc7AgRQjXUuBg--.993S2
X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73 VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUVk9NUUUUU

Edited July 17, 2012 by Shortcut
digip Posted July 17, 2012 (edited)

First off, 42.49.128.155 is the Chinese address.

IP Information for 42.49.128.155
IP Location: China Changsha China Unicom Hunan Province Network
ASN: AS4837
IP Address: 42.49.128.155
42.0.0.0/8

Block their subnet for starters so they can't reach you, but I doubt that will stop the attacks; they could just come back via proxy or even a backdoor if they rooted any of the servers. If they already got in to send the emails, most likely a breach somewhere has taken place, and a full investigation of your entire network needs to be done. Possibly even a full-blown penetration test. If mail.sybatech.com is your real system, make sure no one can abuse sendmail as well. Most attacks are done like this because no one bothers to lock down sendmail. I know you mentioned using Exchange, but if it's open on the web side, people could be abusing it with automated spam bots. If this is also your site: 173.165.112.213, look into Sugar CRM. I think there's some vulns for it; they could have pivoted off it to the inner network.

Edited July 17, 2012 by digip
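The trace digip did by hand can be automated: walk the Received: chain of the header in the original post from the earliest hop upward and report the first host with a globally routable address, which is the client that actually handed the message to mail.sybatech.com. This is an added example, not code from the thread; the Received: lines are copied from the post above, and the labels returned by classify() are my own names for the two outcomes that matter here (our server accepted mail from an outside client, versus our hostname merely forged elsewhere).

```python
import re
from ipaddress import ip_address

# Constructed from the Received: lines quoted in the original post, in header
# order: the top line is the latest hop, the bottom line the earliest.
RECEIVED = [
    "from mail.sybatech.com (unknown [173.165.112.213]) by mx16 (Coremail) with SMTP id QsCowECJHVc7AgRQjXUuBg--.993S2; Mon, 16 Jul 2012 19:59:56 +0800 (CST)",
    "from localhost (localhost.localdomain [127.0.0.1]) by mail.sybatech.com (Postfix) with ESMTP id 994A82A8100; Mon, 16 Jul 2012 06:59:52 -0500 (CDT)",
    "from mail.sybatech.com ([127.0.0.1]) by localhost (emailserver [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 07050-01-5; Mon, 16 Jul 2012 06:59:33 -0500 (CDT)",
    "from hvwkns (unknown [42.49.128.155]) by mail.sybatech.com (Postfix) with ESMTP id 0C08C2A80FD; Mon, 16 Jul 2012 06:59:22 -0500 (CDT)",
]

# One hop: "from <helo> (<rdns> [<ip>]) by <host> ...".  Postfix writes "unknown"
# when reverse DNS fails and omits the name entirely for loopback (see hop 3).
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\[\]]*?)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


def parse_hop(line):
    """Return {'helo', 'rdns', 'ip', 'by'} for one Received: line, or None if unparsable."""
    m = HOP_RE.search(line)
    if not m:
        return None
    hop = m.groupdict()
    hop["rdns"] = hop["rdns"] or None   # "" means no name was logged
    return hop


def origin_hop(received):
    """First hop, counting from the earliest, whose client IP is globally routable.
    Loopback/private hops are internal handoffs (amavisd content filter here), so
    skipping them leaves the host that really submitted the message."""
    for line in reversed(received):      # bottom of the header is the earliest hop
        hop = parse_hop(line)
        if hop and ip_address(hop["ip"]).is_global:
            return hop
    return None


def classify(received, own_domain):
    """Was the origin an outside client that one of our own servers accepted?
    If so, the server relayed for it (open relay, or abused/stolen credentials).
    If the origin was accepted by someone else's server, our name was only forged."""
    hop = origin_hop(received)
    if hop is None:
        return "undetermined", None
    if hop["by"].endswith(own_domain):
        return "accepted-from-external-client", hop["ip"]
    return "origin-outside-our-servers", hop["ip"]


if __name__ == "__main__":
    print(classify(RECEIVED, "sybatech.com"))
```

For the header above this reports that mail.sybatech.com itself accepted the message from 42.49.128.155, which is the case digip describes and why the server, not just the sending address, needs to be examined.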
Infiltrator Posted July 18, 2012

There's a possibility your mail server could be infected. I'd also look into enabling SPF on your mail server to prevent further spamming. http://en.wikipedia.org/wiki/Sender_Policy_Framework
Mr-Protocol Posted July 18, 2012

This may be an overlooked thing, but make sure open relay is disabled on your mail server.
Infiltrator Posted July 18, 2012 (edited)

> This may be an overlooked thing, but make sure open relay is disabled on your mail server.

Good point, but if the mail server has indeed been compromised, the attackers could have enabled "open relay".

Edited July 18, 2012 by Infiltrator
ShortCut Posted July 18, 2012 (Author)

Appreciate all the input and thoughts. I understand the basics of networking, but right now I'm in the middle of mastering (if anyone actually can) SQL Server and have little time for much else.

Spitz