Company Email Hijacked

[ShortCut]

Since my main focus has always been hardware hacks and OS's this problem is a little outside my realm. Two days ago my boss complained that he had 1400 returned emails in his inbox. It seems that our email server may have been breached and somebody used it to send thousands of Chinese spam emails. Now our company has been put on the email blacklist and we are fighting to get this runaway train to stop.

The morning we discovered the issue, we immediately killed the sales@sybatech.com email address in Microsoft Exchange.

Any ideas?

Here's one of the headers (I also attached a saved copy of the email):

Received: from mail.sybatech.com (unknown [173.165.112.213])

by mx16 (Coremail) with SMTP id QsCowECJHVc7AgRQjXUuBg--.993S2;

Mon, 16 Jul 2012 19:59:56 +0800 (CST)

Received: from localhost (localhost.localdomain [127.0.0.1])

by mail.sybatech.com (Postfix) with ESMTP

id 994A82A8100; Mon, 16 Jul 2012 06:59:52 -0500 (CDT)

Received: from mail.sybatech.com ([127.0.0.1])

by localhost (emailserver [127.0.0.1]) (amavisd-new, port 10024) with LMTP

id 07050-01-5; Mon, 16 Jul 2012 06:59:33 -0500 (CDT)

Received: from hvwkns (unknown [42.49.128.155])

by mail.sybatech.com (Postfix) with ESMTP

id 0C08C2A80FD; Mon, 16 Jul 2012 06:59:22 -0500 (CDT)

Message-ID: <20120716200750226845@sybatech.com>

From: =?utf-8?B?5r2Y5a6B5aiF?= <sales@sybatech.com>

To: <gusuhang@163.com>

Subject: =?utf-8?B?5pyJ5pWI6LCDeuWyl+iwg3XolqrlkozkvIFx5Lia5bi46KeB5YqzZuWKqOS6iWrorq4=?=

=?utf-8?B?5aSE55CG5a+5c+etlu+8gQ==?=

Date: Mon, 16 Jul 2012 20:07:45 +0800

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0E37_01A48561.19A8AAF0"

X-mailer: Thfifmdkl 2

X-Virus-Scanned: by ClamAV 0.83

X-CM-TRANSID: QsCowECJHVc7AgRQjXUuBg--.993S2

X-Coremail-Antispam: 1Uf129KBjDUn29KB7ZKAUJUUUUU529EdanIXcx71UUUUU7v73

VFW2AGmfu7bjvjm3AaLaJ3UbIYCTnIWIevJa73UjIFyTuYvjxUVk9NUUUUU

Edited July 17, 2012 by Shortcut

[digip]

First off 42.49.128.155 is the chinese address.

IP Information for 42.49.128.155 IP Location: China Changsha China Unicom Hunan Province Network

ASN: AS4837

IP Address: 42.49.128.155

42.0.0.0/8

Block their subnet for starters so they can't reach you, but doubt that will stop the attacks, they could just come back via proxy or even backdoor if they rooted any of the servers. If they already got in to send the emails,most likely a breach somewhere has taken place, and full investigation of your entire network needs to be done. Possibly even a full blown penetration test.

If mail.sybatech.com is your real system, make sure no one can abuse sendmail as well. Most attacks are done like this becuase no one bothers to lock down sendmail. I know you mentioned using Exchange, but if its open on the web side, people could be abusing it with automated spam bots.

If this is also your site: 173.165.112.213 look into Sugar CRM. I think theres some vulns for it, they could have pivoted off it to the inner network.

Edited July 17, 2012 by digip

[Infiltrator]

There's a possibility your mail server could be infected, I'd also look into enabling SPF in your mail server to prevent further spamming.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

[Mr-Protocol]

This may be an overlooked thing. But make sure open-relay is disabled on your mail server.

[Infiltrator]

This may be an overlooked thing. But make sure open-relay is disabled on your mail server.

Good point, but if the mail server has indeed been compromised, the attackers could have enabled "open relay".

Edited July 18, 2012 by Infiltrator

[ShortCut]

Appreciate all the input and thoughts. I understand the basics of networking, but right now I'm in the middle of mastering (if anyone actually can) SQL Server and have little time for much else.

Spitz