# Solved: Problems with backscatter



## srhoades (May 15, 2003)

I have a client that is all of a sudden getting deluged with outgoing [email protected] NDR emails. I have verified the server is not an open relay. I have GFI MailEssentials installed, but it is processing the emails as legitimate. I thought one of the machines might be infected; however, I checked them all, and I am almost 100% sure they turn off their machines at the end of the day and the emails continue. Oddly enough, if I stop SMTP, delete the queue, and then start SMTP, the emails will stop, sometimes for as long as 12 hours. At this point I don't know what to do.


----------



## Rockn (Jul 29, 2001)

Are the emails originating from the clients server and is there a postmaster account?


----------



## srhoades (May 15, 2003)

I don't believe the emails are originating from the client's server. The header says:

```
Received: from User ([INSERT NOT CLIENTS IP]) by CLIENTSDOMAIN.com with Microsoft SMTPSVC(6.0.3790.4675);
```

It also shows a message ID of

```
[email protected]
```

And User is the actual text, and no, there is no user named User on the domain.

And there is no actual postmaster account, besides the built-in alias.

On second inspection, GFI is showing the actual SPAM going outbound from where the NDRs are coming from. There were in fact 2 users logged on last night. I checked both of their computers for malware, again, changed both of their passwords (I know one had a very weak password) and shut down their machines. For now the emails have stopped.

The server was also a bit behind in updates so perhaps it was an exploit.


----------
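The header quoted above is the key piece of evidence: a Received line added by the client's own server that names an outside IP as the host that submitted the message. The following Python is an added example, not code from the thread, that does the same triage over a dump of queued messages: it separates bounces (multipart/report, or From: postmaster) from the spam originals, parses each Received hop, and counts the external IPs that submitted directly to the server. The sample messages, the server name mail.example.test and the 192.168.10.0/24 internal range are constructed assumptions.

```python
import email
import ipaddress
import re
from collections import Counter

# Assumptions for this example: the client's own SMTP host name and LAN range.
OWN_HOST = "mail.example.test"
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# "from <helo> ([ip]) by <host>" as written by Microsoft SMTPSVC (IPv4 only here).
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample messages: a spam original submitted from outside, a normal
# message from a LAN workstation, and the bounce generated for the spam.
SAMPLE_SPAM = """Received: from User ([203.0.113.45]) by mail.example.test with Microsoft SMTPSVC(6.0.3790.4675);
\t Mon, 1 Jan 2024 03:12:45 -0500
From: "Promo" <promo@bogus.example.test>
To: victim@example.net
Subject: Buy now
X-Mailer: Microsoft Outlook Express 6.00.2900.5512

hello
"""
SAMPLE_LEGIT = """Received: from WS-ACCT01 ([192.168.10.23]) by mail.example.test with Microsoft SMTPSVC(6.0.3790.4675);
\t Mon, 1 Jan 2024 09:02:11 -0500
From: jsmith@mail.example.test
To: partner@example.org
Subject: Invoice

attached
"""
SAMPLE_NDR = """From: postmaster@mail.example.test
To: promo@bogus.example.test
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"
MIME-Version: 1.0

--b1
Content-Type: text/plain

Your message did not reach some or all of the intended recipients.
--b1--
"""


def parse_received(value):
    """Return (helo, ip, by) from one Received: header value, or None if it does not match."""
    m = RECEIVED_RE.search(value)
    return (m.group("helo"), m.group("ip"), m.group("by")) if m else None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_ndr(msg):
    """Bounces are delivery-status reports or come from the postmaster alias."""
    if msg.get_content_type() == "multipart/report":
        return True
    return "postmaster@" in (msg.get("From") or "").lower()


def triage(raw_messages):
    """Count bounces vs originals and tally external hosts that submitted originals to OWN_HOST."""
    result = {"ndr": 0, "original": 0, "external_sources": Counter(), "helo_names": Counter()}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        if is_ndr(msg):
            result["ndr"] += 1
            continue
        result["original"] += 1
        # Only the hop recorded by our own server tells us who handed it the message.
        for value in msg.get_all("Received", []):
            hop = parse_received(value)
            if hop is None:
                continue
            helo, ip, by = hop
            if OWN_HOST in by.lower() and not is_internal(ip):
                result["external_sources"][ip] += 1
                result["helo_names"][helo] += 1
    return result


if __name__ == "__main__":
    print(triage([SAMPLE_SPAM, SAMPLE_LEGIT, SAMPLE_NDR]))
```

A non-LAN IP in the hop written by your own server, combined with a generic HELO name such as "User", means the message entered through your server's front door rather than being forged elsewhere, so the next question is how that client was allowed to submit (relay permissions or an authenticated account), which is exactly where the thread ends up.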



## Rockn (Jul 29, 2001)

Someone is just spoofing a non-existent user on that domain. You can block that address in Exchange without generating an NDR; it will just drop the email.


----------



## srhoades (May 15, 2003)

How are they able to do that without Exchange credentials? The SPAM messages are showing up in the outgoing queue, followed by the NDRs.


----------



## Rockn (Jul 29, 2001)

I thought they were originating from outside of the domain? Apparently someone is either relaying or you have a trojan on the loose somewhere.


----------



## srhoades (May 15, 2003)

I thought they were at first as well, because all I saw was thousands of postmaster NDRs in the queue, but mixed among them are the actual outgoing SPAM messages themselves.


----------



## srhoades (May 15, 2003)

And if it is a trojan it is hiding very well. I've scanned with both Malwarebytes and ComboFix.


----------



## Rockn (Jul 29, 2001)

I would think the server has the trojan. Are these messages actually routing through GFI before the Exchange server gets them?


----------



## srhoades (May 15, 2003)

I believe so, but am not 100% sure.


----------



## srhoades (May 15, 2003)

I don't think it is the server, just because the emails are not constant. Since I shut down the two computers that were left on, the emails have stopped. The SPAM messages claim they are being created in Outlook Express. One of the computers I shut down had an old Outlook Express account configured for POP access to the server, but that is old, as it is no longer configured for POP. That computer is also extremely behind on Windows updates, as in it only has SP2, but I still don't find anything when scanning it for trojans.


----------



## srhoades (May 15, 2003)

I'm also wondering if someone had cracked one of the weak passwords and was somehow using OWA to send the SPAM through.


----------



## Rockn (Jul 29, 2001)

Scanning with malware scanners generally will not catch a trojan or an SMTP server running on the workstation. You could probably run something like Wireshark on the server to see where exactly they are coming from, but I think you have already sorted out where they are coming from.


----------



## srhoades (May 15, 2003)

I use Malwarebytes all the time to find trojans. What would you recommend?

I have managed to turn on those two workstations that were on previously and there has been no more mail. I am doubtful it was an actual infection but the one user had a very weak 4 digit password that started with 1 so I am thinking her credentials were being used to send mail through the server.


----------



## Rockn (Jul 29, 2001)

A good piece of anti-virus software would be a start. I have always had poor results with Malwarebytes for getting rid of anything, and usually it is a band-aid fix that only lasts a short time. It would have to be some kind of infection if that user's OE is sending emails without his/her intervention. I would still turn them on and monitor what is coming in to the Exchange server with Netmon or Wireshark.


----------



## srhoades (May 15, 2003)

The machines have been on for several hours now. I have Wireshark on the server, and if the emails come back I will go from there. Both machines have Microsoft Security Essentials and it finds nothing with a basic scan.


----------



## srhoades (May 15, 2003)

I'll mark this solved for now. Thanks for your help.


----------



## srhoades (May 15, 2003)

The problem has returned. I have attached a GFI screenshot and a Wireshark screenshot. The emails are somehow being authenticated through the server.


----------



## srhoades (May 15, 2003)

I have checked again and it is not an open relay and every workstation is off, so it is definitely coming from the outside.


----------



## srhoades (May 15, 2003)

Further follow-up. Poring through the Wireshark logs, I am seeing auth logins. Does that still mean there is a compromised password?


----------



## Rockn (Jul 29, 2001)

Where is that 82.128.46.11 address coming from? Is that one of your addresses?


----------



## srhoades (May 15, 2003)

No, it is not one of our IPs. I made everyone change their passwords, disabled old user accounts, and checked for rogue accounts. They have stopped again for now. The Wireshark capture shows an authenticating login, so someone's weak password must have been cracked.


----------
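The "auth logins" spotted in the capture in the last few posts are the thing to pivot on: with AUTH LOGIN over plain SMTP, the account name travels as base64 in the clear, so the capture itself tells you which mailbox the outside host is using. The following Python is an added example, not code from the thread: it parses SMTP dialogues in the C:/S: layout of Wireshark's Follow TCP Stream view, decodes the username token of each AUTH LOGIN exchange, records whether the server answered 235 (accepted) or 535 (rejected), and lists accounts that logged in successfully from outside the site's address ranges. The sessions, account names, IP addresses and the 192.168.10.0/24 internal range are all constructed for the example.

```python
import base64
import ipaddress
from collections import defaultdict

# Assumed address range for the client's own site (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24")]

# Constructed SMTP dialogues, one (client IP, stream) pair each, in the C:/S:
# shape of Wireshark's "Follow TCP Stream" view. None of these are real captures.
SESSIONS = [
    ("203.0.113.45", """\
C: EHLO User
S: 250-mail.example.test Hello [203.0.113.45]
S: 250 AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: amRvZQ==
S: 334 UGFzc3dvcmQ6
C: MTIzNA==
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<promo@bogus.example.test>
S: 250 2.1.0 Sender OK
C: RCPT TO:<victim1@example.net>
S: 250 2.1.5 Recipient OK
C: RCPT TO:<victim2@example.net>
S: 250 2.1.5 Recipient OK
C: QUIT
S: 221 Bye"""),
    ("192.168.10.23", """\
C: EHLO WS-ACCT01
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: anNtaXRo
S: 334 UGFzc3dvcmQ6
C: c2VjcmV0
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<jsmith@mail.example.test>
C: RCPT TO:<partner@example.org>
C: QUIT"""),
    ("198.51.100.7", """\
C: EHLO User
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YnNtaXRo
S: 334 UGFzc3dvcmQ6
C: d3Jvbmc=
S: 535 5.7.3 Authentication unsuccessful
C: QUIT"""),
]


def decode_b64(token):
    """Decode one base64 SASL token; keep the raw token if it is malformed."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return token


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_session(client_ip, transcript):
    """Extract the AUTH LOGIN account, the server's verdict and the recipient count from one stream."""
    account, outcome, recipients = None, "none", 0
    pending = 0  # client lines of the AUTH LOGIN exchange still to come
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            if text.upper() == "AUTH LOGIN":
                pending = 2  # username token, then password token
            elif pending == 2:
                account = decode_b64(text.strip())
                pending = 1
            elif pending == 1:
                pending = 0  # password token: deliberately neither decoded nor stored
            elif text.upper().startswith("RCPT TO:"):
                recipients += 1
        elif side == "S" and pending == 0 and account is not None and outcome == "none":
            if text.startswith("235"):
                outcome = "success"
            elif text.startswith("535"):
                outcome = "failure"
    return {"ip": client_ip, "account": account, "outcome": outcome, "recipients": recipients}


def summarize(sessions):
    """Per account: login outcomes, the external IPs that used it, and how many recipients they addressed."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "external_ips": set(), "recipients": 0})
    for ip, transcript in sessions:
        s = parse_session(ip, transcript)
        if s["account"] is None:
            continue
        entry = summary[s["account"]]
        if s["outcome"] in ("success", "failure"):
            entry[s["outcome"]] += 1
        if s["outcome"] == "success" and is_external(ip):
            entry["external_ips"].add(ip)
            entry["recipients"] += s["recipients"]
    return dict(summary)


def flag_accounts(summary):
    """Accounts that authenticated successfully from outside the site: review these first."""
    return sorted(acct for acct, e in summary.items() if e["external_ips"])


if __name__ == "__main__":
    summary = summarize(SESSIONS)
    for acct, e in summary.items():
        print(acct, e)
    print("review:", flag_accounts(summary))
```

The flagged list is a review queue rather than a verdict, because staff who legitimately send from home or a phone also authenticate from outside addresses; what separates the abused account is the volume of recipients and a generic HELO such as "User". The password token is skipped on purpose, but the fact that it is readable at all in the capture is a finding in itself: submission should require TLS so that a sniffed session does not hand over the credential along with the evidence.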

