RE: Quick Event Question

2009-07-30 Thread Glen Johnson
Here is what we have in our ASA.
Vh-fs4 is our spam gateway.

access-list Inside_access_in remark Allow SPAM gateway to send email out.
access-list Inside_access_in extended permit tcp host VH-FS4 any eq smtp
access-list Inside_access_in remark Block all but SPAM gateway from sending email out.
access-list Inside_access_in extended deny tcp any any eq smtp log
access-list Inside_access_in extended permit ip any any

This applies the above access list to the inside interface.

access-group Inside_access_in in interface Inside


-Original Message-
From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Wednesday, July 29, 2009 6:37 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

We have a cisco asa... Do you know the command?  I just don't want to screw up 
the firewall.  Thanks for your help...

-Original Message-
From: "Kurt Buff" 
To: "MS-Exchange Admin Issues" 
Sent: 7/29/09 5:54 PM
Subject: Re: Quick Event Question

Consider?

Uh, make that *demand* - egress filtering is one of your strongest
security allies.

Default deny, baby.

Kurt

On Wed, Jul 29, 2009 at 14:02, Stephan Barr wrote:
> Consider having your firewall allow SMTP outbound from your Exchange server
> only.
>
> On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:
>>
>> We are running Exchange 2003 on Windows Server 2003.  We are fully patched
>> etc.  We are starting to get a slow growing amount of outbound SPAM trying
>> to be sent out of our Exchange server and we are looking to stop it before
>> it gets ugly.
>>
>>
>>
>> We are a verified closed relay host, but I am noticing a weird event for a
>> specific user in the event log.
>>
>>
>>
>> It is EventId 1708 and the Source is MSExchange Transport
>>
>>
>>
>> The text is:
>>
>>
>>
>> SMTP Authentication was performed successfully with client "[127.0.0.1]".
>> The authentication method was "NTLM" and the username was "xxx"
>>
>> I didn't know if the 127.0.0.1 was an issue?  Never saw it before.
>>
>>
>>
>> Thanks!!!
>






Re: Quick Event Question

2009-07-29 Thread Kurt Buff
I haven't ever done Cisco firewalling, no. But, it's a matter of
allowing port 25 outbound for the Exchange server only. Shouldn't be
too hard.

On Wed, Jul 29, 2009 at 15:36, Chyka, Robert wrote:
> We have a cisco asa... Do you know the command?  I just don't want to screw 
> up the firewall.  Thanks for your help...
>
> -Original Message-
> From: "Kurt Buff" 
> To: "MS-Exchange Admin Issues" 
> Sent: 7/29/09 5:54 PM
> Subject: Re: Quick Event Question
>
> Consider?
>
> Uh, make that *demand* - egress filtering is one of your strongest
> security allies.
>
> Default deny, baby.
>
> Kurt
>
> On Wed, Jul 29, 2009 at 14:02, Stephan Barr 
> wrote:
>> Consider having your firewall allow SMTP outbound from your Exchange server
>> only.
>>
>> On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:
>>>
>>> We are running Exchange 2003 on Windows Server 2003.  We are fully patched
>>> etc.  We are starting to get a slow growing amount of outbound SPAM trying
>>> to be sent out of our Exchange server and we are looking to stop it before
>>> it gets ugly.
>>>
>>>
>>>
>>> We are a verified closed relay host, but I am noticing a weird event for a
>>> specific user in the event log.
>>>
>>>
>>>
>>> It is EventId 1708 and the Source is MSExchange Transport
>>>
>>>
>>>
>>> The text is:
>>>
>>>
>>>
>>> SMTP Authentication was performed successfully with client "[127.0.0.1]".
>>> The authentication method was "NTLM" and the username was "xxx"
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> I didn’t know if the 127.0.0.1 was an issue?  Never saw it before.
>>>
>>>
>>>
>>> Thanks!!!
>>
>
>
>
>
>




RE: Quick Event Question

2009-07-29 Thread Campbell, Rob
It may already be set.  If it isn't, setting it won't stop what you're seeing 
now, since they're trying to use your Exchange server as a relay.  You can test 
it by trying to do a manual smtp connect (telnet to port 25) to a mail server 
outside of your network from your workstation.

-Original Message-
From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Wednesday, July 29, 2009 5:37 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

We have a cisco asa... Do you know the command?  I just don't want to screw up 
the firewall.  Thanks for your help...

-Original Message-
From: "Kurt Buff" 
To: "MS-Exchange Admin Issues" 
Sent: 7/29/09 5:54 PM
Subject: Re: Quick Event Question

Consider?

Uh, make that *demand* - egress filtering is one of your strongest
security allies.

Default deny, baby.

Kurt

On Wed, Jul 29, 2009 at 14:02, Stephan Barr wrote:
> Consider having your firewall allow SMTP outbound from your Exchange server
> only.
>
> On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:
>>
>> We are running Exchange 2003 on Windows Server 2003.  We are fully patched
>> etc.  We are starting to get a slow growing amount of outbound SPAM trying
>> to be sent out of our Exchange server and we are looking to stop it before
>> it gets ugly.
>>
>>
>>
>> We are a verified closed relay host, but I am noticing a weird event for a
>> specific user in the event log.
>>
>>
>>
>> It is EventId 1708 and the Source is MSExchange Transport
>>
>>
>>
>> The text is:
>>
>>
>>
>> SMTP Authentication was performed successfully with client "[127.0.0.1]".
>> The authentication method was "NTLM" and the username was "xxx"
>>
>>
>>
>>
>>
>>
>>
>> I didn't know if the 127.0.0.1 was an issue?  Never saw it before.
>>
>>
>>
>> Thanks!!!
>





**
Note: 
The information contained in this message may be privileged and confidential 
and 
protected from disclosure.  If the reader of this message is not the intended  
recipient, or an employee or agent responsible for delivering this message to  
the intended recipient, you are hereby notified that any dissemination,   
distribution or copying of this communication is strictly prohibited. If you  
have received this communication in error, please notify us immediately by  
replying to the message and deleting it from your computer. 
**






RE: Quick Event Question

2009-07-29 Thread Chyka, Robert
We have a cisco asa... Do you know the command?  I just don't want to screw up 
the firewall.  Thanks for your help...

-Original Message-
From: "Kurt Buff" 
To: "MS-Exchange Admin Issues" 
Sent: 7/29/09 5:54 PM
Subject: Re: Quick Event Question

Consider?

Uh, make that *demand* - egress filtering is one of your strongest
security allies.

Default deny, baby.

Kurt

On Wed, Jul 29, 2009 at 14:02, Stephan Barr wrote:
> Consider having your firewall allow SMTP outbound from your Exchange server
> only.
>
> On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:
>>
>> We are running Exchange 2003 on Windows Server 2003.  We are fully patched
>> etc.  We are starting to get a slow growing amount of outbound SPAM trying
>> to be sent out of our Exchange server and we are looking to stop it before
>> it gets ugly.
>>
>>
>>
>> We are a verified closed relay host, but I am noticing a weird event for a
>> specific user in the event log.
>>
>>
>>
>> It is EventId 1708 and the Source is MSExchange Transport
>>
>>
>>
>> The text is:
>>
>>
>>
>> SMTP Authentication was performed successfully with client "[127.0.0.1]".
>> The authentication method was "NTLM" and the username was "xxx"
>>
>>
>>
>>
>>
>>
>>
>> I didn’t know if the 127.0.0.1 was an issue?  Never saw it before.
>>
>>
>>
>> Thanks!!!
>






Re: Quick Event Question

2009-07-29 Thread Kurt Buff
Consider?

Uh, make that *demand* - egress filtering is one of your strongest
security allies.

Default deny, baby.

Kurt

On Wed, Jul 29, 2009 at 14:02, Stephan Barr wrote:
> Consider having your firewall allow SMTP outbound from your Exchange server
> only.
>
> On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:
>>
>> We are running Exchange 2003 on Windows Server 2003.  We are fully patched
>> etc.  We are starting to get a slow growing amount of outbound SPAM trying
>> to be sent out of our Exchange server and we are looking to stop it before
>> it gets ugly.
>>
>>
>>
>> We are a verified closed relay host, but I am noticing a weird event for a
>> specific user in the event log.
>>
>>
>>
>> It is EventId 1708 and the Source is MSExchange Transport
>>
>>
>>
>> The text is:
>>
>>
>>
>> SMTP Authentication was performed successfully with client "[127.0.0.1]".
>> The authentication method was "NTLM" and the username was "xxx"
>>
>>
>>
>>
>>
>>
>>
>> I didn’t know if the 127.0.0.1 was an issue?  Never saw it before.
>>
>>
>>
>> Thanks!!!
>




Re: Quick Event Question

2009-07-29 Thread Stephan Barr
Consider having your firewall allow SMTP outbound from your Exchange server
only.

On Wed, Jul 29, 2009 at 10:56 AM, Chyka, Robert  wrote:

>  We are running Exchange 2003 on Windows Server 2003.  We are fully
> patched etc.  We are starting to get a slow growing amount of outbound SPAM
> trying to be sent out of our Exchange server and we are looking to stop it
> before it gets ugly.
>
>
>
> We are a verified closed relay host, but I am noticing a weird event for a
> specific user in the event log.
>
>
>
> It is EventId 1708 and the Source is MSExchange Transport
>
>
>
> The text is:
>
>
>
> SMTP Authentication was performed successfully with client "[127.0.0.1]".
> The authentication method was "NTLM" and the username was "xxx"
>
>
>
>
>
>
>
> I didn’t know if the 127.0.0.1 was an issue?  Never saw it before.
>
>
>
> Thanks!!!
>


RE: Quick Event Question

2009-07-29 Thread Campbell, Rob
Nope.  You'll probably have to correlate the 1708 events with the smtp events 
by timestamp.


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:33 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

Ok, under ExchangeTransport, I enabled SMTP logging and set it to maximum.  
Will the affected host show up with a 1708 EventId like the username showed up 
in?

Thanks again...


From: Andy Shook [mailto:andy.sh...@peak10.com]
Sent: Wednesday, July 29, 2009 1:26 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

+1.  My bet is that you have an internal machine that's been infected/pwned and 
it's spewing spam as fast as it can via an authentication to your internal 
Exchange server.

Shook

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, July 29, 2009 1:23 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

I'd turn on protocol logging.  I'm betting it's coming from another machine, 
and it's messing with you by reporting its hostname as being [127.0.0.1].


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:16 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

It is very strange that it is only for one particular user.  They are the only 
one authenticating in the event log.


From: Leedy, Andy [mailto:ale...@butlerahs.com]
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

Sounds like some process on your Exchange server is sending mail as 127.0.0.1 
is localhost.  That is, that machine. I would check the task manager to see what 
processes are running.


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

We are running Exchange 2003 on Windows Server 2003.  We are fully patched etc. 
 We are starting to get a slow growing amount of outbound SPAM trying to be 
sent out of our Exchange server and we are looking to stop it before it gets 
ugly.

We are a verified closed relay host, but I am noticing a weird event for a 
specific user in the event log.

It is EventId 1708 and the Source is MSExchange Transport

The text is:

SMTP Authentication was performed successfully with client "[127.0.0.1]".  The 
authentication method was "NTLM" and the username was "xxx"



I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

Thanks!!!

**

CONFIDENTIALITY NOTICE: The information transmitted in this message is intended 
only for the person or entity to which it is addressed and may contain 
confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of this information by persons or entities other 
than the intended recipient is prohibited. If you received this in error, 
please contact the sender and destroy all copies of this document. Thank you.

Butler Animal Health Supply

**



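The correlation Rob Campbell describes above, as an added example that is not part of the original thread: it matches each Event ID 1708 record to HELO/EHLO lines in the SMTP protocol log within a few seconds and reports the real peer address (c-ip) behind the claimed name. The log layout (W3C extended format, UTC times, the fields shown), the UTC offset and all sample data are assumptions constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Pulls the claimed client name, method and user out of the 1708 description.
EVENT_RE = re.compile(
    r'with client "(?P<client>[^"]*)"\.\s+The authentication method was '
    r'"(?P<method>[^"]*)" and the username was "(?P<user>[^"]*)"')

# Constructed sample: (event-log local time, Event ID 1708 description).
_TEXT = ('SMTP Authentication was performed successfully with client '
         '"[127.0.0.1]".  The authentication method was "NTLM" and the '
         'username was "xxx"')
EVENTS = [("2009-07-29 11:41:07", _TEXT),
          ("2009-07-29 11:52:30", _TEXT),
          ("2009-07-29 12:05:00", _TEXT)]

# Constructed sample protocol log. Assumed: W3C extended format, UTC times,
# and these fields enabled; c-ip is the TCP peer, not the name the client sent.
SMTP_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2009-07-29 15:41:05 10.0.0.57 EHLO +[127.0.0.1] 250
2009-07-29 15:41:06 10.0.0.20 EHLO +ws20.example.local 250
2009-07-29 15:41:08 10.0.0.57 MAIL +FROM:<a@example.com> 250
2009-07-29 15:52:29 127.0.0.1 EHLO +[127.0.0.1] 250
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts, honouring the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(
                row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def correlate(events, rows, utc_offset_hours, window_s=5):
    """For each 1708 event, list the peers whose HELO/EHLO matches it in time."""
    window = timedelta(seconds=window_s)
    results = []
    for local_time, text in events:
        m = EVENT_RE.search(text)
        if not m:
            continue  # not a 1708 authentication message
        # Event log times are local; the W3C log is assumed to be UTC.
        when = (datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
                - timedelta(hours=utc_offset_hours))
        sources = sorted({
            r["c-ip"] for r in rows
            if r.get("cs-method", "").upper() in ("HELO", "EHLO")
            and r.get("cs-uri-query", "").lstrip("+") == m["client"]
            and abs(r["ts"] - when) <= window})
        if not sources:
            verdict = "unmatched"
        elif all(ipaddress.ip_address(ip).is_loopback for ip in sources):
            verdict = "local process"   # something on the server itself
        else:
            verdict = "remote host"     # another machine claiming this name
        results.append({"utc": when, "user": m["user"],
                        "claimed": m["client"], "sources": sources,
                        "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(EVENTS, parse_w3c(SMTP_LOG), utc_offset_hours=-4):
        print(r["utc"], r["user"], r["claimed"], r["sources"], r["verdict"])
```

A "remote host" verdict points at the machine to inspect; "unmatched" usually means the time window or UTC offset needs adjusting, or logging was not yet enabled at that time.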


RE: Quick Event Question

2009-07-29 Thread Chyka, Robert
Ok, under ExchangeTransport, I enabled SMTP logging and set it to
maximum.  Will the affected host show up with a 1708 EventId like the
username showed up in?

 

Thanks again...

 



From: Andy Shook [mailto:andy.sh...@peak10.com] 
Sent: Wednesday, July 29, 2009 1:26 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

 

+1.  My bet is that you have an internal machine that's been
infected/pwned and it's spewing spam as fast as it can via an
authentication to your internal Exchange server.  

 

Shook

 

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net] 
Sent: Wednesday, July 29, 2009 1:23 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

 

I'd turn on protocol logging.  I'm betting it's coming from another
machine, and it's messing with you by reporting its hostname as being
[127.0.0.1].

 



From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Wednesday, July 29, 2009 12:16 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

 

It is very strange that it is only for one particular user.  They are
the only one authenticating in the event log.

 



From: Leedy, Andy [mailto:ale...@butlerahs.com] 
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

 

Sounds like some process on your Exchange server is sending mail as
127.0.0.1 is localhost.  That is, that machine. I would check the task
manager to see what processes are running.

 

 

From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

 

We are running Exchange 2003 on Windows Server 2003.  We are fully
patched etc.  We are starting to get a slow growing amount of outbound
SPAM trying to be sent out of our Exchange server and we are looking to
stop it before it gets ugly.

 

We are a verified closed relay host, but I am noticing a weird event for
a specific user in the event log.

 

It is EventId 1708 and the Source is MSExchange Transport

 

The text is:

 

SMTP Authentication was performed successfully with client
"[127.0.0.1]".  The authentication method was "NTLM" and the username
was "xxx"

 

 

 

I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

 

Thanks!!!



RE: Quick Event Question

2009-07-29 Thread Andy Shook
+1.  My bet is that you have an internal machine that's been infected/pwned and 
it's spewing spam as fast as it can via an authentication to your internal 
Exchange server.

Shook

From: Campbell, Rob [mailto:rob_campb...@centraltechnology.net]
Sent: Wednesday, July 29, 2009 1:23 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

I'd turn on protocol logging.  I'm betting it's coming from another machine, 
and it's messing with you by reporting its hostname as being [127.0.0.1].


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:16 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

It is very strange that it is only for one particular user.  They are the only 
one authenticating in the event log.


From: Leedy, Andy [mailto:ale...@butlerahs.com]
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

Sounds like some process on your Exchange server is sending mail as 127.0.0.1 
is localhost.  That is, that machine. I would check the task manager to see what 
processes are running.


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

We are running Exchange 2003 on Windows Server 2003.  We are fully patched etc. 
 We are starting to get a slow growing amount of outbound SPAM trying to be 
sent out of our Exchange server and we are looking to stop it before it gets 
ugly.

We are a verified closed relay host, but I am noticing a weird event for a 
specific user in the event log.

It is EventId 1708 and the Source is MSExchange Transport

The text is:

SMTP Authentication was performed successfully with client "[127.0.0.1]".  The 
authentication method was "NTLM" and the username was "xxx"



I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

Thanks!!!



RE: Quick Event Question

2009-07-29 Thread Campbell, Rob
I'd turn on protocol logging.  I'm betting it's coming from another machine, 
and it's messing with you by reporting its hostname as being [127.0.0.1].


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 12:16 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

It is very strange that it is only for one particular user.  They are the only 
one authenticating in the event log.


From: Leedy, Andy [mailto:ale...@butlerahs.com]
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

Sounds like some process on your Exchange server is sending mail as 127.0.0.1 
is localhost.  That is, that machine. I would check the task manager to see what 
processes are running.


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

We are running Exchange 2003 on Windows Server 2003.  We are fully patched etc. 
 We are starting to get a slow growing amount of outbound SPAM trying to be 
sent out of our Exchange server and we are looking to stop it before it gets 
ugly.

We are a verified closed relay host, but I am noticing a weird event for a 
specific user in the event log.

It is EventId 1708 and the Source is MSExchange Transport

The text is:

SMTP Authentication was performed successfully with client "[127.0.0.1]".  The 
authentication method was "NTLM" and the username was "xxx"



I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

Thanks!!!



RE: Quick Event Question

2009-07-29 Thread Chyka, Robert
It is very strange that it is only for one particular user.  They are
the only one authenticating in the event log.

 



From: Leedy, Andy [mailto:ale...@butlerahs.com] 
Sent: Wednesday, July 29, 2009 12:24 PM
To: MS-Exchange Admin Issues
Subject: RE: Quick Event Question

 

Sounds like some process on your Exchange server is sending mail as
127.0.0.1 is localhost.  That is, that machine. I would check the task
manager to see what processes are running.

 

 

From: Chyka, Robert [mailto:bch...@medaille.edu] 
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

 

We are running Exchange 2003 on Windows Server 2003.  We are fully
patched etc.  We are starting to get a slow growing amount of outbound
SPAM trying to be sent out of our Exchange server and we are looking to
stop it before it gets ugly.

 

We are a verified closed relay host, but I am noticing a weird event for
a specific user in the event log.

 

It is EventId 1708 and the Source is MSExchange Transport

 

The text is:

 

SMTP Authentication was performed successfully with client
"[127.0.0.1]".  The authentication method was "NTLM" and the username
was "xxx"

 

 

 

I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

 

Thanks!!!


 



RE: Quick Event Question

2009-07-29 Thread Leedy, Andy
Sounds like some process on your Exchange server is sending mail as 127.0.0.1 
is localhost.  That is, that machine. I would check the task manager to see what 
processes are running.


From: Chyka, Robert [mailto:bch...@medaille.edu]
Sent: Wednesday, July 29, 2009 11:57 AM
To: MS-Exchange Admin Issues
Subject: Quick Event Question

We are running Exchange 2003 on Windows Server 2003.  We are fully patched etc. 
 We are starting to get a slow growing amount of outbound SPAM trying to be 
sent out of our Exchange server and we are looking to stop it before it gets 
ugly.

We are a verified closed relay host, but I am noticing a weird event for a 
specific user in the event log.

It is EventId 1708 and the Source is MSExchange Transport

The text is:

SMTP Authentication was performed successfully with client "[127.0.0.1]".  The 
authentication method was "NTLM" and the username was "xxx"



I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

Thanks!!!




Quick Event Question

2009-07-29 Thread Chyka, Robert
We are running Exchange 2003 on Windows Server 2003.  We are fully
patched etc.  We are starting to get a slow growing amount of outbound
SPAM trying to be sent out of our Exchange server and we are looking to
stop it before it gets ugly.

 

We are a verified closed relay host, but I am noticing a weird event for
a specific user in the event log.

 

It is EventId 1708 and the Source is MSExchange Transport

 

The text is:

 

SMTP Authentication was performed successfully with client
"[127.0.0.1]".  The authentication method was "NTLM" and the username
was "xxx"

 

 

 

I didn't know if the 127.0.0.1 was an issue?  Never saw it before.

 

Thanks!!!