Weird Exchange Problem

RadiclDreamer

Diamond Member
Aug 8, 2004
We are getting added to blacklists due to our domain sending spam. I have done the normal virus scans, etc., and can't find any infections. What I am finding is the compromised accounts are being accessed from all around the world.

My question is what could cause this? Any advice as to what to do to stop it?
 

gsaldivar

Diamond Member
Apr 30, 2001
Disable open relays, make sure your server is updated and patched, make sure all users' computers are also updated and patched...
 

RadiclDreamer

Diamond Member
Aug 8, 2004
Forgot to mention, looks like they are doing this via webmail. I'm not able to find anything that mentions this.

Open relay is disabled, no control over all users machines they use to access, but it was sudden and multiple users.
 

seepy83

Platinum Member
Nov 12, 2003
If the attack is coming through OWA, I would turn OWA off, or block it at the firewall, or (at a minimum) disable OWA for the accounts that are compromised. Then reset the passwords for all of the accounts and monitor your logs very closely once you restore OWA access.
 
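The log monitoring seepy83 recommends, as an added example that is not from any poster in this thread: a Python script that reads IIS W3C logs, keeps OWA requests that carry an authenticated username, and flags accounts used from more distinct external addresses than expected (the "accessed from all around the world" pattern the original post describes). The sample log lines, the /owa path and the internal-network list are constructed assumptions; real logs supply their own #Fields header, which the parser honours.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample IIS W3C log (field order taken from the #Fields line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2012-03-01 08:01:10 POST /owa/auth.owa jdoe 203.0.113.5 302
2012-03-01 08:15:44 GET /owa/ jdoe 203.0.113.5 200
2012-03-01 09:02:01 POST /owa/auth.owa asmith 198.51.100.77 302
2012-03-01 09:40:13 POST /owa/auth.owa asmith 192.0.2.44 302
2012-03-01 10:12:09 POST /owa/auth.owa asmith 203.0.113.200 302
2012-03-01 11:33:52 POST /owa/auth.owa asmith 198.51.100.9 302
2012-03-01 11:50:00 GET /owa/ asmith 10.0.0.12 200
2012-03-01 12:00:00 GET /owa/ - 203.0.113.5 401
"""

# Assumed internal ranges (LAN and VPN clients); traffic from these is not counted.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                          "192.168.0.0/16", "127.0.0.0/8")]


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def owa_sessions(text):
    """Map each authenticated OWA user to the set of external client IPs seen."""
    seen = defaultdict(set)
    for rec in parse_w3c(text):
        user, ip = rec.get("cs-username", "-"), rec.get("c-ip", "-")
        if user == "-" or not rec.get("cs-uri-stem", "").lower().startswith("/owa"):
            continue  # unauthenticated request, or not the webmail path
        try:
            addr = ip_address(ip)
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL_NETS):
            continue
        seen[user].add(ip)
    return dict(seen)


def flag_accounts(text, max_sources=2):
    """Accounts seen from more distinct external addresses than max_sources."""
    return sorted(u for u, ips in owa_sessions(text).items() if len(ips) > max_sources)
```

Run it against the real log directory (one file at a time) and compare flagged accounts with the ones already known to be sending spam; a low threshold will also catch travelling users, so review the addresses before disabling anything.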

RadiclDreamer

Diamond Member
Aug 8, 2004
We've been disabling OWA access for affected users which stops the issue stemming from their accounts, but I'm trying to determine where this may have come from
 

Nothinman

Elite Member
Sep 14, 2001
We've been disabling OWA access for affected users which stops the issue stemming from their accounts, but I'm trying to determine where this may have come from

Crap passwords? Users with keyloggers on their home PCs? It's really hard to say if you have OWA open to the world.
 

Red Squirrel

No Lifer
May 24, 2003
I'm willing to bet it's OWA, if it really is open to the outside. I would close it, and require users to VPN in to access it. It's better to have a single door in with high security (max retry rate, encryption, etc.) than to open individual ones for each service.
 

Nothinman

Elite Member
Sep 14, 2001
I'm willing to bet it's OWA, if it really is open to the outside. I would close it, and require users to VPN in to access it. It's better to have a single door in with high security (max retry rate, encryption, etc.) than to open individual ones for each service.

I've never heard of OWA being used as the attack vector and the account passwords are stored in AD so it's not like they're easily captured. IIS has had issues in the past, but as long as you're patched you should be ok.