Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

MDSha
New Contributor

Spammers using our server to send spam

Dear all,

We have a Fortinet firewall and an Exchange 2010 environment with Exchange Online Protection set up.

Spammers connect to our Exchange via telnet and send spam; I can see lots of emails sent in the protocol logging.

Users receive thousands of non-delivery reports.

Once I reset the password of the affected user, the NDRs stop after some time, so it means users with weak passwords are becoming targets. I can still see authentication failures in Event Viewer and the protocol logging for the users whose passwords were reset.

How do I stop attackers connecting to the Exchange server via telnet/SMTP? In the firewall, HTTP, HTTPS, SMTP, SMTPS and IMAP are open to the Exchange servers. Is that OK, or do I need to remove anything?

Please see the telnet session below from the SMTP logging:

EHLO ylmf-pc,
>,250-mail.********* Hello [********],
>,250-SIZE,
>,250-PIPELINING,
>,250-DSN,
>,250-ENHANCEDSTATUSCODES,
>,250-STARTTLS,
>,250-AUTH NTLM,
>,250-8BITMIME,
>,250-BINARYMIME,
>,250 CHUNKING,
<,AUTH LOGIN,
*,Tarpit for '0.00:00:05',
>,504 5.7.4 Unrecognized authentication type,
,,

How do I stop these attacks? Please help.
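
The session quoted above only shows the event and data columns of the Exchange receive-connector protocol log. As an added example that is not part of the original post, the script below parses the full Exchange 2010 protocol log format (CSV with a `#Fields:` header of date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context), folds the records into sessions, and flags remote IPs that fail SMTP AUTH repeatedly, that authenticate and then issue MAIL FROM (a successful credential guess being used to relay), or that send the `ylmf-pc` EHLO seen in the post's spam session. The log lines, server name, session IDs and IP addresses are constructed for the example; the first session mirrors the one quoted in the post, the others are hypothetical. Run it over a real `SmtpReceive` log directory by passing the file contents to `triage()`.

```python
import csv
from collections import defaultdict

# Constructed sample in the Exchange 2010 receive-connector protocol log
# format (columns named by the #Fields header). Session ...F6 mirrors the
# one quoted in the post; the others are hypothetical: an IP that fails
# NTLM auth twice then succeeds and relays, and an ordinary inbound delivery.
SAMPLE_LOG = r"""
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-03-01T10:00:00.000Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,0,192.0.2.10:25,198.51.100.23:4321,+,,
2016-03-01T10:00:00.020Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,1,192.0.2.10:25,198.51.100.23:4321,<,EHLO ylmf-pc,
2016-03-01T10:00:00.030Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,2,192.0.2.10:25,198.51.100.23:4321,>,250-AUTH NTLM,
2016-03-01T10:00:00.040Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,3,192.0.2.10:25,198.51.100.23:4321,<,AUTH LOGIN,
2016-03-01T10:00:00.050Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,4,192.0.2.10:25,198.51.100.23:4321,*,Tarpit for '0.00:00:05',
2016-03-01T10:00:05.060Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,5,192.0.2.10:25,198.51.100.23:4321,>,504 5.7.4 Unrecognized authentication type,
2016-03-01T10:00:05.070Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F6,6,192.0.2.10:25,198.51.100.23:4321,-,,Local
2016-03-01T10:01:00.000Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,0,192.0.2.10:25,203.0.113.77:50001,+,,
2016-03-01T10:01:00.010Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,1,192.0.2.10:25,203.0.113.77:50001,<,EHLO ylmf-pc,
2016-03-01T10:01:00.020Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,2,192.0.2.10:25,203.0.113.77:50001,<,AUTH NTLM TlRMTVNTUAABAAAA,
2016-03-01T10:01:00.030Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,3,192.0.2.10:25,203.0.113.77:50001,>,334 TlRMTVNTUAACAAAA,
2016-03-01T10:01:00.040Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,4,192.0.2.10:25,203.0.113.77:50001,<,TlRMTVNTUAADAAAA,
2016-03-01T10:01:00.050Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,5,192.0.2.10:25,203.0.113.77:50001,>,535 5.7.3 Authentication unsuccessful,
2016-03-01T10:01:00.060Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F7,6,192.0.2.10:25,203.0.113.77:50001,-,,Local
2016-03-01T10:02:00.000Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F8,0,192.0.2.10:25,203.0.113.77:50002,+,,
2016-03-01T10:02:00.010Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F8,1,192.0.2.10:25,203.0.113.77:50002,<,EHLO ylmf-pc,
2016-03-01T10:02:00.020Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F8,2,192.0.2.10:25,203.0.113.77:50002,<,AUTH NTLM TlRMTVNTUAABAAAA,
2016-03-01T10:02:00.030Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F8,3,192.0.2.10:25,203.0.113.77:50002,>,535 5.7.3 Authentication unsuccessful,
2016-03-01T10:03:00.000Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F9,0,192.0.2.10:25,203.0.113.77:50003,+,,
2016-03-01T10:03:00.010Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F9,1,192.0.2.10:25,203.0.113.77:50003,<,EHLO ylmf-pc,
2016-03-01T10:03:00.020Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F9,2,192.0.2.10:25,203.0.113.77:50003,<,AUTH NTLM TlRMTVNTUAABAAAA,
2016-03-01T10:03:00.030Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F9,3,192.0.2.10:25,203.0.113.77:50003,>,235 2.7.0 Authentication successful,
2016-03-01T10:03:00.040Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5F9,4,192.0.2.10:25,203.0.113.77:50003,<,MAIL FROM:<victim@example.com>,
2016-03-01T10:04:00.000Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5FA,0,192.0.2.10:25,192.0.2.50:40000,+,,
2016-03-01T10:04:00.010Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5FA,1,192.0.2.10:25,192.0.2.50:40000,<,EHLO mail.example.net,
2016-03-01T10:04:00.020Z,EXCH01\Default EXCH01,08D3A1B2C3D4E5FA,2,192.0.2.10:25,192.0.2.50:40000,<,MAIL FROM:<sender@example.net>,
"""


def parse_protocol_log(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):          # other header/comment lines
            continue
        if fields is None:
            raise ValueError("record before #Fields header")
        yield dict(zip(fields, next(csv.reader([line]))))


def summarize_sessions(records):
    """Fold records into per-session facts: EHLO name, AUTH outcome, MAIL FROM count."""
    sessions = {}
    for rec in records:
        s = sessions.setdefault(rec["session-id"], {
            "remote_ip": rec["remote-endpoint"].rsplit(":", 1)[0],
            "ehlo": None, "auth_attempts": 0, "auth_failures": 0,
            "auth_success": False, "mail_from": 0, "pending_auth": False})
        event, data = rec["event"], rec["data"]
        if event == "<":                                  # command from the client
            verb, _, rest = data.partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                s["ehlo"] = rest.strip()
            elif verb == "AUTH":
                s["auth_attempts"] += 1
                s["pending_auth"] = True
            elif verb == "MAIL":
                s["mail_from"] += 1
        elif event == ">" and s["pending_auth"]:          # server reply to AUTH
            code = data[:3]
            if code.startswith("3"):                      # 334 challenge: still in AUTH
                continue
            s["pending_auth"] = False
            if code == "235":
                s["auth_success"] = True
            else:                                         # 504, 535, ...
                s["auth_failures"] += 1
    return sessions


def flag_suspicious(sessions, max_failures=2, bad_ehlo=("ylmf-pc",)):
    """Aggregate per remote IP and keep those with a reason to block or investigate."""
    per_ip = defaultdict(lambda: {"auth_failures": 0, "authenticated_relays": 0, "reasons": set()})
    for s in sessions.values():
        ip = per_ip[s["remote_ip"]]
        ip["auth_failures"] += s["auth_failures"]
        if s["auth_success"] and s["mail_from"]:          # guessed password now used to relay
            ip["authenticated_relays"] += 1
            ip["reasons"].add("authenticated relay")
        if ip["auth_failures"] >= max_failures:
            ip["reasons"].add("auth failures")
        if (s["ehlo"] or "").lower() in bad_ehlo:         # EHLO string from the post's spam session
            ip["reasons"].add("known-bad EHLO")
    return {ip: v for ip, v in per_ip.items() if v["reasons"]}


def triage(text=SAMPLE_LOG):
    """Full pipeline: log text in, dict of suspicious remote IPs out."""
    return flag_suspicious(summarize_sessions(parse_protocol_log(text)))
```

The flagged IPs are what you would feed into a FortiGate address group for a deny policy, and the "authenticated relay" entries tell you which accounts to reset first: look up the 235 line's session in Event Viewer to see which user authenticated. Note that a 504 for AUTH LOGIN, as in the post's session, only means that mechanism is not offered; the same client can still try AUTH NTLM, which this connector does advertise.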

2 REPLIES
Marco
New Contributor III

Hello,

Check your SMTP policy (WAN to LAN). I think you have enabled NAT on this policy and allow the internal IP of the FortiGate (or the internal subnet?) to relay through your Exchange server? NAT isn't needed with 'Virtual IPs' in this case.

It's also a good idea to limit the SMTP source in the policy. Only allow the Exchange Online Protection servers to connect with SMTP to your Exchange. Look at: https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx. Maybe you can use the 'Internet Service Database' on the FortiGate. Try the "Microsoft-SMTP(S)" entry.
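
As an added example that is not part of Marco's reply, here is what that policy change looks like in FortiOS CLI. The interface names, VIP, address objects and the 203.0.113.0/24 range are placeholders; the real member addresses of the `EOP-Inbound` group must be taken from the Microsoft EOP address list linked above. The first policy is the weak shape: any source reaches the Exchange VIP on port 25 and, because NAT is enabled, Exchange sees every connection as coming from the FortiGate's own internal address, so a receive connector that trusts internal addresses treats the whole internet as internal. The second policy restricts the source and disables NAT so Exchange sees the true sender address.

```text
# Before (weak): any internet host reaches Exchange on 25, and source NAT
# hides the real client address behind the FortiGate.
config firewall policy
    edit 10
        set name "WAN-to-Exchange-SMTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Exchange-SMTP-VIP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat enable
    next
end

# After: only the Exchange Online Protection ranges may connect, NAT is off
# (the VIP already does the destination translation), and sessions are logged.
config firewall vip
    edit "Exchange-SMTP-VIP"
        set extip 198.51.100.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.0.0.25"
        set extport 25
        set mappedport 25
    next
end
config firewall address
    edit "EOP-Inbound-1"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "EOP-Inbound"
        set member "EOP-Inbound-1"
    next
end
config firewall policy
    edit 10
        set name "WAN-to-Exchange-SMTP"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "EOP-Inbound"
        set dstaddr "Exchange-SMTP-VIP"
        set action accept
        set schedule "always"
        set service "SMTP"
        set nat disable
        set logtraffic all
    next
end
```

Two checks before applying it: confirm in the Exchange protocol log that inbound mail now arrives with the EOP address as the remote endpoint rather than the FortiGate's, and make sure no roaming users depend on authenticated SMTP submission to this server from the internet, because this policy cuts them off; give them a separate connector and policy if they do. On FortiOS releases that support Internet Service Database entries as a policy source, the address group can be replaced by the "Microsoft-SMTP(S)" entry Marco mentions, which avoids maintaining the EOP list by hand; check the exact entry name on your release.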

MichaelBazy
New Contributor III

Well, my recommendation would be for you to get a FortiMail and use it to send and receive SMTP traffic rather than an insecure "do-everything" Windows server. Essentially, "do everything" includes too many things in terms of security.

If you don't have that luxury, maybe you need to consider who, and from where exactly, needs access to this Exchange server.

When you have this information, then maybe you can consider creating some specific IPS signatures to block messages spoofing your domain for users from outside the network.

Something else to consider: maybe you have an infected host that asks your server specifically to send some emails?

Good luck anyway.