
Help we've been hacked!

[:O] We have an exchange server behind an ASG-120. The ASG reported a sudden increase in SMTP mail traffic. The customer also reports slow network response as well. I suspect we have an SMTP-Auth hack and I need to stop it as soon as possible this morning. 

Most of our users are internal and do not require access to the mail server from outside the network to send their mail (except those that connect using VPN access). 

What can I do at the firewall to stop this relaying and if anyone can point me in the direction of any good step-by-step guides to locking down relaying on the exchange server, that would be a real bonus.

Many Thanks,

JB


  • there was a pretty nasty old-school e-mail/web payload virus going around last week - what's happening at the desktop level?
  • What Bob said, +

    It sounds like you had an open relay ... there's no way any security device could differentiate between "good" relay traffic and "bad" relay traffic.  This sounds like a case of misconfiguration.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Agreed. I think it was a mis-configuration. I've amended that now, but I was interested to find out if there was anything the ASG could do to monitor the traffic volume delta for a given specific port or port-range (e.g. port 25) and so highlight unusual traffic volume patterns in properly authenticated 'super-normal' traffic.

    JB
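The port-25 volume-delta monitoring JB asks about, as an added example that is not part of this thread and not an ASG feature: a short Python script that buckets constructed firewall accept lines for port 25 into five-minute windows, flags any window whose session count exceeds three times the median of the earlier windows, and reports which internal host dominates that window. The log line format, the hosts and the thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
# Constructed sample firewall lines (not real ASG output): time, source, dest, port.
SAMPLE_LOG = """\
2010-03-15 08:00:12 src=10.0.0.5 dst=203.0.113.10 dport=25
2010-03-15 08:01:40 src=10.0.0.7 dst=203.0.113.10 dport=25
2010-03-15 08:03:09 src=10.0.0.7 dst=198.51.100.8 dport=443
2010-03-15 08:05:03 src=10.0.0.5 dst=203.0.113.10 dport=25
2010-03-15 08:07:55 src=10.0.0.9 dst=203.0.113.10 dport=25
2010-03-15 08:10:21 src=10.0.0.7 dst=203.0.113.10 dport=25
2010-03-15 08:12:08 src=10.0.0.5 dst=203.0.113.10 dport=25
2010-03-15 08:15:01 src=10.0.0.5 dst=203.0.113.10 dport=25
2010-03-15 08:15:02 src=10.0.0.7 dst=203.0.113.10 dport=25
"""
# Constructed burst: one internal host (10.0.0.22) opening ten SMTP sessions in ten seconds.
SAMPLE_LOG += "".join(f"2010-03-15 08:16:{s:02d} src=10.0.0.22 dst=203.0.113.10 dport=25\n" for s in range(10))

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=\S+ dport=(\d+)$")
def window_counts(lines, port=25, window_min=5):
    """Per fixed window, count connections to `port` broken down by source host."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group(3)) != port:
            continue  # unparsable line or a different service port
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        bucket = ts.replace(minute=ts.minute - ts.minute % window_min, second=0)
        counts[bucket][m.group(2)] += 1
    return counts

def spikes(counts, factor=3.0, min_hits=5, min_history=2):
    """Flag windows whose total exceeds `factor` x the median of all earlier windows."""
    alerts, history = [], []
    for bucket in sorted(counts):
        total = sum(counts[bucket].values())
        if len(history) >= min_history:
            base = median(history)
            if total >= min_hits and total > factor * base:
                top_src, top_n = counts[bucket].most_common(1)[0]
                alerts.append({"window": bucket, "total": total, "baseline": base,
                               "top_src": top_src, "top_share": round(top_n / total, 2)})
        history.append(total)  # the spike itself joins the baseline for later windows
    return alerts

if __name__ == "__main__":
    for a in spikes(window_counts(SAMPLE_LOG.splitlines())):
        print(a)
```

A single window with twelve sessions against a baseline of two is reported, with 10.0.0.22 responsible for 83% of it, which is the kind of "one desktop suddenly talking SMTP" pattern worth checking before looking at the relay configuration.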