[URGENT] Client's email hosting about to be cut off!!!

seedubya

My client, an accountancy practice, has been getting emails for months from their webhost saying that their email usage is very, very high, i.e. tens of GB per month. They neglected to tell me this until Friday last, when the webhost called them and threatened to cut them off this Friday if the issue is not resolved.

Their server is SBS 2008 running Exchange 2007. Exchange is using the inbuilt POP3 connector to connect to 7 of their 9 POP3 accounts and is using a third party POP3 connector to connect to the last 2 ( they need email on their phones). They use a Smarthost to their webhost for outgoing email. It was set up like this by the last tech and they won't pay me to do it properly.

What's happening is, every 3 min 25 sec, an IMAP connection is made to their outgoing mail server using the email credentials of one of the partners and 5MB of traffic is being transmitted each time. Obviously this adds up to a lot of IMAP traffic over time. The traffic is definitely coming from their WAN IP address. It's happening 24/7/365.

The website etc. is still being hosted by the old tech support company and they are useless. After many requests I got a snippet of a log which I have attached. (IP addresses etc. changed.) They will not be any further help. The client will happily move to my hosting but would like to resolve this first.

I have changed the email passwords for all users but that did not stop the problem.

I am 99% sure it's coming directly from the server as it happens when the building is completely deserted and all PCs are switched off. At first I suspected a mailbot BUT I can't immediately see anything untoward running on the server. Eset cannot find anything (although it threw 65,314 false positives on their accounting software!!!).

I have not run anything else yet as I'm not sure what tools would be safe to run in this scenario.

All assistance gratefully accepted.
 

Did I read correctly that you changed the password for the account in question and it still successfully logged in?
That, in and of itself, needs investigating.
 
Interesting. Problems like this are amongst my favourites to troubleshoot.

Do you know why the last tech didn't set it up properly? Most of the time I put it down to poor techs not being comfortable setting up SMTP/MX email configurations, so they stick to the POP3 Connector as it's "easy", when in reality the proper way isn't really that much harder.

If they’ve got email traffic going out of their router WAN interface every 3 minutes or so then it could be a mass mailer perhaps somewhere - unless there’s another program on the server configured to send out emails. If you’ve 100% checked that this traffic is going out of the WAN interface when every workstation is switched off then it must be originating from the server.

Normally though a mass mailer will use its own mail server rather than the credentials of an existing user. Are you sure it’s definitely using these credentials?

My action plan would go like this:

- Check the Firewall logs if these are available. If I’m ever faced with a mass mailer or rogue outgoing traffic I always check the firewall logs first. Most of the time the firewall logs will reveal the computer that the traffic is originating from and you can go from there.

- Double check to make sure that nothing is configured on the server to send out emails; it could be something legitimate that the previous IT company set up.

- Run a malware bytes scan on the server. Some people don’t agree with running MWB on a server but as long as you review the results at the end before clicking Fix it should be fine.

- If the traffic is definitely coming from the WAN IP then you can probably rule out the account credentials being used off-site. It's interesting that you've changed the credentials being used and the problem is still occurring.

If I think of anything else I will post back.
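As an added example (not code from the thread) of the kind of check the first action item calls for: parse outbound firewall log lines, keep only IMAP-port sessions, group them by source host, and flag any host whose sessions recur at a near-constant interval, which is exactly the 3 min 25 sec, ~5 MB pattern described in the opening post. The log format, IP addresses and timestamps are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style log lines (not the thread's attachment):
# timestamp, action, source IP, destination IP, destination port, bytes.
SAMPLE_LOG = """\
2013-03-04 00:00:05 ALLOW 192.0.2.10 198.51.100.25 993 5242880
2013-03-04 00:01:12 ALLOW 192.0.2.22 198.51.100.25 993 40960
2013-03-04 00:03:30 ALLOW 192.0.2.10 198.51.100.25 993 5242880
2013-03-04 00:06:55 ALLOW 192.0.2.10 198.51.100.25 993 5242880
2013-03-04 00:09:48 ALLOW 192.0.2.22 198.51.100.25 993 12288
2013-03-04 00:10:20 ALLOW 192.0.2.10 198.51.100.25 993 5242880
2013-03-04 00:13:45 ALLOW 192.0.2.10 198.51.100.25 993 5242880
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ALLOW "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<bytes>\d+)$"
)
IMAP_PORTS = {143, 993}  # plain IMAP and IMAPS


def parse_imap_sessions(log_text):
    """Return {source_ip: [(timestamp, bytes), ...]} for IMAP-port lines only."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) not in IMAP_PORTS:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        sessions[m["src"]].append((ts, int(m["bytes"])))
    return sessions


def find_beacons(sessions, min_sessions=4, max_jitter_ratio=0.05):
    """Flag sources whose IMAP sessions recur at a near-constant interval.

    Jitter is the standard deviation of the gaps divided by the mean gap;
    a scheduled task or mailbot produces almost none, a human plenty.
    """
    findings = {}
    for src, events in sessions.items():
        if len(events) < min_sessions:
            continue  # too few sessions to judge periodicity
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            findings[src] = {"interval_s": round(avg), "sessions": len(events),
                             "avg_bytes": round(mean(b for _, b in events))}
    return findings
```

Run against the real export, the flagged source address is the host to pull off the network and inspect; the bytes column tells you whether each session carries a payload or is just a login attempt.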
 
Did I read correctly that you changed the password for the account in question and it still successfully logged in?
That, in and of itself, needs investigating.

Yes you read correctly! It's very strange alright. Any time before that I've come across something like this it's been a hacked email account and simply changing the password to something secure has solved the problem. We have checked all the machines (except the server) on the network for everything but absolutely nothing showed up except a very minor inactive trojan on the reception PC.
 
Yes you read correctly! It's very strange alright. Any time before that I've come across something like this it's been a hacked email account and simply changing the password to something secure has solved the problem. We have checked all the machines (except the server) on the network for everything but absolutely nothing showed up except a very minor inactive trojan on the reception PC.

Odd that the hosting company won't work with you... bad blood I suppose?
Else wireshark and a tech on the phone from the hosting company for 4 minutes watching their logs could really help here.

Couple of first-step things here, assuming you are 100% sure it is coming from the server.
As mentioned, wireshark for 5 minutes should show something if you are familiar with it.
Or, firewall outgoing IMAP from the server (windows firewall) and then see what was logged after 5 minutes - you might get lucky.

Those are the two things off the top of my head I can think of.
But my mind is wrapped around the damned ESX server right now that I'm working on. :(
 
I typed up an answer early this morning..hit save..dunno why it isn't here...as I had to rush out the door at 0630 for a 7 meeting.

So you've proven that the source of the email is the WAN IP of this network?
First question..since they're using the POP3 connector, log into the firewall and make sure SMTP and IMAP ports are not open/forwarded to the Exchange server. POP3 connector does not need them. It fetches..and it sends out....it does not need to be contacted. Also ensure port 80 is not open/forwarded...you only need port 443 for smart phones 'n OWA.

I hate hate hate Exchange 2007..they really neutered a few things that Exchange 2003 had, like the useful message tracking center. But you can drill into that neutered one and also look at the queues and between that and cranking up the logging of Exchange should be able to see which account is spewing out that spam. If you think you found the account....aside from checking their computer more thoroughly, I'd also suspect the smart phone as being jacked and perform a wipe of the smart phone.
 