04.10.2008 at 01:11PM PDT, ID: 23313194
SPAM nightmare

Asked by patrickisgreat in Anti-Spam Email Software, Email Software, Anti-Virus Applications

Hi Folks --

Here's a very strange SPAM scenario.

My Exchange server version 6.5 sp 2 has been plagued with spam for days now. The behavior is very random. I am positive our server is NOT an open relay as I have checked it @ dnsgoodies.com and several other sites like it. I am trying to figure out just where this spam is coming from. It seems to still be hitting the queues and our Symantec Brightmail Anti Spam Filter even though I have blocked port 25 on the SonicWall for all machines other than the server. When our Symantec Spam Filter gets clogged it causes delays in emails getting to phones etc., which is a big problem.

I can disable Authenticated relay altogether and still sit there and watch messages coming into the Message tracking center at an alarming rate. Almost all of them are from completely strange email addresses with your typical spam subjects, i.e. penis enlargement etc., but some say the sender is fake email addresses at our domain.com, i.e. spamidiot@fruits-us.com -- of course spamidiot is not a user in our directory. I'm beginning to think the exploitation is on the server. There was no anti-virus installed on this server when I came to it. I am convincing the client to buy anti-virus for the machine. In the meantime I installed ClamWin and ran a scan which reported no viruses. I also ran HijackThis, which did find something funky: 2 instances of svchost running from Program Files\Internet Explorer, as follows:

O23 - Service: Window Domain Services (windowndns) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe

C:\Program Files\Internet Explorer\svchost.exe

When I try to check the "O23" for removal in HijackThis it says it has removed it, and it always comes right back.


Is a virus on the server generating these messages? How can I tell just where they are coming from?

The logs don't really seem to say -- I can provide them if necessary.


Two other things I have done: 1) enabled recipient filtering on non-existent addresses, and 2) set SMTP logging to maximum. When I go to view the Event logs for MSExchangeTransport all I get are the errors generated from mail that is being sent to non-existent addresses.

Here's one of them:

This is an SMTP protocol warning log for virtual server ID 1, connection #70107. The remote host "212.135.6.254", responded to the SMTP command "rcpt" with "451 Sender domain bank.co.uk not verified in DNS  ". The full command sent was "RCPT TO:<nay@zoom.co.uk>  ".  This may cause the connection to fail.


So to summarize:
a) We've got the Symantec Brightmail filter catching 98% spam and slowing down operations.
b) I can watch literally thousands of spam messages fill up in the message tracking center in an hour, some of them from "our domain," spoofed addresses.
c) We are not an open relay.
d) SMTP is currently blocked at the firewall for every IP except the server's and it's still going down.

I'm still pretty much an ADMIN in training as far as Exchange goes so any GURUS out there PLEASE HELP!! I'm getting so tired.....

Thanks so much!!
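
An added example, not part of the original post: one way to see where the server is trying to deliver mail is to tally MSExchangeTransport protocol warnings like the one quoted in the question by remote host and by recipient domain. The first sample entry is the question's warning and the other two are constructed; treating `fruits-us.com` as the local domain and all function names are assumptions.

```python
import re
from collections import Counter

# Matches the MSExchangeTransport protocol-warning text quoted in the question.
WARNING_RE = re.compile(
    r'connection #(?P<conn>\d+)\.\s+The remote host "(?P<host>[^"]+)",\s+'
    r'responded to the SMTP command "(?P<cmd>[^"]+)" with '
    r'"(?P<code>\d{3})\s*(?P<text>[^"]*)"\.\s+'
    r'The full command sent was "(?P<full>[^"]*)"'
)
ADDR_RE = re.compile(r'<[^<>@\s]+@(?P<domain>[^<>\s]+)>')

def parse_warning(message):
    """Return the fields of one warning as a dict, or None if it does not match."""
    if (m := WARNING_RE.search(message)) is None:
        return None
    rec = {key: value.strip() for key, value in m.groupdict().items()}
    addr = ADDR_RE.search(rec["full"])
    rec["domain"] = addr.group("domain").lower() if addr else None
    return rec

def summarize(messages, local_domains):
    """Count warnings per remote host and RCPT targets outside local_domains."""
    hosts, external_rcpt = Counter(), Counter()
    for message in messages:
        if (rec := parse_warning(message)) is None:
            continue  # not a protocol warning in this format
        hosts[rec["host"]] += 1
        domain = rec["domain"]
        if rec["cmd"].lower() == "rcpt" and domain and domain not in local_domains:
            external_rcpt[domain] += 1
    return hosts, external_rcpt

PREFIX = "This is an SMTP protocol warning log for virtual server ID 1, "
SAMPLE = [
    # First entry: the warning from the question. The other two are constructed.
    PREFIX + 'connection #70107. The remote host "212.135.6.254", responded to '
    'the SMTP command "rcpt" with "451 Sender domain bank.co.uk not verified '
    'in DNS  ". The full command sent was "RCPT TO:<nay@zoom.co.uk>  ".',
    PREFIX + 'connection #70108. The remote host "192.0.2.10", responded to '
    'the SMTP command "rcpt" with "550 No such user". '
    'The full command sent was "RCPT TO:<a@example.net>".',
    PREFIX + 'connection #70109. The remote host "192.0.2.10", responded to '
    'the SMTP command "rcpt" with "550 No such user". '
    'The full command sent was "RCPT TO:<b@example.org>".',
]

if __name__ == "__main__":
    print(summarize(SAMPLE, local_domains={"fruits-us.com"}))
```

Feed it the message text of the exported Application log events; a long tail of external recipient domains means the server itself is attempting delivery to addresses outside the organization.
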
04.11.2008 at 05:03AM PDT, ID: 21333318

About this solution

Zones: Anti-Spam Email Software, Email Software, Anti-Virus Applications
Tags: Microsoft, Exchange Server, version 6.5 Build 7638.2: Service Pack 2
Solution Provided By: rpggamergirl
Participating Experts: 1
Solution Grade: A
 
 