Emails filling up GFI whitelist - Exchange 2000

I'm running Exchange 2000 as part of SBS 2000 plus GFI MailEssentials to filter spam.  A couple of weeks ago I noticed the GFI whitelist was filling up with nearly 2000 new addresses added daily.  I tracked a couple of addresses that had been added in System Manager and the from address on these emails was *@yahoo.com.  I turned on SMTP logging and see a ton of emails that appear to be coming from inside with a yahoo.com from address.  I've run virus checks on all of our computers and all are clean.  Any suggestions on how to track where these emails are coming from?
JKevinWard asked:

Sembee commented:
Message Tracking is the obvious answer to find out what is happening with the messages.
http://www.amset.info/exchange/message-tracking.asp

I would be surprised if it was a compromised machine - normally they use their own SMTP engine - they don't like to use another server as that signifies their presence.

Simon.
JKevinWard (Author) commented:
I had Message Tracking enabled.  I looked at a couple of the emails from yahoo.com addresses and here are the tracking messages for both:

SMTP:  Started Outbound Transfer of Message
Message transferred to smtp through SMTP

I also found a yahoo.com email to suwhitneyg@email.com.cn that had these messages:

SMTP:  Started Outbound Transfer of Message
Message transferred to mx.email.com.cn through SMTP

Are these coming from inside our system?
Sembee commented:
Was that all there was in the Message Tracking log?

This is starting to look like your server is relaying email.

You haven't enabled relaying for Yahoo.com email addresses in error by any chance?
Chinese email addresses always look suspicious. If you have no dealings with China then there has to be some concern.

Is authenticated relaying enabled on the Exchange server? It is by default. If you have no users on Outlook Express or other SMTP clients then you can disable the feature.
If you do have external SMTP clients, then you should restrict who can relay through your server: http://www.amset.info/exchange/smtp-relaysecure.asp

I would also suggest that you change your administrator password.

Simon.
JKevinWard (Author) commented:
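Since the asker already has SMTP protocol logging turned on, one way to test Simon's relaying theory from those logs is to pair each MAIL FROM with its RCPT TO lines per client IP and flag sessions where an unauthenticated, non-whitelisted client sends to a domain the server is not responsible for. This is an added example, not code from the thread or from GFI; the W3C field layout, the local domain list, the relay-allowed host, and the log excerpt are all constructed assumptions.

```python
"""Flag relay-style sessions in a W3C extended SMTP protocol log.

The log excerpt below is constructed for this example. Columns are taken
from the #Fields: header, so a real log with a different column order
parses the same way as long as that header is present.
"""
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}   # assumption: the org's own mail domains
RELAY_ALLOWED = {"10.0.0.5"}      # assumption: hosts granted relay in the SMTP virtual server

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2006-03-01 09:12:01 203.0.113.7 - MAIL +FROM:<user1@yahoo.com> 250
2006-03-01 09:12:01 203.0.113.7 - RCPT +TO:<someone@email.com.cn> 250
2006-03-01 09:12:02 203.0.113.7 - RCPT +TO:<bob@example.com> 250
2006-03-01 09:13:10 192.168.1.20 alice MAIL +FROM:<alice@example.com> 250
2006-03-01 09:13:10 192.168.1.20 alice RCPT +TO:<partner@example.org> 250
2006-03-01 09:14:00 10.0.0.5 - MAIL +FROM:<app@yahoo.com> 250
2006-03-01 09:14:00 10.0.0.5 - RCPT +TO:<x@example.org> 250
"""

def _addr_domain(query):
    # cs-uri-query looks like +FROM:<user@domain> or +TO:<user@domain>
    addr = query.split("<", 1)[-1].rstrip(">")
    return addr.rpartition("@")[2].lower()

def parse_w3c(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_relay_sessions(text, local=LOCAL_DOMAINS, allowed=RELAY_ALLOWED):
    """Return {client_ip: [(from_domain, to_domain), ...]} for suspected relays.

    A RCPT to a non-local domain counts as relaying unless the client
    authenticated (cs-username set) or is in the relay-allowed list.
    """
    current_from, hits = {}, defaultdict(list)
    for row in parse_w3c(text):
        ip, verb, query = row["c-ip"], row["cs-method"], row["cs-uri-query"]
        if verb == "MAIL":
            current_from[ip] = _addr_domain(query)
        elif verb == "RCPT" and ip in current_from:
            to_dom = _addr_domain(query)
            authenticated = row["cs-username"] != "-"
            if to_dom not in local and ip not in allowed and not authenticated:
                hits[ip].append((current_from[ip], to_dom))
    return dict(hits)

if __name__ == "__main__":
    for ip, pairs in find_relay_sessions(SAMPLE_LOG).items():
        print(f"{ip}: relayed {len(pairs)} message(s): {pairs}")
```

A client IP that shows up here with a foreign from-domain and foreign to-domain is the one to check against the relay and SMTP connector settings Simon describes.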
We have three Macs that access their email on our server using Outlook Express.  I also have Outlook Web Access enabled which can be accessed after a VPN connection is made.  I checked the relay settings on the default SMTP virtual server and there are two IP addresses that have been granted relay.  One is the IP address of our server and the other is the IP address for a frame relay that we no longer use (wonder if I can remove this without any problems; we've since moved to a DSL).  The allow all computers which ... is checked.

While I was looking at these I noticed dozens of SmallBusiness SMTP connector entries under the Queues section.  They have a domain name and then (SMTP Connector - Remote Delivery).  When I enumerate messages under one of these entries I see all of these emails from yahoo.com addresses.  What exactly are these entries?
Sembee commented:
I would start by removing both IP addresses from the relay settings. The server itself does not have to be in the relay settings. Are you using a router of some kind, or is the "router" the server? If so, the IP address of the server being in the relay settings might be the cause.

The SMTP connectors are classic signs of your server being used as a relay. Whichever spammer is targeting yahoo.com at the moment.

Go through the SMTP connector configuration very carefully. Make sure that you haven't got "allow relaying to these domains" enabled and the * in the address space.

You might also want to look at my spam cleanup page: http://www.amset.info/exchange/spam-cleanup.asp

Simon.
JKevinWard (Author) commented:
I am using a separate router.  Can I still delete the internal ip address of our server Exchange rests on without messing up our email?  Or do I need to leave it since we have three Macs using POP3 to access their emails?
Sembee commented:
It will have no effect on the users collecting their emails. It is for relaying only. Anyone who needs to relay through your server should be doing so as authenticated users.

Simon.