Solved

Win2k3 exchange server sending SPAM via POSTMASTER account

Posted on 2006-05-25
3
Medium Priority
3,032 Views
Last Modified: 2009-10-26
Hello,

I have a Windows 2003 Exchange server running. I was informed that email was being rejected from our domain and checked our domain name on DNSSTUFF.com. My domain was blacklisted on three different servers and I thought it was from a virus our old Exchange server was compromised with early 2005. I requested my IP be removed from all blacklists, and just as a precaution created an outbound ACL on my PIX515e to disallow all SMTP traffic except the Exchange server I have in place. All mail flow stopped completely once the ACL was put in place. I checked my mail queue and discovered at least 5 folders containing mail from my 'postmaster' account waiting to be sent to domains that have nothing to do with our business. I deleted all waiting mail but then refreshed the queue and one more message appeared in the same folder again. I ran into a similar problem recently where one of your experts assisted me with a server which had been a victim of an NDR attack. This does not seem to be the same scenario, although similar. My question is this: how may I go about finding the script/bot/or whatever program is generating these emails to be sent out to the world? Furthermore, can anyone assist me with my PIX config so that I may have an outbound ACL to allow only SMTP traffic from this server alone?
Question by:danw76
3 Comments
 
LVL 30

Expert Comment

by:Irwin Santos
ID: 16764776
make sure your RELAY is configured for proper authentication.

also in your DNS, you need to have REVERSE ZONE configured
 
LVL 35

Accepted Solution

by: Bembi (earned 1000 total points)
ID: 16765478
Your PIX question you should post in the security or firewall topic, or post a 20 point question with a link there.

What you should do on your Exchange server is to enable your SMTP log and keep an eye on it, in case there is something unusual. Also you should make sure that your clients are virus free and not a source of SPAM.

The outgoing postmaster messages may be normal or not; take a closer look at them, especially at the mail header. If external senders of spam are sending a lot of mails to your server to addresses which do not exist, your Exchange is generating NDRs to the sender address. As these senders usually do not exist, they hang in the queue until they time out. As long as these are only a few mails, I would say it is normal and there is not really a way to work around this, as the sender addresses as well as the recipients are fantasy names.

What you should take care of is the question of whether you allow such NDRs to the public in general. It is a common game to send mails to a bulk of fantasy names to find out which addresses are delivered and which will bounce back. You can easily make a difference between usual misspelled addresses and addresses which are generated by an address generation program. Also an idea is to think about the system of how to generate company email addresses, to have a better filter option.
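The pattern Bembi describes (a remote host probing a bulk of invented recipients, most of which bounce) can be picked out of the SMTP log once it is enabled. The following is an added example, not code from the answer or from Exchange: it reads a constructed, simplified log layout (client IP, SMTP verb, argument, reply code per line; real Exchange 2003 protocol logs carry more fields, so adjust the split), assumes a directory of real mailbox names in `VALID_LOCALPARTS`, and separates ordinary misspellings (within two edits of a real name) from generated names when flagging a client.

```python
from collections import defaultdict

# Constructed sample log in a simplified layout: client-ip verb argument reply-code.
SAMPLE_LOG = """\
10.0.0.5 RCPT TO:<jsmith@example.com> 250
10.0.0.5 RCPT TO:<jsmtih@example.com> 550
203.0.113.9 RCPT TO:<aaron@example.com> 550
203.0.113.9 RCPT TO:<abigail@example.com> 550
203.0.113.9 RCPT TO:<jsmith@example.com> 250
203.0.113.9 RCPT TO:<adam@example.com> 550
203.0.113.9 RCPT TO:<alan@example.com> 550
203.0.113.9 RCPT TO:<albert@example.com> 550
"""

VALID_LOCALPARTS = {"jsmith", "postmaster"}  # assumed: the real mailboxes in the org


def edit_distance(a, b):
    """Levenshtein distance; a typo usually sits within 1-2 edits of a real name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_misspelled(localpart):
    """True when the unknown recipient is close to a name that does exist."""
    return any(edit_distance(localpart, v) <= 2 for v in VALID_LOCALPARTS)


def parse_rcpt_lines(log_text):
    """Yield (client_ip, localpart, reply_code) for each RCPT TO line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "RCPT":
            continue
        addr = parts[2][len("TO:<"):-1]          # strip TO:< ... >
        yield parts[0], addr.split("@", 1)[0], parts[3]


def find_harvesters(log_text, min_unknown=3, min_ratio=0.6):
    """Flag client IPs whose RCPT attempts are mostly unknown, non-typo recipients."""
    stats = defaultdict(lambda: {"total": 0, "unknown": 0, "generated": 0})
    for ip, local, code in parse_rcpt_lines(log_text):
        s = stats[ip]
        s["total"] += 1
        if code == "550":                        # recipient rejected as unknown
            s["unknown"] += 1
            if not looks_misspelled(local):
                s["generated"] += 1
    return {ip: s for ip, s in stats.items()
            if s["unknown"] >= min_unknown and s["unknown"] / s["total"] >= min_ratio}
```

A host that trips this check is a candidate for filtering at the firewall or SMTP connector; the single typo from 10.0.0.5 is not flagged.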
 
LVL 12

Expert Comment

by:aa230002
ID: 16765848
Please follow this KB Article ->
Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;886208

Thanks,
Amit Aggarwal.