
Help we are sending spam from somewhere inside our domain!

RAMCIT asked
on
Medium Priority
189 Views
Last Modified: 2013-12-04
Hello Experts!
Earlier today, I found out we had been listed by SPAMCOP (http://spamcop.net/bl.shtml) as an originator of spam email, and also with PSBL (http://psbl.surriel.com). Can anyone please point me in the right direction as far as finding out a way to see if any of the PCs inside our domain are infected with some kind of spamware?

Thanks a lot!

Assuming you are running in a 2000/2003 environment, see this link:

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

You can find many other solutions easily by Googling for how to close an open mail relay in your domain operating system environment.


Author

Commented:
Actually, I'm running Exchange 5.5 in an NT environment.

Author

Commented:
Well, according to http://www.dnsreport.com/ we reject relays.
If you open the queues in your Exchange System Manager, do you see a lot of mails waiting to be sent?

Author

Commented:
More than usual, yes.
Ok, I know DNS Report shows you reject relays, but try following the instructions in the link above and see if they go away. ;)

Author

Commented:
Well, I cannot seem to get into the server via telnet; it says:

Server allows NTLM authentication only
Simon Earl, Senior Consultant
CERTIFIED EXPERT

Commented:
OK....

What AV and anti-spyware do you use?

Also, if you are using Cisco routers let me know, as I've got some neat tricks for these.

Cheers
Si


Author

Commented:
Well, on this server we have Trend Micro ScanMail for the Exchange.
No active anti-spyware.

Author

Commented:
Oh, and this T1 connection uses a Cisco 2600 router with a WatchGuard Firebox firewall.
Simon Earl, Senior Consultant
CERTIFIED EXPERT

Commented:
Does your Cisco router have NetFlow enabled?

Thanks
Si

Author

Commented:
I have no idea
Simon Earl, Senior Consultant
CERTIFIED EXPERT

Commented:
OK, from a quick Google, the 2600 routers do have NetFlow on them.

Try this

Go here ---> http://www.manageengine.co.uk/

Download NetFlow Analyzer and install it. Configure the router as per the instructions in the documentation to enable NetFlow packets, and then leave it to run for an hour.

Go back into NetFlow Analyzer and you will see a list of traffic broken down by type, and then you can see which machines are sending large amounts of SMTP traffic.

Let me know if you get stuck

Thanks
Si
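One way to do the check Si describes once flow records have been exported, as an added example that is not from this thread or from the ManageEngine product (the CSV flow format, the 10.0.0.0/24 internal range and the 10.0.0.5 mail-server address are assumptions made for the example):

```python
"""Added example (not the NetFlow Analyzer product): rank internal hosts by
outbound SMTP flows. Assumed input format (constructed for this example):
src_ip,dst_ip,src_port,dst_port,bytes,packets  (one flow record per line)"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample; 10.0.0.0/24 and mail server 10.0.0.5 are assumptions.
SAMPLE_FLOWS = """\
src_ip,dst_ip,src_port,dst_port,bytes,packets
10.0.0.5,203.0.113.10,40001,25,52000,60
10.0.0.5,198.51.100.7,40002,25,48000,55
10.0.0.23,203.0.113.44,1025,25,3100,6
10.0.0.23,203.0.113.45,1026,25,3200,6
10.0.0.23,198.51.100.9,1027,25,2900,6
10.0.0.23,192.0.2.77,1028,25,3000,6
10.0.0.41,192.0.2.8,3344,80,120000,150
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/24")  # assumed internal range
MAIL_SERVER = ipaddress.ip_address("10.0.0.5")   # assumed legitimate relay

def summarize_smtp(flow_text):
    """Return {src_ip: (flows, distinct_dsts, bytes)} for internal->external port-25 flows."""
    stats = defaultdict(lambda: [0, set(), 0])
    for row in csv.DictReader(io.StringIO(flow_text)):
        src = ipaddress.ip_address(row["src_ip"])
        dst = ipaddress.ip_address(row["dst_ip"])
        # Only internal -> external SMTP matters when hunting an outbound spam source.
        if int(row["dst_port"]) != 25 or src not in INTERNAL or dst in INTERNAL:
            continue
        s = stats[str(src)]
        s[0] += 1
        s[1].add(str(dst))
        s[2] += int(row["bytes"])
    return {ip: (f, len(d), b) for ip, (f, d, b) in stats.items()}

def suspicious_hosts(flow_text, min_dsts=3):
    """Hosts other than the mail server talking SMTP to several outside MTAs.
    Bots open many small direct-to-MX connections, so distinct destinations
    is a better signal than raw byte count (the real relay sends the most bytes)."""
    return sorted(ip for ip, (_, dsts, _) in summarize_smtp(flow_text).items()
                  if ipaddress.ip_address(ip) != MAIL_SERVER and dsts >= min_dsts)

if __name__ == "__main__":
    for ip, (flows, dsts, nbytes) in summarize_smtp(SAMPLE_FLOWS).items():
        print(f"{ip:<12} flows={flows:<3} dst_mtas={dsts:<3} bytes={nbytes}")
    print("suspicious:", suspicious_hosts(SAMPLE_FLOWS))
```

In the constructed sample the mail server moves the most bytes but talks to only two MTAs, while the workstation 10.0.0.23 fans out small connections to four outside hosts, which is what the check surfaces.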