Solved

SBS sending spam

Posted on 2006-11-11
8
736 Views
Last Modified: 2006-11-21
My SBS 2003 using Exchange is generating spam mail and sending it out.  This is a small home office and I have no other machine connected.  I watch the mail queue and it keeps adding messages generated by "postmaster.mydomain.com".
I look at the messages and they are all destined for strange domains.  Obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening?  My problem is that my ISP has shut me off till I fix it.  I have run all kinds of tests, Grisoft, Panda, Trend Micro, nothing has picked it up.

HELP!

Dick
0
Question by:rjgnh1942
8 Comments
 
LVL 4

Expert Comment

by:v_karthik
ID: 17922858
Try some standard spyware busters like Spybot S&D, Ad-Aware, Norton AV etc. If that doesn't work, you may want to check the processes running on your machine using Process Explorer ( http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx )

Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.
0
 
LVL 9

Accepted Solution

by:sda100
sda100 earned 250 total points
ID: 17923695
Hi rjgnh1942,

How are/were you connected to the Internet?  It sounds like your SBS server may be configured as an open mail relay.  If you can get any connection at all, try one of these sites to perform an open-relay test on you.

http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://spamlinks.net/prevent-secure-relay-test.htm

I would install a firewall on your server and block all outgoing on port 25, then ask your ISP to reinstate you so you can troubleshoot the issue.

I hope this helps,
Steve :)
0
 
LVL 4

Assisted Solution

by:dempsedm
dempsedm earned 250 total points
ID: 17935171
In Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager)
Drill down to First Organization Group, Servers, <Your Server Name>, Protocols, SMTP, Default SMTP Virtual Server

Right-Click on Default SMTP Virtual Server, go to Properties

Choose "Access" tab

Click on "Relay"

You can secure your server by selecting the "Only the list below" radio button and entering your local network IP range.
If you use your SMTP server outside your network, you may select the checkbox that says "Allow all computers which successfully authenticate to relay...".

Note, once you secure your server, you will need to set up the SMTP server setting in your mail client to use SMTP authentication.

Hope that helps! I'm new on here!


0
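The two answers above describe the same fix from two angles: the relay restrictions in the Default SMTP Virtual Server decide whether a RCPT TO for a foreign domain is accepted, and an open-relay test simply checks that decision from the outside. The following Python model is an added example, not code from the original thread or from Exchange; it mirrors the Relay dialog's three controls ("All except the list below", the allowed-host list, and "Allow all computers which successfully authenticate") as a policy object and shows why the open setting causes exactly the symptom in the question. The local domain, the LAN range and the sample sessions are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Domain(s) this server delivers for locally.  Constructed sample value.
LOCAL_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class RelayPolicy:
    """Model of Default SMTP Virtual Server -> Access -> Relay (hypothetical naming)."""
    allow_all: bool            # "All except the list below" = open relay
    allowed_networks: tuple    # "Only the list below": hosts/networks granted relay
    allow_authenticated: bool  # "Allow all computers which successfully authenticate"


# The asker's original state: everything may relay through the server.
OPEN_RELAY = RelayPolicy(allow_all=True, allowed_networks=(), allow_authenticated=True)

# dempsedm's recommended state: LAN range only, plus authenticated clients.
CLOSED_RELAY = RelayPolicy(
    allow_all=False,
    allowed_networks=(ipaddress.ip_network("192.168.1.0/24"),),  # constructed LAN range
    allow_authenticated=True,
)


def rcpt_decision(policy, client_ip, authenticated, rcpt_address):
    """Return the SMTP reply the server gives to RCPT TO:<rcpt_address>."""
    domain = rcpt_address.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "250 OK"  # inbound mail for our own domain is never "relay"
    ip = ipaddress.ip_address(client_ip)
    if policy.allow_all:
        return "250 OK"  # open relay: any host may send to any domain
    if any(ip in net for net in policy.allowed_networks):
        return "250 OK"  # trusted LAN client
    if policy.allow_authenticated and authenticated:
        return "250 OK"  # remote client that passed SMTP AUTH
    return "550 5.7.1 Unable to relay for " + rcpt_address


def is_open_relay(policy):
    """The check the abuse.net-style testers perform: can an unknown, unauthenticated
    Internet host get a foreign recipient accepted?  Uses a constructed probe address."""
    reply = rcpt_decision(policy, "203.0.113.10", False, "victim@spam-target.invalid")
    return reply.startswith("250")


def simulate(policy):
    """Run a few constructed sessions and return {label: reply} for inspection."""
    sessions = {
        "internet_unauth_foreign": ("203.0.113.10", False, "victim@spam-target.invalid"),
        "internet_unauth_local":   ("203.0.113.10", False, "dick@example.com"),
        "lan_unauth_foreign":      ("192.168.1.20", False, "friend@example.net"),
        "internet_auth_foreign":   ("198.51.100.7", True,  "friend@example.net"),
    }
    return {label: rcpt_decision(policy, *args) for label, args in sessions.items()}


if __name__ == "__main__":
    for name, policy in (("OPEN", OPEN_RELAY), ("CLOSED", CLOSED_RELAY)):
        print(name, "open relay?", is_open_relay(policy))
        for label, reply in simulate(policy).items():
            print("  ", label, "->", reply)
```

With the open policy the first session is accepted, which is precisely the queue full of "postmaster" bounces to strange domains the asker saw; with the closed policy only the LAN and authenticated sessions may relay, while inbound mail for the local domain is still accepted, so legitimate delivery keeps working.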

Author Comment

by:rjgnh1942
ID: 17935278
Yup,

Didn't take you guys long.

It was being used as a relay agent because I left it wide open.  DUMMMMMBBBBBBBBB!

Steve got it right away.  
Same with Dempsedm.

Thanks guys.

Closed the relay.  Changed the port to 587 and changed ISPs.  This is a small home office and I have my server behind Comcast.  Of course they don't want that so I use DynDNS and cannot rave about them enough.  They are amazing and their site keeps getting better with more and more tools.  They had tools to test this and all.  Quite amazing.

Do have Grisoft Server AV on the system.  Also, what y'all may find interesting is my first course of action was to go looking for the infection on both server and desktops.  DAH!  Scan after scan, online scans, hours of scans, nothing.  That should have been the first hint that it wasn't an infection, but DAH!  Anyway, that's what I wanted to pass on: if you do a scan or two and find nothing, you might want to change approach and look elsewhere.  Took me too long to get to that point.

Thanks again so much to all of you!

rjgnh1942
0
 
LVL 4

Expert Comment

by:dempsedm
ID: 17940673
No problem!  I had the same thing happen my first sys admin job out of college.  It was when hijacking relays was kind of a new thing.  It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.

Be sure that once you close that relay, you resubmit your server to the spam filter people for testing so they will remove you from their blacklists!  
0
 
LVL 9

Expert Comment

by:sda100
ID: 17965472
Quote the author:

> Steve got it right away.  
> Same with Dempsedm.

So that's where I think the points should go.

Steve :)
0