Solved

SBS sending spam

Posted on 2006-11-11
8
733 Views
Last Modified: 2006-11-21
My SBS 2003 using exchange is generating spam mail and sending it out.  This is a small home office and I have no other machine connected.  I watch the mail que and it keeps adding messages generated by "postmaster.mydomain.com.
I look at the messages and they are all destined for strange domains.  obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening.  My problem is that my isp has shut me off till I fix.  I have run all kinds of test, Grisoft, Panda, Trend micro, nothing has picked it up.

HELP!

Dick
0
Comment
Question by:rjgnh1942
8 Comments
 
LVL 4

Expert Comment

by:v_karthik
ID: 17922858
Try some standard spyware busters like Spybot S&D, Adaware, Norton AV etc. If that doesnt work, you may want to check the processes running on your machine using Process Explorer ( http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx )

Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.
0
 
LVL 9

Accepted Solution

by:
sda100 earned 250 total points
ID: 17923695
Hi rjgnh1942,

How are/were you connected to the Internet?  It sounds like your SBS server may be configured as an open mail relay.  If you can get any connection at all, try one of these sites to perform an open-relay test on you.

http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://spamlinks.net/prevent-secure-relay-test.htm

I would install a firewall on your server and block all outgoing on port 25, then ask your ISP to reinstate you so you can trouble-shoot the issue.

I hope this helps,
Steve :)
0
 
LVL 4

Assisted Solution

by:dempsedm
dempsedm earned 250 total points
ID: 17935171
In Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager)
Drill down to First Organization Group, Servers, <Your Server Name>, Protocols, SMTP, Default SMTP Virtual Server

Right-Click on Default SMTP Virtual Server, go to Properties

Choose "Access" tab

Click on "Relay"

You can secure your server by selecting the "only the list below" radio button and entering your local network IP range
If you use your SMTP server outside your network, you may select the checkbox that says "Allow all computers...sucessfully authenticate...".  

Note, once you secure your sever, you will need to set up your SMTP server setting in your mail client to use SMTP authentication.

Hope that helps! I'm new on here!


0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:rjgnh1942
ID: 17935278
Yup,

Didn't take you guys long.

It was being used as a relay agent because I left it wide open.  DUMMMMMBBBBBBBBB!

Steve got it right away.  
Same with Dempsedm.

Thanks guys.

Closed the relay.  Changed the port to 587 and changed ISP's.  This is a small home office and I have my server behind Comcast.  Of course they don't want that so I use DYNDNS and cannot rave about them enough.  They are amazing and their site keeps getting better with more and more tools.  They had tools to tests this and all.  Quite amazing.

Do have Grisoft Server AV on system.  Also, what ya all may find interesting is my first course of action was to go looking for the infection on both server and desktops.  DAH!  Scan after scan, online scans, hours of scans, nothing.  That should have been the first hint that it wasn't an infection but DAH!  Anyway, that's what I wanted to pass on, if you do a scan or two and nothing, you might want to change approach and look elsewhere.  Took me too long to get to that point.

Thanks again so much to all of you!

rjgnh1942
0
 
LVL 4

Expert Comment

by:dempsedm
ID: 17940673
No problem!  I had the same thing happen my first sys admin job out of college.  It was when hijacking relays was kind of a new thing.  It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.

Be sure that once you close that relay, to resubmit your sever to the spam filter people for testing so they will remove you from their black lists!  
0
 
LVL 9

Expert Comment

by:sda100
ID: 17965472
Quote the author:

> Steve got it right away.  
> Same with Dempsedm.

So that's where I think the points should go.

Steve :)
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Article by: Rob
Notes 8.5 Archiving Steps and Tips This article covers setting up a Notes archive, and helps understand some of the menu choices making setting up and maintaining a Notes archive file easier.
I previously wrote an article addressing the use of UBCD4WIN and SARDU. All are great, but I have always been an advocate of SARDU. Recently it was suggested that I go back and take a look at Easy2Boot in comparison.
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now