SBS sending spam

My SBS 2003 using exchange is generating spam mail and sending it out.  This is a small home office and I have no other machine connected.  I watch the mail que and it keeps adding messages generated by "postmaster.mydomain.com.
I look at the messages and they are all destined for strange domains.  obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening.  My problem is that my isp has shut me off till I fix.  I have run all kinds of test, Grisoft, Panda, Trend micro, nothing has picked it up.

HELP!

Dick
rjgnh1942Asked:
Who is Participating?
 
sda100Connect With a Mentor Commented:
Hi rjgnh1942,

How are/were you connected to the Internet?  It sounds like your SBS server may be configured as an open mail relay.  If you can get any connection at all, try one of these sites to perform an open-relay test on you.

http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://spamlinks.net/prevent-secure-relay-test.htm

I would install a firewall on your server and block all outgoing on port 25, then ask your ISP to reinstate you so you can trouble-shoot the issue.

I hope this helps,
Steve :)
0
 
v_karthikCommented:
Try some standard spyware busters like Spybot S&D, Adaware, Norton AV etc. If that doesnt work, you may want to check the processes running on your machine using Process Explorer ( http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx )

Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.
0
 
dempsedmConnect With a Mentor Commented:
In Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager)
Drill down to First Organization Group, Servers, <Your Server Name>, Protocols, SMTP, Default SMTP Virtual Server

Right-Click on Default SMTP Virtual Server, go to Properties

Choose "Access" tab

Click on "Relay"

You can secure your server by selecting the "only the list below" radio button and entering your local network IP range
If you use your SMTP server outside your network, you may select the checkbox that says "Allow all computers...sucessfully authenticate...".  

Note, once you secure your sever, you will need to set up your SMTP server setting in your mail client to use SMTP authentication.

Hope that helps! I'm new on here!


0
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

 
rjgnh1942Author Commented:
Yup,

Didn't take you guys long.

It was being used as a relay agent because I left it wide open.  DUMMMMMBBBBBBBBB!

Steve got it right away.  
Same with Dempsedm.

Thanks guys.

Closed the relay.  Changed the port to 587 and changed ISP's.  This is a small home office and I have my server behind Comcast.  Of course they don't want that so I use DYNDNS and cannot rave about them enough.  They are amazing and their site keeps getting better with more and more tools.  They had tools to tests this and all.  Quite amazing.

Do have Grisoft Server AV on system.  Also, what ya all may find interesting is my first course of action was to go looking for the infection on both server and desktops.  DAH!  Scan after scan, online scans, hours of scans, nothing.  That should have been the first hint that it wasn't an infection but DAH!  Anyway, that's what I wanted to pass on, if you do a scan or two and nothing, you might want to change approach and look elsewhere.  Took me too long to get to that point.

Thanks again so much to all of you!

rjgnh1942
0
 
dempsedmCommented:
No problem!  I had the same thing happen my first sys admin job out of college.  It was when hijacking relays was kind of a new thing.  It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.

Be sure that once you close that relay, to resubmit your sever to the spam filter people for testing so they will remove you from their black lists!  
0
 
sda100Commented:
Quote the author:

> Steve got it right away.  
> Same with Dempsedm.

So that's where I think the points should go.

Steve :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.