Solved

SBS sending spam

Posted on 2006-11-11
738 Views
Last Modified: 2006-11-21
My SBS 2003 using Exchange is generating spam mail and sending it out.  This is a small home office and I have no other machine connected.  I watch the mail queue and it keeps adding messages generated by "postmaster.mydomain.com".
I look at the messages and they are all destined for strange domains.  Obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening?  My problem is that my ISP has shut me off till I fix it.  I have run all kinds of tests, Grisoft, Panda, Trend Micro, nothing has picked it up.

HELP!

Dick
Question by:rjgnh1942
8 Comments
 
LVL 4

Expert Comment

by:v_karthik
ID: 17922858
Try some standard spyware busters like Spybot S&D, Ad-Aware, Norton AV etc. If that doesn't work, you may want to check the processes running on your machine using Process Explorer ( http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx )

Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.
 
LVL 9

Accepted Solution

by:
sda100 earned 250 total points
ID: 17923695
Hi rjgnh1942,

How are/were you connected to the Internet?  It sounds like your SBS server may be configured as an open mail relay.  If you can get any connection at all, try one of these sites to perform an open-relay test on you.

http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://spamlinks.net/prevent-secure-relay-test.htm

I would install a firewall on your server and block all outgoing on port 25, then ask your ISP to reinstate you so you can trouble-shoot the issue.

I hope this helps,
Steve :)
 
LVL 4

Assisted Solution

by:dempsedm
dempsedm earned 250 total points
ID: 17935171
In Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager)
Drill down to First Organization Group, Servers, <Your Server Name>, Protocols, SMTP, Default SMTP Virtual Server

Right-Click on Default SMTP Virtual Server, go to Properties

Choose "Access" tab

Click on "Relay"

You can secure your server by selecting the "Only the list below" radio button and entering your local network IP range.
If you use your SMTP server outside your network, you may select the checkbox that says "Allow all computers... successfully authenticate...".

Note, once you secure your server, you will need to set up your SMTP server setting in your mail client to use SMTP authentication.

Hope that helps! I'm new on here!


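An added example, not code from the thread or from either answer above, that ties the two accepted answers together: Steve's suggestion to run an open-relay test against the server, and dempsedm's lockdown of the Default SMTP Virtual Server's relay list. The script performs the same probe the abuse.net/ORDB testers did: from "outside", it offers a sender and a recipient that are both foreign to the server and checks whether the RCPT TO is accepted (open relay) or refused. Because those test sites no longer exist and the script must run offline, it also includes a constructed fake SMTP responder that imitates the two states of an Exchange 2003 SMTP virtual server: wide open, and restricted to local domains. The server name, the domain mydomain.com, and the exact "550 5.7.1 Unable to relay" wording are assumptions taken from the thread and from Exchange's usual reply; nothing here talks to a real Exchange box.

```python
import smtplib
import socketserver
import threading

# Domains the fake server treats as its own (constructed for this example).
LOCAL_DOMAINS = {"mydomain.com"}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder imitating the relay decision of an Exchange 2003
    SMTP virtual server.  Behaviour is selected by server.open_relay
    (constructed stand-in; this is not Exchange)."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self.reply("220 sbs.mydomain.com Fake SMTP ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 sbs.mydomain.com")
            elif verb == "MAIL":
                # A relay-restricted server still accepts any MAIL FROM;
                # the decision is made on the recipient.
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = line.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    # Assumed Exchange 2003 wording for a refused relay.
                    self.reply("550 5.7.1 Unable to relay for " + addr)
            elif verb == "RSET":
                self.reply("250 2.0.0 Reset state")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                break
            else:
                self.reply("502 5.5.1 Command not implemented")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        # Port 0: let the OS pick a free port; read it from server_address.
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.open_relay = open_relay


def start_fake_server(open_relay):
    """Start the fake responder on a background thread and return it."""
    srv = FakeSMTPServer(open_relay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_open_relay(host, port, sender="probe@example.net",
                     recipient="victim@example.org"):
    """Open-relay check as the abuse.net-style testers did it.

    Sender and recipient default to domains that are foreign to the server.
    Returns True if the server accepts RCPT TO for that recipient (it would
    relay), False if it refuses.  DATA is never sent, so the probe itself
    delivers nothing.
    """
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(sender)
        if code != 250:
            return False          # sender rejected outright: not relaying
        code, _ = smtp.rcpt(recipient)
        smtp.rset()               # abandon the transaction cleanly
        return code == 250


if __name__ == "__main__":
    for flag in (True, False):
        srv = start_fake_server(open_relay=flag)
        host, port = srv.server_address
        print(f"open_relay={flag}: relays foreign mail? "
              f"{probe_open_relay(host, port)}")
        srv.shutdown()
        srv.server_close()
```

Two practical points. The lockdown in dempsedm's answer is a source-IP list, so a probe run from inside the LAN will be accepted either way; the check only means something from an address outside the allowed range, which is why Steve suggested an external tester. And a server that is properly closed still accepts mail for its own domains from anyone (the second assertion case), which is correct behaviour, not a leak: refusing foreign-to-foreign recipients is what matters.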

Author Comment

by:rjgnh1942
ID: 17935278
Yup,

Didn't take you guys long.

It was being used as a relay agent because I left it wide open.  DUMMMMMBBBBBBBBB!

Steve got it right away.  
Same with Dempsedm.

Thanks guys.

Closed the relay.  Changed the port to 587 and changed ISPs.  This is a small home office and I have my server behind Comcast.  Of course they don't want that, so I use DynDNS and cannot rave about them enough.  They are amazing and their site keeps getting better with more and more tools.  They had tools to test this and all.  Quite amazing.

Do have Grisoft Server AV on the system.  Also, what y'all may find interesting is that my first course of action was to go looking for the infection on both server and desktops.  DAH!  Scan after scan, online scans, hours of scans, nothing.  That should have been the first hint that it wasn't an infection, but DAH!  Anyway, that's what I wanted to pass on: if you do a scan or two and find nothing, you might want to change approach and look elsewhere.  Took me too long to get to that point.

Thanks again so much to all of you!

rjgnh1942
 
LVL 4

Expert Comment

by:dempsedm
ID: 17940673
No problem!  I had the same thing happen my first sys admin job out of college.  It was when hijacking relays was kind of a new thing.  It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.

Be sure that once you close that relay, you resubmit your server to the spam filter people for testing so they will remove you from their blacklists!
 
LVL 9

Expert Comment

by:sda100
ID: 17965472
Quote the author:

> Steve got it right away.  
> Same with Dempsedm.

So that's where I think the points should go.

Steve :)