rjgnh1942
asked on
SBS sending spam
My SBS 2003 using exchange is generating spam mail and sending it out. This is a small home office and I have no other machine connected. I watch the mail que and it keeps adding messages generated by "postmaster.mydomain.com.
I look at the messages and they are all destined for strange domains. obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening. My problem is that my isp has shut me off till I fix. I have run all kinds of test, Grisoft, Panda, Trend micro, nothing has picked it up.
HELP!
Dick
I look at the messages and they are all destined for strange domains. obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening. My problem is that my isp has shut me off till I fix. I have run all kinds of test, Grisoft, Panda, Trend micro, nothing has picked it up.
HELP!
Dick
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yup,
Didn't take you guys long.
It was being used as a relay agent because I left it wide open. DUMMMMMBBBBBBBBB!
Steve got it right away.
Same with Dempsedm.
Thanks guys.
Closed the relay. Changed the port to 587 and changed ISP's. This is a small home office and I have my server behind Comcast. Of course they don't want that so I use DYNDNS and cannot rave about them enough. They are amazing and their site keeps getting better with more and more tools. They had tools to tests this and all. Quite amazing.
Do have Grisoft Server AV on system. Also, what ya all may find interesting is my first course of action was to go looking for the infection on both server and desktops. DAH! Scan after scan, online scans, hours of scans, nothing. That should have been the first hint that it wasn't an infection but DAH! Anyway, that's what I wanted to pass on, if you do a scan or two and nothing, you might want to change approach and look elsewhere. Took me too long to get to that point.
Thanks again so much to all of you!
rjgnh1942
Didn't take you guys long.
It was being used as a relay agent because I left it wide open. DUMMMMMBBBBBBBBB!
Steve got it right away.
Same with Dempsedm.
Thanks guys.
Closed the relay. Changed the port to 587 and changed ISP's. This is a small home office and I have my server behind Comcast. Of course they don't want that so I use DYNDNS and cannot rave about them enough. They are amazing and their site keeps getting better with more and more tools. They had tools to tests this and all. Quite amazing.
Do have Grisoft Server AV on system. Also, what ya all may find interesting is my first course of action was to go looking for the infection on both server and desktops. DAH! Scan after scan, online scans, hours of scans, nothing. That should have been the first hint that it wasn't an infection but DAH! Anyway, that's what I wanted to pass on, if you do a scan or two and nothing, you might want to change approach and look elsewhere. Took me too long to get to that point.
Thanks again so much to all of you!
rjgnh1942
No problem! I had the same thing happen my first sys admin job out of college. It was when hijacking relays was kind of a new thing. It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.
Be sure that once you close that relay, to resubmit your sever to the spam filter people for testing so they will remove you from their black lists!
Be sure that once you close that relay, to resubmit your sever to the spam filter people for testing so they will remove you from their black lists!
Quote the author:
> Steve got it right away.
> Same with Dempsedm.
So that's where I think the points should go.
Steve :)
> Steve got it right away.
> Same with Dempsedm.
So that's where I think the points should go.
Steve :)
Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.