Solved

SBS sending spam

Posted on 2006-11-11
8
739 Views
Last Modified: 2006-11-21
My SBS 2003 using exchange is generating spam mail and sending it out.  This is a small home office and I have no other machine connected.  I watch the mail que and it keeps adding messages generated by "postmaster.mydomain.com.
I look at the messages and they are all destined for strange domains.  obviously spam stuff.
How do I either find out where this is being generated from and get rid of it, or stop it from happening.  My problem is that my isp has shut me off till I fix.  I have run all kinds of test, Grisoft, Panda, Trend micro, nothing has picked it up.

HELP!

Dick
0
Comment
Question by:rjgnh1942
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 4

Expert Comment

by:v_karthik
ID: 17922858
Try some standard spyware busters like Spybot S&D, Adaware, Norton AV etc. If that doesnt work, you may want to check the processes running on your machine using Process Explorer ( http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx )

Using this, you can see if there is any stray process and also check the network connections they make. If you suspect something, kill the process and see if the mails still queue up.
0
 
LVL 9

Accepted Solution

by:
sda100 earned 250 total points
ID: 17923695
Hi rjgnh1942,

How are/were you connected to the Internet?  It sounds like your SBS server may be configured as an open mail relay.  If you can get any connection at all, try one of these sites to perform an open-relay test on you.

http://www.abuse.net/relay.html
http://www.ordb.org/submit/
http://spamlinks.net/prevent-secure-relay-test.htm

I would install a firewall on your server and block all outgoing on port 25, then ask your ISP to reinstate you so you can trouble-shoot the issue.

I hope this helps,
Steve :)
0
 
LVL 4

Assisted Solution

by:dempsedm
dempsedm earned 250 total points
ID: 17935171
In Exchange System Manager (Start, All Programs, Microsoft Exchange, System Manager)
Drill down to First Organization Group, Servers, <Your Server Name>, Protocols, SMTP, Default SMTP Virtual Server

Right-Click on Default SMTP Virtual Server, go to Properties

Choose "Access" tab

Click on "Relay"

You can secure your server by selecting the "only the list below" radio button and entering your local network IP range
If you use your SMTP server outside your network, you may select the checkbox that says "Allow all computers...sucessfully authenticate...".  

Note, once you secure your sever, you will need to set up your SMTP server setting in your mail client to use SMTP authentication.

Hope that helps! I'm new on here!


0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 

Author Comment

by:rjgnh1942
ID: 17935278
Yup,

Didn't take you guys long.

It was being used as a relay agent because I left it wide open.  DUMMMMMBBBBBBBBB!

Steve got it right away.  
Same with Dempsedm.

Thanks guys.

Closed the relay.  Changed the port to 587 and changed ISP's.  This is a small home office and I have my server behind Comcast.  Of course they don't want that so I use DYNDNS and cannot rave about them enough.  They are amazing and their site keeps getting better with more and more tools.  They had tools to tests this and all.  Quite amazing.

Do have Grisoft Server AV on system.  Also, what ya all may find interesting is my first course of action was to go looking for the infection on both server and desktops.  DAH!  Scan after scan, online scans, hours of scans, nothing.  That should have been the first hint that it wasn't an infection but DAH!  Anyway, that's what I wanted to pass on, if you do a scan or two and nothing, you might want to change approach and look elsewhere.  Took me too long to get to that point.

Thanks again so much to all of you!

rjgnh1942
0
 
LVL 4

Expert Comment

by:dempsedm
ID: 17940673
No problem!  I had the same thing happen my first sys admin job out of college.  It was when hijacking relays was kind of a new thing.  It ended up totally bringing down our whole mail server which screwed up all kinds of other things on the LAN since the server was doing other functions.

Be sure that once you close that relay, to resubmit your sever to the spam filter people for testing so they will remove you from their black lists!  
0
 
LVL 9

Expert Comment

by:sda100
ID: 17965472
Quote the author:

> Steve got it right away.  
> Same with Dempsedm.

So that's where I think the points should go.

Steve :)
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
A list of useful business intelligence software.
This video will demonstrate how to find the puppet warp tool from the edit menu and where to put the points to edit.
Viewers will learn how to use the Hootsuite Dashboard.

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question