I'm about ready to pull my hair out on this one. Hopefully one of the Experts will have some insight for me.
The situation is thus:
One of the legacy applications my company uses makes use of the anonymous relay functionality of Exchange.
Until recently, this hadn't been a problem, but for some reason, recently our email server has been getting hammered sending spam, mainly to the yahoo.com.tw domain.
This has been composed of both outbound mail to these domains as well as NDRs.
To date, I've used the SMTP and message logging functions within Exchange. The message logging indicates external IPs being the source of all the spam in our SMTP queues, but logging / blocking all traffic from those IPs doesn't show anything at all.
My firewall settings (below) look clean to me, as well as to my coworkers.
| Original Src | Translated Src | Original Dst | Translated Dst | Original Svc | Translated Svc | Inbound IF | Outbound IF |
|---|---|---|---|---|---|---|---|
| EDocs Servers | Original | SBC Mail External | SBC Mail Internal | SB Email Services | Original | Any | Any |
| Any | WAN Interface IP | <Web Site Public> | <Web Site Private> | HTTP/S | Original | X0 | Any |
| <Web Site Private> | <Web Site Public> | Any | Original | HTTP/S | Original | Any | X1 |
| <Mail Internal> | <Mail External> | Any | Original | HTTP/S | Original | Any | Any |
| Any | Original | <Web Page Public> | <Web Page Private> | HTTP/S | Original | Any | Any |
| Any | Original | SBC Mail External | SBC Mail Internal | EDocs Services | Original | Any | Any |
| Any | WAN Primary IP | Any | Original | Any | Original | X0 | X1 |

WAN -> LAN

| Src | Dst | Service | Action |
|---|---|---|---|
| Any | <Web Page Public> | HTTP/S | Allow |
| EDocs Servers | <Mail External> | SMTP/POP3 | Allow |
| Any | <Mail External> | HTTP/S | Allow |
| Any | Any | Any | Discard All |
I think my firewall settings are fine and that I have something nasty running around inside my network.
We're running Symantec AV 10 Corporate on all of our systems. I've audited the network looking for unprotected systems and the only things found were Linux servers, routers, printers and IP phones; all of my Windows boxes show as having the managed client installed. I've pushed out updated virus definitions from the Symantec console and run numerous virus sweeps, but the problem persists.
How can I find what is generating all this spam mail being sent through an anonymous account with what are believed to be spoofed source addresses, and put a stop to it?
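One way to narrow this down from the logs the poster already has, written as an added example and not part of the original post: on a relay, the client IP recorded against each RECEIVE event is the host that handed the message to Exchange, so grouping RECEIVE events by that IP separates an internal machine abusing the anonymous relay from the external addresses that appear further along the delivery path. The script below parses a constructed log in the shape of an Exchange message tracking log (a `#Fields:` header followed by CSV rows; the column names follow the Exchange convention, but every row and the RECEIVE/DSN event names are assumed here), counts recipients in the abused domain per submitting IP, flags internal IPs that are not on the approved relay list, and tallies DSN events as a measure of the NDR backscatter caused by spoofed sender addresses. The subnets for the internal network and the EDocs relay servers are placeholders.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on an Exchange message tracking log: a
# "#Fields:" header naming the columns, then one CSV row per event.
# Column names follow the Exchange convention, but every row is invented.
SAMPLE_LOG = """\
#Fields: date-time,client-ip,client-hostname,server-ip,event-id,recipient-address,recipient-count,sender-address,message-subject
2008-03-11T09:01:02,10.1.5.23,,10.1.5.10,RECEIVE,a@yahoo.com.tw,1,sales@example.org,cheap watches
2008-03-11T09:01:03,10.1.5.23,,10.1.5.10,RECEIVE,b@yahoo.com.tw,1,info@example.net,cheap watches
2008-03-11T09:01:04,10.1.5.23,,10.1.5.10,RECEIVE,c@yahoo.com.tw,1,news@example.com,cheap watches
2008-03-11T09:02:10,10.1.7.40,edocs01,10.1.5.10,RECEIVE,customer@example.com,1,edocs@corp.example,Your invoice
2008-03-11T09:03:00,10.1.5.10,,10.1.5.10,DSN,sales@example.org,1,,Undeliverable: cheap watches
2008-03-11T09:04:00,203.0.113.9,,10.1.5.10,RECEIVE,d@yahoo.com.tw,1,x@example.com,cheap watches
"""

# Assumed placeholders: the internal address space and the subnet of the
# EDocs servers that are allowed to use the anonymous relay.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_RELAY_SOURCES = [ip_network("10.1.7.0/24")]


def parse_tracking_log(text):
    """Return one dict per event, keyed by the column names in the #Fields header."""
    fields = None
    rows = []
    for line in io.StringIO(text):
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#") or fields is None:
            continue  # other comment lines, or data before any header
        values = next(csv.reader([line]))  # csv handles quoted subjects with commas
        rows.append(dict(zip(fields, values)))
    return rows


def _in_any(ip, nets):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def summarize_relay_sources(rows, suspect_domain):
    """Group RECEIVE events by the IP that submitted the message to the server.

    Per client IP: message count, recipients in the suspect domain, the set of
    distinct sender addresses (many senders from one host is a spoofing sign),
    and whether the host is internal and an approved relay source.
    """
    summary = defaultdict(lambda: {"messages": 0, "suspect_rcpts": 0, "senders": set(),
                                   "internal": False, "approved_relay": False})
    for r in rows:
        if r.get("event-id") != "RECEIVE":
            continue
        ip = r.get("client-ip", "")
        s = summary[ip]
        s["messages"] += 1
        s["senders"].add(r.get("sender-address", "").lower())
        if r.get("recipient-address", "").lower().endswith("@" + suspect_domain.lower()):
            s["suspect_rcpts"] += 1
        s["internal"] = _in_any(ip, INTERNAL_NETS)
        s["approved_relay"] = _in_any(ip, ALLOWED_RELAY_SOURCES)
    return dict(summary)


def suspicious_sources(summary, min_suspect_rcpts=2):
    """Internal hosts that are not approved relays yet send to the suspect domain."""
    return sorted(ip for ip, s in summary.items()
                  if s["internal"] and not s["approved_relay"]
                  and s["suspect_rcpts"] >= min_suspect_rcpts)


def count_ndrs(rows):
    """DSN events are the server's own bounces; bounces to senders you never mailed
    are backscatter from messages that spoofed those addresses."""
    return sum(1 for r in rows if r.get("event-id") == "DSN")


if __name__ == "__main__":
    events = parse_tracking_log(SAMPLE_LOG)
    by_ip = summarize_relay_sources(events, "yahoo.com.tw")
    for ip, s in sorted(by_ip.items(), key=lambda kv: -kv[1]["suspect_rcpts"]):
        print(f"{ip:15} msgs={s['messages']} to_suspect={s['suspect_rcpts']} "
              f"senders={len(s['senders'])} internal={s['internal']} "
              f"approved_relay={s['approved_relay']}")
    print("hosts to investigate:", suspicious_sources(by_ip))
    print("NDRs generated:", count_ndrs(events))
```

Run against a real export of the message tracking log, the hosts listed by `suspicious_sources` are the ones to pull off the network and inspect; if the only internal submitter is the relay connector's intended client and the bulk of the suspect traffic still comes from external IPs, the relay restriction itself (which source addresses the anonymous connector accepts) is what needs tightening rather than a workstation cleanup.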