Stop outbound spam with anonymous relay enabled

timbrigham asked
1,624 Views
Last Modified: 2008-01-09
I'm about ready to pull my hair out on this one. Hopefully one of the Experts will have some insight for me.

The situation is thus:
One of the legacy applications my company uses makes use of the anonymous relay functionality of Exchange.
Until recently, this hadn't been a problem, but for some reason, recently our email server has been getting hammered sending spam, mainly to the yahoo.com.tw domain.
This has been composed of both outbound mail to these domains as well as NDRs.
To date, I've used the SMTP and message logging functions within Exchange. The message logging indicates external IPs being the source of all the spam in our SMTP queues, but logging / blocking all traffic from those IPs doesn't show anything at all.

My firewall settings (below) look clean to me, as well as to my coworkers.

NAT Policies:

| Original Src | Translated Src | Original Dst | Translated Dst | Original Svc | Translated Svc | Inbound IF | Outbound IF |
| --- | --- | --- | --- | --- | --- | --- | --- |
| EDocs Servers | Original | SBC Mail External | SBC Mail Internal | SB Email Services | Original | Any | Any |
| Any | WAN Interface IP | <Web Site Public> | <Web Site Private> | HTTP/S | Original | X0 | Any |
| <Web Site Private> | <Web Site Public> | Any | Original | HTTP/S | Original | Any | X1 |
| <Mail Internal> | <Mail External> | Any | Original | HTTP/S | Original | Any | Any |
| Any | Original | <Web Page Public> | <Web Page Private> | HTTP/S | Original | Any | Any |
| Any | Original | SBC Mail External | SBC Mail Internal | EDocs Services | Original | Any | Any |
| Any | WAN Primary IP | Any | Original | Any | Original | X0 | X1 |


Firewall Policies:
WAN -> LAN

| Src | Dst | Service | Action |
| --- | --- | --- | --- |
| Any | <Web Page Public> | HTTP/S | Allow |
| EDocs Servers | <Mail External> | SMTP/POP3 | Allow |
| Any | <Mail External> | HTTP/S | Allow |
| Any | Any | Any | Discard All |


I think my firewall settings are fine and that I have something nasty running around inside my network.
We're running Symantec AV 10 Corporate on all of our systems. I've audited the network looking for unprotected systems and the only things found were linux servers, routers, printers and IP phones - all of my Windows boxes show as having the managed client installed. I've pushed out updated virus definitions from the Symantec console and run numerous virus sweeps, but the problem persists.

How can I find what is generating all this spam mail being sent through an anonymous account with what are believed to be spoofed source addresses, and put a stop to it?
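One way to narrow this down from the SMTP protocol log rather than from the queue view, as an added example that is not part of the original post: the script reads a W3C-format protocol log by its `#Fields` header and tallies, per connecting client IP, how many messages were submitted and how many recipients were outside the local domains, separating RFC 1918 (inside) clients from Internet clients and flagging any client that relayed to external recipients without being on the relay allow-list. The sample log lines, `ALLOWED_RELAY_CLIENTS` and `LOCAL_DOMAINS` are constructed/hypothetical; real Exchange protocol logs carry more fields, which the header-driven parser accommodates.

```python
"""Summarise an SMTP protocol log (W3C extended format) by connecting client
so that a relay abused for outbound spam can be traced to the host that is
actually submitting the mail. All sample data below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample; the field order is taken from the #Fields line, so a
# real log with the full IIS/Exchange field list parses the same way.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-01-09 10:15:22 192.168.1.50 edocs01 MAIL +FROM:<scan@example.com> 250
2008-01-09 10:15:22 192.168.1.50 edocs01 RCPT +TO:<clerk@example.com> 250
2008-01-09 10:16:01 192.168.1.77 - MAIL +FROM:<random@hotmail.com> 250
2008-01-09 10:16:01 192.168.1.77 - RCPT +TO:<a1@yahoo.com.tw> 250
2008-01-09 10:16:01 192.168.1.77 - RCPT +TO:<b2@yahoo.com.tw> 250
2008-01-09 10:16:02 192.168.1.77 - RCPT +TO:<c3@yahoo.com.tw> 250
2008-01-09 10:17:40 203.0.113.9 - MAIL +FROM:<x@example.net> 250
2008-01-09 10:17:40 203.0.113.9 - RCPT +TO:<d4@yahoo.com.tw> 250
"""

ALLOWED_RELAY_CLIENTS = {"192.168.1.50"}  # hypothetical: the EDocs servers
LOCAL_DOMAINS = {"example.com"}           # hypothetical: domains we accept mail for
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def relay_report(text):
    """Per client IP: MAIL count, external RCPT count, inside/outside, suspect flag."""
    stats = defaultdict(lambda: {"mail": 0, "external_rcpt": 0})
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        if method == "MAIL":
            stats[ip]["mail"] += 1
        elif method == "RCPT":
            addr = rec["cs-uri-query"].split(":", 1)[1].strip("<>")
            if addr.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS:
                stats[ip]["external_rcpt"] += 1
    report = {}
    for ip, s in stats.items():
        internal = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        # Anyone relaying outbound who is not an approved relay client is a lead:
        # an internal address points at an infected host, an external one at an open relay.
        suspect = s["external_rcpt"] > 0 and ip not in ALLOWED_RELAY_CLIENTS
        report[ip] = {**s, "internal": internal, "suspect": suspect}
    return report
```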