Finding internal workstation relaying spam through exchange

Our SBS2003 server has been sending out spam. It doesn't appear to be an external relay issue, as I've run a battery of tests as well as fixed the reverse NDR issue from many months back.

With message tracking I can see the individual messages, but it doesn't identify what workstation they're coming from. Assuming this is a rogue workstation, is there a way to identify the internal IP from Exchange message tracking?
1 Solution
You might be able to use netstat to look for open SMTP connections from internal IPs.
It's rare that spam relays through your Exchange server (from internal sources); it normally goes straight out the firewall via port 25 if allowed...

With that said, the message tracking logs are stored by default at <system drive>\Program Files\Exchsrvr\<ServerName>.log\xxxxx

If you import those text files into Excel you'll be able to see some of the IP address info.
If your server is sending out spam then it is usually obvious as there will be lots of bogus email messages in the queues - unless you are using a smart host.
As already pointed out, spammers do not use another server on the network to bounce email through.
The most common attack is against the administrator account for authenticated relaying. Therefore I would strongly suggest that you change the administrator account and consider securing authenticated relaying on the server.

jpresto (Author) commented:
So I had a look at the message logs. All the bogus emails had:

  • a "client-ip" with an external IP
  • a "client-hostname" of User

So - is "User" an actual user or a generic identifier?

If all external users are through rpc-over-http, can I disable everything but anonymous auth so that no one can use it as an external relay? And change passwords, of course.
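As an added example (not from the thread or from Exchange itself), here is a small parser for the tab-separated message tracking log described above. It groups records by the client-ip and Client-hostname columns and counts distinct messages per source, so a single external IP submitting many messages under one sender account, as in the author's finding, stands out without a round trip through Excel. The sample log is constructed and trimmed to the columns the script uses; the assumption is that the column names sit on a "# " comment line near the top of the file, and the internal ranges are the RFC 1918 networks, which you would adjust to your own LAN.

```python
"""Summarise who is submitting mail to an Exchange 2003 server, from its
message tracking logs. Added example; the sample log below is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample in the tracking-log layout (tab-separated, column names on
# a "# " comment line). Columns are trimmed to the ones used here; real logs
# carry more (Partner-Name, server-IP, total-bytes, ...).
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.5.7638.1",
    "# Date\tTime\tclient-ip\tClient-hostname\tRecipient-Address\tEvent-ID\tMSGID\tSender-Address",
    "2009-3-2\t14:01:05 GMT\t192.168.1.57\tWKS-ACCOUNTING\tvendor@example.net\t1019\t<m1@sbs.example.local>\tbob@example.local",
    "2009-3-2\t14:01:06 GMT\t192.168.1.57\tWKS-ACCOUNTING\tvendor@example.net\t1020\t<m1@sbs.example.local>\tbob@example.local",
    "2009-3-2\t14:02:11 GMT\t203.0.113.45\tUser\tvictim1@example.org\t1019\t<s1@sbs.example.local>\tadministrator@example.local",
    "2009-3-2\t14:02:12 GMT\t203.0.113.45\tUser\tvictim2@example.org\t1019\t<s2@sbs.example.local>\tadministrator@example.local",
    "2009-3-2\t14:02:13 GMT\t198.51.100.9\tUser\tvictim3@example.org\t1019\t<s3@sbs.example.local>\tadministrator@example.local",
    "2009-3-2\t14:02:13 GMT\t198.51.100.9\tUser\tvictim3@example.org\t1020\t<s3@sbs.example.local>\tadministrator@example.local",
])

# Assumption: the LAN uses RFC 1918 space; replace with your own subnets.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def parse_tracking_log(text):
    """Yield one dict per record, keyed by the column names from the header line."""
    fields = None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line:
            continue
        if line.startswith("#"):
            body = line[1:].strip()
            if "\t" in body:          # the comment line that carries the column names
                fields = body.split("\t")
            continue
        if fields is None:
            raise ValueError("data row before column header")
        yield dict(zip(fields, line.split("\t")))


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:               # blank or non-IP values in client-ip
        return False
    return any(addr in net for net in INTERNAL_NETS)


def submitters(text):
    """Distinct messages and sender addresses per (client-ip, Client-hostname)."""
    seen = defaultdict(lambda: {"messages": set(), "senders": set()})
    for rec in parse_tracking_log(text):
        ip = rec.get("client-ip", "").strip()
        if not ip:
            continue                 # events with no submitting client (e.g. local delivery)
        key = (ip, rec.get("Client-hostname", ""))
        seen[key]["messages"].add(rec["MSGID"])   # dedupe across per-message events
        seen[key]["senders"].add(rec["Sender-Address"])
    return {
        k: {"messages": len(v["messages"]),
            "senders": sorted(v["senders"]),
            "internal": is_internal(k[0])}
        for k, v in seen.items()
    }


def external_submitters(text):
    """Sources outside the LAN that submitted mail: the authenticated-relay case."""
    return {k: v for k, v in submitters(text).items() if not v["internal"]}


if __name__ == "__main__":
    for (ip, host), info in sorted(submitters(SAMPLE_LOG).items()):
        where = "internal" if info["internal"] else "EXTERNAL"
        print(f"{ip:15} {host:16} {where:8} msgs={info['messages']} "
              f"senders={','.join(info['senders'])}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; an internal workstation would show up as a LAN address with a real hostname, whereas an abused authenticated account shows up as external addresses with the generic hostname "User" and a single sender address, which is the pattern the thread goes on to discuss.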
If you have no use for SMTP relaying through the server (so no Outlook Express clients, applications sending email etc) then you can disable all authenticated relaying.
Do not disable authentication types on the SMTP virtual server, as that can cause problems with Exchange. Instead, inside the SMTP Virtual Server properties, adjust the relay settings so that the option to allow all users who authenticate to relay is disabled.
