Finding internal workstation relaying spam through exchange

Posted on 2007-07-31
Last Modified: 2010-03-06
Our SBS2003 server has been sending out spam. It doesn't appear to be an external relay issue, as I've run a battery of tests as well as fixed the reverse NDR issue from many months back.

With message tracking I can see the individual messages, but it doesn't identify what workstation they're coming from. Assuming this is a rogue workstation, is there a way to identify the internal IP from Exchange message tracking?
Question by:jpresto
    LVL 10

    Expert Comment

    You might be able to use netstat to look for open SMTP connections from internal IPs.
    LVL 19

    Expert Comment

    It's rare that spam relays through your Exchange server (from internal sources), it normally goes straight out the firewall via port 25 if allowed...

    With that said, the message tracking logs are stored by default at <system drive>\Program Files\Exchsrvr\<ServerName>.log\xxxxx

    If you import those text files into Excel you'll be able to see some of the IP address info.
    LVL 104

    Expert Comment

    If your server is sending out spam then it is usually obvious as there will be lots of bogus email messages in the queues - unless you are using a smart host.
    As already pointed out, spammers do not use another server on the network to bounce email through.
    The most common attack is against the administrator account for authenticated relaying. Therefore I would strongly suggest that you change the administrator account and consider securing authenticated relaying on the server.


    Author Comment

    So I had a look at the message logs. All the bogus emails had:

    a "client-ip" with an external ip
    a "client-hostname" of User

    So - is "User" an actual user or a generic identifier?

    If all external users are through rpc-over-http, can I disable everything but anonymous auth so that no one can use it as an external relay? And change passwords, of course.
    LVL 104

    Accepted Solution

    If you have no use for SMTP relaying through the server (so no Outlook Express clients, applications sending email, etc.) then you can disable all authenticated relaying.
    Do not disable authentication types on the SMTP virtual server, as that can cause problems with Exchange. Instead, inside the SMTP Virtual Server properties, adjust the relay settings so that the option to allow all users who authenticate to relay is disabled.
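    An added example (not from this thread) of the log check the author describes: parse tab-separated message tracking log lines, then flag entries whose client-hostname is "User" and whose client-ip falls outside the private address ranges, counting them per source IP and sender. The column set and the log lines are constructed for the example and reduced to the fields used here; real Exchange 2003 tracking logs carry more columns.

```python
import ipaddress
from collections import Counter

# Constructed sample of message tracking log lines (tab-separated).
# The "# Fields:" header and column set are an assumption for this example.
SAMPLE_LOG = """\
# Fields: date\ttime\tclient-ip\tclient-hostname\trecipient-address\tevent-id\tsender-address
2007-07-31\t08:01:12\t192.168.1.20\tPC-ACCOUNTS\tbob@example.com\t1019\tjane@example.com
2007-07-31\t08:02:45\t203.0.113.7\tUser\tvictim1@example.net\t1019\tadministrator@example.com
2007-07-31\t08:02:46\t203.0.113.7\tUser\tvictim2@example.net\t1019\tadministrator@example.com
2007-07-31\t08:03:10\t198.51.100.9\tUser\tvictim3@example.org\t1019\tadministrator@example.com
2007-07-31\t08:05:00\t192.168.1.31\tUser\tcolleague@example.com\t1019\tsam@example.com
"""

# RFC 1918 ranges; adjust to the LAN's actual addressing if it differs.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True when the client-ip belongs to one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_tracking_log(text):
    """Turn a tab-separated tracking log with a '# Fields:' header into dicts."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("# Fields:"):
            fields = line[len("# Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before '# Fields:' header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def suspicious_submissions(rows, hostname_marker="User"):
    """Entries matching the author's pattern: marker hostname, non-internal client-ip."""
    return [r for r in rows
            if r["client-hostname"] == hostname_marker and not is_internal(r["client-ip"])]


def summarize(rows):
    """Count flagged submissions per (client-ip, sender-address) pair."""
    return Counter((r["client-ip"], r["sender-address"]) for r in suspicious_submissions(rows))


if __name__ == "__main__":
    for (ip, sender), n in summarize(parse_tracking_log(SAMPLE_LOG)).most_common():
        print(f"{ip}\t{sender}\t{n}")
```

    A sender address that shows up here only from external IPs, such as the administrator account in the sample, is the authenticated-relay pattern the expert above describes.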

