Exchange 2003 server sending large quantities of junkmail but is not an open relay

I have just installed Windows 2003 Small Business Server R2 with service pack 2 and set up Exchange Server 2003 with Service Pack 2.

The domain is a private name and I have set up SMTP on the Exchange server.
It sends SMTP mail direct to the Internet using the SmallBusiness SMTP connector.
It receives mail from a public IP that is NAT translated behind a firewall.
It all works fine and I have tested it externally to check that it does not allow relaying (over a dozen different tests) and it is okay.
I have turned off Non Delivery Reports and only recipients in the domain can receive mail.

My problem is that the server is sending out very large quantities of junkmail to other people and I can't seem to see where it is coming from or how to stop it.
There are currently over 1500 queues at the moment and 99% of them are junk.

The other day it was so bad that the exchange server stopped receiving mail because the queue had reached nearly 100,000 messages.

Anybody got any ideas? I don't think it has been hacked; is it a virus or what?
Asked: DaveW2000

1 Solution

Dave_AND commented:
Have you checked this with all the workstations off? It may be on a client's PC rather than yours, and those clients can relay as they are local to the server. Clear the queues with all the PCs off, and then monitor the queues; if they don't grow then you need to check all your PCs.
v2Media commented:
Have you scanned the desktop clients for malware & viruses with something more effective than Norton's or Trend Micro?

I experienced a similar problem; it turned out to be malware and trojans on a laptop running Trend Micro (Dell trialware). AVG picked out the culprits and the spam problem was solved.
ormerodrutter commented:
I agree with v2Media: it is very likely to be client workstations/laptops that are infected and sending out spam. Run the latest AV on ALL workstations.
Sembee commented:
If the messages are in the queues of the Exchange server then I have to disagree with the above. It is almost certainly NOT an infected client. Infected clients have their own SMTP engine to send out email.

It is probably one of two things:
1. NDR spam
2. Authenticated user

Start with my spam cleanup article: http://www.amset.info/exchange/spam-cleanup.asp 
That will help you clean up the server and identify the source of the spam.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
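The thread argues over three possible sources for mail piling up in the queues: infected LAN clients, NDR backscatter, and submissions from outside abusing relay or an authenticated account. The script below is an added example (not from the thread or from Sembee's article) that triages queued RFC 822 messages into those three buckets and ranks the hosts that handed them to the server; the sample messages are constructed, and the heuristics (null or postmaster sender for NDRs, earliest Received header for the source) are assumptions, not Exchange's own logic.

```python
# Added example (not from the thread): triage queued .eml messages into the
# three junk-mail sources debated above. Sample messages are constructed.
import email
import ipaddress
import re
from collections import Counter
from email import policy

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 ranges plus loopback: a hop from here is a LAN client or the server itself.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLES = [  # constructed stand-ins for files in the SMTP queue folder
    b"Received: from lan-pc ([192.168.1.50]) by mail.example.local\r\n"
    b"From: someone@example.local\r\nSubject: cheap watches\r\n\r\nbody",
    b"Received: from relay ([203.0.113.7]) by mail.example.local\r\n"
    b"From: bob@example.local\r\nSubject: offer\r\n\r\nbody",
    b"From: postmaster@example.local\r\nSubject: Undeliverable: hi\r\n\r\nbody",
]


def classify(raw):
    """Return (category, source_ip) for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("Return-Path") or msg.get("From") or "").strip().lower()
    subject = str(msg.get("Subject") or "").lower()
    # NDR backscatter: null return path, or postmaster sender / bounce subject.
    if sender in ("", "<>") or "postmaster@" in sender or subject.startswith("undeliverable"):
        return "ndr", None
    received = msg.get_all("Received") or []
    # The last Received header is the earliest hop: the host that handed us the message.
    m = RECEIVED_IP.search(str(received[-1])) if received else None
    if not m:
        return "unknown-source", None
    ip = ipaddress.ip_address(m.group(1))
    return ("lan-client" if any(ip in n for n in LAN_NETS) else "external-submission"), str(ip)


def triage(raws):
    """Count categories and the busiest source IPs over raw messages."""
    cats, ips = Counter(), Counter()
    for raw in raws:
        cat, ip = classify(raw)
        cats[cat] += 1
        if ip:
            ips[ip] += 1
    return {"categories": dict(cats), "top_sources": ips.most_common(5)}
```

To use it against a real server, read the bytes of each .eml file in the SMTP queue folder and pass them to triage(); a large "lan-client" count points at the workstations, "ndr" at backscatter, and "external-submission" at relay or authenticated-user abuse.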
DaveW2000 (Author) commented:
Hi Sembee,
I am now cleaning the clients anyway as a precaution.

How do I check for an Authenticated User?
DaveW2000 (Author) commented:
Hi Sembee,

Came across your article earlier, had done some of it.
Went through it again carefully, now waiting to see if it has done the trick.

Finished scanning all client machines very thoroughly for viruses and spyware etc, nothing found at all except the odd cookie, even on the server.
Sembee commented:
If it is an authenticated user attack there is only one account ever attacked: the administrator account. Therefore, if you haven't already, you need to change the administrator account password and then lock down authenticated relaying so that the administrator account cannot be used. If you don't need authenticated relaying then turn it off.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
DaveW2000 (Author) commented:
Hi Sembee,

Could not see any 1708s in the log for authenticated relaying; however, I did remove the server itself from being able to do authenticated relaying by removing 127.0.0.1 and the server's own private address, and also changed the Administrator's password. I also changed the public IP address of the mail server.

The activity appears to have stopped, but I can't really say what I think has stopped it.
My feeling is that either removing the authenticated relaying ability from the server and/or allowing mail in to Active Directory users only is the most likely reason it has stopped. Comments from you would be appreciated before I award you all the points (your site is excellent and you deserve the MVP).
Sembee commented:
You don't need 127.0.0.1 in the relay list, nor your own subnet, for Exchange to work correctly. Depending on your firewall, having the subnet listed can turn the machine into an open relay as it sees the firewall traffic as internal.

You need to watch the queues for further messages building - that will show if the server is still being abused or not.

Simon.

--
If your question has been answered, please remember to accept the answer and close the question.
DaveW2000 (Author) commented:
Sorry for the delay in awarding points.
No further successful attacks have happened, although, looking in the event log (as I am still monitoring Exchange), it's not for want of trying: the server is constantly attacked every day, but unsuccessfully.
I would recommend everybody read Sembee's article listed above and lock down their exchange server.