
Spammer using my Exchange server... no open relay.

sakarmike asked on
Exchange
I am running MS Exchange Server 2003 on Windows Server 2003.

Starting last week, the daily log files in c:\program files\exchsvr\exchange.log\ (incidentally, our server's name is EXCHANGE... original, I know) have been growing ridiculously fast. From under 20 MB normally to over a gig.

Upon investigation, it seems a tremendous amount of spam has been going out.

According to http://www.abuse.net/relay.html, I have all relaying blocked except for relay test 6. I've researched and it seems this is normal for Exchange. Just an MS quirk.

I have Symantec Mail Security for Exchange installed and have Spamhaus listed as my RBL server.

I have port 25 blocked for all computers except the Exchange server in my firewall.

I can't figure out how to stop the spammer. Please help! Thanks. Below is a snippet of log for your consideration.

# Message Tracking Log File
# Exchange System Attendant Version 6.5.7638.1
# Date      Time      client-ip      Client-hostname      Partner-Name      Server-hostname      server-IP      Recipient-Address      Event-ID      MSGID      Priority      Recipient-Report-Status      total-bytes      Number-Recipients      Origination-Time      Encryption      service-Version      Linked-MSGID      Message-Subject      Sender-Address


2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@blogdiario.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunnelratmusic@yahoo.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunnelm@aol.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunodi@gerogoxe.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@datafull.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@guanacosenlinea.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@escolar.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@mundopoesia.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunnelrat114@msn.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
2007-10-24      22:13:15 GMT      64.119.131.178      User      cumeils.prima.com.ar      EXCHANGE      192.168.1.16      tunombre@betarecords.com      1031      EXCHANGE1D15MHJJIBi00000650@exchange.intranet4.sakar.com      1      0      2126      10      2007-10-24 18:22:30 GMT      0      Version: 6.0.3790.1830      -      -      service@gtefcu.org      -
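
An added example (not part of the original post or its answers): a triage script that parses a message tracking log with the header shown above and lists sources whose mail has neither a local sender nor a local recipient, which is the shape relayed spam takes in these logs. The sample rows, the `example.org` local domain, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Field names as they appear in the header line of the posted log.
HEADER = ("Date Time client-ip Client-hostname Partner-Name Server-hostname "
          "server-IP Recipient-Address Event-ID MSGID Priority "
          "Recipient-Report-Status total-bytes Number-Recipients "
          "Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()

def parse(text):
    """Yield one dict per data row; fields are split on tabs or 2+ spaces."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = re.split(r"\t+| {2,}", line.strip())
        if len(fields) >= len(HEADER):  # trailing extra fields are ignored
            yield dict(zip(HEADER, fields))

def domain(addr):
    return addr.rpartition("@")[2].lower()

def relay_shaped(rows, local_domains, min_recipients=3):
    """Map (client-ip, partner, sender) -> (message count, recipient count)
    for rows where neither the sender nor the recipient is local."""
    groups = defaultdict(lambda: (set(), set()))
    for r in rows:
        if {domain(r["Sender-Address"]), domain(r["Recipient-Address"])} & local_domains:
            continue
        msgids, rcpts = groups[(r["client-ip"], r["Partner-Name"], r["Sender-Address"])]
        msgids.add(r["MSGID"])
        rcpts.add(r["Recipient-Address"].lower())
    return {k: (len(m), len(rc)) for k, (m, rc) in groups.items()
            if len(rc) >= min_recipients}

def _row(ip, partner, rcpt, msgid, sender):
    # Builds one constructed row in the same column order as HEADER.
    return "\t".join(["2007-10-24", "22:13:15 GMT", ip, "User", partner, "MAIL01",
                      "192.0.2.10", rcpt, "1031", msgid, "1", "0", "2126", "10",
                      "2007-10-24 18:22:30 GMT", "0", "Version: 6.0.3790.1830",
                      "-", "-", sender, "-"])

# Constructed sample: one relay-shaped burst, one normal outbound, one inbound.
SAMPLE = "\n".join(
    ["# Message Tracking Log File"]
    + [_row("203.0.113.7", "mx.example.net", f"user{i}@dest{i}.example",
            "MSG-A", "service@example.com") for i in range(4)]
    + [_row("192.0.2.20", "pc1.example.org", "bob@partner.example", "MSG-B", "alice@example.org"),
       _row("198.51.100.9", "mx.partner.example", "alice@example.org", "MSG-C", "bob@partner.example")])

if __name__ == "__main__":
    for key, counts in relay_shaped(parse(SAMPLE), {"example.org"}).items():
        print(key, counts)
```

Run against a real log, pass the organisation's own accepted domains as `local_domains`; any source that remains in the output is sending through the server on behalf of outsiders and is the place to start checking relay and authentication settings.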