rjccaz
How to determine source of spam?
I have a 2000 Microsoft small business server running Exchange 2000 with latest patches. There are about 30 clients. I am seeing spam messages in the outbound queues and am unable to determine the origin. Relaying is off and 25 is closed except from our filtering service, so the problem is most likely internal. Short of powering off all the computers and turning them back on one by one, does anyone have a suggestion?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
Ah-ha! We might be on to something... I got an error, says "Enumerate messages from the queue node"
After enumerating the messages, it appears that all these messages are from "postmaster@(MY_DOMAIN).com"
Still unsure as to the original source and what to do about them... Any ideas?
SOLUTION
ASKER
Opie,
I would agree, but I see no option for this, probably because this is Exchange 2000. Not only that, but the initial symptom was a returned email warning that spam may be being generated on our network and it was more than just an NDR. This original notification was sent from an AOL account and included the following:
Return-Path: <dispute-paypal.com@(MY_DOMAIN).com>
Received: from rly-ma06.mx.aol.com (rly-ma06.mail.aol.com [172.20.116.50]) by air-ma05.mail.aol.com (v120.9) with ESMTP id MAILINMA053-8b04735f1a735e; Sat, 10 Nov 2007 13:00:13 -0400
Received: from server.(MY_DOMAIN).local ((MY_ISP)]) by rly-ma06.mx.aol.com (v120.9) with ESMTP id MAILRELAYINMA062-8b04735f1a735e; Sat, 10 Nov 2007 13:00:08 -0400
Received: from User ([71.36.31.249]) by server.(MY_DOMAIN).local with Microsoft SMTPSVC(5.0.2195.6713);
Fri, 9 Nov 2007 13:05:22 -0700
Reply-To: <dispute-paypal.com>
From: "PayPal"<dispute-paypal.com>
Subject: Receipt for Your Payment
Date: Fri, 9 Nov 2007 12:54:44 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVERyuqr60g1XbIv10000045a@server.(MY_DOMAIN).local>
X-OriginalArrivalTime: 09 Nov 2007 20:05:22.0368 (UTC) FILETIME=[DC0F9400:01C8230B]
X-AOL-IP: (MY_IP)
X-AOL-SCOLL-SCORE:1:2:4474 14272:9395 240
X-AOL-SCOLL-URL_COUNT:
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo :
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from :
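A Received chain like the one quoted above is read bottom-up: the lowest Received line records which client handed the message to the Exchange server. The following is an added example, not part of the original post, that extracts that hop and classifies the submitting address as internal or external. The sample is constructed from the quoted headers, with the redacted values replaced by the assumed placeholders example.local and 203.0.113.10, and the function names are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the headers quoted above; the redacted
# (MY_DOMAIN)/(MY_ISP) values are replaced by example.local / 203.0.113.10.
SAMPLE = """\
Received: from rly-ma06.mx.aol.com (rly-ma06.mail.aol.com [172.20.116.50]) by air-ma05.mail.aol.com (v120.9) with ESMTP; Sat, 10 Nov 2007 13:00:13 -0400
Received: from server.example.local ([203.0.113.10]) by rly-ma06.mx.aol.com (v120.9) with ESMTP; Sat, 10 Nov 2007 13:00:08 -0400
Received: from User ([71.36.31.249]) by server.example.local with Microsoft SMTPSVC(5.0.2195.6713);
\t Fri, 9 Nov 2007 13:05:22 -0700
From: "PayPal" <dispute@example.com>
Subject: Receipt for Your Payment

"""

# "from <helo> (... [ip]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return the Received hops oldest-first as (helo, ip, by) tuples."""
    msg = email.message_from_string(raw)
    hops = []
    # Each relay prepends its header, so the bottom one is the first hop.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:  # skip hops that carry no bracketed IP literal
            hops.append((m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)))
    return hops

def submission_hop(raw, our_server):
    """Find the hop where our_server accepted the message; classify the sender."""
    for helo, ip, by in parse_hops(raw):
        if by.lower() == our_server.lower():
            scope = "internal" if ip.is_private or ip.is_loopback else "external"
            return {"helo": helo, "ip": str(ip), "scope": scope}
    return None  # our_server does not appear in the Received chain

if __name__ == "__main__":
    print(submission_hop(SAMPLE, "server.example.local"))
```

An "internal" result points at a LAN workstation to inspect; an "external" result means the server accepted the message from an outside address, so the SMTP virtual server's connection and authentication settings are the place to look.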
SOLUTION
I wish there were different zones for SBS 2000 and 2003 and Exchange 2000 and 2003.
Why? The information is in the original question that it was SBS 2000.
Simon.
B/c if there were separate zones for the different versions I would not be looking at questions in SBS 2000 or Exchange 2000.
I mean there are different zones for Windows 2000, XP, 2003, etc.
Why not Exchange and SBS?
ASKER
Well, I believe I have found the issue. Apparently, these are all NDRs. I had considered that possibility, but was thrown by the fact that they were still appearing. I have read that it is normal for the NDR messages to continue to appear for up to 48 hours after the initial problem is resolved. For now, I think my problem is solved. Thanks to all who helped!
http://support.microsoft.com/kb/886208 for Exchange 2003
http://support.microsoft.com/kb/909005/en-us for Exchange 2000 or 2003
ASKER
Thanks!