
How to determine source of spam?

Posted on 2007-11-15
Last Modified: 2013-11-30
I have a 2000 Microsoft small business server running Exchange 2000 with latest patches. There are about 30 clients. I am seeing spam messages in the outbound queues and am unable to determine the origin. Relaying is off and 25 is closed except from our filtering service, so the problem is most likely internal. Short of powering off all the computers and turning them back on one by one, does anyone have a suggestion?
Question by:rjccaz
11 Comments
 
LVL 10

Accepted Solution

by:
abraham808 earned 375 total points
ID: 20291787
Look at the Email headers for clues.
0
 

Author Comment

by:rjccaz
ID: 20291820
Is there a way to view the headers directly from Exchange?  Keep in mind that I don't know which (or IF a) client is causing the messages, so cannot open the messages from Outlook.

Thanks!
0
 
LVL 12

Assisted Solution

by:David Scott, MCSE
David Scott, MCSE earned 750 total points
ID: 20292428
Yes, double click the queue (SMTP connector I'm assuming) and then click Find Now and it will show all the messages in the queue. Double click one of the messages and it will show you the header.
0

 

Author Comment

by:rjccaz
ID: 20292569
Ah-ha! We might be on to something... I got an error, says "Enumerate messages from the queue node"

After enumerating the messages, it appears that all these messages are from "postmaster@(MY_DOMAIN).com"

Still unsure as to the original source and what to do about them... Any ideas?
0
 
LVL 12

Assisted Solution

by:David Scott, MCSE
David Scott, MCSE earned 750 total points
ID: 20292778
It's probably NDRs from your postmaster account from spammers doing "directory harvesting": they send to endless combos of names@yourdomain.com and when the program doesn't get an NDR it knows it's a valid email address, then it starts sending spam to it.

To stop this, you have to check an option to "filter recipient not in the directory".

Go to ESM, Global Settings, right click Message Delivery, Properties, Recipient Filtering, put a check in "filter recipients who are not in the directory". This will block emails that are sent to anyone@yourdomain.com that doesn't have a mailbox. Your server won't send an NDR, just will block it and force their server to do the NDR.
0
 

Author Comment

by:rjccaz
ID: 20292913
Opie,
I would agree, but I see no option for this, probably because this is Exchange 2000.  Not only that, but the initial symptom was a returned email warning that spam may be being generated on our network and it was more than just an NDR.  This original notification was sent from an AOL account and included the following:

Return-Path: <dispute-paypal.com@(MY_DOMAIN).com>
Received: from rly-ma06.mx.aol.com (rly-ma06.mail.aol.com [172.20.116.50]) by air-ma05.mail.aol.com (v120.9) with ESMTP id MAILINMA053-8b04735f1a735e; Sat, 10 Nov 2007 13:00:13 -0400
Received: from server.(MY_DOMAIN).local ((MY_ISP)]) by rly-ma06.mx.aol.com (v120.9) with ESMTP id MAILRELAYINMA062-8b04735f1a735e; Sat, 10 Nov 2007 13:00:08 -0400
Received: from User ([71.36.31.249]) by server.(MY_DOMAIN).local with Microsoft SMTPSVC(5.0.2195.6713);
    Fri, 9 Nov 2007 13:05:22 -0700
Reply-To: <dispute-paypal.com>
From: "PayPal"<dispute-paypal.com>
Subject: Receipt for Your Payment
Date: Fri, 9 Nov 2007 12:54:44 -0700
MIME-Version: 1.0
Content-Type: text/html;
    charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <SERVERyuqr60g1XbIv10000045a@server.(MY_DOMAIN).local>
X-OriginalArrivalTime: 09 Nov 2007 20:05:22.0368 (UTC) FILETIME=[DC0F9400:01C8230B]
X-AOL-IP: (MY_IP)
X-AOL-SCOLL-SCORE:1:2:447414272:9395240
X-AOL-SCOLL-URL_COUNT:
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_helo :
X-AOL-SCOLL-AUTHENTICATION: listenair ; SPF_822_from :
0
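An added example, not part of the original thread: reading the Received chain in a header like the one above to find which host handed the message to your own server. The sample is constructed from that header, with the redacted (MY_DOMAIN) and (MY_ISP) parts replaced by the placeholders example.com, example.local and 192.0.2.10; the function names are hypothetical. Only the Received line stamped by your own server is trustworthy, since anything below it could be supplied by the sender.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: Received chain from the post, redactions replaced by placeholders.
SAMPLE = """\
Return-Path: <dispute-paypal.com@example.com>
Received: from rly-ma06.mx.aol.com (rly-ma06.mail.aol.com [172.20.116.50]) by air-ma05.mail.aol.com (v120.9) with ESMTP id MAILINMA053-8b04735f1a735e; Sat, 10 Nov 2007 13:00:13 -0400
Received: from server.example.local ([192.0.2.10]) by rly-ma06.mx.aol.com (v120.9) with ESMTP id MAILRELAYINMA062-8b04735f1a735e; Sat, 10 Nov 2007 13:00:08 -0400
Received: from User ([71.36.31.249]) by server.example.local with Microsoft SMTPSVC(5.0.2195.6713);
\tFri, 9 Nov 2007 13:05:22 -0700
Subject: Receipt for Your Payment

body
"""

HOP = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw):
    """Return hops oldest-first. Each MTA prepends its own Received line,
    so the header order is newest-first and has to be reversed."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip = IPV4.search(m.group("info"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops

def submitter(raw, our_server):
    """The hop our own server recorded: who connected to it with this message."""
    for hop in received_hops(raw):
        if hop["by"].lower() == our_server.lower():
            return hop
    return None

def from_private_range(hop):
    """True if the connecting address is RFC 1918 / loopback (a LAN client)."""
    return hop["ip"] is not None and ipaddress.ip_address(hop["ip"]).is_private

if __name__ == "__main__":
    hop = submitter(SAMPLE, "server.example.local")
    print(hop, "LAN client" if from_private_range(hop) else "not a LAN address")
```
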
 
LVL 104

Assisted Solution

by:Sembee
Sembee earned 375 total points
ID: 20294442
There is no recipient filtering in Exchange 2000. If you are under that kind of attack you will have to go third party. Vamsoft ORF can do recipient filtering; it will also do the tar pit, which you need as well.

Simon.
0
 
LVL 12

Expert Comment

by:David Scott, MCSE
ID: 20297856
I wish there were different zones for SBS 2000 and 2003 and Exchange 2000 and 2003.

0
 
LVL 104

Expert Comment

by:Sembee
ID: 20297866
Why? The information is in the original question that it was SBS 2000.

Simon.
0
 
LVL 12

Expert Comment

by:David Scott, MCSE
ID: 20297948
Because if there were separate zones for the different versions I would not be looking at questions in SBS 2000 or Exchange 2000.

I mean there are different zones for Windows 2000, XP, 2003, etc.

Why not Exchange and SBS?
0
 

Author Comment

by:rjccaz
ID: 20301389
Well, I believe I have found the issue. Apparently, these are all NDRs. I had considered that possibility, but was thrown by the fact that they were still appearing. I have read that it is normal for the NDR messages to continue to appear for up to 48 hours after the initial problem is resolved. For now, I think my problem is solved. Thanks to all who helped!

http://support.microsoft.com/kb/886208 for Exchange 2003
http://support.microsoft.com/kb/909005/en-us for Exchange 2000 or 2003
0
