harleys asked:
Spam being sent from my exchange server, how do I find its source?

My organization has a Windows Server 2003 (SBS) and uses Exchange 2003.

We are receiving complaints from our ISP that spam is being sent out from our IP. I found in my System Manager's Server Queue thousands of entries from SmallBusiness SMTP Connector.

Now, I see no incoming connections (from the internet OR the LAN) to port 25 on the Exchange server.

We're thinking that one of the local workstations which uses Outlook 2003 to connect to the Exchange server is infected with some sort of a virus, but we have no way of tracking the information.

Is there a way I can view which LAN IP initiated the message given its message ID? Is there some other way I can track down the source?
kjanicke:

Did your ISP provide the headers of the email?

Turn on SMTP logging on the Exchange server to track where mail is coming from. Be careful though. Those logs can fill up pretty fast and they go to the IIS folders.

http://www.msexchange.org/tutorials/Logging_the_SMTP_Service.html

There may be some clues in the event logs too.
harleys (asker):

The headers were not useful. It only said that it was coming from my Exchange server.

I don't believe SMTP logging can be helpful in this situation if the messages are originating from an Exchange client (as they do not use SMTP to send mail ... go figure).
Turn on mailbox logging then to capture what is being sent out or to see if any account is accessing a mailbox that is not their primary mailbox.

If you track some of the outgoing mail, does it say which mailbox it is coming from?

Do you have a Symantec management console? Or some sort of virus scanner to check workstations?
ASKER CERTIFIED SOLUTION by Sembee (the accepted answer's text is not available on this page).

You might have an open relay. Please disallow relay from your mail server and make sure all computers are virus/spyware free.

Check the mail log and track any suspicious email. You might get the source by looking at the first "from" line.


Hope this helps

Please let us know how it goes

Regards,
Richard
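The two pieces of advice in this thread, enabling SMTP protocol logging (kjanicke) and working through the mail log for the source IP and envelope sender (Richard), come together in the script below. It is an added example written for this page, not code from any poster or from Microsoft; it reads the W3C extended log the IIS SMTP service writes, counts MAIL commands per client IP, notes hosts that rotate envelope senders (a bot pattern), and lists outside IPs for which the server accepted a recipient at a non-local domain, which is what an open relay looks like in the log. The log sample is constructed, the reduced field selection in the `#Fields` line is an assumption (IIS lets you choose which fields to log), and the LAN range `192.168.0.0/16` and local domain `example.com` are placeholders to adjust for your own network.

```python
"""Summarise an Exchange 2003 / IIS SMTP service protocol log (W3C extended
format) to trace who is handing the server mail.

Added example for this thread, not code from the original page. Assumptions:
reduced #Fields selection shown below, LAN = 192.168.0.0/16, local domain =
example.com. The log lines are constructed sample data."""
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.0.0/16")   # assumed internal address range
LOCAL_DOMAINS = {"example.com"}                # assumed domains this server accepts mail for

# Constructed sample: one LAN host submitting three messages with rotating senders,
# one normal LAN host, and one outside host for which a foreign recipient got 250.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2008-03-10 08:00:01 192.168.1.57 ws57 192.168.1.2 HELO +ws57 250
2008-03-10 08:00:01 192.168.1.57 ws57 192.168.1.2 MAIL +FROM:<bob@example.com> 250
2008-03-10 08:00:01 192.168.1.57 ws57 192.168.1.2 RCPT +TO:<victim1@example.net> 250
2008-03-10 08:00:02 192.168.1.57 ws57 192.168.1.2 MAIL +FROM:<alice@example.com> 250
2008-03-10 08:00:02 192.168.1.57 ws57 192.168.1.2 RCPT +TO:<victim2@example.org> 250
2008-03-10 08:00:03 192.168.1.57 ws57 192.168.1.2 MAIL +FROM:<random123@example.com> 250
2008-03-10 08:00:03 192.168.1.57 ws57 192.168.1.2 RCPT +TO:<victim3@example.net> 250
2008-03-10 08:05:00 192.168.1.10 ws10 192.168.1.2 MAIL +FROM:<jane@example.com> 250
2008-03-10 08:05:00 192.168.1.10 ws10 192.168.1.2 RCPT +TO:<partner@example.net> 250
2008-03-10 08:07:12 203.0.113.9 - 192.168.1.2 MAIL +FROM:<spoof@example.biz> 250
2008-03-10 08:07:12 203.0.113.9 - 192.168.1.2 RCPT +TO:<someone@example.org> 250
2008-03-10 08:07:13 203.0.113.9 - 192.168.1.2 RCPT +TO:<other@example.net> 550
"""


def parse_smtp_log(text):
    """Yield one dict per protocol line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header may repeat when the log rolls over
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # truncated or malformed line: skip it
        yield dict(zip(fields, parts))


def _address(query):
    """'+FROM:<bob@example.com>' -> 'bob@example.com' (empty string if no angle brackets)."""
    start, end = query.find("<"), query.find(">")
    return query[start + 1:end].lower() if 0 <= start < end else ""


def summarize(records):
    """Per client IP: MAIL count, distinct envelope senders, accepted non-local recipients."""
    stats = defaultdict(lambda: {"mail": 0, "senders": set(), "relayed_to": []})
    for r in records:
        ip, method, query, status = r["c-ip"], r["cs-method"], r["cs-uri-query"], r["sc-status"]
        if method == "MAIL":
            stats[ip]["mail"] += 1
            stats[ip]["senders"].add(_address(query))
        elif method == "RCPT" and status == "250":
            rcpt = _address(query)
            domain = rcpt.rpartition("@")[2]
            if domain and domain not in LOCAL_DOMAINS:
                stats[ip]["relayed_to"].append(rcpt)
    return dict(stats)


def suspicious_lan_hosts(stats, mail_threshold=3):
    """LAN IPs that submit many messages or rotate envelope senders, most active first."""
    out = []
    for ip, s in stats.items():
        if ipaddress.ip_address(ip) in LAN and (s["mail"] >= mail_threshold or len(s["senders"]) > 1):
            out.append((ip, s["mail"], sorted(s["senders"])))
    return sorted(out, key=lambda t: -t[1])


def relay_from_outside(stats):
    """Non-LAN IPs that got 250 on RCPT to a non-local domain: the server relayed for them."""
    return sorted((ip, s["relayed_to"]) for ip, s in stats.items()
                  if ipaddress.ip_address(ip) not in LAN and s["relayed_to"])


if __name__ == "__main__":
    stats = summarize(parse_smtp_log(SAMPLE_LOG))
    for ip, n, senders in suspicious_lan_hosts(stats):
        print(f"LAN host {ip}: {n} MAIL commands, envelope senders {senders}")
    for ip, rcpts in relay_from_outside(stats):
        print(f"relay accepted from outside host {ip} to {rcpts}")
```

Against a real log, replace `SAMPLE_LOG` with the contents of the files in the IIS SMTP log folder and adjust `LAN` and `LOCAL_DOMAINS`. Note the point the asker raises: Outlook talking to Exchange over MAPI does not go through the SMTP service on submission, so a compromised mailbox would show up in mailbox or message tracking logs rather than here; what this log does reveal is any machine that speaks SMTP to port 25 directly, which is how most mass-mailing malware of that era sent, and any outside host the server relayed for.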