Hi Folks --
Here's a very strange SPAM scenario.
My Exchange server version 6.5 sp 2 has been plagued with spam for days now. The behavior is very random I am positive our server is NOT an open relay as I have checked it @ dnsgoodies.com and several other sites like it. I am trying to figure out just where this spam is coming from. It seems to still be hitting the queues and our Symantec Brightmail Anti Spam Filter even though I have blocked port 25 on the sonicwall for all machines other than the server. When our Symantec Spam Filter gets clogged it causes delays in emails getting to phones etc. which is a big problem.
I can disable Authenticated relay alltogether; and still sit there and watch messages coming into the Message tracking center at an alarming rate. Almost all of them are from completely strange email addresses with your typical spam subjects i.e. penis enlargement etc.. etc.. but some say the sender is fake email addresses at our domain.com, i.e... email@example.com -- of course spamidiot is not a user in our directory. I'm beginning to think the exploitation is on the server. There was no anti-virus installed on this server when I came to it. I am convincing the client to buy anti virus for the machine. In the meantime I installed ClamWin and ran a scan which reported no viruses. I also ran hijack this which did find something funky. 2 instances of svchost running from Program Files\Internet Explorer,
O23 - Service: Window Domain Services (windowndns) - Unknown owner - C:\Program Files\Internet Explorer\svchost.exe
C:\Program Files\Internet Explorer\svchost.exe
When I try to check the "023" for removal in Hijackthis it says it has removed it, and it always comes right back.
Is a virus on the server generating these messages? How can I tell just where they are coming from?
The logs dont really seem to say -- I can provide them if necessary.
2 other things I have done 1.) enable recipient filtering on non-existent addresses, and set SMTP logging to maximum -- When I go to view the Event logs for MSExchangeTransport all i get are the errors generated from mail that is being sent to non existent addresses.
Here's one of them:
This is an SMTP protocol warning log for virtual server ID 1, connection #70107. The remote host "126.96.36.199", responded to the SMTP command "rcpt" with "451 Sender domain bank.co.uk not verified in DNS ". The full command sent was "RCPT TO:<firstname.lastname@example.org> ". This may cause the connection to fail.
So to summarize:
a)we've got the Symantec Brightmail filter catching 98% spam and slowing down operations.
b)I can watch literally thousands of spam messages fill up in the message tracking center in an hour some of them from "our domain," spoofed addresses.
c)we are not an open relay
d)smtp is currently blocked at the firewall for every ip except the servers and its still going down.
I'm still pretty much an ADMIN in training as far as exchange goes so any GURUS out there PLEASE HELP!! I'm getting so tired.....
Thanks so much!!