AndyKeen (United Kingdom) asked on

Email Messages in Outbound Queue on Exchange (Where From?)

Hi All.

We have a situation (at this very moment) where our client's Exchange Server is being flooded with outgoing emails (eBay messages) and they are not being sent by the client (i.e., the client is not purposely sending these messages).
As we speak the outgoing SMTP queue has gone up by a couple of thousand email messages waiting to be sent (I say waiting because we have disabled outgoing email).

What is this? As far as I know they are not an open relay, and email is sent through a smart SMTP host.

Any assistance would be a help.

Thank you and Regards
Andy.
Tags: Exchange, Email Servers, SBS

8/22/2022 - Mon
Coolie Sheppard

Your server is an open relay.

Close the relay:

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

When you close it, you can check if it's still open (you can check if it's open now) at two sites:

www.dnsgoodies.com
www.mxtoolbox.com
Coolie Sheppard

And, depending on how long you've been an open relay, after you close it, use those same two sites to check whether you're blacklisted on any servers. If you are, go to www.mxtoolbox.com and find the servers that blacklisted you. You will then have to contact them (this can be done via their website link) and request to be taken off. It takes 24 hours.
robrandon

Here is how to determine if it is an open relay. If it is, there is a link at the bottom to help.
(Even though the article says it is for SBS, it will work for Exchange.)

http://support.microsoft.com/kb/324958

ASKER
AndyKeen

Hi Cshepfam

Thanks for your reply.

Checked with dnsgoodies.com and, as you can see below, the results say that it is unable to relay, so I assume this means it is not an open relay.

>> MAIL FROM:<spammer@192.168.2.220>
<< 250 2.1.0 spammer@192.168.2.220....Sender OK
>> RCPT TO:<spammee@xx.xxx.xx.xxx>
<< 550 5.7.1 Unable to relay for spammee@xx.xxx.xx.xxx
>> RSET
<< 250 2.0.0 Resetting

We have identified that a particular user account is generating the email. If we disable the user then the emails stop being generated. Interestingly, this is an account that was set up a while ago and has never been used (briefly: it was set up for an employee that never started).

Does this give any more info as to how this is happening?

Thank you and Regards
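The relay test Coolie points to and the transcript in the previous post, carried out in code. This is an added Python example, not part of the original thread or of the dnsgoodies/mxtoolbox tools: it sends MAIL FROM and RCPT TO for two addresses foreign to the server, reads the RCPT reply and resets, never sending DATA. The FakeSMTP class is a constructed stand-in so the block runs offline; the probe addresses, the account name and its password are assumptions.

```python
"""Open-relay probe: the MAIL FROM / RCPT TO exchange from the transcript, in code.

Added example. The replies scripted in FakeSMTP are constructed to match the
transcript above and do not come from any real host.
"""
import smtplib
from dataclasses import dataclass

# Both addresses must be foreign to the server under test (assumed values).
PROBE_SENDER = "spammer@example.com"
PROBE_RCPT = "spammee@example.net"


@dataclass
class RelayResult:
    rcpt_code: int
    rcpt_reply: str
    authenticated: bool

    @property
    def relay_accepted(self) -> bool:
        # 2xx means the server will deliver on our behalf; 550 5.7.1
        # "Unable to relay" (the reply in the transcript) means it refused.
        return 200 <= self.rcpt_code < 300


def probe_relay(conn, sender=PROBE_SENDER, rcpt=PROBE_RCPT,
                user=None, password=None) -> RelayResult:
    """Run the probe over any object offering smtplib.SMTP's mail/rcpt/rset/login."""
    if user is not None:
        # With valid credentials the same RCPT is normally accepted: a relay
        # test that passes anonymously says nothing about a guessable password.
        conn.login(user, password)
    code, reply = conn.mail(sender)
    if code != 250:
        raise RuntimeError(f"MAIL FROM rejected: {code} {reply!r}")
    code, reply = conn.rcpt(rcpt)
    conn.rset()  # never send DATA: the probe must not deliver anything
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    return RelayResult(code, reply, user is not None)


def probe_host(host: str, port: int = 25, **kw) -> RelayResult:
    """Live probe against a real server (needs network access; assumed host)."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo_or_helo_if_needed()
        return probe_relay(smtp, **kw)


class FakeSMTP:
    """Scripted server for offline runs: refuses anonymous relay exactly like
    the transcript, accepts it after a successful AUTH (constructed behaviour)."""

    def __init__(self, relay_allowed=False, accounts=None):
        self.relay_allowed = relay_allowed
        self.accounts = accounts or {}  # user -> password, constructed

    def login(self, user, password):
        if self.accounts.get(user) != password:
            raise smtplib.SMTPAuthenticationError(
                535, b"5.7.3 Authentication unsuccessful")
        self.relay_allowed = True
        return 235, b"2.7.0 Authentication successful"

    def mail(self, sender):
        return 250, f"2.1.0 {sender}....Sender OK".encode()

    def rcpt(self, rcpt):
        if self.relay_allowed:
            return 250, f"2.1.5 {rcpt}".encode()
        return 550, f"5.7.1 Unable to relay for {rcpt}".encode()

    def rset(self):
        return 250, b"2.0.0 Resetting"


if __name__ == "__main__":
    anon = probe_relay(FakeSMTP())
    print("anonymous relay accepted:", anon.relay_accepted, "-", anon.rcpt_reply)
    # Constructed dormant account with a weak password, the scenario in the thread.
    dormant = FakeSMTP(accounts={"newstarter": "Password1"})
    authed = probe_relay(dormant, user="newstarter", password="Password1")
    print("authenticated relay accepted:", authed.relay_accepted)
```

The 550 in the transcript proves only that the server refuses to relay for an unauthenticated client. A client that first authenticates with a valid account, which is what a dormant account with a weak password provides, takes the second path in the block, so a clean relay test and a flooded outbound queue are not contradictory.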
robrandon

Is the user account enabled? If so, disable it.
ASKER
AndyKeen

Hi Robrandon

Thank you.

Yes, we have now disabled it; however, I am concerned about:
1) How this is happening (considering it is an unused account); if it happens to an account that is in use it would be more of a problem.
2) Is this a virus infection, spyware, etc., and if it is, how do we detect and remove it? (We do have a quality antivirus server product in place.)
3) What exactly is happening here?

Hope you or anyone else can answer these points for us.

Thank you and Regards
Coolie Sheppard

So basically the account has been forged or spoofed. There are many articles on how to avoid this because it is something that's hard to stop.


One: on the server that is hosting your domain, you can create an SPF record. Here are some articles to help you out in that situation.

http://www.bluehostforum.com/showthread.php?t=132
http://smtp25.blogspot.com/2007/05/stop-e-mail-spoofing-on-your-mail.html
robrandon

When was it disabled? Was it enabled when this happened? It would be interesting to see the last time the account was logged on. Did it have a blank password?

Do you still have the messages in the queue, or at least the text files for the messages saved?  It would be nice to see the information in there.

ASKER
AndyKeen

Hi cshepfam, thank you for your info. I will check the info out.

Hi Robrandon,
We just disabled the account, i.e., about 20 mins ago, and yes, it was enabled at the time.

How do we find out the last time the user logged on? (Using SBS 2003.)
A password was set for the account.

Unfortunately we removed all the messages from the queue. We have re-activated the account, but as of this reply there have been no further messages in the queue.

Ref: "Do you still have the messages in the queue, or at least the text files for the messages saved? It would be nice to see the information in there." How do we find this information? Where is it stored?

Thank you and Regards
ASKER CERTIFIED SOLUTION
Coolie Sheppard
