pitsbros asked on

Exchange 2003 Server sending SPAM?

Hey folks,

Our Exchange Server must be sending out SPAM somehow, because I caught over 3000 messages being retried in our Queue in system manager and now we're blacklisted on Barracuda networks. We've been getting NDR and System Administrator messages in certain e-mail inboxes and I don't know what to do. I know I'm not set up as a relay, so what else do I do? I've run Trend Micro a dozen times and it catches nothing...

Last Comment: DrKernel, 8/22/2022 - Mon
powercram

Is it possible that you are relaying for internal computers?  One of them may be the culprit.

Otherwise use System Manager to view your mailboxes to see if one or more accounts have higher than expected number of messages.

Perhaps you could post some NDRs here so we could help further.
ASKER
pitsbros

How would I determine who the culprit is? It's getting out of hand.
FW-Delivery-Status-Notification-.txt
FW-Undeliverable-Message-you-sen.txt
kieran_b

>>I caught over 3000 messages being retried in our Queue in system manager

Who are those messages from?  It should tell you if you look at them.
ASKER
pitsbros

Lots of them were from "service@paypal.com" None were from anyone in our system...
kieran_b

The from address was service@paypal?

Your server is being abused then.  If it was <> or postmaster@ - it could be NDR spam.

Run through this, and change your admin password: http://www.amset.info/exchange/spam-cleanup.asp
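The distinction drawn above (the server being abused as a relay versus generating NDR backscatter) can be checked against the SMTP virtual server's protocol log rather than guessed from the queue. The following is an added example for this thread, not code posted by any participant; it assumes a simplified W3C-style line layout (date, time, client IP, SMTP verb, argument, status code), constructed sample lines with made-up addresses, and placeholder lists of accepted domains, known mailboxes and internal networks. It keys sessions by client IP, which is a simplification of how real logs interleave connections.

```python
"""Triage SMTP protocol log lines: open relay vs worm-infected client vs backscatter.

Constructed example. The log layout is a simplified W3C-style record
(date time c-ip cs-method cs-uri-query sc-status), not the exact
Exchange 2003 SMTP virtual server schema; IPs and addresses are made up.
"""
import ipaddress
from collections import Counter

# Assumptions: the domains this server accepts mail for, the mailboxes that
# actually exist (what recipient filtering checks), and the LAN ranges.
LOCAL_DOMAINS = {"example-corp.test"}
KNOWN_MAILBOXES = {"mike@example-corp.test", "info@example-corp.test"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8")]

# Constructed sample log: one external host relaying to external recipients,
# one LAN client sending with a forged external sender, one external host
# sending to a non-existent local user (accepted, so an NDR will follow).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2008-05-12 00:48:01 203.0.113.5 MAIL +FROM:<service@paypal.example> 250
2008-05-12 00:48:01 203.0.113.5 RCPT +TO:<victim1@southtexascollege.example> 250
2008-05-12 00:48:02 203.0.113.5 RCPT +TO:<victim2@attbi.example> 250
2008-05-12 00:48:05 192.168.1.20 MAIL +FROM:<mike@example-corp.test> 250
2008-05-12 00:48:05 192.168.1.20 RCPT +TO:<partner@jaair.example> 250
2008-05-12 00:48:09 192.168.1.33 MAIL +FROM:<service@paypal.example> 250
2008-05-12 00:48:09 192.168.1.33 RCPT +TO:<someone@attbi.example> 250
2008-05-12 00:48:12 198.51.100.7 MAIL +FROM:<spammer@bad.example> 250
2008-05-12 00:48:12 198.51.100.7 RCPT +TO:<nosuchuser@example-corp.test> 250
2008-05-12 00:48:15 198.51.100.7 RCPT +TO:<mike@example-corp.test> 250
2008-05-12 00:48:20 198.51.100.9 RCPT +TO:<foo@elsewhere.example> 550
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _addr(arg):
    # "+FROM:<a@b>" or "+TO:<a@b>" -> "a@b"; the null sender "<>" -> ""
    return arg.split("<", 1)[1].rstrip(">").lower() if "<" in arg else ""


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def parse_log(text):
    """Yield (client_ip, verb, argument, status) for each data line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line
        _date, _time, ip, verb, arg, status = parts[:6]
        yield ip, verb.upper(), arg, status


def triage(text):
    """Count suspicious events per client IP in three categories."""
    findings = {
        "open_relay": Counter(),             # external client -> external recipient accepted
        "internal_forged_sender": Counter(),  # LAN client using a non-local MAIL FROM
        "backscatter_trigger": Counter(),     # external -> unknown local user accepted
    }
    current_sender = {}
    for ip, verb, arg, status in parse_log(text):
        if verb == "MAIL":
            sender = _addr(arg)
            current_sender[ip] = sender
            if sender and is_internal(ip) and _domain(sender) not in LOCAL_DOMAINS:
                findings["internal_forged_sender"][ip] += 1
        elif verb == "RCPT" and status == "250":
            if is_internal(ip):
                continue  # LAN clients are allowed to send outbound
            rcpt = _addr(arg)
            if _domain(rcpt) not in LOCAL_DOMAINS:
                findings["open_relay"][ip] += 1
            elif rcpt not in KNOWN_MAILBOXES:
                findings["backscatter_trigger"][ip] += 1
    return findings


if __name__ == "__main__":
    for category, counts in triage(SAMPLE_LOG).items():
        print(category, dict(counts))
```

Each category points at a different fix: open-relay hits mean the Relay restrictions on the SMTP virtual server are too loose (an unrecognized IP in the Relay tab, for instance); internal-forged-sender hits name the LAN client worth scanning; backscatter-trigger hits are exactly what recipient filtering (rejecting unknown recipients at RCPT time) removes, because a message that is refused with 550 never produces an NDR.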
DrKernel

From the attached files I can see the NDR going back to Mike Bargman, and the sender of the NDR is info; most likely an NDR attack.

1- Enable recipient filtering and check "filter recipients who are not in the directory", as described here: http://support.microsoft.com/kb/823866
2- Enable IMF and (AND) IMF updates by the registry keys, and go for Microsoft updates (not Windows updates):
http://msexchangeteam.com/archive/2006/04/12/425060.aspx
http://msexchangeteam.com/archive/2005/12/14/416070.aspx

I faced it once and that action prevented it. You should have an antispam solution, you know that? At least Antigen with the SpamCure engine; it works perfectly!

Regards
Dr.Kernel
ASKER
pitsbros

I've always had recipient filtering on. I did notice that when looking at the SMTP Virtual Server Properties, the Relay tab had 3 IP addresses in it. One was 127.0.0.0, one was the local IP of the exchange server and the other was a foreign IP that I didn't recognize...
DrKernel

pitsbros, recipient filtering will protect you from email harvest attacks; IMF will overcome this issue you are facing (hopefully).

And before you delete the foreign IP, give it to me to analyze it. It's the weekend in our country and I have some free time :)

ASKER
pitsbros

How does IMF stop my server from sending e-mail? I was under the impression that IMF filters inbound e-mails to a folder on my server...
DrKernel

Yes, your users receive NDRs from info@paypal.com; they may not be real NDRs.

Can you please enable IMF and get back to us?
ASKER
pitsbros

IMF has been running for quite some time...
ASKER
pitsbros

The server is sending messages with a FROM address of service@paypal.com and I've seen some others. It's not that our users are receiving these e-mails, the server is sending them and I've seen them in the queue...
DrKernel

Well, for messages from service@paypal.com you have to start the IMF updates (please :) ).

Follow the links, add the reg keys, and update the IMF; this should stop it (inbound).

For internal users, I think it's a worm on your clients. I believe that Antigen can still suspend that temporarily until you get the culprit, as it scans the inbound, outbound and internal traffic.

To get the culprit you have to trace which users are the source of all these problems. You will find a bunch, as I think the antivirus that won't catch the worm on one of the clients won't catch it on almost all of them; contact the AV supplier then.

Or maybe, if your AV has an antispam module or something...
ASKER
pitsbros

I am running Trend Micro Client Server Messaging Suite w/ AntiSpam and I've got no problems that come up on scans...
ASKER
pitsbros

IMF is running and up to date as it always has been. Anti-virus is running on every machine in the network...
kieran_b

Run through the spam article I posted; IMF isn't going to help if you are being used as a relay.
DrKernel

Is Mike Bargman an internal user? Do you usually see him in these emails?

Who is
@jaair.com
@mandjlopez@attbi.com
@southtexascollege.edu (yours?)

Quote
  sreed@southtexascollege.edu on 5/12/2008 12:48 AM
  You do not have permission to send to this recipient. For assistance, contact your system administrator.
  < mailman.southtexascollege.edu #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=32200-01-147>

DrKernel

Be sure recipient filtering and IMF are enabled in both locations, the global settings and the SMTP virtual server properties; it must be configured in both locations.
ASKER
pitsbros

Mike Bargman is ME. The other addresses are external and unknown to me...

DrKernel

For the previously quoted message:
  sreed@southtexascollege.edu on 5/12/2008 12:48 AM
  You do not have permission to send to this recipient. For assistance, contact your system administrator.
  < mailman.southtexascollege.edu #5.7.1 smtp; 550 5.7.1 Message content rejected, UBE, id=32200-01-147>

Go through here:
http://www.intermedia.net/support/kb/default.asp?id=1007

I have an inner feeling it's a virus or worm on the internal network; double check that.
kieran_b

I have never seen a worm use the exchange server to send mail - why rely on there being an internal mail server when you can simply write your own SMTP engine and spam your little heart out?

Mike, I URGE you to read through the spam cleanup article I posted.
ASKER CERTIFIED SOLUTION
DrKernel
