Solved

High volume of outgoing emails being relayed through Exchange

Posted on 2008-10-07
Last Modified: 2013-11-30
Hi there, we have a HUGE amount of email (which I've only just noticed) being sent out through our client's Exchange server.

I logged into OWA, and noticed there were around 40000 emails in the inbox; nearly all of them were bouncebacks from various people. I then checked Exchange tracking centre, and it's just spewing out loads of emails.

I'm pretty sure open relay isn't enabled on the server, as I've compared the config with another SBS server.

Is there any way I can track where these emails are being sent from? Perhaps they are coming from a client with a virus on.

I'm surprised they haven't been blacklisted...

Any help would be much appreciated.
0
Question by:dougb9429
10 Comments
 
LVL 17

Expert Comment

by:Steve
ID: 22659980
Check any firewall rules on port 25 to see if it is locked to a particular IP range.

Check the e-mail headers - http://www.stopspam.org/email/headers.html

Do you have an e-mail antivirus client for Outlook or similar? Might be worth a scan.
0
 

Author Comment

by:dougb9429
ID: 22660013
Hi there, thanks for your reply.

Is there any way I can check the headers of the emails that have been sent out? Either thru OWA or through Exchange??

I will kick off a scan straight away.
0
 
LVL 17

Expert Comment

by:Steve
ID: 22660054
Hi

Have you enabled e-mail journalling at all? If so, this would keep a copy of everything that was sent.

Do you use a hosted anti-spam solution or similar, e.g. e-mailsystems?
0
 

Author Comment

by:dougb9429
ID: 22660076
No, journaling isn't enabled...

And no, we use GFI Mail Essentials for anti spam.

I suppose if I enable journaling now, it will still pick up email, then I guess I could read the headers of that?
0
 

Author Comment

by:dougb9429
ID: 22660285
I've enabled journaling, and it's picking up other emails, but all the emails being sent from the administrator account are not being journaled, despite them all showing in the Exchange tracking centre.
0
 
LVL 17

Expert Comment

by:Steve
ID: 22660490
What version of Exchange are you running, and how have you enabled journalling?

(Sorry, but dependent on the version there are a few ways to do it.)

Also, can you see if the mails are being sent from one account? If so, is it possible to disable that account's mailbox whilst the problem is diagnosed?
0
 

Author Comment

by:dougb9429
ID: 22660542
It's 2003 on an SBS Server (SP2)

I set up a new user for journaling, right clicked on the mailbox store, and selected archive sent/received messages.

The account is actually the administrator account. It has a secondary email called postmaster@ and all the emails are being sent from there.
0
 
LVL 17

Expert Comment

by:Steve
ID: 22666901
Did you find anything from the e-mail headers which indicates the sender/recipient of mail sent/received?

Have you checked your 2003 server to ensure it's not a relay?

I'd also consider enabling advanced journaling to cover BCC, distribution lists, etc.

http://www.microsoft.com/downloads/details.aspx?familyid=e7f73f10-7933-40f3-b07e-ebf38df3400d&displaylang=en
0
 
LVL 2

Accepted Solution

by:
DSchel01 earned 2000 total points
ID: 22668387
Most likely they are NDR messages caused by NDR (or backscatter) spam.

Ensure you are on at least the latest build of GFI MailEssentials 12 (20080623), which includes the NDR spam functionality. Make sure to leave the New Senders functionality disabled, but set the action to delete. This will prevent NDR spam from being received by end users in future.

Also, if you have maintenance, consider upgrading to MailEssentials 14. This version of MailEssentials includes a new antispam engine, SpamRazer, which considerably improves the performance of MailEssentials spam detection. MailEssentials 14 can also filter directory harvesting emails at the protocol level, which will greatly reduce the amount of email accepted by your mail server.

More information:
How to check for NDR spam (BackScatter)
http://kbase.gfi.com/showarticle.asp?id=KBID003322

What's new in GFI MailEssentials 14 for Exchange/SMTP?
http://kbase.gfi.com/showarticle.asp?id=KBID003400
0
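
The backscatter diagnosis in the accepted answer can be checked against the bouncebacks themselves. As an added example (not from the thread or from GFI), this Python script parses an RFC 3464 bounce and reports whether the returned original headers show a hop through your own server. The host names, IP addresses and sample message are constructed assumptions.

```python
import email
from email import policy

# Assumption: names/IPs our own server would show as in Received headers.
OUR_HOSTS = ("mail.example.com", "203.0.113.10")
# Constructed RFC 3464 bounce (human-readable part omitted), not from the thread.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.remote.example
To: postmaster@example.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.remote.example

Final-Recipient: rfc822; nobody@remote.example
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

Received: from unknown-host.invalid (198.51.100.7) by mx.remote.example
From: postmaster@example.com

--b1--
"""

def classify_bounce(raw, our_hosts=OUR_HOSTS):
    """Return DSN fields plus a verdict on whether the bounced mail left via us."""
    msg = email.message_from_string(raw, policy=policy.default)
    result, received = {}, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if part["Final-Recipient"]:  # per-recipient block of the delivery-status part
            result = {k: str(part[k]) for k in ("Final-Recipient", "Action", "Status")}
        elif ctype == "text/rfc822-headers":  # bounce returned the headers only
            orig = email.message_from_string(part.get_content(), policy=policy.default)
            received = [str(h) for h in orig.get_all("Received", [])]
        elif ctype == "message/rfc822":  # bounce returned the full message
            received = [str(h) for h in part.get_payload(0).get_all("Received", [])]
    # Naive substring match; no returned headers means we cannot judge.
    via_us = any(h in r for r in received for h in our_hosts)
    result["verdict"] = ("unknown" if not received else
                         "sent-via-our-server" if via_us else "backscatter")
    return result
```

A Received line naming your host can itself be forged, so confirm a "sent-via-our-server" verdict against the server's message tracking before treating it as proof of relay or a compromised client.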
 

Author Closing Comment

by:dougb9429
ID: 31503817
After uninstalling and reinstalling GFI it seemed to work! Thanks for putting me on the right track!
0
