Solved

Mass emails are being sent out from one of our company's email addresses...

Posted on 2008-10-21
Last Modified: 2012-05-05
An email address has been taken over by a virus or other annoyance and is sending out mass emails, causing this email address to be flooded with junk emails, undeliverable mail, and postmaster returns, and I am unsure how to go about stopping this.  I have run a virus scan on the computer that has Outlook installed on it and turned this machine off, but the emails are still coming in.  There really are no similarities that I can see in the returned emails as far as email address or IP.  Any info/help is greatly appreciated!
Question by:adamhicks
7 Comments
 
LVL 11

Expert Comment

by:Bertling
There is nothing you can do about this.
By the sounds of it, this mail address is being used to spoof spam emails; the NDRs and system admin messages you get back are called backscatter.

What is happening is that a server somewhere on the internet is spoofing the legitimate email address.
Hundreds of messages are sent out, and when a message is sent to an email server for a non-existent mail address, the NDR is sent back to the spoofed address, which in turn fills up the mailbox with backscatter NDR emails.

There is not much you can do but block the NDRs, or make a rule to move any NDR email to a sub folder or just permanently delete it from the mailbox.

Hope this helps.
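A rule that moves or deletes every NDR also throws away the genuine bounces you want to see. The script below is an added example, not part of the thread or of any Exchange feature: it separates backscatter from real NDRs by looking at what the DSN quotes. Exchange and most other MTAs send NDRs in the RFC 3464 format (multipart/report with a message/delivery-status part and the original message or its headers), so a bounce for mail we really sent quotes a Message-ID our server minted and, if we keep the message tracking log, one we can look up; backscatter quotes a message we never sent, or nothing at all. The two bounces, the domain example.com and the `sent_ids` lookup are all constructed for the example.

```python
import email
from email import policy

# Assumption for this added example: the poster's domain is example.com.
OUR_DOMAIN = "example.com"


def is_dsn(msg):
    """True for an RFC 3464 delivery status notification (multipart/report)."""
    report_type = (msg.get_param("report-type") or "").lower()
    return msg.get_content_type() == "multipart/report" and report_type == "delivery-status"


def quoted_original(msg):
    """Headers of the bounced original, or None if the DSN does not quote it."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":     # headers only
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None


def originating_host(message_id):
    """'<abc@mailsrv.example.com>' -> 'mailsrv.example.com' ('' if malformed)."""
    mid = message_id.strip().strip("<>")
    return mid.rsplit("@", 1)[1].lower() if "@" in mid else ""


def classify_bounce(raw, sent_ids=None, our_domain=OUR_DOMAIN):
    """Return 'not-a-dsn', 'legitimate', 'backscatter' or 'unverifiable'.

    sent_ids: Message-IDs your server really sent (e.g. pulled from the message
    tracking log).  With it the check is strict; without it we fall back to
    'was the Message-ID minted under our domain', which a spammer can forge.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if not is_dsn(msg):
        return "not-a-dsn"
    orig = quoted_original(msg)
    if orig is None:
        return "unverifiable"      # no evidence either way: file it, don't delete
    mid = str(orig.get("Message-ID", "")).strip()
    if sent_ids is not None:
        return "legitimate" if mid in sent_ids else "backscatter"
    host = originating_host(mid)
    if host == our_domain or host.endswith("." + our_domain):
        return "legitimate"
    return "backscatter"


# Constructed sample 1: backscatter. A spammer forged adam@example.com and the
# victim MTA bounced it to us; the quoted headers come from the spam bot.
BACKSCATTER_DSN = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: adam@example.com
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--B1
Content-Type: text/rfc822-headers

From: adam@example.com
To: nobody@example.net
Subject: Cheap meds
Message-ID: <20081021.1337@spambot.invalid>

--B1--
"""

# Constructed sample 2: a genuine NDR for a message our own server sent.
GENUINE_DSN = """\
Return-Path: <>
From: postmaster@mail.example.net
To: adam@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="B2"

--B2
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.net

Final-Recipient: rfc822; bob@example.net
Action: failed
Status: 5.1.1

--B2
Content-Type: message/rfc822

From: adam@example.com
To: bob@example.net
Subject: Q3 invoice
Message-ID: <5F2C1A9B.0401@mailsrv.example.com>

Hi Bob, the invoice is attached.
--B2--
"""

if __name__ == "__main__":
    for name, raw in (("sample 1", BACKSCATTER_DSN), ("sample 2", GENUINE_DSN)):
        print(name, "->", classify_bounce(raw))
```

Run it as a filter in front of the mailbox rule: delete only what comes back `backscatter`, deliver `legitimate`, and park `unverifiable` for a human. The Message-ID domain fallback is convenient but forgeable; feeding `sent_ids` from the message tracking log is the check to rely on.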
 
LVL 19

Accepted Solution

by:
MrLonandB earned 500 total points
I would first go into ESM and stop the queues. Next, go to the properties of the SMTP Virtual Server > Access > Relay Restrictions > Relay... and make sure that it is set to "Only the list below" with nothing in the list. If it is already configured that way, uncheck the box in the same location that allows authenticated users to relay regardless... then delete the junk out of your queue and restart it.

If you have an SMTP Connector, go to the properties of it and in the "Address Space" tab... make sure the box at the very bottom to relay to all domains is not checked.

Try those things first and see what happens.
 

Author Comment

by:adamhicks
Ok, everything in the ESM was set to what you said except for the "allow authenticated users to relay regardless" checkbox.  Once I unchecked that box the junk emails seem to have stopped coming in, and all other emails still seem to be flowing correctly.  It has only been about 10 min, but so far so good.  What exactly does that check box do, if you don't mind explaining it to me?
 
LVL 11

Expert Comment

by:Bertling
If you untick "allow authenticated users to relay", this would stop your local Exchange server being used to relay messages out by a possible virus, as you have stated. The reason is that the user who may be infected is already authenticated on the domain, which permits them to relay junk through the mail server. So in theory, if a PC was infected it won't be able to relay mail any more, and that fixes your problem; however, the virus on this PC will need to be cleaned.
Check your logs in Exchange to track the mail sent from the user who is getting all the NDRs, to confirm whether it was relayed through your Exchange server.
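The accepted answer and the explanation above describe three settings on the SMTP virtual server and one decision they feed: whether RCPT TO for a non-local recipient is accepted. The code below is an added example, not from the thread and not Exchange's own logic: `relay_allowed` is a model of that decision (function name, argument layout and the example.com / 10.0.0.25 / 203.0.113.9 addresses are this example's assumptions), `worm_scenario` runs the thread's situation through it with the box ticked and unticked, and `probe_relay` is a live check you can run from outside against your own server once you have changed the setting. Unticking the box does not block users' own Outlook mail because Outlook in MAPI mode submits to the store, not to the SMTP virtual server, which is why the poster saw normal mail keep flowing.

```python
import ipaddress
import smtplib


def relay_allowed(client_ip, authenticated, rcpt_domain, local_domains,
                  relay_list, relay_for_auth):
    """Model of the SMTP virtual server's RCPT TO decision for one recipient.

    local_domains : domains the server accepts mail for (never "relay")
    relay_list    : the "Only the list below" entries; [] = nobody by address
    relay_for_auth: the "allow all computers which successfully authenticate
                    to relay, regardless of the list above" checkbox
    """
    if rcpt_domain.lower() in {d.lower() for d in local_domains}:
        return True            # inbound mail for our domain is delivery, not relay
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net, strict=False) for net in relay_list):
        return True
    if authenticated and relay_for_auth:
        return True            # the path an infected, domain-joined PC takes
    return False


def worm_scenario(relay_for_auth):
    """Decisions for the thread's case: infected LAN PC with a logged-on user
    spamming outside addresses, and an outside host trying the same thing.
    Addresses and the local domain are assumptions for this example."""
    local = ["example.com"]
    return {
        "infected_pc_to_outside": relay_allowed("10.0.0.25", True, "example.net",
                                                local, [], relay_for_auth),
        "infected_pc_to_local": relay_allowed("10.0.0.25", True, "example.com",
                                              local, [], relay_for_auth),
        "outside_host_to_outside": relay_allowed("203.0.113.9", False, "example.net",
                                                 local, [], relay_for_auth),
    }


def probe_relay(host, mail_from, rcpt_to, port=25, timeout=10):
    """Live check against your own server after changing the setting.

    Unauthenticated, from outside, ask it to accept an outside recipient.
    250 to RCPT TO means it would relay for anyone; Exchange answers
    550 5.7.1 Unable to relay when the restriction is in place.  RSET before
    QUIT so nothing is actually queued.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        code, reply = smtp.mail(mail_from)
        if code != 250:
            return False, f"{code} {reply.decode(errors='replace')}"
        code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code == 250, f"{code} {reply.decode(errors='replace')}"


if __name__ == "__main__":
    print("box ticked:  ", worm_scenario(True))
    print("box unticked:", worm_scenario(False))
    # From an outside host, with your own server and addresses substituted:
    # open, reply = probe_relay("mail.example.com", "test@example.org", "test@example.net")
```

Run the probe from a host outside your network (inside, the client address may match the relay list and the result says nothing about outsiders), and expect `open` to be False with a 550 reply. Note that the worm's mail is stopped but not removed: the message tracking log, as the comment above says, will show which client submitted it, and that machine still needs cleaning.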
 
LVL 19

Expert Comment

by:MrLonandB
Is your mail still flowing in and out correctly...without the relayed traffic?
 

Author Comment

by:adamhicks
Yes, so far so good.  We can send/receive from inside and outside email addresses.  I did get a couple more junk emails, but it has slowed down tremendously. It's been about 2 hours and I've received 3 junk emails.  Before, we were receiving about 5 every minute.  I am going to continue to monitor it, but it looks to be fixed.
 
LVL 19

Expert Comment

by:MrLonandB
If you are only receiving 3 junks in 2 hours... you're doing pretty darn good compared to a lot of folks!