All of a sudden my exchange email queue has over 1000 emails from a weird address!

sweetcaro asked · Medium Priority · 590 Views · Last Modified: 2012-05-06
I just noticed our Exchange server has a queue of over 1000 emails, and growing, all going out from a weird email address that is not even part of our domain (someone@yahoo.com) with the subject "confidential", going to all sorts of people.
This obviously looks like a virus, but how do I know who has the virus? And how can we prevent this from happening?
How can someone be using our email server to send out?

Expert of the Quarter 2009
Expert of the Year 2009

Commented:
I doubt if it is a virus.
That doesn't happen. If a virus got in you wouldn't see it in your queues.

My blog posting from last year explains what has probably happened:
http://www.sembee.co.uk/archive/2008/03/13/73.aspx

I suspect that it is authenticated relaying, which is enabled by default.

-M
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
Review the logging on the smtp connector.
If it's not logging, then turn on the logging.
You should be able to see the IP address.
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
C:\WINDOWS\System32\LogFiles

You can also enable message tracking.
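An added illustration (not code from this thread, from Microsoft, or from either expert) of what to do with the SMTP protocol log once it is switched on. The Python script below reads a log in the W3C extended format that the SMTP virtual server writes under C:\WINDOWS\System32\LogFiles, takes the column layout from the #Fields: header, and totals per client IP how many MAIL FROM commands were issued, which sender domains appeared, how many recipients outside the local domain were accepted (that is, relayed) and whether the session used SMTP AUTH. The sample log lines, the local domain example.com, and the assumption that the log carries the SMTP verb in cs-method and its argument in cs-uri-query are constructed for this example.

```python
"""Per-client-IP summary of an Exchange 2003 / IIS SMTP virtual server
protocol log in W3C extended format (the files under
C:\\WINDOWS\\System32\\LogFiles\\SMTPSVC1)."""
import re
from collections import defaultdict

# Assumption: the domains this server accepts mail for.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample log. The layout mimics the W3C header the SMTP service
# writes; the parser reads #Fields:, so a real log with more columns works.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status
2009-06-01 08:00:01 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 HELO - +app01.example.com 250 0
2009-06-01 08:00:01 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<someone@yahoo.com> 250 0
2009-06-01 08:00:01 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<victim1@other.net> 250 0
2009-06-01 08:00:01 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<victim2@other.org> 250 0
2009-06-01 08:00:02 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<someone@yahoo.com> 250 0
2009-06-01 08:00:02 192.0.2.20 app01.example.com SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<victim3@other.net> 250 0
2009-06-01 08:00:05 198.51.100.7 mx.partner.example SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<bob@partner.example> 250 0
2009-06-01 08:00:05 198.51.100.7 mx.partner.example SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<alice@example.com> 250 0
2009-06-01 08:00:09 192.0.2.31 laptop31 SMTPSVC1 MAIL01 192.0.2.10 25 AUTH - LOGIN 235 0
2009-06-01 08:00:09 192.0.2.31 laptop31 SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<carol@example.com> 250 0
2009-06-01 08:00:09 192.0.2.31 laptop31 SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<dave@other.net> 250 0
2009-06-01 08:00:12 203.0.113.9 unknown SMTPSVC1 MAIL01 192.0.2.10 25 MAIL - +FROM:<spam@yahoo.com> 250 0
2009-06-01 08:00:12 203.0.113.9 unknown SMTPSVC1 MAIL01 192.0.2.10 25 RCPT - +TO:<x@other.net> 550 0
"""

ADDR = re.compile(r"<([^>]*)>")   # address inside FROM:<...> / TO:<...>


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields and len(parts) >= len(fields):
            yield dict(zip(fields, parts))


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def summarize(text):
    """Per client IP: MAIL count, accepted/rejected relay RCPTs, sender domains, AUTH."""
    per_ip = defaultdict(lambda: {"mail": 0, "relayed": 0, "rejected": 0,
                                  "senders": set(), "authenticated": False})
    for rec in parse_w3c(text):
        s = per_ip[rec["c-ip"]]
        verb, arg, status = rec["cs-method"], rec["cs-uri-query"], rec["sc-status"]
        m = ADDR.search(arg)
        if verb == "AUTH" and status == "235":
            s["authenticated"] = True
        elif verb == "MAIL" and m:
            s["mail"] += 1
            s["senders"].add(domain_of(m.group(1)))
        elif verb == "RCPT" and m and domain_of(m.group(1)) not in LOCAL_DOMAINS:
            # A recipient outside our domains means the message would be relayed.
            if status.startswith("2"):
                s["relayed"] += 1
            else:
                s["rejected"] += 1
    return dict(per_ip)


def relay_sources(summary):
    """IPs that had relay recipients accepted without SMTP AUTH, busiest first."""
    hits = [(ip, s) for ip, s in summary.items()
            if s["relayed"] and not s["authenticated"]]
    return [ip for ip, s in sorted(hits, key=lambda kv: -kv[1]["relayed"])]


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in relay_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['relayed']} relayed recipients, {s['mail']} MAIL FROM, "
              f"sender domains {sorted(s['senders'])}")
```

On the constructed sample the only unauthenticated host that gets external recipients accepted is 192.0.2.20, which is the kind of answer the thread was after: the "User: N/A" entries in the log are anonymous sessions, and the client IP column tells you which machine opened them. Run against a real log, point the script at one day's file and check the busiest IP against your list of hosts that are allowed to relay.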

Author

Commented:
Mestha that is a nice long article but it does not tell me how to fix whatever is happening.

What type of logging exactly do I need to turn on to see the ip of the computer sending these messages?
Where do I check if relaying is enabled?
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
Right-click the "Default SMTP Virtual Server" and choose Properties.

There are several options here...
exchmgr.bmp
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
To enable message tracking,  right click the server listed under the "server" in this snap-in, and choose properties...  check the box.

Expert of the Quarter 2009
Expert of the Year 2009

Commented:
If you bothered to read the whole article, it would explain what was happening and provide links to secure your server.

It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside.

-M

Author

Commented:
I already checked and RELAY was NOT enabled. Also, I followed the link on that article and tried to do the telnet but it doesn't even allow me to connect to port 25.
Relay isn't enabled, I have no idea why then all these emails are in my queue.
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
Mestha,...

First of all.... How would you know if it is from the inside or outside without reviewing the logs or message tracking ?...

It could very well be an open relay, coming from outside, or it could be a spam bot inside the network...

Another option would be to use a network traffic monitoring software on the exchange server and filter the results for traffic on port 25... netmon is free..

That would stop the guessing game.  
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
They don't just appear in the queue.
If authenticated relaying was turned off then that rules that out.
Do you have any relaying options enabled at all?

Telnet to port 25 being blocked can be caused by AV software - McAfee for example will do that.

-M
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
xuserx2000 - How do I know it isn't coming from inside?
If you read the blog posting that I have posted, then you would know how.

Let me quote the key part though...

"To abuse an Exchange server in this way, a BOT writer would need to

1. get the BOT inside the network
2. infect the machine
3. realise that it is on a corporate network where there is an Exchange server
4. find the Exchange server
5. send the message. "

That isn't going to happen. It is far easier for the bot writer to have their own SMTP engine sending the email directly.

-M
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
So you are working under the assumption that a "bot writer" is incapable of writing a spam bot that runs under the user's credentials or of enumerating a network for SMTP servers?

Interesting.... I'll have to add that one to my knowledge base.

There are several ways to figure out where it is coming from, I just prefer not to make assumptions...or belittle the person asking the question.



Author

Commented:
I turned on the logging and there are a hundred messages popping up but all of them have USER: N/A so I can't see who is doing it, or what computer is causing it.

All my Relay under SMTP and the CONNECTOR are unchecked so should be disabled.

When I do Find Messages in one of the queues I can see the sender is someone@yahoo.com

that's all I can see.

Expert of the Quarter 2009
Expert of the Year 2009

Commented:
I do three or four clean ups of this type a week.
I have NEVER seen a bot send email through another SMTP Server.

I am working on the assumption that BOT writers are lazy. They aren't interested in targeting enterprise environments because they are too difficult to compromise. What they are looking to do is compromise a home user, whose protection is limited, not patched, where there is no firewall blocking port 25 for all traffic except from the valid servers, etc.

Back to the original post - if it says User N/A then it is coming from anonymous. It would indicate that you are an open relay.

What relay settings do you have on the SMTP virtual server? You cannot turn them off - it is either one setting or another. That is of course presuming this is Exchange 2000/2003. If it is another version then you need to state.

-M

Author

Commented:
This is exchange 2003
under Default SMTP Virtual Server
--> Access
--> Relay
The box for Allow all computers which successfully authenticate to relay is UNCHECKED
At the top I have ONLY THE LIST BELOW checked, list is empty.
Under Grant or deny relay permissions --> Users --> I see Authenticated Users and they have Submit permission checked to ALLOW; Relay Permission has nothing checked

For the Connector I have
--> Address Space --> the Allow messages to be relayed to these domains is also UNCHECKED

Author

Commented:
Is there a virus or trojan or anything I should be looking for on all our computers?
It seems that having everyone run the virus scan is pretty much useless...
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
http://www.msexchange.org/tutorials/Exchange-Server-2003-Mailflow-Part-2.html

See that link, for using logging on the smtp service.
Expert of the Quarter 2009
Expert of the Year 2009

Commented:
I doubt if it is a virus/trojan.
Has the number of messages in the queues actually gone up? Have you attempted to clear the queues?
Have any of those settings that you have outlined above been changed?

Do you have any other servers in the network that could be bouncing their messages off the Exchange server?

-M
Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
Whether or not it's a virus inside or a spammer outside....  we should try to find out the offending machine that is sending this stuff.

Here's another approach...
I have attached a VBS script you can run, which will query the message tracking service and show the IP address, sender address, recipient address, subject, message time, etc.

With exchange management tools installed...
You can copy this code, enter your exchange server name into the code, and save it as c:\messagetrack.vbs
Then run it by command line...
cscript.exe c:\messagetrack.vbs


' Message tracking query via the Exchange 2003 WMI provider.
' Requires the Exchange management tools on the machine running the script.
strComputer = "EXCHANGE_SERVER_NAME_OR_IPADDRESS_GOES_HERE"

' Connect to the Exchange WMI namespace on the target server.
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftExchangeV2")

' 48 = wbemFlagReturnImmediately + wbemFlagForwardOnly (stream results, do not buffer).
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Exchange_MessageTrackingEntry",,48)

' One block of output per tracking entry. ClientIP/ClientName identify the
' machine that handed the message to Exchange.
For Each objItem in colItems
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Exchange_MessageTrackingEntry instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "ClientIP: " & objItem.ClientIP
    Wscript.Echo "ClientName: " & objItem.ClientName
    Wscript.Echo "DeliveryTime: " & objItem.DeliveryTime
    Wscript.Echo "Description: " & objItem.Description
    Wscript.Echo "MessageID: " & objItem.MessageID
    Wscript.Echo "Name: " & objItem.Name
    Wscript.Echo "OriginationTime: " & objItem.OriginationTime
    ' RecipientAddress is an array (one entry per recipient) and may be Null.
    If IsNull(objItem.RecipientAddress) Then
        Wscript.Echo "RecipientAddress: "
    Else
        Wscript.Echo "RecipientAddress: " & Join(objItem.RecipientAddress, ",")
    End If
    Wscript.Echo "SenderAddress: " & objItem.SenderAddress
    Wscript.Echo "Status: " & objItem.Status
    Wscript.Echo "Subject: " & objItem.Subject
Next

Author

Commented:
We have a few servers that were allowed to relay through this exchange server and apparently one of them must've caught a virus.
Not sure how to avoid this from happening again without having to block the relaying servers though...
but for now it's all back to normal.
Information Services Manager
CERTIFIED EXPERT
Commented:
Glad to hear it...
Make sure those servers are patched up in the future and virus scanners are fully up to date. If these servers were infected, it likely occurred by the actions of an administrator. Users without admin permissions most likely wouldn't have the access to use the server in order to get it infected, or even remotely propagate a virus to it.

Mestha, care to retract your statement ????
 - "It is NOT a computer on your network that is sending the messages. That is what that article is telling you if you had read it. If you are seeing the messages in your queues then they are coming from outside. " -

I think you might need to rewrite your blog !...lol...

Ron MalmsteadInformation Services Manager
CERTIFIED EXPERT

Commented:
Be aware... in the properties of the SMTP connector, you can specify connections that are allowed to relay... and connections that are not allowed to use the SMTP connector at all.

For example... I have a Linux box that needs to send mail, but it isn't set up to authenticate to the domain... therefore I allow that single IP address to relay.

Best practice, if you do not have this sort of dilemma, is to not allow anyone to relay unless authenticated..... (see the checkbox)


relay-permissions.JPG
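An added example, not from this thread and not Microsoft's code, that turns the relay settings discussed above (the "Only the list below" host list on Access -> Relay, and the "Allow all computers which successfully authenticate to relay" checkbox) into a small decision function. It is useful for reasoning about what the thread ended on: with the checkbox unchecked, an anonymous session (User: N/A in the log) can only relay if its IP is on the list, so a flood of foreign-sender mail must come from a listed host. The helper also shows the narrowing fix the author asked about: drop the one compromised host from the list rather than disabling relay for every server. The settings, IPs and submissions are constructed for the example; the local domain example.com is an assumption.

```python
"""Model of the Exchange 2003 SMTP virtual server relay decision and an
audit of which setting let each observed relay through (illustrative)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}   # assumption: domains Exchange accepts mail for


@dataclass
class RelaySettings:
    # Access -> Relay -> "Only the list below": hosts/subnets allowed to relay.
    relay_list: list = field(default_factory=list)
    # "Allow all computers which successfully authenticate to relay" checkbox.
    authenticated_may_relay: bool = False


@dataclass
class Submission:
    client_ip: str       # what the protocol log / message tracking shows as ClientIP
    authenticated: bool  # False == "User: N/A" (anonymous session)
    recipient: str


def is_relay(sub):
    """Delivery to a domain we do not host is a relay."""
    return sub.recipient.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS


def decide(settings, sub):
    """Return (accepted, reason) the way the virtual server would at RCPT TO."""
    if not is_relay(sub):
        return True, "local recipient"
    ip = ip_address(sub.client_ip)
    for net in settings.relay_list:
        if ip in ip_network(net, strict=False):
            return True, f"relay list entry {net}"
    if sub.authenticated and settings.authenticated_may_relay:
        return True, "authenticated relay"
    return False, "550 relay denied"


def audit(settings, submissions):
    """Group the client IPs of accepted relays by the setting that permitted them."""
    by_reason = {}
    for sub in submissions:
        ok, why = decide(settings, sub)
        if ok and is_relay(sub):
            by_reason.setdefault(why, set()).add(sub.client_ip)
    return by_reason


def without_host(settings, host_ip):
    """Copy of the settings with every relay-list entry covering host_ip removed."""
    ip = ip_address(host_ip)
    keep = [n for n in settings.relay_list if ip not in ip_network(n, strict=False)]
    return RelaySettings(relay_list=keep,
                         authenticated_may_relay=settings.authenticated_may_relay)


# Constructed settings matching the thread: checkbox unchecked, two app servers listed.
SETTINGS = RelaySettings(relay_list=["192.0.2.20/32", "192.0.2.21/32"],
                         authenticated_may_relay=False)

# Constructed observations: infected listed server, outside spammer,
# authenticated laptop, and a partner MX delivering to a local mailbox.
SAMPLE = [
    Submission("192.0.2.20", False, "victim@other.net"),
    Submission("203.0.113.9", False, "x@other.net"),
    Submission("192.0.2.31", True, "dave@other.net"),
    Submission("198.51.100.7", False, "alice@example.com"),
]

if __name__ == "__main__":
    for why, ips in audit(SETTINGS, SAMPLE).items():
        print(f"relayed via '{why}': {sorted(ips)}")
    fixed = without_host(SETTINGS, "192.0.2.20")
    print("after removing 192.0.2.20:", decide(fixed, SAMPLE[0]))
```

The audit returns one group, "relay list entry 192.0.2.20/32", which is exactly the situation the author found: a server that had been granted relay rights was the source. Removing that single entry denies the traffic while the other listed server keeps working, and the unchecked authentication box still stops the authenticated laptop from relaying.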