ryan80

Exchange server still sending out spam
I have been working on this for a week now to stop my Exchange server from sending spam.  I know just enough about Exchange to cause myself problems, which means not much.

This is what I have done so far.  

1. I have made sure that the mail server is not an open relay. I have set it so no computer can relay through the server and I have changed it so you can't relay mail even if authorized.

2. I have made sure that the guest account was disabled. I also changed the admin username to something that cannot be guessed. I have also turned on recipient filtering so I will not be sending out NDR spam under the postmaster account (which was happening). I have also enabled tarpitting so people can't just guess the account names. (Thank you Mestha) This got me off one spam list.

3. I have enabled tracking on the virtual SMTP server. I am guessing that since all email is going through Outlook, it isn't tracked in those event logs, since I don't see any authorizations. I have not seen any authorizations to send out mail through the SMTP server, so I don't think that an account has been compromised. (especially since I have since disabled all relaying, even if authorized, and am still getting listed for spam)

4. I have set up a GPO to block all traffic on port 25 from all the desktops. I don't have a firewall in place so I can't set it there. However, the desktops are set to a different gateway than the mail server so I don't think that they would be able to send out from that IP address. Additionally, the public IP is routed to the mail server through NATing, so I am not sure if any of the other servers could access it, but I do not know enough to say that for sure. Just in case they can access it, I just added a GPO for the servers other than the mail server to block port 25.

5. This leaves possibly a virus on the Exchange server. I have scanned the server with McAfee 8.5 and Malwarebytes and have found nothing. I have also used the Microsoft malicious software scanner. I am going to use some online scanners next.

It seems that my server is still sending out spam, however. As I just disabled port 25 on the other servers I will see if that makes a difference, but since the IP is reached through NATing, I don't know if this could cause the problems.

I still don't know how to see where the spam is going out through. I have frozen multiple queues on the Exchange server but don't see any messages that are not legitimate; however, I think that I am looking at queues that are dealing with incoming mail. Which ones would I look at to see the outgoing mail?

Any ideas on what steps to take next?  By the way spamcop has me flagged.  Here is the link http://www.spamcop.net/sc?id=z2658009215zeba6bd097973b34b577eef7447aff491z  with a sample spam message.


jimbecher

Have you made sure all the workstations are malware free?

jimbecher

To continue a little further: you said you have blocked port 25 on the workstations, but if the workstations are using Outlook to connect to the Exchange Server they aren't using port 25. The gateway on the desktops wouldn't matter either. If they are using Outlook to connect to the Exchange Server it is pretty much a direct shot out. Any mass mailing virus on a workstation would have a picnic.

ryan80 (ASKER)

I have scanned the workstations and they have not come up with malware. Also, all the workstations are set to use another gateway that uses another IP address that is separate from the mail server. I am not sure if a virus could get through to the other gateway, but it would have to change the network settings, which has not happened. Also, I have applied a Group Policy Object to all the workstations which blocks port 25.

All this together makes me think that it is not the workstations.  



Vikas Shah

Hey Ryan80,

You can Block Spam with Exchange 2003 Intelligent Message Filter.

Microsoft Exchange Intelligent Message Filter is a product developed by Microsoft to help companies reduce the amount of unsolicited commercial e-mail (UCE), or spam, received by users.

Intelligent Message Filter is based on Microsoft SmartScreen Technology from Microsoft Research. By using e-mail characteristics tracked by SmartScreen technology, Intelligent Message Filter can help determine whether each incoming e-mail message is likely to be spam. Based on this likelihood, you can choose to block e-mail messages at the gateway or at the mailbox store.

How does it work?

When an external user sends e-mail messages to an Exchange server with Intelligent Message Filter installed, IMF evaluates the textual content of the messages and assigns the message a rating based on the probability that the message is UCE or spam. All incoming messages are marked with a Spam Confidence Level SCL rating, regardless of the rating threshold you set. This rating is saved with the other message properties and these properties are sent with the message to other Exchange servers.

In Gateway Blocking Configuration, select the rating in Block messages with an SCL rating greater than or equal to above which Intelligent Message Filter takes action on this message.

If a message has a rating higher than the gateway threshold, IMF takes the action specified. If the message has a rating below the gateway threshold, the message is sent to the Exchange mailbox store of the recipient. At the Exchange mailbox store, if the message has a higher rating than the mailbox store threshold, the mailbox store delivers the message to the user's Junk E-mail folder rather than to the Inbox.

Intelligent Message Filter does not need to be installed on Exchange mailbox servers. If Intelligent Message Filter is installed and enabled on the gateway SMTP virtual servers, Exchange mailbox servers receive the SCL rating with each incoming Internet message and take the appropriate action.

Note: The Intelligent Message Filter is not supported in a clustered environment. Therefore, Intelligent Message Filter updates are not offered to Exchange Server 2003 servers in a clustered environment.


For Step by Step how to go about this and configuration about it, please go through the below mentioned link:

http://alturl.com/730

I am 200% sure that this will surely stop Spam.

jimbecher

How are your workstations sending and receiving e-mail? What mail client? Changing the workstations' gateway and blocking their port 25 won't do anything if they are using Outlook to connect to the Exchange Server. If their mail client is sending/receiving from the Exchange Server then the mail comes in and goes out of the Exchange Server regardless of their gateway or port 25.

SOLUTION
sysreq2000


ryan80 (ASKER)

Shahvikus-
If I am not mistaken though, this is for blocking incoming spam.  I am having problems with my server sending out spam.  Let me know if this will help with outgoing spam.

Jim-
All the workstations use Outlook to send out mail through the Exchange server. So you are saying that a virus would be able to exploit Outlook and send email out through the server? How would I be able to see what user is sending out email through Outlook? Wouldn't there be sent messages in Outlook? I will have to scan all the machines again if this is the case. I didn't know that a virus could exploit Exchange. Doesn't this mean that anyone that uses my server through Outlook could use my server as a spambot if they have a virus? This doesn't sound right. Any hosted Exchange server that serves multiple people would instantly be a spam server.

sysreq-
Thanks for mentioning the router.  I am using a Netopia router (forget the model off hand). I will have to go through it to see if anyone else besides the server is sending over port 25.  I have an IPSec GPO turned on all the computers except the Exchange server.  I will have to check on turning on some logging to see if there is any application that is trying to send on port 25. I will try commview and see what it has to say.  Thanks for the suggestion.




Mestha

If there is a virus/bot that can send out spam via Outlook, then it must be new, and I would expect that many AV vendors will be interested in it as well.
That sort of behaviour simply doesn't happen.

I wrote why on my blog almost twelve months ago:
http://www.sembee.co.uk/archive/2008/03/13/73.aspx

Looking at the message you posted, that did not come off an Outlook client. If you know what a message header that comes off Exchange looks like, you know what to look for.
Specifically you should be looking for a line such as this:
X-MimeOLE: Produced By Microsoft Exchange V6.5

That doesn't show in that header. Therefore the message is being bounced off the server.

Have you turned off authenticated relaying?
Have you restarted the SMTP Server service after making changes?

There are very few ways that a server can be compromised, so it has to be something that has been missed.

-M
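To put Mestha's header test into practice, here is an added example (not from the thread and not Exchange tooling) that checks a captured spam sample for the X-MimeOLE marker he quotes and walks the Received hops, so you can tell an Exchange/Outlook-generated message from one handed to the server over SMTP. The two samples, host names and addresses are constructed, and `server_ips` is a hypothetical parameter naming your own server's addresses.

```python
"""Header triage for an outbound-spam sample (added example; not from the thread).
Mestha's test: mail Outlook/Exchange 2003 generated carries an X-MimeOLE header naming
Exchange; a sample without it was handed to the server over SMTP by someone else.
The samples and addresses below are constructed."""
import email
import re
from email import policy

EXCHANGE_MARKER = re.compile(r"Produced By Microsoft Exchange", re.I)
HOP_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed: no X-MimeOLE, and the oldest hop shows an outside host connecting
# to the Exchange server over SMTP (the "bounced off the server" case).
INJECTED_SAMPLE = """\
Received: from exchange.example.test ([192.0.2.25]) by mx.recipient.test with ESMTP; Mon, 2 Mar 2009 10:00:05 +0000
Received: from spambox ([203.0.113.9]) by exchange.example.test with SMTP; Mon, 2 Mar 2009 10:00:01 +0000
From: someone@example.test
"""

# Constructed: carries the Exchange marker, so it left via a mailbox/Outlook.
EXCHANGE_SAMPLE = """\
Received: from exchange.example.test ([192.0.2.25]) by mx.recipient.test with ESMTP; Mon, 2 Mar 2009 10:00:05 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
From: user@example.test
"""

def received_hops(msg):
    """Connecting IP of each Received hop, oldest first (None if no [ip] literal)."""
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        m = HOP_IP.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops

def classify_origin(raw, server_ips):
    """server_ips (hypothetical): the Exchange server's own addresses, so its hop is not 'outside'."""
    msg = email.message_from_string(raw, policy=policy.compat32)
    hops = received_hops(msg)
    outside = [ip for ip in hops if ip and ip not in server_ips]
    if EXCHANGE_MARKER.search(msg.get("X-MimeOLE", "")):
        verdict = "exchange-originated"   # look at the sending mailbox/client
    elif outside:
        verdict = "injected-via-smtp"     # look at relay settings and router logs
    else:
        verdict = "unclear"
    return {"hops": hops, "outside": outside, "verdict": verdict}

if __name__ == "__main__":
    for raw in (INJECTED_SAMPLE, EXCHANGE_SAMPLE):
        print(classify_origin(raw, {"192.0.2.25"}))
```

Paste the full header block of the spamcop sample in place of the constructed one; the first address in `outside` is the host that handed the message to your server.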

ryan80 (ASKER)

Ok, I don't know much, but I didn't think that a virus could spambot through Outlook.

I believe that I have followed all the steps that you have listed previously. Here are some screenshots just to make sure that I have not made a mistake.


Attached screenshots: authentication.jpg, connection.jpg, Identification.jpg, outbound-security.jpg, smtp-relay-access.jpg, address-space.jpg

Mestha

Are there any users listed in the relay settings?
Have you restarted the SMTP server service after making the change?

Otherwise the settings appear to be correct to secure a relay, so you need to start looking elsewhere as to the cause.

Do you see spam messages in the queues?

-M



ryan80 (ASKER)

I dont have any users in the relay settings.

Also, I restarted the server last night. That should take care of restarting the SMTP service. Just in case, I just restarted the service.

Here is a list of the queues. Which queue would be the one where it would most likely start to queue up? I just stopped outbound email so that is why they are empty. I have gone through the queues before, but have not seen anything that looks like spam that is outgoing. In all cases it looked like legitimate emails that were outbound.

That leaves me to think that it has to be a virus. I am not exactly sure how it would be going out under the IP of the email server. The public IP is NAT'ed through a router so I thought that only the mail server would be able to communicate on port 25 on that IP address. Maybe I am wrong? I am working on programming a firewall now, and hopefully that will solve my problems.

I have scanned my mail server repeatedly and with multiple virus scans, and have not found anything.  However someone else set this server up and I found Java installed on it so it looks like they were browsing on this server.  I am thinking that I am going to backup the email, and do a new install on the front end and back end server.

ryan80 (ASKER)

Sorry, here is a picture of the queues.
Attached screenshot: queues.jpg

ryan80 (ASKER)

One more question. I have put a Group Policy on all the other servers but the front end Exchange server. The policy blocks port 25 from being used. Does anyone know of any way that a virus could circumvent this? I don't think that it is likely.

This would mean that the front end Exchange server would have to be the source of the spam.



ASKER CERTIFIED SOLUTION
Mestha


ryan80 (ASKER)

I route it through by DNS.

I don't see anything in the queues that looks suspicious. I have decided to reinstall the front end server. I will see if that fixes the problem.

ryan80 (ASKER)

After reviewing everything and seeing that everything is locked down on the Exchange server, there must be a bot on the server that I am just not picking up.  I am doing a reinstall of the server, and will make sure that the server is properly locked down this time.  

Thank you all for your help, especially Mestha.