URGENT: Exchange Server Spamming Local Mailboxes (Header Included)

Note the ".local" in the header.
If requested, I will furnish the source of the entire email.
_________________________________________________
Received: by SERVER.DOMAIN.local
      id <01C99F17.21198B9A@SERVER.DOMAIN.local>; Sat, 7 Mar 2009 05:23:24 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----_=_NextPart_001_01C99F17.21198B9A"
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Date: Thu, 2 Apr 2009 13:09:07 -0600
Message-ID: <850F3A9065116442906FA2C0562547B7311952@SERVER.DOMAIN.local>
Content-Identifier: ExJournalReport
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Thread-Index: AcmfFyEZ+Oawt3M2RzOeDBkVym++tQ==
From: "Prof Musa Ahmed" <mahmed36@rocketmail.com>
To: "undisclosed-recipients" <undisclosed-recipients:;>
___________________________________________________

Extra Info:
Our Firewall is locked down to only talk to an external MX service that filters spam.  All inbound headers originate from the MX service.
No virus/worm infections were found on Exchange server.
Exchange server could be sending emails locally as a result of SMTP relay settings
Outbound SMTP is fine, and nothing is going out that shouldn't be.  This was verified by System Manager, External MX solution, and firewall activity.  Traffic is normal
I may have been lucky and found the very beginning instance of this problem, but I am not sure.
Journaling is enabled on a specific account for mail archival (not sure if this would be related)
There is no antivirus installed on Exchange server being external MX scans all inbound/outbound email.
According to my journaling information, this email was received TOMORROW (April 2, 2009) Present date as of now is April 1, 2009
Asked: MrMintanet
 
MrMintanet (Author) Commented:
Attached, is a screen shot of active logons.  I have blacked out the local mail server's name for customer's privacy.

How do I find out where this is originating?
Exchange-Logons.jpg
 
Mestha Commented:
The server is being abused directly.
The fact that your server is listed in the headers means the message originated there.

Nothing in your screenshot looks unusual. You need to look at the SMTP server logs to see where the traffic is coming in.

Simon.
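As an added example (not code posted by anyone in this thread), the script below applies Simon's point about the headers: it walks the Received: chain oldest-first, reports which host accepted the message and whether a "from" clause names a handing-off MTA, and measures how far the client-supplied Date: header sits from the server's own first timestamp. It reuses the header block posted in the question; the body line is a constructed placeholder and the function names are this example's own.

```python
"""Walk a message's Received: chain and compare it with the Date: header.

Added example for this thread, not code posted by anyone in it. The earliest
Received: line names the host that accepted the message; when that line has
no "from" clause the message was handed to the server directly rather than
relayed from another MTA. The header block is the one posted in the
question; the body line is a constructed placeholder.
"""
import re
from email import utils
from email.parser import HeaderParser
from typing import Dict, List

RAW_MESSAGE = """Received: by SERVER.DOMAIN.local
      id <01C99F17.21198B9A@SERVER.DOMAIN.local>; Sat, 7 Mar 2009 05:23:24 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----_=_NextPart_001_01C99F17.21198B9A"
Content-class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft Exchange V6.5
Subject:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Date: Thu, 2 Apr 2009 13:09:07 -0600
Message-ID: <850F3A9065116442906FA2C0562547B7311952@SERVER.DOMAIN.local>
Content-Identifier: ExJournalReport
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
Thread-Topic:  SCAMMED VICTIM/ URGENT RESPONDS FOR YOUR $2.8 MILLION COMPENSATION
Thread-Index: AcmfFyEZ+Oawt3M2RzOeDBkVym++tQ==
From: "Prof Musa Ahmed" <mahmed36@rocketmail.com>
To: "undisclosed-recipients" <undisclosed-recipients:;>

(body omitted: constructed placeholder)
"""

# RFC 5321 trace fields: "from <handing host> by <receiving host> ... ; <date>"
_FROM = re.compile(r"\bfrom\s+([^\s;]+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+([^\s;]+)", re.IGNORECASE)


def received_hops(raw: str) -> List[Dict[str, object]]:
    """Return the Received: hops oldest-first. Each MTA prepends its own
    Received: line, so the last one in the message is the first hop."""
    msg = HeaderParser().parsestr(raw)
    hops = []
    for value in reversed(msg.get_all("Received") or []):
        text = " ".join(value.split())  # unfold continuation lines
        m_from, m_by = _FROM.search(text), _BY.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "time": utils.parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def analyze_headers(raw: str) -> Dict[str, object]:
    """Summarise where the message entered the mail system and how far the
    client-supplied Date: header sits from the server's first timestamp."""
    hops = received_hops(raw)
    date_hdr = HeaderParser().parsestr(raw)["Date"]
    sent = utils.parsedate_to_datetime(date_hdr) if date_hdr else None
    first = hops[0] if hops else {"from": None, "by": None, "time": None}
    skew = None
    if sent is not None and first["time"] is not None:
        skew = int((sent - first["time"]).total_seconds())
    return {
        "hop_count": len(hops),
        "origin_by": first["by"],       # host that first accepted the message
        "origin_from": first["from"],   # None: no upstream MTA was recorded
        "date_skew_seconds": skew,      # Date: header minus first Received:
    }


if __name__ == "__main__":
    for key, value in analyze_headers(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

For the posted header the only hop is `by SERVER.DOMAIN.local` with no `from` clause, and the Date: header sits 26 days after that Received: stamp. The Date: value is whatever the submitting client wrote, so it cannot be used to place the message in time; the server's Received: stamp and the client IP from the SMTP log are the reliable anchors.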
 
MrMintanet (Author) Commented:
Thanks for the advice, Mestha.  I'll get the logs and take a look.  Any pointers on what to be looking for?  Actually... where are the logs stored, typically?  Please forgive my ignorance, but I have very limited experience with troubleshooting Exchange.  Perhaps I was one of the fortunate ones who has hardly had any problem with Exchange.  Thanks again!
 
Mestha Commented:
SMTP logs location is set on the properties of the SMTP virtual server in Exchange. You will need to look there to see where they have been located.
You are looking for an IP address sending large numbers of messages. You may have to change the logging options to get enough to trace it.

Simon.
 
MrMintanet (Author) Commented:
::slaps forehead::

Logging was never enabled.  What would be the best format to choose?  Lord, help me.
 
MrMintanet (Author) Commented:
See screenshot.
Logging-Format.jpg
 
Mestha Commented:
I have always used IIS, just change the properties of the logging to ensure that things that need to be logged are. However I know that others say to use NCSA format instead.

Simon.
 
MrMintanet (Author) Commented:
I just discovered another scary problem.  When in OWA, I can simply remove my username from the URL and put another network user's name in and it shows me their mailbox.  What causes this?  Should I post this as a new question?
 
MrMintanet (Author) Commented:
See Photo:
SMTP-LOG.jpg
 
MrMintanet (Author) Commented:
NOTE:  The logs are not showing any local email traffic.  Only external.

SERVER.MYDOMAIN.LOCAL is not showing up anywhere.  How do I monitor what's going through .local?  Bah!  I'm going home!  See you tomorrow!
 
Mestha Commented:
The mailbox question should be posted fresh, as it is not related.
The server's local name will not show in the log, it works on IP addresses.

Are all the messages in the queues from postmaster@ ? Given the errors I wonder if you are under an NDR attack. Does your external provider do recipient filtering?

Simon.
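The two checks Simon describes in this thread (an IP address sending large numbers of messages through the SMTP virtual server, and whether the traffic in the queues is from postmaster@, the NDR pattern) can be run over the SMTP log once logging is on. The script below is an added example, not code from any participant here: it parses the W3C extended format that IIS-style logging on the Exchange SMTP virtual server writes, counts MAIL commands per client IP (the server's own .local name never appears in these logs, so grouping is by IP), and reports what share of each IP's messages used the null sender or postmaster@. The log rows are constructed for the example; the exact field list is an assumption about that logging configuration, and the parser reads whatever `#Fields:` line a real log carries.

```python
"""Find the client IP behind a burst of SMTP submissions in an IIS-format
SMTP log, and how many of its messages carry a bounce-style sender.

Added example for this thread, not code from the thread's participants.
The log rows are constructed and laid out in the W3C extended format the
Exchange SMTP virtual server writes when IIS logging is enabled; the exact
field list is an assumption about that configuration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

FIELDS_DIRECTIVE = "#Fields: "
# NDRs are sent from the null sender (MAIL FROM:<>) or from postmaster@.
BOUNCE_SENDER = re.compile(r"FROM:<(|postmaster@[^>]*)>", re.IGNORECASE)

# Assumed column order for the SMTP virtual server's W3C log.
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)")


def _row(time: str, ip: str, verb: str, arg: str) -> str:
    # Constructed row in the column order of FIELDS; site, server IP and
    # status columns are fixed placeholders. IIS encodes spaces inside the
    # SMTP argument as '+', which is why a whole row splits cleanly on spaces.
    return (f"2009-04-01 {time} {ip} - SMTPSVC1 SERVER 192.0.2.5 25 "
            f"{verb} - {arg} 250 0 0 0 0 SMTP - - - -")


SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2009-04-01 05:20:00",
    FIELDS_DIRECTIVE + FIELDS,
    _row("05:20:01", "203.0.113.10", "EHLO", "+mx.example.net"),
    _row("05:20:01", "203.0.113.10", "MAIL", "+FROM:<alice@example.org>"),
    _row("05:20:02", "203.0.113.10", "RCPT", "+TO:<bob@domain.local>"),
    _row("05:20:03", "203.0.113.10", "MAIL", "+FROM:<carol@example.org>"),
    _row("05:21:10", "192.0.2.77", "EHLO", "+WORKSTATION"),
    _row("05:21:10", "192.0.2.77", "MAIL", "+FROM:<>"),
    _row("05:21:10", "192.0.2.77", "RCPT", "+TO:<someone@example.net>"),
    _row("05:21:11", "192.0.2.77", "MAIL", "+FROM:<postmaster@domain.local>"),
    _row("05:21:11", "192.0.2.77", "MAIL", "+FROM:<>"),
    _row("05:21:12", "192.0.2.77", "MAIL", "+FROM:<>"),
    _row("05:21:12", "192.0.2.77", "MAIL", "+FROM:<postmaster@domain.local>"),
])


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row, keyed by the names in the #Fields: line."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith(FIELDS_DIRECTIVE):
            fields = line[len(FIELDS_DIRECTIVE):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data row before #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip it rather than misalign columns
        yield dict(zip(fields, values))


def count_senders(rows: Iterable[Dict[str, str]]) -> Tuple[Counter, Counter]:
    """Count MAIL commands per client IP, and how many of them used a
    null or postmaster@ sender."""
    mail, bounce = Counter(), Counter()
    for row in rows:
        if row.get("cs-method", "").upper() != "MAIL":
            continue
        ip = row["c-ip"]
        mail[ip] += 1
        if BOUNCE_SENDER.search(row.get("cs-uri-query", "")):
            bounce[ip] += 1
    return mail, bounce


def flag_hosts(mail: Counter, bounce: Counter,
               threshold: int) -> List[Tuple[str, int, float]]:
    """Return (ip, messages, bounce_share) for IPs at or above the threshold,
    busiest first."""
    return [(ip, n, bounce[ip] / n)
            for ip, n in mail.most_common() if n >= threshold]


def analyze_log(log_text: str, threshold: int) -> List[Tuple[str, int, float]]:
    mail, bounce = count_senders(parse_w3c(log_text.splitlines()))
    return flag_hosts(mail, bounce, threshold)


if __name__ == "__main__":
    for ip, n, share in analyze_log(SAMPLE_LOG, threshold=4):
        print(f"{ip}: {n} MAIL commands, {share:.0%} null/postmaster sender")
```

On the constructed sample this flags 192.0.2.77 with five MAIL commands, all from a null or postmaster@ sender, while the MX host 203.0.113.10 stays under the threshold. A high bounce share from an internal address points at the NDR pattern Simon raises (the server generating bounces to forged senders), which recipient filtering at the external provider is meant to stop; a high count of ordinary senders from one internal IP points at a machine submitting mail directly.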
 
MrMintanet (Author) Commented:
What do you mean by recipient filtering?

I'm not sure how to check the postmaster@ question.
 
Michael-Best Commented:
Got CONFICKER Worm?
If YOU can't go here:
http://onecare.live.com/site/en-US/center/cleanup.htm
And run scans
you Got Worm:Win32/Conficker.B
Microsoft is offering $250,000 to a (Worm:Win32/Conficker.B) FIX
Hope it's ME
 
Michael-Best Commented:
Run the: "FULL SERVICE SCAN"
http://onecare.live.com/site/en-us/default.htm
 
Michael-Best Commented:
FREE COMPUTER REPAIR
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN" it will cleanup & speedup your computer, if it won't run then:
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
If on a network, I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
Also see:
Bit Defender:
http://anti-virus-software-review.toptenreviews.com/
This is free:
http://www.pctools.com/free-antivirus/
(Regards from Michael Best: I troubleshoot: both, English OS & Japanese OS)
 
MrMintanet (Author) Commented:
Michael Best, I appreciate the canned-answers, however they are of no use to me.  Please try again, as I do enjoy your professional copy/paste technique.
 
Mestha Commented:
Recipient filtering - it is an option in Exchange to block email to users who do not exist.

http://www.amset.info/exchange/filter-unknown.asp

You need to look at the queues using the queues option in ESM under servers.

Simon.