Solved

Exchange is sending SPAM user to user

Posted on 2009-05-19
Last Modified: 2013-12-09
Hello,
I have an Exchange 2003 server and some users are receiving SPAM emails from themselves. I know this is a SPAM technique but what worries me is that some of the emails have REALLY been sent from Exchange. If I go to the message tracking centre I can see that the email has been sent. The message ID appears as:

200905197317.46DDB690F56FB0@89-215-118-150.2072968958.ddns-lan.pl.ekk.bg

Has my Exchange server been compromised? Does the user have a virus?

Please help,
Briega
Question by:briega
9 Comments
 

Author Comment

by:briega
ID: 24420039
When you click on one of the emails this is the Message History:

From: user@domain.com
To: user@domain.com
Subject: RE: DISCOUNT ID81968 75% OFF on Pfizer!
Message ID: HLCLDNS02F0SpvmoYoZ00002c1c@hlcldns02.hargrove.internal

18/05/2009 00:18 SMTP: Message Submitted to Advanced Queuing
18/05/2009 00:18 SMTP: Started Message Submission to Advanced Queue
18/05/2009 00:18 SMTP: Advanced Queue Failed to Deliver Message
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 900 total points
ID: 24420050
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp

Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Use SMTP tarpitting and IMF in Exchange 2003 to fight spam.

http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

http://www.petri.co.il/block_spam_with_exchange2003_imf.htm

Author Comment

by:briega
ID: 24420128
Thanks for answering.
The open relay check says:

Connect Time: 0 seconds - Good
Transaction Time: 0.516 seconds - Good
Relay Check: OK - This server is not an open relay.

The user is a valid user. Has that email been sent externally or internally? Is the user account compromised? Why does it appear in the tracking centre as sent?
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420458
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp

Author Comment

by:briega
ID: 24420558
Done! I will monitor the system to see if the issue has stopped. Why does this happen? Is a user machine infected with a virus?
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420937
Can be a virus or malicious apps which run on the pc.
LVL 65

Expert Comment

by:Mestha
ID: 24424506
If it was authenticated relaying you could tell - your server would be full of spam. If the password is guessed then the server gets abused. This doesn't look like authenticated relaying.

To me it looks like the message has been sent directly to your server, rather than bounced off another relay server. While unusual, it can happen.

Remember - it's spam, the entire header cannot be trusted.

Simon.

Author Comment

by:briega
ID: 24430041
Is there any way of stopping this?
LVL 65

Assisted Solution

by:Mestha
Mestha earned 600 total points
ID: 24432217
Your antispam tool should be able to deal with those messages in just the same way that it deals with any other spam messages. Just ensure that you haven't whitelisted your own domain.

Simon.
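
An added illustration of the points made in the answers above (it is not part of the thread, and not code from any participant): the From line is chosen by the sender, so a filter should compare it with the connecting IP that your own server recorded in the topmost Received header. The domain `example.com`, the `10.0.0.0/8` internal range, the header layout and both sample messages are assumptions constructed for this sketch.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the thread): our accepted domain and internal range.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # "from host ([1.2.3.4])"

def connecting_ip(msg):
    """IP from the topmost Received header, the one our own server stamped.
    Headers below it, From and Message-ID are all supplied by the sender."""
    received = msg.get_all("Received") or []
    match = _IP_RE.search(received[0]) if received else None
    try:
        return ipaddress.ip_address(match.group(1)) if match else None
    except ValueError:
        return None

def classify(raw):
    """Label a message by comparing its From domain with where it came from."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    if addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
        return "external-sender"
    ip = connecting_ip(msg)
    if ip is None:
        return "local-from-unknown-origin"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "spoofed-local-from"  # our domain in From, but an outside host sent it

# Constructed samples. The second Received line in SPOOFED is forged by the sender.
SPOOFED = (
    "Received: from host.example.net ([203.0.113.25]) by mail.example.com with SMTP\n"
    "Received: from ws1 ([10.0.0.15]) by mail.example.com with SMTP\n"
    "From: user@example.com\nTo: user@example.com\nSubject: sample\n\nbody\n"
)
INTERNAL = (
    "Received: from ws1 ([10.0.0.15]) by mail.example.com with SMTP\n"
    "From: user@example.com\nTo: colleague@example.com\nSubject: sample\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("INTERNAL", INTERNAL)):
        print(name, "->", classify(raw))
```

Legitimate mail from your own domain that arrives from outside (remote users, hosted services) gets the same label, so treat it as a signal to let the spam filter score the message normally rather than as proof of forgery.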