Solved

Exchange is sending SPAM user to user

Posted on 2009-05-19
9
196 Views
Last Modified: 2013-12-09
Hello,
I have an Exchange 2003 server and some users are receiving SPAM emails from themselves. I know this is a SPAM technique but what worries me is that some of the emails have REALLY been sent from Exchange. If I go to the  message tracking centre I can see that the email has been sent. The message ID appears as:

200905197317.46DDB690F56FB0@89-215-118-150.2072968958.ddns-lan.pl.ekk.bg

Is my Exchange server been compromised? Does the user have a virus?

Please help,
Briega
0
Comment
Question by:briega
  • 4
  • 3
  • 2
9 Comments
 

Author Comment

by:briega
ID: 24420039
When you click on one of the emails this is the Message History:

From: user@domain.com
To: user@domain.com
Subject: RE: DISCOUNT ID81968 75% OFF on Pfizer!
Message ID: HLCLDNS02F0SpvmoYoZ00002c1c@hlcldns02.hargrove.internal

18/05/2009 00:18 SMTP: Message Submitted to Advanced Queuing
18/05/2009 00:18 SMTP: Started Message Submission to Advanced Queue
18/05/2009 00:18 SMTP: Advanced Queue Failed to Deliver Message
0
 
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 300 total points
ID: 24420050
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp

Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Use smtp tarpitting and IMF in exchange 2003 to fight spam.

http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
0
 

Author Comment

by:briega
ID: 24420128
Thanks for answering.
The open relay check says:

Connect Time: 0 seconds - Good
Transaction Time: 0.516 seconds - Good
Relay Check: OK - This server is not an open relay.

The user is a valid user. Is that email been sent externaly or internaly? Is the user account compromised? Why does it appear in the tracking centre as sent?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420458
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:briega
ID: 24420558
Done! I will monitor the system to see if the issue has stopped. Why does this happen? Is a user machine infected with a virus?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420937
Can be a virus or malicious apps which run on the pc.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24424506
If it was authenticated relaying you could tell - your server would be full of spam. If the password is guessed then the server gets abused. This doesn't look like authenticated relaying.

To me it looks the message has been sent directly to your server, rather than bounced off another relay server. While unusual, it can happen.

Remember - its spam, the entire header cannot be trusted.

Simon.
0
 

Author Comment

by:briega
ID: 24430041
Is there any way of stopping this?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 200 total points
ID: 24432217
Your antispam tool should be able to deal with those messages in just the same way that it deals with any other spam messages. Just ensure that you haven't white listed your own domain.

Simon.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now