Solved

Exchange is sending SPAM user to user

Posted on 2009-05-19
9
233 Views
Last Modified: 2013-12-09
Hello,
I have an Exchange 2003 server and some users are receiving SPAM emails from themselves. I know this is a SPAM technique but what worries me is that some of the emails have REALLY been sent from Exchange. If I go to the  message tracking centre I can see that the email has been sent. The message ID appears as:

200905197317.46DDB690F56FB0@89-215-118-150.2072968958.ddns-lan.pl.ekk.bg

Is my Exchange server been compromised? Does the user have a virus?

Please help,
Briega
0
Comment
Question by:briega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 

Author Comment

by:briega
ID: 24420039
When you click on one of the emails this is the Message History:

From: user@domain.com
To: user@domain.com
Subject: RE: DISCOUNT ID81968 75% OFF on Pfizer!
Message ID: HLCLDNS02F0SpvmoYoZ00002c1c@hlcldns02.hargrove.internal

18/05/2009 00:18 SMTP: Message Submitted to Advanced Queuing
18/05/2009 00:18 SMTP: Started Message Submission to Advanced Queue
18/05/2009 00:18 SMTP: Advanced Queue Failed to Deliver Message
0
 
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 300 total points
ID: 24420050
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp

Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Use smtp tarpitting and IMF in exchange 2003 to fight spam.

http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
0
 

Author Comment

by:briega
ID: 24420128
Thanks for answering.
The open relay check says:

Connect Time: 0 seconds - Good
Transaction Time: 0.516 seconds - Good
Relay Check: OK - This server is not an open relay.

The user is a valid user. Is that email been sent externaly or internaly? Is the user account compromised? Why does it appear in the tracking centre as sent?
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420458
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp
0
 

Author Comment

by:briega
ID: 24420558
Done! I will monitor the system to see if the issue has stopped. Why does this happen? Is a user machine infected with a virus?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420937
Can be a virus or malicious apps which run on the pc.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24424506
If it was authenticated relaying you could tell - your server would be full of spam. If the password is guessed then the server gets abused. This doesn't look like authenticated relaying.

To me it looks the message has been sent directly to your server, rather than bounced off another relay server. While unusual, it can happen.

Remember - its spam, the entire header cannot be trusted.

Simon.
0
 

Author Comment

by:briega
ID: 24430041
Is there any way of stopping this?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 200 total points
ID: 24432217
Your antispam tool should be able to deal with those messages in just the same way that it deals with any other spam messages. Just ensure that you haven't white listed your own domain.

Simon.
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question