Solved

Exchange is sending SPAM user to user

Posted on 2009-05-19
9
228 Views
Last Modified: 2013-12-09
Hello,
I have an Exchange 2003 server and some users are receiving SPAM emails from themselves. I know this is a SPAM technique but what worries me is that some of the emails have REALLY been sent from Exchange. If I go to the  message tracking centre I can see that the email has been sent. The message ID appears as:

200905197317.46DDB690F56FB0@89-215-118-150.2072968958.ddns-lan.pl.ekk.bg

Is my Exchange server been compromised? Does the user have a virus?

Please help,
Briega
0
Comment
Question by:briega
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 

Author Comment

by:briega
ID: 24420039
When you click on one of the emails this is the Message History:

From: user@domain.com
To: user@domain.com
Subject: RE: DISCOUNT ID81968 75% OFF on Pfizer!
Message ID: HLCLDNS02F0SpvmoYoZ00002c1c@hlcldns02.hargrove.internal

18/05/2009 00:18 SMTP: Message Submitted to Advanced Queuing
18/05/2009 00:18 SMTP: Started Message Submission to Advanced Queue
18/05/2009 00:18 SMTP: Advanced Queue Failed to Deliver Message
0
 
LVL 24

Accepted Solution

by:
Rajith Enchiparambil earned 300 total points
ID: 24420050
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp

Check whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Use smtp tarpitting and IMF in exchange 2003 to fight spam.

http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
0
 

Author Comment

by:briega
ID: 24420128
Thanks for answering.
The open relay check says:

Connect Time: 0 seconds - Good
Transaction Time: 0.516 seconds - Good
Relay Check: OK - This server is not an open relay.

The user is a valid user. Is that email been sent externaly or internaly? Is the user account compromised? Why does it appear in the tracking centre as sent?
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420458
Authenticated relaying, disable it following this article http://www.amset.info/exchange/smtp-relaysecure.asp
0
 

Author Comment

by:briega
ID: 24420558
Done! I will monitor the system to see if the issue has stopped. Why does this happen? Is a user machine infected with a virus?
0
 
LVL 24

Expert Comment

by:Rajith Enchiparambil
ID: 24420937
Can be a virus or malicious apps which run on the pc.
0
 
LVL 65

Expert Comment

by:Mestha
ID: 24424506
If it was authenticated relaying you could tell - your server would be full of spam. If the password is guessed then the server gets abused. This doesn't look like authenticated relaying.

To me it looks the message has been sent directly to your server, rather than bounced off another relay server. While unusual, it can happen.

Remember - its spam, the entire header cannot be trusted.

Simon.
0
 

Author Comment

by:briega
ID: 24430041
Is there any way of stopping this?
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 200 total points
ID: 24432217
Your antispam tool should be able to deal with those messages in just the same way that it deals with any other spam messages. Just ensure that you haven't white listed your own domain.

Simon.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question