Exchange sending out Spam Emails

I'm using Exchange 2003, and have been having a problem for a while now. My mail queue fills up trying to send out junk from inside our system. It usually uses bogus or old email addresses. I go to the line and freeze & delete as many as I can, but I can't seem to find the computer on our network with the virus.

I'm using Trend Micro 8.9,  I've scanned, and cleaned up all the problems that I've found, but I continue to get these emails filling up my system.

I've looked at several answers on here, but I'm only running a single Exchange server, so some answers don't apply.

Any suggestions?  Tools to find where this might be coming from?   Big hammer to beat the crap out of the server?
Thanks
nightshft Asked:

Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
First, see whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Disable authenticated relay if you don't have any POP/IMAP clients. http://www.amset.info/exchange/smtp-relaysecure.asp

Make sure you have smtp tarpitting enabled to beat spammers http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

Configure IMF as well and enable it http://www.petri.co.il/block_spam_with_exchange2003_imf.htm
0
dcsdave Commented:
Can you go back into the queue, right click on one of the SMTP connectors and click find messages.  It should then let you search and see, at the bottom left, who the senders are of some of the messages in queue.

Keep me posted.
0
nightshft (Author) Commented:
1. I am not an open relay.
2. I am using IMAP clients, so I can't disable the relay.

And for DCSDAVE,  I have checked on some of the emails, most are not addresses inside our network, there have been a few that were old deleted emails, but not any from actual network users.

I'm going to work on the SMTP Tarpitting
Thanks
0
dcsdave Commented:
If you are running SBS2003/Exchange you can go to server management/monitoring and reporting and view the server usage reports to see who is sending the most emails and go from there.

You might have to setup the feature and wait a few days before it will display any valid data.

Cheers!
0
Rajith Enchiparambil (Office 365 & Exchange Architect) Commented:
If you are not an open relay and still have spam emails going out, then it is an authenticated relay by a compromised workstation. You need to disable authenticated relay following the article posted above and see whether it is making a difference.

Why are you giving users IMAP access when you can use OWA or Outlook RPC Over HTTPS?
0
xmachine Commented:
Hi,

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch that supports a monitoring port (Cisco calls it SPAN), or use a hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from a vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (Linux-based), download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here is how to scan for port 25 (replace 202.21.192.1/24 with your network range):

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here is how to sniff port 25:

#tcpdump -i eth0 port 25



A Symantec Certified Specialist @ your service
0
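
Added example (not part of any post above): a short Python script that tallies who opens SMTP connections in text output saved from the tcpdump command in the post above, assuming it was run with -n so port 25 prints as a number. The LAN range, the Exchange server address and the capture lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i eth0 port 25` output (not a real capture).
SAMPLE = """\
12:01:03.100001 IP 192.168.1.57.49213 > 192.168.1.10.25: Flags [S], seq 1, win 64240, length 0
12:01:03.100900 IP 192.168.1.10.25 > 192.168.1.57.49213: Flags [S.], seq 9, ack 2, win 65535, length 0
12:01:04.200001 IP 192.168.1.57.49214 > 192.168.1.10.25: Flags [S], seq 3, win 64240, length 0
12:01:05.300001 IP 192.168.1.57.49215 > 192.168.1.10.25: Flags [S], seq 5, win 64240, length 0
12:01:06.400001 IP 192.168.1.23.50110 > 192.168.1.10.25: Flags [S], seq 7, win 64240, length 0
12:01:07.500001 IP 192.168.1.10.3301 > 203.0.113.25.25: Flags [S], seq 11, win 65535, length 0
12:01:08.600001 IP 192.168.1.88.1045 > 198.51.100.7.25: Flags [S], seq 13, win 64240, length 0
12:01:09.700001 IP 198.51.100.44.40222 > 192.168.1.10.25: Flags [S], seq 15, win 29200, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def smtp_initiators(capture_text, lan_cidr, mail_server_ip):
    """Count SMTP connection attempts per source, split into two views:
    to_server  - hosts connecting to the mail server (candidates for relay abuse)
    direct_out - LAN hosts sending SMTP straight to the internet, bypassing the server
    """
    lan = ipaddress.ip_network(lan_cidr)
    server = ipaddress.ip_address(mail_server_ip)
    to_server, direct_out = Counter(), Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        # Only a bare SYN to port 25 marks the side that opened the connection.
        if not m or m["dport"] != "25" or m["flags"] != "S":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src == server:
            continue  # the server's own outbound delivery is expected traffic
        if dst == server:
            to_server[str(src)] += 1
        elif src in lan and dst not in lan:
            direct_out[str(src)] += 1
    return {"to_server": to_server.most_common(),
            "direct_out": direct_out.most_common()}

if __name__ == "__main__":
    for view, rows in smtp_initiators(SAMPLE, "192.168.1.0/24", "192.168.1.10").items():
        print(view, rows)
```

A workstation near the top of to_server that has no IMAP/POP client configured, or any host in direct_out, is the first machine to inspect.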