• Status: Solved

Exchange sending out Spam Emails

I'm using Exchange 2003, and have been having a problem for a while now. My mail queue fills up trying to send out junk from inside our system. It usually uses bogus or old email addresses. I go to the line and freeze & delete as many as I can, but I can't seem to find the computer on our network with the virus.

I'm using Trend Micro 8.9,  I've scanned, and cleaned up all the problems that I've found, but I continue to get these emails filling up my system.

I've looked at several answers on here, but I'm only running a single Exchange server, so some answers don't apply.

Any suggestions?  Tools to find where this might be coming from?   Big hammer to beat the crap out of the server?

Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
First, see whether you are an open relay here http://www.mxtoolbox.com/diagnostic.aspx

Disable authenticated relay if you don't have any POP/IMAP clients. http://www.amset.info/exchange/smtp-relaysecure.asp

Make sure you have smtp tarpitting enabled to beat spammers http://enchiparambil.com/smtp_tarpitting_for_exchange.aspx

Configure IMF as well and enable it http://www.petri.co.il/block_spam_with_exchange2003_imf.htm

Can you go back into the queue, right click on one of the SMTP connectors and click find messages. It should then let you search and see, at the bottom left, who the senders are of some of the messages in queue.

Keep me posted.

nightshft (Author) commented:
1. I am not an open relay
2. I am using IMAP clients, so I can't disable the relay.

And for DCSDAVE,  I have checked on some of the emails, most are not addresses inside our network, there have been a few that were old deleted emails, but not any from actual network users.

I'm going to work on the SMTP Tarpitting

If you are running SBS2003/Exchange you can go to server management/monitoring and reporting and view the server usage reports to see who is sending the most emails and go from there.

You might have to set up the feature and wait a few days before it will display any valid data.

Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
If you are not an open relay and still have spam emails going out, then it is an authenticated relay by a compromised workstation. You need to disable authenticated relay following the article posted above and see whether it is making a difference.

Why are you giving users IMAP access when you can use OWA or Outlook RPC Over HTTPS?

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).

2) Another sniffing tool is Tcpick (Linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here is how to scan for port 25 (change with your network range):

#nmap -sS -p 25 <your-network-range>

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here is how to sniff port 25:

#tcpdump -i eth0 port 25

A Symantec Certified Specialist @ your service
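
One way to turn the port 25 capture suggested above into a ranked list of hosts opening SMTP connections, as an added example that is not part of the original thread. It assumes `tcpdump -nn` text output over IPv4; the function names and the sample addresses (documentation range) are made up for illustration.

```shell
#!/bin/sh
# Added example: rank hosts by new SMTP connections seen in a tcpdump capture.
# Real input would come from:  tcpdump -nn -i eth0 'tcp port 25' > smtp.txt

# Constructed sample in tcpdump -nn text format (not taken from the thread).
sample_capture() {
cat <<'EOF'
09:15:01.100000 IP 192.0.2.23.49211 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
09:15:01.100400 IP 192.0.2.10.25 > 192.0.2.23.49211: Flags [S.], seq 9, ack 2, win 64240, length 0
09:15:01.200000 IP 192.0.2.23.49211 > 192.0.2.10.25: Flags [P.], seq 2:40, ack 10, win 64240, length 38
09:15:02.100000 IP 192.0.2.23.49212 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
09:15:03.100000 IP 192.0.2.23.49213 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
09:15:04.100000 IP 192.0.2.41.50100 > 192.0.2.10.25: Flags [S], seq 1, win 64240, length 0
09:15:05.100000 IP 192.0.2.41.50101 > 192.0.2.10.143: Flags [S], seq 1, win 64240, length 0
EOF
}

# Reads tcpdump lines on stdin and prints "count src -> dst", busiest first.
# Only bare SYN packets to destination port 25 are counted, so each line of
# output is the number of SMTP connections a host tried to open.
smtp_talkers() {
    awk '
    $2 == "IP" && $4 == ">" && $7 == "[S]," {
        src = $3; dst = $5
        sub(/:$/, "", dst)            # drop the trailing colon after dst
        if (dst !~ /\.25$/) next      # keep destination port 25 only
        sub(/\.25$/, "", dst)         # strip the port, leaving the IPv4 address
        sub(/\.[0-9]+$/, "", src)     # strip the ephemeral source port
        seen[src " -> " dst]++
    }
    END { for (k in seen) printf "%d %s\n", seen[k], k }
    ' | sort -rn
}

# Run on the constructed sample when executed directly.
sample_capture | smtp_talkers
```

A workstation near the top of this list that has no reason to send mail over SMTP is the one to inspect first.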