How to trace a spam email that was sent from my Exchange 2003?

My Exchange 2003 server was sending emails to accounts in the UK. It never got blacklisted.
The email account that was sending the emails is secure.message@alliance-leicester.co.uk.

I have a Ninja spam filter and I had to enable the internal Exchange 2003 spam filter to disable this email address. This email address does not exist in the Exchange organization.
My Exchange server does not relay any traffic from outside and it hosts only a single domain.

What shocked me is that the spyware was using the Exchange server to send the emails and not its own internal engine. I block all SMTP traffic that does not originate on the Exchange server.

Is there a way to block all email addresses from sending emails unless they are explicitly in Active Directory? How do I track the user account that sent that email (most likely a spyware-infected machine)? Is Exchange 2007 improving this?

keelhan asked:

Jian An Lim (Solutions Architect) commented:
Is there a way to block all email addresses from sending emails unless they are explicitly in Active Directory?

NOPE.
The only thing you can do is set up SPF via www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
and hopefully the receiver will find out that it does not match the SPF.



How do I track the user account that sent that email - most likely a spyware-infected machine?

You can do message tracking from the Exchange 2003 server if you enable it. Exchange 2003 has it disabled by default, but Exchange 2007 enables it by default.
Of course you can turn it on or off at your leisure.

Please check this for how to turn it on in Exchange 2003:

http://www.msexchange.org/tutorials/Exchange-2003-Message-Tracking-Logging.html
Mestha commented:
I am yet to see a BOT that will use another system to send its own messages, as that simply gives the game away and is too hard for the BOT writer to do. They are lazy and don't really want to use Exchange servers, as that allows their "product" to be found.

Therefore if you are seeing the messages in your queues I can almost guarantee it was not a BOT or spyware. The server was abused directly.

That basically means:

- open relay
- authenticated relay
- NDR spam.

The usual cause is authenticated relay. That is enabled on Exchange 2003 by default. It was most likely your Administrator account that was used, the usual target.

If you do not have any POP3/IMAP clients then authenticated relaying can be disabled completely. It is not required for the correct operation of Exchange 2003.

Simon.
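The two answers above point at the same evidence: the message tracking log that Jian An Lim says to enable, read with Mestha's hypothesis in mind (a sender address the organization does not host, submitted from an IP outside the LAN, is the signature of an abused authenticated account rather than an internal infected PC). The script below is an added example, not code from this thread, from Microsoft or from the linked tutorial. It assumes the tab-separated column order documented for Exchange 2003 tracking logs and assumes event ID 1019 is the "SMTP: Message Submitted to Advanced Queuing" record; the log lines are constructed here (the sender address is the one from the question, the IPs are documentation ranges), and the accepted domain and internal network are hypothetical.

```python
"""Triage an Exchange 2003 message tracking log: which sender, from which
client IP, submitted mail the organization does not host?  (Added example.)"""
import ipaddress
from collections import defaultdict

# Column layout of an Exchange 2003 tracking log record (tab-separated, one
# record per line, '#' lines are headers).  ASSUMED from the documented
# format; compare it with the header lines of your own yyyymmdd.log files.
FIELDS = [
    "date", "time", "client_ip", "client_hostname", "partner_name",
    "server_hostname", "server_ip", "recipient_address", "event_id", "msgid",
    "priority", "recipient_report_status", "total_bytes", "number_recipients",
    "origination_time", "encryption", "service_version", "linked_msgid",
    "message_subject", "sender_address",
]

# ASSUMED: the event written when a message enters the server from a client.
SUBMIT_EVENT = "1019"


def parse_tracking_log(text):
    """Return one dict per data record; header lines and malformed rows are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            continue  # truncated or foreign line: ignore rather than guess
        records.append(dict(zip(FIELDS, values)))
    return records


def triage(text, accepted_domains, internal_nets):
    """Group submission events by (sender, client IP) and flag suspicious groups.

    foreign_sender : sender domain is not one this Exchange organization hosts
    external_client: submitting IP is outside the LAN; with open relay off, a
                     submission from outside came over an authenticated session
    Results are sorted so the most suspicious, most prolific groups come first.
    """
    accepted = {d.lower() for d in accepted_domains}
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    groups = defaultdict(lambda: {"count": 0, "recipients": set(), "first_seen": None})
    for r in parse_tracking_log(text):
        if r["event_id"] != SUBMIT_EVENT:
            continue
        g = groups[(r["sender_address"].lower(), r["client_ip"])]
        g["count"] += 1
        g["recipients"].add(r["recipient_address"].lower())
        g["first_seen"] = g["first_seen"] or f'{r["date"]} {r["time"]}'

    findings = []
    for (sender, ip), g in groups.items():
        domain = sender.rsplit("@", 1)[-1]
        try:
            internal = any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:          # unparsable client-ip: treat as untrusted
            internal = False
        findings.append({
            "sender": sender, "client_ip": ip, "count": g["count"],
            "recipients": sorted(g["recipients"]), "first_seen": g["first_seen"],
            "foreign_sender": domain not in accepted,
            "external_client": not internal,
        })
    findings.sort(key=lambda f: (-(f["foreign_sender"] + f["external_client"]), -f["count"]))
    return findings


def _record(date, time, client_ip, sender, recipient, msgid, event=SUBMIT_EVENT):
    """Build one constructed log line; unused columns are filled with '-'."""
    row = dict.fromkeys(FIELDS, "-")
    row.update(date=date, time=time, client_ip=client_ip, sender_address=sender,
               recipient_address=recipient, msgid=msgid, event_id=event)
    return "\t".join(row[f] for f in FIELDS)


# Constructed sample: one legitimate internal message (its submission plus a
# later pipeline event) and three spam submissions from an outside address.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File (constructed sample, not a real capture)",
    _record("2009-3-10", "09:12:01 GMT", "10.0.0.25", "alice@example.com",
            "bob@example.com", "<1@example.com>"),
    _record("2009-3-10", "09:12:02 GMT", "10.0.0.25", "alice@example.com",
            "bob@example.com", "<1@example.com>", event="1020"),
    _record("2009-3-10", "09:15:42 GMT", "203.0.113.10",
            "secure.message@alliance-leicester.co.uk", "victim1@example.co.uk", "<2@example.com>"),
    _record("2009-3-10", "09:15:43 GMT", "203.0.113.10",
            "secure.message@alliance-leicester.co.uk", "victim2@example.co.uk", "<3@example.com>"),
    _record("2009-3-10", "09:15:44 GMT", "203.0.113.10",
            "secure.message@alliance-leicester.co.uk", "victim3@example.co.uk", "<4@example.com>"),
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, accepted_domains=["example.com"], internal_nets=["10.0.0.0/8"]):
        flags = [k for k in ("foreign_sender", "external_client") if f[k]]
        print(f'{f["sender"]:45} {f["client_ip"]:15} {f["count"]:3}  {", ".join(flags) or "ok"}')
```

The first finding in the sample is the alliance-leicester sender submitting from 203.0.113.10: a domain the server does not host, arriving from outside the LAN, so on a server that is not an open relay it had to log in, which is the authenticated-relay case Mestha describes. Replace the sample with the contents of the real tracking log and adjust the domain and network lists; the SMTP protocol log of the same virtual server, where enabled, is the place to confirm which account authenticated.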

keelhan (Author) commented:
I checked and the open relay was disabled but the emails still were being sent via the Exchange server. What made no sense is that the sender was outside of the network. How was the Exchange 2003 open if I had disabled NDR?