Axyon
asked on
Tracking internal spam, Exchange 2003
Recently one of my client's email servers was blacklisted by a few databases, and after looking into this issue, I found that their outgoing email queues were larger than normal. Also, the destination domains are mostly random, non-existent domains. I believe something internal is sending out mass spam email; however, I have no way to pinpoint where this traffic is coming from. Any ideas? So far I have done the following:
enabled logging on the SMTP virtual server
took a packet capture using Wireshark
everything shows the originator as the mail server, which I would expect... but I want to be able to see where the requests originate.
Don't recall my faq talking about backscatter!
Are the senders of the emails administrator or random senders?
ASKER
There are two consistent "senders", who are not domain members and look to crap... "Egg Bank Plc" and "Natwest".
Then you are most likely an authenticated relay.
Please turn on diagnostic logging as per my FAQ and monitor the Application Log to see which account has been compromised.
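The asker already has SMTP virtual server logging on, and the advice above is to find the authenticating account. Those two sources complement each other: the SMTP log shows which client IP is pushing mail to a spread of unrelated recipient domains, and the Application Log then names the account that authenticated from that IP. The script below is an added example, not code from the original thread or from Microsoft; it parses a constructed W3C extended log (the format IIS/Exchange 2003 SMTP logging writes) and flags client IPs whose accepted recipients are almost all in distinct domains, the "random, non-existent domains" pattern described in the question. The exact field set is read from the file's own `#Fields:` header, so the column layout of the sample is an assumption and a real log may carry more columns.

```python
"""Triage an SMTP virtual server W3C log to find the internal source of
outbound spam.  Added example with a constructed sample log; the field names
are taken from the file's #Fields: header rather than hard-coded."""
from collections import defaultdict
import re

# Constructed sample: 10.0.0.15 authenticates once and then sends to many
# unrelated domains; 10.0.0.22 is ordinary user traffic; 203.0.113.9 is an
# external host whose relay attempt is refused (550).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-02 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-03-02 08:00:01 10.0.0.15 - AUTH LOGIN 334
2009-03-02 08:00:01 10.0.0.15 - MAIL FROM:<info@egg-bank.example> 250
2009-03-02 08:00:01 10.0.0.15 - RCPT TO:<a@qwxk.example> 250
2009-03-02 08:00:02 10.0.0.15 - RCPT TO:<b@plzx.example> 250
2009-03-02 08:00:02 10.0.0.15 - RCPT TO:<c@mmq9.example> 250
2009-03-02 08:00:03 10.0.0.15 - RCPT TO:<d@zzzt.example> 250
2009-03-02 08:00:04 10.0.0.22 - MAIL FROM:<jane@client.example> 250
2009-03-02 08:00:04 10.0.0.22 - RCPT TO:<bob@client.example> 250
2009-03-02 08:00:05 10.0.0.22 - RCPT TO:<sue@partner.example> 250
2009-03-02 08:00:06 203.0.113.9 - MAIL FROM:<x@spam.example> 250
2009-03-02 08:00:06 203.0.113.9 - RCPT TO:<v@victim.example> 550
"""

# Pulls the domain part out of an RCPT/MAIL argument such as TO:<user@host>.
ADDR_RE = re.compile(r"<[^@<>]+@([^>]+)>")


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: line.
    Records that do not match the declared column count are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def summarize_clients(text):
    """Per client IP: accepted RCPT count, distinct recipient domains, and
    whether the client issued an AUTH command during the logged period."""
    stats = defaultdict(lambda: {"rcpt": 0, "domains": set(), "auth": False})
    for rec in parse_w3c(text):
        ip = rec["c-ip"]
        method = rec["cs-method"].upper()
        if method == "AUTH":
            stats[ip]["auth"] = True
        elif method == "RCPT" and rec["sc-status"].startswith("2"):
            m = ADDR_RE.search(rec["cs-uri-query"])
            if m:
                stats[ip]["rcpt"] += 1
                stats[ip]["domains"].add(m.group(1).lower())
    return stats


def suspicious_sources(text, min_rcpt=3, min_distinct_ratio=0.8):
    """Client IPs whose accepted recipients spread across (nearly) as many
    distinct domains as there are recipients.  Thresholds are assumptions;
    tune them against a known-clean day of the same log."""
    flagged = []
    for ip, s in summarize_clients(text).items():
        if s["rcpt"] >= min_rcpt and len(s["domains"]) / s["rcpt"] >= min_distinct_ratio:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, s in sorted(summarize_clients(SAMPLE_LOG).items()):
        print(f"{ip:15} rcpt={s['rcpt']:3} domains={len(s['domains']):3} auth={s['auth']}")
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
```

Once an internal IP is flagged, look for the Application Log authentication event from the same time window to identify the account; an IP that never issued AUTH but still relays outbound would point instead at an anonymous-relay misconfiguration on the virtual server.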
ASKER
I already have; see the above post: "So I have turned on the authentication logging in Exchange, however, the app log is full of NDR reports. Hard to make sense of the app log."
Save it if you want to and clear the log. It will make it easier to see what is going on.
ASKER
I did find an entry in the app log that the SBS Backup user successfully authenticated... so I have disabled that account. I'm getting flooded with SMTP protocol warnings that say that the SMTP connection has been dropped to all kinds of external SMTP servers.
The backup account should not be used. Please change the password, restart Simple Mail Transfer Protocol and then enable the backup account.
ASKER
I've reset the password and disabled the SBS user backup account. I still believe that something is still sending out spam email, as I can see all kinds of remote SMTP connections in my app log that are getting denied.
That will be the spammers trying to abuse your server and is to be expected.
Clear out your queues that are bogus and monitor them. Once you are happy that you are not being abused anymore, turn off the diagnostic logging and relax.
ASKER
Yea, I was thinking that disabling the compromised account would stop the SMTP connections... I have about 1500 queues to clear, so I set the NDR timeout to 5 minutes; hopefully they will take care of themselves.
That's cheating ;) but a nice idea.
Please keep me posted.
ASKER
Cleared the queue manually on the filesystem... so my queue is clear; keeping a close eye on it.
It should be fairly quick to see if the problem is resolved.
If it is, make sure anything hanging off the backup user account still works and perhaps enforce more stringent password security so that it does not happen again.