  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 531

Tracking internal spam, exchange 2003

Recently one of my client's email servers was blacklisted by a few databases, and after looking into this issue, I found that their outgoing email queues were larger than normal.  Also, the destination domains are mostly random, non-existent domains.  I believe something internal is sending out mass spam email; however, I have no way to pinpoint where this traffic is coming from.  Any ideas?  So far I have done the following:

enabled logging on the smtp virtual server
took a packet capture using wireshark

Everything shows the originator as the mail server, which I would expect... but I want to be able to see where the requests originate.
0
Asked by: Axyon
1 Solution
 
Alan HardistyCommented:
Please have a look at my FAQ for this very problem:
http://www.it-eye.co.uk/faqs/readQuestion.php?qid=4
0
 
AxyonAuthor Commented:
The problem is not backscatter.  So I have turned on the authentication logging in Exchange; however, the app log is full of NDR reports.  Hard to make sense of the app log.
0
 
Alan HardistyCommented:
Don't recall my FAQ talking about backscatter!

Are the senders of the emails administrator or random senders?
0
 
AxyonAuthor Commented:
There are two consistent "senders", who are not domain members and look to be crap... "Egg Bank Plc" and "Natwest".
0
 
Alan HardistyCommented:
Then you are most likely an authenticated relay.

Please turn on diagnostic logging as per my FAQ and monitor the Application Log to see which account has been compromised.
0
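The same question ("which authenticated account is the relay abuser?") can be answered from the SMTP virtual server log the asker already enabled, without wading through a flooded Application Log. The script below is an added example and is not part of this thread or of the linked FAQ. It assumes the log is in W3C extended format with a `#Fields:` header (the parser reads whatever field list the header carries); the log lines, the `EXAMPLE\sbsbackup` and `EXAMPLE\jsmith` account names, the IP addresses and the `example.com` local domain are all constructed for illustration. It tallies RCPT commands per authenticated user, records the client IPs each user authenticated from, and flags accounts that send many recipients, use a MAIL FROM outside the local domain, or authenticate from outside the LAN.

```python
"""Find a compromised authenticated-relay account in an SMTP virtual server log.

Added example, not code from the thread. Log format: W3C extended with a
'#Fields:' header. Sample lines, accounts, IPs and domains below are constructed.
"""
from collections import defaultdict

# Constructed sample log. The field layout is an assumption; a real server logs
# whichever fields were enabled, and parse_w3c() adapts to the header it finds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-02 00:00:00
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2009-03-02 00:00:01 10.0.0.15 - SMTPSVC1 EHLO +workstation15 250
2009-03-02 00:00:01 10.0.0.15 - SMTPSVC1 MAIL +FROM:<user@example.com> 250
2009-03-02 00:00:01 10.0.0.15 - SMTPSVC1 RCPT +TO:<partner@example.net> 250
2009-03-02 00:00:02 203.0.113.7 - SMTPSVC1 AUTH +LOGIN 334
2009-03-02 00:00:03 203.0.113.7 EXAMPLE\\sbsbackup SMTPSVC1 MAIL +FROM:<alerts@bank-one.example> 250
2009-03-02 00:00:03 203.0.113.7 EXAMPLE\\sbsbackup SMTPSVC1 RCPT +TO:<a@qx7-nonexistent.invalid> 250
2009-03-02 00:00:03 203.0.113.7 EXAMPLE\\sbsbackup SMTPSVC1 RCPT +TO:<b@zk3-nonexistent.invalid> 250
2009-03-02 00:00:03 203.0.113.7 EXAMPLE\\sbsbackup SMTPSVC1 RCPT +TO:<c@mm9-nonexistent.invalid> 250
2009-03-02 00:00:04 198.51.100.9 - SMTPSVC1 AUTH +LOGIN 334
2009-03-02 00:00:05 198.51.100.9 EXAMPLE\\sbsbackup SMTPSVC1 MAIL +FROM:<security@bank-two.example> 250
2009-03-02 00:00:05 198.51.100.9 EXAMPLE\\sbsbackup SMTPSVC1 RCPT +TO:<d@pp2-nonexistent.invalid> 250
2009-03-02 00:00:05 198.51.100.9 EXAMPLE\\sbsbackup SMTPSVC1 RCPT +TO:<e@ww4-nonexistent.invalid> 250
2009-03-02 00:00:06 10.0.0.22 EXAMPLE\\jsmith SMTPSVC1 MAIL +FROM:<jsmith@example.com> 250
2009-03-02 00:00:06 10.0.0.22 EXAMPLE\\jsmith SMTPSVC1 RCPT +TO:<client@example.net> 250
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        # Split into at most len(fields) pieces so a trailing field may contain spaces.
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def summarise_senders(records, internal_prefixes=("10.",)):
    """Per authenticated user: RCPT count, client IPs, external IPs and MAIL FROM addresses.

    internal_prefixes is an assumption about the LAN address range; adjust to the site.
    """
    stats = defaultdict(lambda: {"rcpt": 0, "ips": set(), "external_ips": set(), "mail_from": set()})
    for r in records:
        user = r.get("cs-username", "-")
        if user == "-":
            continue  # unauthenticated session (normal inbound MX traffic)
        s, ip = stats[user], r.get("c-ip", "-")
        s["ips"].add(ip)
        if not ip.startswith(internal_prefixes):
            s["external_ips"].add(ip)
        method, query = r.get("cs-method", ""), r.get("cs-uri-query", "")
        if method == "MAIL":
            s["mail_from"].add(query[len("+FROM:"):].strip("<>") if query.startswith("+FROM:") else query)
        elif method == "RCPT":
            s["rcpt"] += 1
    return dict(stats)


def suspicious_accounts(stats, local_domain, rcpt_threshold=3):
    """Accounts that look like an abused authenticated relay, with the reasons."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["rcpt"] >= rcpt_threshold:
            reasons.append(f"{s['rcpt']} RCPT commands")
        foreign = sorted(a for a in s["mail_from"] if not a.lower().endswith("@" + local_domain))
        if foreign:
            reasons.append(f"MAIL FROM outside {local_domain}: {', '.join(foreign)}")
        if s["external_ips"]:
            reasons.append("authenticated from external IP(s): " + ", ".join(sorted(s["external_ips"])))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    report = suspicious_accounts(summarise_senders(parse_w3c(SAMPLE_LOG)), "example.com")
    for account, reasons in report.items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

Point `parse_w3c` at the real log directory's files (`C:\WINDOWS\system32\LogFiles\SMTPSVC1\` by default on IIS 6, though the path is configurable) and lower or raise `rcpt_threshold` to match normal volume. An account that sends to hundreds of random domains from an address outside the LAN, as `EXAMPLE\sbsbackup` does in the constructed sample, is the one whose password needs changing.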
 
AxyonAuthor Commented:
I already have, see the above post: "So I have turned on the authentication logging in Exchange; however, the app log is full of NDR reports.  Hard to make sense of the app log."
0
 
Alan HardistyCommented:
Save it if you want to and clear the log. It will make it easier to see what is going on.
0
 
AxyonAuthor Commented:
I did find an entry in the app log that the SBS Backup user successfully authenticated... so I have disabled that account.  I'm getting flooded with SMTP protocol warnings that say that the SMTP connection has been dropped to all kinds of external SMTP servers.
0
 
Alan HardistyCommented:
The backup account should not be used.  Please change the password, restart the Simple Mail Transfer Protocol service and then enable the backup account.
0
 
AxyonAuthor Commented:
I've reset the password and disabled the SBS user backup account.  I still believe that something is still sending out spam email, as I can see all kinds of remote SMTP connections in my app log that are getting denied.
0
 
Alan HardistyCommented:
That will be the spammers trying to abuse your server and is to be expected.

Clear out your queues that are bogus and monitor them.  Once you are happy that you are not being abused anymore, turn off the diagnostic logging and relax.
0
 
AxyonAuthor Commented:
Yeah, I was thinking that disabling the compromised account would stop the SMTP connections... I have about 1500 queues to clear... so I set the NDR timeout to 5 minutes; hopefully they will take care of themselves.
0
 
Alan HardistyCommented:
That's cheating ;) but a nice idea.

Please keep me posted.
0
 
AxyonAuthor Commented:
Cleared the queue manually on the filesystem... so my queue is clear; keeping a close eye on it.
0
 
Alan HardistyCommented:
It should be fairly quick to see if the problem is resolved.

If it is, make sure anything hanging off the backup user account still works and perhaps enforce more stringent password security so that it does not happen again.
0