exchange 2003 logs filled with spam trying to send out

Hi,
We have an SBS 2003 box running Exchange 2003. We have recently changed providers and have switched the e-mail to send out using DNS as opposed to a smart host. Since doing that I noticed the SMTP queues started filling up with typical spam addresses. They weren't from postmaster but rather led to an open relay spam attack.

I have since closed up all open relay holes and done an open relay test via dnsgoodies.com, and all appears to be fine. There's no more spam in the SMTP queues, but I suspected something was still going on, so I've run Wireshark on TCP 25 traffic and noticed that spam email is still trying to get out every 2-3 seconds, and my Exchange logs are filling up because of the amount of messages (roughly 3 GB each day for the past couple of days).

I have done multiple scans on each of the PCs to determine if any had spyware that may be causing this. I've attached a Wireshark capture to show the traffic, along with a snippet of the Exchange log which shows the e-mail trying to go out.

Any help would be appreciated.
Server-hostname	server-IP	Recipient-Address	Event-ID	MSGID	Priority	Recipient-Report-Status	total-bytes	Number-Recipients	Origination-Time	Encryption	service-Version	Linked-MSGID	Message-Subject	Sender-Address
SERVER-1	10.1.1.2	chixuankai@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	chern.feng@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	bnn_no1@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	ceroeria@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	chouyang24@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cattyonline2005@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	bteno@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	chichiteur@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	ccrjt@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cocoa-66@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	c591218@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	crazyhorn999@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cjvd@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cbshlove6282@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cmt380525@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	candynicestar@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	cert_mcse@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	chen_raymond33@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	chueh76@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	bubblerainss@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net
SERVER-1	10.1.1.2	dicky0307@yahoo.com.tw	1025	UMYFVKKDBJNYUHYUBPGNE@ms13.hinet.net	3	0	4042	55	2010-3-30 2:19:49 GMT	0	Version: 6.0.3790.3959	-	-	keirwktgvne@ms13.hinet.net

[Attached image: wireshark.JPG]
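The tracking-log snippet above is tab-separated with one row per recipient, so it can be checked mechanically: group rows by MSGID and flag any message where neither the sender nor a single recipient belongs to a local domain, which is the shape of a relay attempt whatever its source. This is an added example, not code from the poster or from Exchange; the sample rows are constructed with placeholder addresses, and the local domain wtf.com is assumed from the SMTP banner quoted later in the thread.

```python
from collections import defaultdict

LOCAL_DOMAINS = {"wtf.com"}  # assumption: the server's own accepted domain

# Constructed sample: the same 15 tab-separated columns as the posted snippet,
# with placeholder addresses.
HEADER = ("Server-hostname\tserver-IP\tRecipient-Address\tEvent-ID\tMSGID\tPriority"
          "\tRecipient-Report-Status\ttotal-bytes\tNumber-Recipients\tOrigination-Time"
          "\tEncryption\tservice-Version\tLinked-MSGID\tMessage-Subject\tSender-Address")

def _row(rcpt, msgid, nrcpt, sender):
    return (f"SERVER-1\t10.1.1.2\t{rcpt}\t1025\t{msgid}\t3\t0\t4042\t{nrcpt}"
            f"\t2010-3-30 2:19:49 GMT\t0\tVersion: 6.0.3790.3959\t-\t-\t{sender}")

SAMPLE_LOG = "\n".join([HEADER,
    _row("a@example.com.tw", "RELAY1@example.net", 55, "bogus@example.net"),
    _row("b@example.com.tw", "RELAY1@example.net", 55, "bogus@example.net"),
    _row("b@example.com.tw", "RELAY1@example.net", 55, "bogus@example.net"),  # repeated row
    _row("partner@example.org", "OUT1@wtf.com", 1, "alice@wtf.com"),          # normal outbound
    _row("bob@wtf.com", "IN1@example.org", 1, "carol@example.org"),            # normal inbound
])

def parse_tracking_log(text):
    """Return one dict per data line, keyed by the header's column names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def relay_attempts(rows, local_domains=LOCAL_DOMAINS):
    """Group rows by MSGID and report messages with no local party on either side:
    {msgid: (sender, distinct external recipients seen, Number-Recipients claimed)}."""
    by_msg = defaultdict(lambda: {"sender": "", "rcpts": set(), "claimed": 0})
    for r in rows:
        m = by_msg[r["MSGID"]]
        m["sender"] = r["Sender-Address"]
        m["rcpts"].add(r["Recipient-Address"].lower())
        m["claimed"] = int(r["Number-Recipients"])
    findings = {}
    for msgid, m in by_msg.items():
        external = {x for x in m["rcpts"] if domain(x) not in local_domains}
        # a local sender or any local recipient is ordinary mail flow, not a relay
        if domain(m["sender"]) not in local_domains and external == m["rcpts"]:
            findings[msgid] = (m["sender"], len(external), m["claimed"])
    return findings
```

The posted rows claim 55 recipients while the snippet shows far fewer lines, so on a partial export the "seen" and "claimed" counts will differ; a large gap between them is itself worth a look.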
walksm8 asked:
walksm8 (Author) commented:
OK ended up solving this one. Upon further investigation I noticed that port 25 was open to all the computers on the network so I restricted it to only be open from the server. Upon doing so the traffic seems to have returned to normal and it has given me a chance to clean up the infected pc.

shauncroucher commented:
It won't be from a workstation. Probably authenticated relay, where a username and password is used to send mail through your server. Change passwords on user accounts and turn off authentication if you don't have POP or IMAP users.

shaun
walksm8 (Author) commented:
I've gone down the authentication relay path and that didn't bring anything up. All users have had their passwords changed and authentication is turned off.

I turned on SMTP logging and waited for the appropriate log in Event Viewer to tell me which account might be authenticated, but nothing showed up.
shauncroucher commented:
It will be either open relay or authenticated. What does Wireshark show for SMTP conversations? I can't see using mobile.

shaun
walksm8 (Author) commented:
Here's another capture:

10.1.1.2      10.1.1.4      SMTP      S: 220 wtf.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at  Wed, 31 Mar 2010 10:09:40 +1000
10.1.1.4      10.1.1.2      SMTP      C: HELO WAN IP
10.1.1.2      10.1.1.4      SMTP      S: 250 wtf.com Hello [10.1.1.4]
10.1.1.4      10.1.1.2      SMTP      C: MAIL FROM: <guuas@ms62.hinet.net>
10.1.1.2      10.1.1.4      SMTP      S: 250 2.1.0 guuas@ms62.hinet.net....Sender OK
10.1.1.4      10.1.1.2      SMTP      C: RCPT TO: <ljs2536@yahoo.com.tw>
10.1.1.2      10.1.1.4      TCP      smtp > elvin_server [ACK] Seq=201 Ack=90 Win=65446 Len=0

A few captures down it then has this.

10.1.1.2      10.1.1.4      SMTP      S: 550 5.7.1 Unable to relay for ljs2536@yahoo.com.tw

As I mentioned earlier, the concern is not that the e-mail is getting out, because I don't think it is based on what Wireshark is capturing; it's more the fact that the logs on the server are becoming evidently big and something is causing it to keep trying to send out.
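The capture above already holds the answer the thread later reaches: the client drawing the 550 5.7.1 is 10.1.1.4, an address on the LAN, not an outside sender. The following is an added example (not the poster's or Shaun's code) that reads lines in that src/dst/proto/info layout, ties each 550 rejection back to the client session that caused it, and marks whether the client sits in RFC 1918 space. The sample is constructed: the 10.1.1.4 session mirrors the posted one with placeholder addresses, and 203.0.113.9 is an added outside client on a TEST-NET address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, same src/dst/proto/info layout as the capture above; 203.0.113.9 is
# an added outside client (TEST-NET address), the 10.1.1.4 session mirrors the posted one.
CAPTURE = """\
10.1.1.2      10.1.1.4      SMTP      S: 220 wtf.com Microsoft ESMTP MAIL Service ready
10.1.1.4      10.1.1.2      SMTP      C: HELO WAN IP
10.1.1.2      10.1.1.4      SMTP      S: 250 wtf.com Hello [10.1.1.4]
10.1.1.4      10.1.1.2      SMTP      C: MAIL FROM: <guuas@example.net>
10.1.1.2      10.1.1.4      SMTP      S: 250 2.1.0 guuas@example.net....Sender OK
10.1.1.4      10.1.1.2      SMTP      C: RCPT TO: <ljs2536@example.com.tw>
10.1.1.2      10.1.1.4      TCP       smtp > elvin_server [ACK] Seq=201 Ack=90 Win=65446 Len=0
10.1.1.2      10.1.1.4      SMTP      S: 550 5.7.1 Unable to relay for ljs2536@example.com.tw
203.0.113.9   10.1.1.2      SMTP      C: EHLO mx.example.org
203.0.113.9   10.1.1.2      SMTP      C: MAIL FROM: <news@example.org>
203.0.113.9   10.1.1.2      SMTP      C: RCPT TO: <someone@example.com.tw>
10.1.1.2      203.0.113.9   SMTP      S: 550 5.7.1 Unable to relay for someone@example.com.tw
"""
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
HELO = re.compile(r"^C: (?:HELO|EHLO)\s+(.*)$")
MAIL_FROM = re.compile(r"^C: MAIL FROM:\s*<([^>]*)>")
REJECT = re.compile(r"^S: 550 5\.7\.1 Unable to relay for (\S+)")

def parse_capture(text):
    """Yield (src, dst, proto, info) for each non-empty capture line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groups()

def relay_rejections(text, server_ip):
    """Per client IP that drew a 550 5.7.1: its HELO name, last MAIL FROM, the
    rejected recipients, and whether it sits in RFC 1918 space (the LAN side)."""
    sessions = defaultdict(lambda: {"helo": None, "mail_from": None, "rejected": []})
    for src, dst, proto, info in parse_capture(text):
        if proto != "SMTP":
            continue
        if src == server_ip:                      # server -> client response
            m = REJECT.match(info)
            if m:
                sessions[dst]["rejected"].append(m.group(1))
        else:                                     # client -> server command
            s = sessions[src]
            if (m := HELO.match(info)):
                s["helo"] = m.group(1)
            elif (m := MAIL_FROM.match(info)):
                s["mail_from"] = m.group(1)
    return {ip: dict(s, internal=any(ipaddress.ip_address(ip) in n for n in LAN))
            for ip, s in sessions.items() if s["rejected"]}
```

Calling relay_rejections(CAPTURE, "10.1.1.2") reports both clients, but only 10.1.1.4 comes back with internal=True; a rejected relay from a LAN address points at a host on your own network, which is what the poster eventually found and cut off by restricting outbound port 25 to the server.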
shauncroucher commented:
This is normal. You can't stop your server from having these conversations with the outside world, otherwise how does it know what is genuine mail? It has rejected this at the SMTP level, so that is normal. If it is becoming a problem (and this can happen with badly saturated domain names) you should move to a hosted email hygiene service for them to manage the connections and forward mail to you.

shaun
walksm8 (Author) commented:
Hi Shaun,
Am I correct in saying that this spam e-mail is originating at our Exchange server and then trying to get out?
shauncroucher commented:
Spam from the PCs would not have been going through the server unless you use the server as a router / proxy also.

The snapshot SMTP conversation you posted was a normal rejection from an outside attempt to relay.

Shaun