Spam!?

Hi,

Somehow spam is leaving my network.  I have verified that I am NOT an open relay.  I have verified that I have recipient filtering set up correctly, so as not to get NDR spam.

Originally this problem started when our emails were getting blocked.  I did a black list check and found that I was on 4 black lists.  So, I knew I had my server configured correctly, so I started doing virus scans on all my workstations.  I found several workstations that had viruses.  I since have cleaned that up, or at least I think I have, but there is still spam leaving from my network.  My queue is filled with SMTP connectors, all of them trying to send from info@secretshopper.net.

From 3/25 until now, my application log is filled with MSExchange Transport errors, Event ID 3018:

A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;nostradamus@quite.dead.thanks (Message-ID <MSTSERVERQIhNADKnFh00002ae2@mydomain.com>).  
Causes: This message indicates a DNS problem or an IP address configuration problem  
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.

And Event ID 3030:

A non-delivery report with a status code of 5.1.8 was generated for recipient rfc822;spam@abo.freiepresse.de (Message-ID <MSTSERVERxjoay0q0NT00002af6@mydomain.com>).



I turned on logging a few minutes ago and I already have hundreds of MSExchange Transport warnings, Event ID 7002:

This is an SMTP protocol warning log for virtual server ID 1, connection #1409. The remote host "212.227.15.150", responded to the SMTP command "rcpt" with "421 invalid sender domain 'secretshopper.net' (misconfigured dns?)  ". The full command sent was "RCPT TO:<terinsky@denmark.de>  ".  This may cause the connection to fail.



help?   What is this?  It must be a virus on one of my workstations that I am missing?  How do I find out where these spam messages are originating from on my network?


Thanks for the help.
strick9Asked:
shauncroucherCommented:
If you don't have POP/IMAP, then follow Disable Authenticated Relaying instructions below:

http://www.amset.info/exchange/smtp-relaysecure.asp

Shaun
0
 
shauncroucherCommented:
No, it is not one of your workstations.

If it was a workstation, it would go out directly and wouldn't use your server.

Check for authenticated relay, change all your passwords (including admin) OR turn off authentication on your SMTP virtual server if you don't have POP/IMAP users.

Shaun
0
 
Alan HardistyCo-OwnerCommented:
My article should help you here:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
You are most likely an authenticated relay (you have a compromised password somewhere) and my article will guide you so that you can fix the problem.
@Shaun - I have seen one particular virus that used the Exchange server to send spam out - took me by surprise, but it was a fun one to track down.
0
 
strick9Author Commented:
Thanks for the quick reply.

I need to change every password for every user on my network?
0
 
Alan HardistyCo-OwnerCommented:
Not necessarily - my article will guide you so that you can identify the breached account, but if you don't have many users, changing them all may be quicker!
0
 
shauncroucherCommented:
Either that, or turn off authentication.

You can try turning up SMTP logging to identify which account has been compromised if you wish.

Shaun
0
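Shaun's suggestion to turn up SMTP logging and look for the compromised account can be automated against the protocol log the SMTP virtual server writes. The script below is an added example, not code from this thread, from Microsoft, or from the linked articles. It assumes the log is in W3C extended format and reads the column names from the `#Fields:` header rather than hard-coding positions; the field names `cs-username`, `cs-method` and `cs-uri-query` are assumptions about which columns carry the authenticated account, the SMTP verb and its argument. It groups MAIL and RCPT commands per authenticated username and flags any account that uses a sender address outside the local domain (the info@secretshopper.net pattern from the question) or fans out to unusually many recipients and recipient domains. The log lines are constructed, and the thresholds in the demo call are set low so the small sample trips them.

```python
"""Spot the authenticated account relaying spam, from an SMTP virtual server
protocol log in W3C extended format (added example; field names are assumptions)."""
import re
from collections import defaultdict

# Constructed sample log: "alice" sends one normal message from the local
# domain; "user2" (a hypothetical compromised account) authenticates from an
# outside address and relays mail with a forged sender to many recipients.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2010-03-30 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2010-03-30 08:00:01 10.0.0.25 alice SMTPSVC1 MSTSERVER 10.0.0.1 25 MAIL - +FROM:<alice@mydomain.com> 250
2010-03-30 08:00:01 10.0.0.25 alice SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<bob@partner.example> 250
2010-03-30 08:00:02 10.0.0.25 alice SMTPSVC1 MSTSERVER 10.0.0.1 25 DATA - <MSTSERVER0001@mydomain.com> 250
2010-03-30 08:00:05 203.0.113.77 - SMTPSVC1 MSTSERVER 10.0.0.1 25 EHLO - spamhost.example 250
2010-03-30 08:00:05 203.0.113.77 - SMTPSVC1 MSTSERVER 10.0.0.1 25 AUTH - LOGIN 334
2010-03-30 08:00:06 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 MAIL - +FROM:<info@secretshopper.net> 250
2010-03-30 08:00:06 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<terinsky@denmark.de> 250
2010-03-30 08:00:06 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<spam@abo.freiepresse.de> 250
2010-03-30 08:00:06 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<nostradamus@quite.dead.thanks> 250
2010-03-30 08:00:07 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<someone@example.org> 250
2010-03-30 08:00:07 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 RCPT - +TO:<other@example.net> 250
2010-03-30 08:00:07 203.0.113.77 user2 SMTPSVC1 MSTSERVER 10.0.0.1 25 DATA - <MSTSERVER0002@mydomain.com> 250
"""

# Matches the <user@domain> argument of MAIL FROM / RCPT TO.
ADDR_RE = re.compile(r"<([^<>@\s]+@([^<>\s]+))>")


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]  # "#Fields: a b c" -> ["a", "b", "c"]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed line rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def summarize_by_account(records):
    """Per authenticated username: client IPs, sender addresses, RCPT count, recipient domains."""
    per = defaultdict(lambda: {"client_ips": set(), "senders": set(),
                               "rcpt": 0, "rcpt_domains": set()})
    for r in records:
        user = r.get("cs-username", "-")
        if user == "-":  # unauthenticated session lines carry "-" as the username
            continue
        s = per[user]
        s["client_ips"].add(r["c-ip"])
        addr = ADDR_RE.search(r.get("cs-uri-query", ""))
        verb = r.get("cs-method", "").upper()
        if verb == "MAIL" and addr:
            s["senders"].add(addr.group(1).lower())
        elif verb == "RCPT" and addr:
            s["rcpt"] += 1
            s["rcpt_domains"].add(addr.group(2).lower())
    return dict(per)


def suspicious_accounts(summary, local_domains, max_rcpt=50, max_domains=10):
    """Map username -> list of reasons for every account that looks like a relay abuser."""
    flagged = {}
    for user, s in summary.items():
        reasons = []
        foreign = sorted(a for a in s["senders"] if a.split("@", 1)[1] not in local_domains)
        if foreign:
            reasons.append("sender outside local domains: " + ", ".join(foreign))
        if s["rcpt"] > max_rcpt:
            reasons.append("%d RCPT commands" % s["rcpt"])
        if len(s["rcpt_domains"]) > max_domains:
            reasons.append("%d distinct recipient domains" % len(s["rcpt_domains"]))
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_by_account(parse_w3c(SAMPLE_LOG))
    # Low thresholds for the tiny sample; raise them for a real day's log.
    for user, reasons in suspicious_accounts(summary, {"mydomain.com"}, 4, 3).items():
        print(user, "from", sorted(summary[user]["client_ips"]), "->", "; ".join(reasons))
```

The account it names is the one whose password to reset first; the client IP next to it tells you whether the logins came from inside the network (a workstation to clean) or from outside (a leaked credential being used directly against the server).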
 
shauncroucherCommented:
Thanks Alan, I'm yet to see this happen myself,

Shaun
0
 
strick9Author Commented:
Thanks guys for your quick help.  The spam seems to have stopped now.  I changed the admin password, turned off authenticated relaying, and cleaned up the queues.  Seems to be working so far.  I should probably change all the passwords on my network, as there could still be a compromised password out there.
0
Question has a verified solution.