Spam!?

Hi,

Somehow spam is leaving my network.  I have verified that I am NOT an open relay.  I have verified that I have recipient filtering set up correctly, so as not to get NDR spam.

Originally this problem started when our emails were getting blocked.  I did a black list check and found that I was on 4 black lists.  So, I knew I had my server configured correctly, so I started doing virus scans on all my workstations.  I found several workstations that had viruses.  I since have cleaned that up, or at least I think I have, but there is still spam leaving from my network.  My queue is filled with SMTP connectors, all of them trying to send from info@secretshopper.net.

From 3/25 until now, my application log is filled with MSExchange Transport errors, Event ID 3018:

A non-delivery report with a status code of 5.4.0 was generated for recipient rfc822;nostradamus@quite.dead.thanks (Message-ID <MSTSERVERQIhNADKnFh00002ae2@mydomain.com>).  
Causes: This message indicates a DNS problem or an IP address configuration problem  
Solution: Check the DNS using nslookup or dnsq. Verify the IP address is in IPv4 literal format.

And Event ID 3030:

A non-delivery report with a status code of 5.1.8 was generated for recipient rfc822;spam@abo.freiepresse.de (Message-ID <MSTSERVERxjoay0q0NT00002af6@mydomain.com>).



I turned on logging a few minutes ago and I already have hundreds of MSExchange Transport warnings, Event ID 7002:

This is an SMTP protocol warning log for virtual server ID 1, connection #1409. The remote host "212.227.15.150", responded to the SMTP command "rcpt" with "421 invalid sender domain 'secretshopper.net' (misconfigured dns?)  ". The full command sent was "RCPT TO:<terinsky@denmark.de>  ".  This may cause the connection to fail.



help?   What is this?  It must be a virus on one of my workstations that I am missing?  How do I find out where these spam messages are originating from on my network?


Thanks for the help.
strick9Asked:
shauncroucherCommented:
No, it is not one of your workstations.

If it was a workstation, it would go out directly and wouldn't use your server.

Check for authenticated relay, change all your passwords (including admin) OR turn off authentication on your SMTP virtual server if you don't have POP/IMAP users.

Shaun
0
shauncroucherCommented:
If you don't have POP/IMAP, then follow Disable Authenticated Relaying instructions below:

http://www.amset.info/exchange/smtp-relaysecure.asp

Shaun
0
Alan HardistyCo-OwnerCommented:
My article should help you here:
http://www.experts-exchange.com/articles/Software/Server_Software/Email_Servers/Exchange/Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
You are most likely an authenticated relay (you have a compromised password somewhere) and my article will guide you so that you can fix the problem.
@Shaun - I have seen one particular virus that used the Exchange server to send spam out - took me by surprise, but it was a fun one to track down.
0
strick9Author Commented:
Thanks for the quick reply.

I need to change every password for every user on my network?
0
Alan HardistyCo-OwnerCommented:
Not necessarily - my article will guide you so that you can identify the breached account, but if you don't have many users, changing them all may be quicker!
0
shauncroucherCommented:
Either that, or turn off authentication.

You can try turning up SMTP logging to identify which account has been compromised if you wish.

Shaun
0
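One way to act on the logging suggestion above, as an added example that is not from the thread or from Exchange itself: a small Python script that reads a W3C-style SMTP protocol log, groups commands by client IP, and ranks the clients that authenticated (AUTH answered 235) and then submitted the most recipients, together with the MAIL FROM addresses they used. The `#Fields` set and every sample line in `SAMPLE_LOG` are constructed for illustration and assume only a subset of the real Exchange 2003 columns; since the log is assumed not to carry the authenticating username in the clear, the client IP and sender address are the pivot for tracing the session back to an account.

```python
import re
from collections import defaultdict

# Constructed sample in W3C extended format; not a real log from the thread.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-03-26 09:00:01 203.0.113.7 EHLO +spammer-host 250
2010-03-26 09:00:01 203.0.113.7 AUTH +LOGIN 235
2010-03-26 09:00:02 203.0.113.7 MAIL +FROM:+<info@secretshopper.net> 250
2010-03-26 09:00:02 203.0.113.7 RCPT +TO:+<terinsky@denmark.de> 250
2010-03-26 09:00:02 203.0.113.7 RCPT +TO:+<spam@abo.freiepresse.de> 250
2010-03-26 09:00:05 203.0.113.7 MAIL +FROM:+<info@secretshopper.net> 250
2010-03-26 09:00:05 203.0.113.7 RCPT +TO:+<nostradamus@quite.dead.thanks> 250
2010-03-26 09:01:10 192.168.1.20 EHLO +workstation20 250
2010-03-26 09:01:10 192.168.1.20 MAIL +FROM:+<alice@mydomain.com> 250
2010-03-26 09:01:10 192.168.1.20 RCPT +TO:+<bob@example.org> 250"""
ADDR_RE = re.compile(r"<([^>]+)>")

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def summarize_sessions(text):
    """Per client IP: whether AUTH succeeded (235), RCPT count, MAIL FROM set."""
    per_ip = defaultdict(lambda: {"authenticated": False, "rcpt": 0, "senders": set()})
    for rec in parse_w3c(text):
        entry = per_ip[rec["c-ip"]]
        verb = rec["cs-method"].upper()
        arg = rec.get("cs-uri-query", "").replace("+", " ")  # W3C encodes spaces as '+'
        if verb == "AUTH" and rec.get("sc-status") == "235":
            entry["authenticated"] = True
        elif verb == "MAIL" and (m := ADDR_RE.search(arg)):
            entry["senders"].add(m.group(1).lower())
        elif verb == "RCPT":
            entry["rcpt"] += 1
    return dict(per_ip)

def suspicious_relays(text, min_rcpt=2):
    """Authenticated clients with >= min_rcpt recipients, busiest first."""
    rows = [(ip, e["rcpt"], sorted(e["senders"]))
            for ip, e in summarize_sessions(text).items()
            if e["authenticated"] and e["rcpt"] >= min_rcpt]
    return sorted(rows, key=lambda r: r[1], reverse=True)
```

On the sample, only 203.0.113.7 authenticated and then relayed, so it is the one session worth matching against the security log and the account that logged on from it; the internal workstation that never sent AUTH is filtered out.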
shauncroucherCommented:
Thanks Alan, I'm yet to see this happen myself,

Shaun
0
strick9Author Commented:
Thanks guys for your quick help.  The spam seems to have stopped now.  I changed the admin password, turned off authenticated relaying, and cleaned up the queues.  Seems to be working so far.  I should probably change all the passwords on my network, as there could still be a compromised password out there.
0