Exchange 2003 - SMTP Connector - SPAM

Posted on 2010-08-12
Last Modified: 2013-11-30
My Exchange server is getting attacked and I can't tell where the emails are coming from.  When I go to my server and look under Queues, there is a long list of emails trying to get out.  They're spam, because they're from bogus email addresses.  When I look under the properties of one of these emails, there's no way of telling where these emails are coming from.  Most of the senders are: "PayPal"<> Obviously one of my computers is infected or I'm being hacked.  Is there an easy way of figuring out where they are coming from?  I tried Wireshark, but I'm new to it and it's hard to understand.  I tried filtering SMTP, but I couldn't pinpoint where the messages were coming from.  Thank you in advance.
Question by:nosajgbwi
LVL 76

Accepted Solution

Alan Hardisty earned 500 total points
ID: 33422172
If the senders of the emails in your queues are not from Postmaster and are from, then you are an authenticated relay.
Please read through my article, increase the diagnostic logging, identify the account / password that has been compromised, change the password, restart the SMTP service and the problem should stop growing.
Then clear up your outbound queues, monitor for a while, then remove yourself from the blacklists that you are going to be on:
My Article:'t-send.html 
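The accepted answer's procedure (turn up logging, find the account being used to relay, reset its password) comes down to reading the SMTP protocol log and asking which authenticated user is behind the flood. The script below is an added example for this thread, not the experts' code or an Exchange tool. It assumes the SMTP virtual server writes W3C extended-format protocol logs (a `#Fields:` header naming the columns, one space-separated record per line, `-` for an empty field); the sample log and the exact column set (`c-ip`, `cs-username`, `cs-method`, `cs-uri-query`, `sc-status`) are constructed assumptions, and the parser simply reads whatever `#Fields:` names. It also counts failed AUTH attempts per client IP, which is the password-guessing pattern the second comment warns about.

```python
"""Locate the compromised account behind an outbound spam flood in SMTP protocol logs.

Added example for this thread; it is not the experts' code or an Exchange tool.
It assumes W3C extended-format protocol logs: a '#Fields:' header naming the
columns, then one space-separated record per line, with '-' for an empty field.
The sample is constructed, and the column set (c-ip, cs-username, cs-method,
cs-uri-query, sc-status) is an assumption; the parser reads whatever '#Fields:' names.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one authenticated account (jsmith) relaying forged "PayPal"
# mail from an outside address, one normal user, and one IP guessing passwords.
SAMPLE_LOG = """\
#Software: constructed sample, not a real Exchange log
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2010-08-12 09:00:01 203.0.113.77 - EHLO +mx.spam-source.example 250
2010-08-12 09:00:01 203.0.113.77 jsmith AUTH +LOGIN 235
2010-08-12 09:00:02 203.0.113.77 jsmith MAIL +FROM:<service@paypal.example> 250
2010-08-12 09:00:02 203.0.113.77 jsmith RCPT +TO:<victim1@example.net> 250
2010-08-12 09:00:02 203.0.113.77 jsmith RCPT +TO:<victim2@example.net> 250
2010-08-12 09:00:02 203.0.113.77 jsmith RCPT +TO:<victim3@example.org> 250
2010-08-12 09:00:03 203.0.113.77 jsmith DATA - 250
2010-08-12 09:00:04 203.0.113.77 jsmith MAIL +FROM:<service@paypal.example> 250
2010-08-12 09:00:04 203.0.113.77 jsmith RCPT +TO:<victim4@example.net> 250
2010-08-12 09:00:04 203.0.113.77 jsmith RCPT +TO:<victim5@example.com> 250
2010-08-12 09:00:05 203.0.113.77 jsmith DATA - 250
2010-08-12 09:01:10 192.0.2.10 mbrown AUTH +LOGIN 235
2010-08-12 09:01:11 192.0.2.10 mbrown MAIL +FROM:<mbrown@corp.example> 250
2010-08-12 09:01:11 192.0.2.10 mbrown RCPT +TO:<partner@example.com> 250
2010-08-12 09:01:12 192.0.2.10 mbrown DATA - 250
2010-08-12 09:02:00 198.51.100.9 - AUTH +LOGIN 535
2010-08-12 09:02:01 198.51.100.9 - AUTH +LOGIN 535
2010-08-12 09:02:02 198.51.100.9 - AUTH +LOGIN 535
2010-08-12 09:02:03 198.51.100.9 - AUTH +LOGIN 535
"""

def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no records
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign columns
        records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records

def summarize(records):
    """Per authenticated user: MAIL/RCPT counts, client IPs and envelope senders.
    Separately, failed AUTH attempts per client IP (password guessing)."""
    per_user = defaultdict(lambda: {"mail": 0, "rcpt": 0, "ips": set(), "senders": Counter()})
    failed_auth = Counter()
    for r in records:
        method = (r.get("cs-method") or "").upper()
        user, ip, status = r.get("cs-username"), r.get("c-ip"), r.get("sc-status")
        if method == "AUTH":
            if status != "235":  # 235 = authentication succeeded
                failed_auth[ip] += 1
            continue
        if user is None:
            continue  # unauthenticated traffic (inbound mail) is not relay abuse
        stats = per_user[user]
        stats["ips"].add(ip)
        if method == "RCPT":
            stats["rcpt"] += 1
        elif method == "MAIL":
            stats["mail"] += 1
            m = re.search(r"<([^>]*)>", r.get("cs-uri-query") or "")
            stats["senders"][m.group(1) if m else "?"] += 1
    return per_user, failed_auth

def suspect_accounts(per_user, rcpt_threshold=4):
    """Accounts that relayed more recipients than the threshold, busiest first.
    The threshold is a tuning knob; derive it from your own normal volume."""
    hits = [u for u, s in per_user.items() if s["rcpt"] > rcpt_threshold]
    return sorted(hits, key=lambda u: per_user[u]["rcpt"], reverse=True)

def guessing_sources(failed_auth, threshold=3):
    """Client IPs with at least `threshold` failed AUTH attempts."""
    return sorted(ip for ip, n in failed_auth.items() if n >= threshold)

if __name__ == "__main__":
    users, failures = summarize(parse_w3c(SAMPLE_LOG))
    for u in suspect_accounts(users):
        s = users[u]
        print(f"reset password for {u}: {s['rcpt']} recipients from {sorted(s['ips'])}, "
              f"claimed senders {dict(s['senders'])}")
    print("lock out / block:", guessing_sources(failures))
```

On the constructed sample this names `jsmith` as the relaying account (an outside IP, a forged sender that does not match the account) and `198.51.100.9` as a source of repeated failed logins. On a real log the interesting signal is the same: an authenticated user whose client IP is not one of yours and whose MAIL FROM is not their own address. Point the parser at the real log file instead of `SAMPLE_LOG`, and treat the thresholds as starting points.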
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33422249
As a precaution - close down TCP Port 25 on your firewall outbound so that you are not spewing out spam.  It will also give the Blacklist sites a chance to stop re-listing you because they will stop receiving the spam and then there is more chance they will feel you have a handle on the situation.
Once you are sorted, you can open it back up again.
It is always worth having Strong Passwords on your accounts and for them to be changed regularly.  If you do not do this currently, then I would strongly recommend you do this afterwards to prevent this type of attack (which I have seen lots of recently) from happening again.  Also set account lockout policies to lock out an account where the password is tried several times unsuccessfully.
The spammers will just keep trying usernames / password combinations until they finally get in and then this will happen again if you don't tighten up your security.
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33422590
Also check if your email server is being used to send the spam. This is done by checking your server for open relay:

I hope that would help too.


Author Comment

ID: 33423260
OK, I did what your article said, but I'm still getting a queue to  All the messages are from postmaster@xxxx.local.  I went to the link about setting up the Sender and Recipient filtering, and did what it said.  Do I have it configured wrong?

I found the acct. it was using, changed the password, and restarted SMTP.  Any other suggestions?
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33423437
Did you check if your server is not an open relay, as suggested by me earlier?


Author Comment

ID: 33423481
Yes, and it is not.
LVL 34

Expert Comment

by:Shreedhar Ette
ID: 33423638
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33424042
Postmaster messages are because you are not filtering recipients in your server and sending out NDR messages to invalid recipients (called backscatter).  You are therefore being bombarded with spam to invalid recipients and your server is replying to the invalid ones.
Make sure you enable Recipient Filtering on your server: 
The queues may take a while to die down.  The Cleanup article referenced in my article should help you to empty the queues fairly quickly.
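The backscatter mechanism described above is easiest to see as a protocol exchange. The model below is an added example for this thread, not the experts' code and not how Exchange is implemented internally: it runs one constructed spam run (forged senders, mostly guessed recipients) through a toy RCPT TO stage twice, once accepting every recipient and bouncing the unknown ones afterwards, once refusing unknown recipients with 550 during the session. The mailbox directory, addresses and messages are all constructed.

```python
"""Why Recipient Filtering stops backscatter: a toy model of the RCPT TO stage.

Added example for this thread; not the experts' code and not Exchange's own logic.
  - without recipient filtering, every RCPT TO gets 250, the message is taken in,
    and the categorizer later finds the mailbox missing and queues an NDR to the
    forged sender (the postmaster mail that fills the outbound queue);
  - with recipient filtering, an unknown mailbox is refused with 550 during the
    SMTP session, so nothing is accepted and there is nothing to bounce.
The mailbox directory, addresses and messages are all constructed.
"""
from dataclasses import dataclass, field

VALID_MAILBOXES = {"alice@corp.example", "bob@corp.example"}  # constructed directory

@dataclass
class Message:
    mail_from: str          # envelope sender; forged in the spam run
    rcpt_to: list

@dataclass
class NDR:
    to: str                 # the forged envelope sender, i.e. an innocent third party
    failed_recipients: list

@dataclass
class Outcome:
    transcript: list = field(default_factory=list)
    delivered: list = field(default_factory=list)   # (sender, recipient) pairs that exist
    ndrs: list = field(default_factory=list)         # bounces added to the outbound queue

def handle_message(msg, recipient_filtering, valid=VALID_MAILBOXES):
    """Run one inbound message through the modelled SMTP session and categorizer."""
    out = Outcome()
    out.transcript.append(f"C: MAIL FROM:<{msg.mail_from}>")
    out.transcript.append("S: 250 2.1.0 Sender OK")
    accepted = []
    for rcpt in msg.rcpt_to:
        out.transcript.append(f"C: RCPT TO:<{rcpt}>")
        if recipient_filtering and rcpt not in valid:
            out.transcript.append("S: 550 5.1.1 User unknown")  # refused at SMTP time
            continue
        out.transcript.append("S: 250 2.1.5 Recipient OK")
        accepted.append(rcpt)
    if not accepted:
        out.transcript.append("C: QUIT")  # nothing accepted, so no bounce can ever result
        return out
    out.transcript.append("C: DATA ... S: 250 2.6.0 Queued")
    # Post-acceptance: the categorizer discovers which accepted recipients exist.
    missing = [r for r in accepted if r not in valid]
    out.delivered.extend((msg.mail_from, r) for r in accepted if r in valid)
    if missing:
        # A real NDR is sent with the null envelope sender <> and a postmaster From:
        # header; the queue view shows it as postmaster mail, as in the question.
        out.ndrs.append(NDR(to=msg.mail_from, failed_recipients=missing))
    return out

def run_campaign(messages, recipient_filtering):
    """Return (delivered pairs, NDRs queued) for a whole run of messages."""
    delivered, ndrs = [], []
    for m in messages:
        o = handle_message(m, recipient_filtering)
        delivered.extend(o.delivered)
        ndrs.extend(o.ndrs)
    return delivered, ndrs

# Constructed spam run: forged senders, recipients mostly guessed.
SPAM_RUN = [
    Message("service@paypal.example", ["zzz1@corp.example", "zzz2@corp.example", "alice@corp.example"]),
    Message("service@paypal.example", ["aaron@corp.example", "abbey@corp.example", "abel@corp.example"]),
    Message("alerts@bank.example", ["bob@corp.example", "bobby@corp.example"]),
]

if __name__ == "__main__":
    for filtering in (False, True):
        delivered, ndrs = run_campaign(SPAM_RUN, filtering)
        print(f"recipient filtering={filtering}: {len(delivered)} delivered, "
              f"{len(ndrs)} NDRs queued to forged senders")
    print("\n".join(handle_message(SPAM_RUN[1], recipient_filtering=True).transcript))
```

Both runs deliver the same two legitimate recipients; only the unfiltered run queues three NDRs addressed to forged third parties. Two practical notes: in Exchange 2003 the filter is defined under Global Settings > Message Delivery but also has to be applied on each SMTP virtual server before it takes effect, which is worth re-checking when the postmaster queue does not shrink; and answering 550 at RCPT time tells a sender which addresses exist, which is why Exchange 2003 SP2 pairs recipient filtering with SMTP tarpitting (a delay before the rejection) to slow down directory harvesting.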

Author Closing Comment

ID: 33430314
You're the coolest guy on the planet right now.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33430351
Thanks - shame it won't last ; )
Glad it sorted you out and thanks for the points.


Question has a verified solution.