Exchange 2003 - SMTP Connector - SPAM

My Exchange server is getting attacked and I can't tell where the emails are coming from. When I go to my server and look under Queues, there is a long list of emails trying to get out. They're spam, because they're from bogus email addresses. When I look under the properties of one of these emails, there's no way of telling where these emails are coming from. Most of the senders are: "PayPal"<accnt.dta@ppal.com>. Obviously one of my computers is infected or I'm being hacked. Is there an easy way of figuring out where they are coming from? I tried Wireshark, but I'm new to it and it's hard to understand. I tried filtering SMTP, but I couldn't pinpoint where the messages were coming from. Thank you in advance.
nosajgbwi asked:

Alan Hardisty (Co-Owner) commented:
If the senders of the emails in your queues are not Postmaster and are from ppal.com, then you are an authenticated relay.
Please read through my article, increase the diagnostic logging, identify the account / password that has been compromised, change the password, restart the SMTP service and the problem should stop growing.
Then clear up your outbound queues, monitor for a while, then remove yourself from the blacklists that you are going to be on:
www.mxtoolbox.com/blacklists.aspx
My Article:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Alan Hardisty (Co-Owner) commented:
As a precaution - close down TCP Port 25 on your firewall outbound so that you are not spewing out spam.  It will also give the Blacklist sites a chance to stop re-listing you because they will stop receiving the spam and then there is more chance they will feel you have a handle on the situation.
Once you are sorted, you can open it back up again.
It is always worth having Strong Passwords on your accounts and for them to be changed regularly.  If you do not do this currently, then I would strongly recommend you do this afterwards to prevent this type of attack (which I have seen lots of recently) from happening again.  Also set account lockout policies to lock out an account where the password is tried several times unsuccessfully.
The spammers will just keep trying usernames / password combinations until they finally get in and then this will happen again if you don't tighten up your security.
Sudeep Sharma (Technical Designer) commented:
Also check if your email server is being used to send the spam; this is done by checking your server for open relay:

http://www.mxtoolbox.com/diagnostic.aspx
http://www.spamhelp.org/shopenrelay/
http://www.checkor.com/

I hope that would help too.

Sudeep
nosajgbwi (Author) commented:
OK, I did what your article said, but I'm still getting a queue to ppal.com.  All the messages are from postmaster@xxxx.local.  I went to the link about setting up the Sender and Recipient filtering, and did what it said.  Do I have it configured wrong?

I found the acct. it was using, changed the password, and restarted SMTP.  Any other suggestions?
Sudeep Sharma (Technical Designer) commented:
Did you check if your server is not an open relay, as suggested by me earlier?

Sudeep
nosajgbwi (Author) commented:
Yes, and it is not.
Alan Hardisty (Co-Owner) commented:
Postmaster messages are because you are not filtering recipients in your server and sending out NDR messages to invalid recipients (called backscatter).  You are therefore being bombarded with spam to invalid recipients and your server is replying to the invalid ones.
Make sure you enable Recipient Filtering on your server:
http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
The queues may take a while to die down.  The Cleanup article referenced in my article should help you to empty the queues fairly quickly.
nosajgbwi (Author) commented:
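The two symptoms Alan describes in this thread (an authenticated relay through a compromised account, and backscatter from accepting mail for recipients that do not exist) both leave a trace in the SMTP virtual server's protocol log. The following script is an added example, not code from the thread or from any of the linked articles: it parses a constructed, trimmed W3C-style log (the column set, the account name jsmith, the LAN range 192.0.2.0/24, the hosted domains and the mailbox list are all assumptions for the example) and reports which account is being used to relay from outside the LAN and how many accepted RCPT TO commands will turn into postmaster NDRs.

```python
"""Triage an Exchange 2003 SMTP virtual server log for the two abuse patterns
in the thread: authenticated relay via a compromised account, and backscatter
(NDRs generated for mail accepted to non-existent local recipients).
The log is W3C extended format as written by the IIS SMTP service; the field
set used here is a trimmed, CONSTRUCTED subset for this example only."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed office LAN
LOCAL_DOMAINS = {"example.com", "example.local"}        # assumed hosted domains
VALID_MAILBOXES = {"alan@example.com", "jsmith@example.com"}  # constructed; really from AD

# Constructed sample: 203.0.113.45 is a spammer holding jsmith's password,
# 192.0.2.33 is jsmith's real workstation, 198.51.100.x are dictionary-attack bots.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-03-01 08:00:01 203.0.113.45 - EHLO +mail.spam.example 250
2011-03-01 08:00:01 203.0.113.45 jsmith AUTH LOGIN 235
2011-03-01 08:00:02 203.0.113.45 jsmith MAIL +FROM:<accnt.dta@ppal.com> 250
2011-03-01 08:00:02 203.0.113.45 jsmith RCPT +TO:<victim1@mail.example> 250
2011-03-01 08:00:05 203.0.113.45 - EHLO +mail.spam.example 250
2011-03-01 08:00:05 203.0.113.45 jsmith AUTH LOGIN 235
2011-03-01 08:00:06 203.0.113.45 jsmith MAIL +FROM:<accnt.dta@ppal.com> 250
2011-03-01 08:00:06 203.0.113.45 jsmith RCPT +TO:<victim2@mail.example> 250
2011-03-01 08:01:10 192.0.2.33 - EHLO +pc33.example.local 250
2011-03-01 08:01:10 192.0.2.33 jsmith AUTH LOGIN 235
2011-03-01 08:01:11 192.0.2.33 jsmith MAIL +FROM:<jsmith@example.com> 250
2011-03-01 08:01:11 192.0.2.33 jsmith RCPT +TO:<partner@mail.example> 250
2011-03-01 08:02:00 198.51.100.7 - EHLO +bot.example 250
2011-03-01 08:02:00 198.51.100.7 - MAIL +FROM:<bogus@spam.example> 250
2011-03-01 08:02:01 198.51.100.7 - RCPT +TO:<aaron@example.com> 250
2011-03-01 08:02:01 198.51.100.7 - RCPT +TO:<abby@example.com> 250
2011-03-01 08:02:01 198.51.100.7 - RCPT +TO:<alan@example.com> 250
2011-03-01 08:02:30 198.51.100.8 - EHLO +bot2.example 250
2011-03-01 08:02:30 198.51.100.8 - MAIL +FROM:<> 250
2011-03-01 08:02:31 198.51.100.8 - RCPT +TO:<zzz@example.com> 250
"""


@dataclass
class Session:
    client_ip: str
    auth_user: Optional[str] = None
    mail_from: Optional[str] = None
    rcpts: List[str] = field(default_factory=list)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, naming columns from the #Fields header."""
    fields: Optional[List[str]] = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and line.strip():
            parts = line.split()
            if fields and len(parts) == len(fields):
                yield dict(zip(fields, parts))


def extract_addr(arg: str) -> str:
    """'+FROM:<a@b>' -> 'a@b'; the null sender '<>' becomes ''."""
    m = re.search(r"<([^>]*)>", arg)
    return m.group(1).lower() if m else ""


def sessions_from_log(text: str) -> List[Session]:
    """The log carries no session id, so a new EHLO/HELO from an IP opens a
    new session for that IP; only 2xx-accepted commands are recorded."""
    sessions: List[Session] = []
    open_by_ip: Dict[str, Session] = {}
    for rec in parse_w3c(text):
        ip, verb, arg = rec["c-ip"], rec["cs-method"].upper(), rec["cs-uri-query"]
        if verb in ("EHLO", "HELO") or ip not in open_by_ip:
            open_by_ip[ip] = Session(ip)
            sessions.append(open_by_ip[ip])
        s, ok = open_by_ip[ip], rec["sc-status"].startswith("2")
        if verb == "AUTH" and ok:
            s.auth_user = rec["cs-username"]
        elif verb == "MAIL" and ok:
            s.mail_from = extract_addr(arg)
        elif verb == "RCPT" and ok:
            s.rcpts.append(extract_addr(arg))
    return sessions


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_local(addr: str) -> bool:
    return addr.rpartition("@")[2] in LOCAL_DOMAINS


def authenticated_relay_report(sessions: List[Session]) -> Dict[str, Dict[str, int]]:
    """Authenticated sessions from outside the LAN whose MAIL FROM is not one of
    our domains: {user: {client_ip: session count}}. The user named here is the
    account whose password must be changed before the queues are cleared."""
    report: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        if s.auth_user and s.mail_from and not is_internal(s.client_ip) and not is_local(s.mail_from):
            report[s.auth_user][s.client_ip] += 1
    return {u: dict(ips) for u, ips in report.items()}


def backscatter_exposure(sessions: List[Session], valid=VALID_MAILBOXES) -> Dict[str, int]:
    """Unauthenticated RCPT TO accepted (250) for a local address that does not
    exist. Without Recipient Filtering each becomes a postmaster NDR to a forged
    sender: {client_ip: count of NDRs this log will produce}."""
    counts: Dict[str, int] = defaultdict(int)
    for s in sessions:
        if s.auth_user:
            continue
        counts[s.client_ip] += sum(1 for r in s.rcpts if is_local(r) and r not in valid)
    return {ip: n for ip, n in counts.items() if n}


if __name__ == "__main__":
    sess = sessions_from_log(SAMPLE_LOG)
    print("compromised-account candidates:", authenticated_relay_report(sess))
    print("NDRs this log will generate:", backscatter_exposure(sess))
```

On a real server, point the script at the current log under the SMTP virtual server's logging directory after raising diagnostic logging as Alan's article describes, and use the AD mailbox list in place of VALID_MAILBOXES. A non-empty relay report identifies the account to reset; a non-empty backscatter report is the volume of postmaster mail that Recipient Filtering would have rejected at RCPT time instead of queuing as NDRs.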
You're the coolest guy on the planet right now.
Alan Hardisty (Co-Owner) commented:
Thanks - shame it won't last ; )
Glad it sorted you out and thanks for the points.
Alan