Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange server used as spam relay - how to stop?

Posted on 2010-11-19
16
Medium Priority
?
652 Views
Last Modified: 2012-05-10
Our customer has got complains from the broadband company that spam is sent from their IP-number.

They have a Exchange server 2003.

In the "message tracking center" in System manager, I am unable to see theese exemples of sent spam. But I can see all the normal traffic in/out from the exchange server.

What else can I do to track theese spam sent from their IP-number? And what can I do to lookup the server from outside users beeing able to relay throw this machine?
> * Date: Wed, 17 Nov 2010 15:36:34 -0700
> * From: Order Pfizer Online <ifecyei4430@telia.com>
> * Subject: Hi moron, Mega discounts. They Agreement to
> * Host: XXX-XXX-XXX-XXX.customer.telia.com [XXX.XXX.XXX.XXX]
> * Reason: MULTI-BLACKLIST - [S=6 - cbl.abuseat.org bl.spamcop.net] - OurBl DynamicIP BlList - X=pascal H=XXX-XXX-XXX-XXX.customer.telia.com [XXX.XXX.XXX.XXX] HELO=[telia.com] F=[ifecyei4430@telia.com] T=[moron@politicalstrikes.com] S=[Hi moron, Mega discoun
> 
> For more information about these abuse reports: http://wiki.junkemailfilter.com/index.php/Spam_abuse
> To test or be removed from our blacklist: http://ipadmin.junkemailfilter.com/remove.php?ip=XXX.XXX.XXX.XXX

Open in new window

0
Comment
Question by:Martin_Radbo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 9
  • 7
16 Comments
 

Author Comment

by:Martin_Radbo
ID: 34173912
Nice article.

I tried to enable auth. logging= Full, but still nothing appears in the Application log (event viewer). I tried to log in as a normal user, sent an outbound email. I thought I would see this in the log, but I did not.

Maybe I miss something here.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34173994
Thanks : )

Okay - maybe it won't be there to see!

Who are the senders of the emails?  Administrator or random users?
0
Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

 

Author Comment

by:Martin_Radbo
ID: 34174091
Random users!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34174120
Okay - then you have an Authenticated Relay.

Stop and restart the SMTP Service - that should force the spammer to re-authenticate and should hopefully pop up in the App Event Log.
0
 

Author Comment

by:Martin_Radbo
ID: 34174190
I thought the thing was to stop all attempts from outside to relay. The normal users do not user this server for smtp relay at all, they always use outlook/exchange or OWA.

I tried restarting SMTP service. Still no entries in log if a normal user sends emails. If there have been any spammers trying right now I have no idea about.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34174272
The alternative if there are no events in the event logs is that either the server has a virus or a client on your network does.

Do you have any Anti-Spam software installed on the server?
0
 

Author Comment

by:Martin_Radbo
ID: 34174574
But one of my users in the LAN sends an email and still I can not see anything in the appl. log. Is that normal?  

I do not think we have any virus causing this, I am quite sure it is "outside spammers" using the server as a smtp relay.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34174611
Okay - check your SMTP Connections on the Server:

Exchange System Manager> Servers> Protocols> SMTP> Default SMTP Virtual Server> Current Sessions
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34174616
Also - worth installing a trial of Vamsoft ORF if you don't have any Anti-Spam software on it - I have used it numerous to trace the account and resolve Open Relays.

www.vamsoft.com
0
 

Author Comment

by:Martin_Radbo
ID: 34174757
OK. There are no current sessions, maybe I missed to tell you before. But there are spammers using this server since there have been reports about it the last days.

So I need to close the ability to user that server as a relay, there are no need for that what so ever.
Anyone?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 34174785
Okay - on the Default SMTP Virtual Server Properties> Access Tab> Relay Button - Make sure Only The List Below is Selected and empty apart from the Server IP address and that "Allow all computers which successfully authenticate to relay, regardless of the list above" is not ticked.

Then click on the Users button and make sure that is empty too apart from Authenticated Users and that Relay is not ticked.

Click OK and then restart the SMTP Service.
0
 

Author Comment

by:Martin_Radbo
ID: 34175109
Done!

I will wait and see a few days if anything more happen, before I close this question.

Thanks for your help so far.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34175127
No probs - only close a question down when you have a solution that works for you.

Fingers crossed for the weekend.  If it continues - I am usually around so just post another comment.

Have a good weekend.

Alan
0
 

Author Comment

by:Martin_Radbo
ID: 34203335
It is hard to really know if something nasty is going on, but so far we have not received any spam-reports from anyone so I think it works now. WIll check again in a few days.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34204238
Good news - don't forget to check on www.mxtoolbox.com/blacklists.aspx to see if you are listed and if you are - if the last reported date is recent or when you made the changes to stop the relay.

If it was when you changed the settings - then you have stemmed the flood and should be able to request de-listing.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question