Martin Radbo
asked on
Exchange server used as spam relay - how to stop?
Our customer has got complaints from the broadband company that spam is sent from their IP number.
They have an Exchange Server 2003.
In the "Message Tracking Center" in System Manager, I am unable to see these examples of sent spam. But I can see all the normal traffic in/out from the Exchange server.
What else can I do to track this spam sent from their IP number? And what can I do to lock up the server from outside users being able to relay through this machine?
> * Date: Wed, 17 Nov 2010 15:36:34 -0700
> * From: Order Pfizer Online <ifecyei4430@telia.com>
> * Subject: Hi moron, Mega discounts. They Agreement to
> * Host: XXX-XXX-XXX-XXX.customer.telia.com [XXX.XXX.XXX.XXX]
> * Reason: MULTI-BLACKLIST - [S=6 - cbl.abuseat.org bl.spamcop.net] - OurBl DynamicIP BlList - X=pascal H=XXX-XXX-XXX-XXX.customer.telia.com [XXX.XXX.XXX.XXX] HELO=[telia.com] F=[ifecyei4430@telia.com] T=[moron@politicalstrikes.com] S=[Hi moron, Mega discoun
>
> For more information about these abuse reports: http://wiki.junkemailfilter.com/index.php/Spam_abuse
> To test or be removed from our blacklist: http://ipadmin.junkemailfilter.com/remove.php?ip=XXX.XXX.XXX.XXX
ASKER
Nice article.
I tried to enable authentication logging = Full, but still nothing appears in the Application log (Event Viewer). I logged in as a normal user and sent an outbound email. I thought I would see this in the log, but I did not.
Maybe I am missing something here.
Thanks : )
Okay - maybe it won't be there to see!
Who are the senders of the emails? Administrator or random users?
ASKER
Random users!
Okay - then you have an Authenticated Relay.
Stop and restart the SMTP Service - that should force the spammer to re-authenticate and should hopefully pop up in the App Event Log.
ASKER
I thought the thing was to stop all attempts from outside to relay. The normal users do not use this server for SMTP relay at all; they always use Outlook/Exchange or OWA.
I tried restarting the SMTP service. Still no entries in the log if a normal user sends emails. Whether any spammers have been trying right now, I have no idea.
The alternative if there are no events in the event logs is that either the server has a virus or a client on your network does.
Do you have any Anti-Spam software installed on the server?
ASKER
But one of my users on the LAN sends an email and still I cannot see anything in the Application log. Is that normal?
I do not think we have any virus causing this; I am quite sure it is "outside spammers" using the server as an SMTP relay.
Okay - check your SMTP Connections on the Server:
Exchange System Manager> Servers> Protocols> SMTP> Default SMTP Virtual Server> Current Sessions
Also - worth installing a trial of Vamsoft ORF if you don't have any Anti-Spam software on it - I have used it numerous times to trace the account and resolve Open Relays.
www.vamsoft.com
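Checking Current Sessions only shows a spammer who is connected at that moment. The question the abuse reports really raise is whether anyone on the Internet can relay through the box, and that can be tested directly with the same SMTP dialogue a spammer uses. The following Python probe is an added example, not code from this thread, from Vamsoft or from Exchange: it does EHLO, MAIL FROM with an outside sender, RCPT TO with an outside recipient, and reports whether the server answers 250 (it will relay) or rejects the recipient with 550 5.7.1 "Unable to relay", which is what a correctly locked-down Exchange 2003 Default SMTP Virtual Server returns. It never sends DATA, so no message is delivered. To run offline it includes a constructed fake SMTP server; the domain example.com, the .invalid addresses and the loopback port are assumptions. To test the real server, call relay_test() against its public IP on port 25 from a machine outside the LAN, since relay restrictions often exempt internal addresses.

```python
"""Outside-in SMTP relay probe, plus a constructed fake server so it runs offline.
Added example for this thread; not code from the thread or from Exchange."""
import socket
import threading

LOCAL_DOMAINS = {"example.com"}  # assumption: domains the server accepts mail for


def _fake_smtp_server(listener, allow_relay):
    """Constructed stand-in for the target: open relay if allow_relay, otherwise
    accepts RCPT TO only for LOCAL_DOMAINS, like a locked-down Exchange 2003."""
    conn, _ = listener.accept()
    rd = conn.makefile("rb")
    reply = lambda text: conn.sendall((text + "\r\n").encode())
    reply("220 fake.example.com ESMTP (constructed)")
    while True:
        raw = rd.readline()
        if not raw:
            break
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply("250 fake.example.com Hello")
        elif verb == "MAIL":
            reply("250 2.1.0 Sender OK")
        elif verb == "RCPT":  # arg is "TO:<user@domain>"
            domain = arg.rsplit("@", 1)[-1].strip("<> ").lower()
            if allow_relay or domain in LOCAL_DOMAINS:
                reply("250 2.1.5 Recipient OK")
            else:
                reply("550 5.7.1 Unable to relay")
        elif verb == "RSET":
            reply("250 2.0.0 Reset")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("500 5.5.2 Unrecognized command")
    rd.close()
    conn.close()


class SmtpProbe:
    """Raw-socket SMTP client that records the whole dialogue in .transcript."""
    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rd = self.sock.makefile("rb")
        self.transcript = []
        self.read_reply()  # greeting banner

    def read_reply(self):
        """Read one reply (multi-line '250-...' included); return the 3-digit code."""
        while True:
            line = self.rd.readline().decode(errors="replace").rstrip("\r\n")
            if not line:
                raise ConnectionError("server closed the connection")
            self.transcript.append("S: " + line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3])

    def cmd(self, text):
        self.transcript.append("C: " + text)
        self.sock.sendall((text + "\r\n").encode())
        return self.read_reply()

    def close(self):
        self.cmd("QUIT")
        self.rd.close()
        self.sock.close()


def relay_test(host, port, sender="probe@outside-a.invalid",
               rcpt="check@outside-b.invalid"):
    """Return (relay_allowed, transcript). Sender and recipient are both outside
    domains (assumed; .invalid is reserved), so 250 to RCPT TO means anyone can
    relay. RSET instead of DATA: no message is ever delivered."""
    p = SmtpProbe(host, port)
    try:
        p.cmd("EHLO relaycheck.invalid")
        if p.cmd(f"MAIL FROM:<{sender}>") != 250:
            return False, p.transcript
        code = p.cmd(f"RCPT TO:<{rcpt}>")
        p.cmd("RSET")
        return code == 250, p.transcript
    finally:
        p.close()


def run_demo(allow_relay):
    """Start the fake server on a loopback port and probe it; returns relay_test()."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_smtp_server, args=(listener, allow_relay), daemon=True)
    t.start()
    try:
        return relay_test("127.0.0.1", listener.getsockname()[1])
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    for mode in (True, False):  # once against an open relay, once against a refusing one
        print("\n".join(run_demo(mode)[1]), "\n")
```

A 550 to RCPT TO for an outside domain is the answer you want. Note that a server can refuse anonymous relaying and still be abused through an authenticated session (the "Authenticated Relay" mentioned above), which this anonymous probe will not detect; that case shows up as AUTH commands in the SMTP protocol log or in the authentication events, not as an open relay.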
ASKER
OK. There are no current sessions; maybe I forgot to tell you before. But there are spammers using this server, since there have been reports about it over the last few days.
So I need to close the ability to use that server as a relay; there is no need for that whatsoever.
Anyone?
ASKER CERTIFIED SOLUTION
ASKER
Done!
I will wait and see a few days if anything more happen, before I close this question.
Thanks for your help so far.
No probs - only close a question down when you have a solution that works for you.
Fingers crossed for the weekend. If it continues - I am usually around so just post another comment.
Have a good weekend.
Alan
ASKER
It is hard to really know if something nasty is going on, but so far we have not received any spam reports from anyone, so I think it works now. Will check again in a few days.
Good news - don't forget to check on www.mxtoolbox.com/blacklists.aspx to see if you are listed and if you are - if the last reported date is recent or when you made the changes to stop the relay.
If it was when you changed the settings - then you have stemmed the flood and should be able to request de-listing.
Article:
https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
Blog:
http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/