Solved

SBS 2003 Server Sending Out Spam

Posted on 2011-02-10
Last Modified: 2012-05-11
We have a SBS 2003 server that is presently sending out spam on its own.

The messages appear in SMTP logs and message tracking.

The server is not open relay and we have blocked all internal and external connections to the SMTP server except from our anti-spam service (Postini).

Here is one example of what we see in the logs (some identifying data has been replaced with ***):

2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 220+mx.google.com+ESMTP+w10si3503113ibe.99 0 0 42 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.*****.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250-mx.google.com+at+your+service,+[203.45.58.17] 0 0 49 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.0+OK+w10si3503113ibe.99 0 0 31 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<*****@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RSET - - 0 0 4 0 24391 SMTP - - - -
2011-02-10 13:22:27 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+Flushed+w10si3503113ibe.99 0 0 36 0 24656 SMTP - - - -

There are lots of similar entries in the SMTP logs all to different addresses with various subject lines.

Server and workstations are protected with Kaspersky and full scans have been run. We also ran Malware Bytes on all. Some Malware was removed but the problem remains.

How can we determine the source of the spam, and stop it?
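The log excerpt above is in the IIS SMTP service's W3C format. As an added example (not from the question or any of the answers), the Python script below reconstructs each outbound MAIL/RCPT transaction from such lines and counts what a responder wants first: how many outbound messages carry a null sender (MAIL FROM:<>, which is how bounces/NDRs are sent, so a high count points at backscatter from inbound spam to invalid recipients rather than at a compromised account), which named senders appear, and how many recipients the remote side refused with a 4xx/5xx reply. Field positions are assumed from the sample lines; the embedded sample is the session quoted in the question.

```python
import re
from collections import Counter

# Constructed sample: the outbound session quoted in the question (identifiers already masked there).
SAMPLE_LOG = """\
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 220+mx.google.com+ESMTP+w10si3503113ibe.99 0 0 42 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.*****.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250-mx.google.com+at+your+service,+[203.45.58.17] 0 0 49 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.0+OK+w10si3503113ibe.99 0 0 31 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<*****@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RSET - - 0 0 4 0 24391 SMTP - - - -
2011-02-10 13:22:27 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+Flushed+w10si3503113ibe.99 0 0 36 0 24656 SMTP - - - -
"""

def parse_line(line):
    # Field positions assumed from the sample: 2 = peer IP, 3 = event kind, 8 = SMTP verb, 10 = argument or reply.
    f = line.split()
    if len(f) < 11 or not f[3].startswith("OutboundConnection"):
        return None
    return {"peer": f[2], "kind": f[3], "verb": f[8], "arg": f[10].replace("+", " ")}

def analyze(text):
    """Reconstruct outbound MAIL/RCPT transactions and record recipients the remote side refused."""
    txns, cur, last_verb = [], None, None
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["kind"] == "OutboundConnectionCommand":
            last_verb = rec["verb"]
            if rec["verb"] == "MAIL":
                m = re.search(r"FROM:<([^>]*)>", rec["arg"])
                cur = {"peer": rec["peer"], "sender": m.group(1) if m else "?", "rcpts": [], "rejected": []}
                txns.append(cur)
            elif rec["verb"] == "RCPT" and cur is not None:
                m = re.search(r"TO:<([^>]*)>", rec["arg"])
                cur["rcpts"].append(m.group(1) if m else rec["arg"])
        elif cur is not None and last_verb == "RCPT" and rec["arg"][:1] in ("4", "5"):
            # 4xx/5xx reply to RCPT: the remote MX refused this recipient (rate limit, unknown user, blacklist, ...)
            cur["rejected"].append((cur["rcpts"][-1], rec["arg"]))
            last_verb = None  # do not count a multi-line reply twice
    return txns

def summarize(txns):
    """Counts to look at first: null-sender (bounce/NDR) traffic vs. named senders, and rejections."""
    return {"transactions": len(txns),
            "null_sender": sum(1 for t in txns if t["sender"] == ""),
            "rejected_rcpts": sum(len(t["rejected"]) for t in txns),
            "by_peer": Counter(t["peer"] for t in txns),
            "senders": Counter(t["sender"] or "<>" for t in txns)}
```

Run it over a full day's SMTPSVC1 log: if nearly every transaction is null-sender, the server is bouncing inbound spam (recipient filtering is the fix); if the senders are real mailbox users or random local names, look at authenticated submissions and internal hosts instead.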
Question by:knobbylowboy
13 Comments
 
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 34866754
 

Author Comment

by:knobbylowboy
ID: 34866799
Thanks for replying. The sending addresses are random, or often an invalid username at our domain. I have turned on the diagnostic logging as requested and will monitor. Incidentally, I forgot to mention in my question that we already disabled all unused accounts and reset the password of all active accounts.
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34866838
I won't be able to help you with determining the source of the spam but I can definitely help you enable spam filtering on your exchange server.

Take a look at these articles. It will help you enable spam filtering.

http://support.microsoft.com/kb/821746

http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html

Also, check if you have event ID 1708 logged in the Application logs. It will tell you if any account was compromised from your domain.


Hope this helps.
Datta
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866934
Are you blacklisted anywhere on www.mxtoolbox.com/blacklists.aspx or www.blacklistalert.org ?
 

Author Comment

by:knobbylowboy
ID: 34867018
Blacklisted on:
abuse.rfc-ignorant.org LISTED!
l1.apews.org LISTED!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867056
Okay - if SMTP is blocked in / out from anyone but Postini, then it sounds like you have a virus-infected computer locally or remotely, and the remote computer could be using RPC over HTTPS and sending its mail securely to your server.

Do you have such users on your network?
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34867082
Go ahead and apply for delisting from these two organizations and then enable spam filtering on your exchange server if you have not done that already.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867096
NO - Do not apply for de-listing until you know what problem you are facing and have a handle on it.

If you de-list and continue to send spam, getting de-listed again will be harder.

Find the problem, tackle the problem, clear up the problem and then de-list - not before.
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867177
If you're receiving messages that are for users who do not exist in your GAL then you may not have recipient filtering turned on. I have used Postini in the past and still had similar issues like the one you're describing.

I would go through and verify that you have E2k3's anti-spam filtering turned on and running.
People often overlook that because they have a 3rd party filter service.

Then restart the transport service. Also there are plenty more steps we can do to try and fix this. Message delivery properties: [attachment: Exch2k3-SpamFiltering-Screen1.PNG]
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867182
Then restart the SMTP service and see if that works
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867222
@castellansolutions - This is not an inbound mail issue - it is an outbound mail issue.  If messages were being sent to invalid users and recipient filtering was not enabled, the messages in the queue would be from Postmaster, not random internal users.  If the messages were from random users not on the domain, then the problem would be an Authenticated Relay attack - it's as simple as that.

The messages in the queue are from random users and the internal domain, so this could be an authenticated relay attack or it could be an internal infection or an external infection with users sending via an authenticated username / password or via RPC over HTTPS.
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867429
The sending addresses are random or often and invalid username at our domain

I took this to be (mail from: randomuser@randomdomain.com) and (rcpt to: MYrandomwronguser@mydomain.com)

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867490
If the senders are random users not on the domain - that means an authenticated relay attack.

If the senders are invaliduser@localdomain then that would also indicate an authenticated relay attack.

What is clear, is that the attack is either authenticated or from an internal source (which can include external SMTP authenticated users or RPC over HTTPS users) or a locally infected computer sending out via Exchange, which is unusual, but not impossible.

What it isn't is external spam sent to invalid recipients because the senders would be postmaster sending back NDR messages to spoofed addresses.