Solved

SBS 2003 Server Sending Out Spam

Posted on 2011-02-10
Last Modified: 2012-05-11
We have a SBS 2003 server that is presently sending out spam on its own.

The messages appear in SMTP logs and message tracking.

The server is not open relay and we have blocked all internal and external connections to the SMTP server except from our anti-spam service (Postini).

Here is one example of what we see in the logs (some identifying data has been replaced with ***):

2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 220+mx.google.com+ESMTP+w10si3503113ibe.99 0 0 42 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.*****.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250-mx.google.com+at+your+service,+[203.45.58.17] 0 0 49 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.0+OK+w10si3503113ibe.99 0 0 31 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<*****@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RSET - - 0 0 4 0 24391 SMTP - - - -
2011-02-10 13:22:27 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+Flushed+w10si3503113ibe.99 0 0 36 0 24656 SMTP - - - -

There are lots of similar entries in the SMTP logs all to different addresses with various subject lines.

Server and workstations are protected with Kaspersky and full scans have been run. We also ran Malwarebytes on all. Some malware was removed but the problem remains.

How can we determine the source of the spam, and stop it?
Question by:knobbylowboy
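One way to triage log lines like the ones in the question, as an added example that is not from the post or from any tool named in this thread: it rebuilds each outbound conversation from the Exchange 2003 / IIS SMTP W3C log and labels it by sender type (null or postmaster sender, sender at the local domain, sender elsewhere), which is the distinction the replies turn on, and flags sessions the remote MX rejected. The column order, example.com standing in for the masked domain, and the second session are assumptions.

```python
import re

# Constructed sample (not from the post), modelled on the question's log: masked domain -> example.com, plus a second, contrasting session.
SAMPLE_LOG = """\
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.example.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<someone@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:31 198.51.100.9 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.example.com 0 0 4 0 100 SMTP - - - -
2011-02-10 13:22:31 198.51.100.9 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<zq7k2@example.com>+SIZE=2048 0 0 4 0 120 SMTP - - - -
2011-02-10 13:22:31 198.51.100.9 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<victim@example.net> 0 0 4 0 140 SMTP - - - -
2011-02-10 13:22:31 198.51.100.9 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+OK 0 0 12 0 160 SMTP - - - -
"""

# Columns assume the default IIS 6 SMTP #Fields order: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query ... ('+' encodes a space).
def parse_line(line):
    f = line.split(" ")
    if line.startswith("#") or len(f) < 11:
        return None
    return {"peer": f[2], "event": f[3], "cmd": f[8], "arg": f[10].replace("+", " ")}

def sessions(text):
    """Rebuild outbound conversations: each EHLO/HELO to a remote MX starts a new one."""
    out, cur = [], None
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["cmd"] in ("EHLO", "HELO"):
            cur = {"peer": rec["peer"], "sender": None, "rcpts": [], "replies": []}
            out.append(cur)
        elif cur is None:
            continue  # banner, or a line from a session whose start we did not see
        elif rec["cmd"] == "MAIL":
            cur["sender"] = re.sub(r"^FROM:<([^>]*)>.*$", r"\1", rec["arg"], flags=re.I)
        elif rec["cmd"] == "RCPT":
            cur["rcpts"].append(re.sub(r"^TO:<([^>]*)>.*$", r"\1", rec["arg"], flags=re.I))
        elif rec["event"] == "OutboundConnectionResponse":
            cur["replies"].append(rec["arg"][:3])  # three-digit reply code, e.g. 450 or 250
    return out

def triage(sess, local_domain):
    """Label a session the way the replies in this thread reason about outbound spam sources."""
    s = (sess["sender"] or "").lower()
    if s == "" or s.startswith("postmaster@"):
        kind = "ndr-backscatter"  # null/postmaster sender: bounces going out to spoofed addresses
    elif s.endswith("@" + local_domain):
        kind = "local-sender"     # our domain: check account auth, RPC over HTTPS users, internal hosts
    else:
        kind = "foreign-sender"   # not our domain: consistent with authenticated relay abuse
    rejected = any(r[:1] in ("4", "5") for r in sess["replies"])
    return kind, rejected
```

Run it over the real log (e.g. `sessions(open(path).read())`) and tally the labels per remote peer; a large share of one label narrows which of the causes raised in the replies to investigate first.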
13 Comments
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34866754

Author Comment

by:knobbylowboy
ID: 34866799
Thanks for replying. The sending addresses are random, or often an invalid username at our domain. I have turned on the diagnostic logging as requested and will monitor. Incidentally, I forgot to mention in my question that we already disabled all unused accounts and reset the passwords of all active accounts.
LVL 2

Expert Comment

by:dattatraykadam
ID: 34866838
I won't be able to help you with determining the source of the spam, but I can definitely help you enable spam filtering on your Exchange server.

Take a look at these articles. They will help you enable spam filtering.

http://support.microsoft.com/kb/821746

http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html

Also, check if you have event ID 1708 logged in the Application logs. It will tell you if any account was compromised from your domain.


Hope this helps.
Datta
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866934
Are you blacklisted anywhere on www.mxtoolbox.com/blacklists.aspx or www.blacklistalert.org ?

Author Comment

by:knobbylowboy
ID: 34867018
Blacklisted on:
abuse.rfc-ignorant.org LISTED!
l1.apews.org LISTED!
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867056
Okay - if SMTP is blocked in / out from anyone but Postini, then it sounds like you have a virus-infected computer locally or remotely, and the remote computer could be using RPC over HTTPS and sending its mail securely to your server.

Do you have such users on your network?
LVL 2

Expert Comment

by:dattatraykadam
ID: 34867082
Go ahead and apply for delisting from these two organizations and then enable spam filtering on your exchange server if you have not done that already.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867096
NO - Do not apply for de-listing until you know what problem you are facing and have a handle on it.

If you de-list and continue to send spam, getting de-listed again will be harder.

Find the problem, tackle the problem, clear up the problem and then de-list - not before.
LVL 6

Expert Comment

by:castellansolutions
ID: 34867177
If you're receiving messages that are for users who do not exist in your GAL then you may not have recipient filtering turned on. I have used Postini in the past and still had similar issues like the one you're describing.

I would go through and verify that you have E2k3's anti-spam filtering turned on and running.
People often overlook that because they have a 3rd party filter service.

Then restart the transport service. Also there are plenty more steps we can do to try and fix this. Message delivery properties (attached screenshot: Exch2k3-SpamFiltering-Screen1.PNG)
LVL 6

Expert Comment

by:castellansolutions
ID: 34867182
Then restart the SMTP service and see if that works
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867222
@castellansolutions - This is not an inbound mail issue - it is an outbound mail issue. If messages were being sent to invalid users and recipient filtering was not enabled, the messages in the queue would be from Postmaster, not random internal users. If the messages were from random users not on the domain, then the problem would be an Authenticated Relay attack - it's as simple as that.

The messages in the queue are from random users and the internal domain, so this could be an authenticated relay attack or it could be an internal infection or an external infection with users sending via an authenticated username / password or via RPC over HTTPS.
LVL 6

Expert Comment

by:castellansolutions
ID: 34867429
The sending addresses are random or often and invalid username at our domain

I took this to be (mail from: randomuser@randomdomain.com) and (rcpt to: MYrandomwronguser@mydomain.com)

LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867490
If the senders are random users not on the domain - that means an authenticated relay attack.

If the senders are invaliduser@localdomain then that would also indicate an authenticated relay attack.

What is clear is that the attack is either authenticated or from an internal source (which can include external SMTP authenticated users or RPC over HTTPS users), or a locally infected computer sending out via Exchange, which is unusual, but not impossible.

What it isn't is external spam sent to invalid recipients because the senders would be postmaster sending back NDR messages to spoofed addresses.