Solved

SBS 2003 Server Sending Out Spam

Posted on 2011-02-10
1,074 Views
Last Modified: 2012-05-11
We have a SBS 2003 server that is presently sending out spam on its own.

The messages appear in SMTP logs and message tracking.

The server is not open relay and we have blocked all internal and external connections to the SMTP server except from our anti-spam service (Postini).

Here is one example of what we see in the logs (some identifying data has been replaced with ***):

2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 220+mx.google.com+ESMTP+w10si3503113ibe.99 0 0 42 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.*****.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250-mx.google.com+at+your+service,+[203.45.58.17] 0 0 49 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.0+OK+w10si3503113ibe.99 0 0 31 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<*****@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RSET - - 0 0 4 0 24391 SMTP - - - -
2011-02-10 13:22:27 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+Flushed+w10si3503113ibe.99 0 0 36 0 24656 SMTP - - - -

There are lots of similar entries in the SMTP logs all to different addresses with various subject lines.

Server and workstations are protected with Kaspersky and full scans have been run. We also ran Malwarebytes on all. Some malware was removed but the problem remains.

How can we determine the source of the spam, and stop it?
Question by:knobbylowboy
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 34866754
 

Author Comment

by:knobbylowboy
ID: 34866799
Thanks for replying. The sending addresses are random, or often an invalid username at our domain. I have turned on the diagnostic logging as requested and will monitor. Incidentally, I forgot to mention in my question that we already disabled all unused accounts and reset the passwords of all active accounts.
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34866838
I won't be able to help you with determining the source of the spam but I can definitely help you enable spam filtering on your exchange server.

Take a look at these articles. It will help you enable spam filtering.

http://support.microsoft.com/kb/821746

http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html

Also, check if you have event ID 1708 logged in the Application logs. It will tell you if any account was compromised from your domain.


Hope this helps.
Datta
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866934
Are you blacklisted anywhere on www.mxtoolbox.com/blacklists.aspx or www.blacklistalert.org ?
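The blacklist check suggested above is a DNSBL lookup: reverse the octets of the sending IP, append the list's zone, and resolve it; an A record (conventionally 127.0.0.x) means listed, NXDOMAIN means not listed. The following is an added example, not code from the thread or from either lookup site; the zone names are placeholders, and the resolver is injectable so the function can be exercised without network access.

```python
import socket

# Placeholder zones (not real lists); substitute the DNSBL zones you actually query.
DEFAULT_ZONES = ("bl-one.example.net", "bl-two.example.net")


def dnsbl_name(ip, zone):
    """Build the query name: reversed IPv4 octets followed by the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("IPv4 dotted-quad expected: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip, zones=DEFAULT_ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer_ip} for every zone that lists ip.

    A successful resolution is a listing (the answer, usually 127.0.0.x, encodes
    the reason on lists that publish return codes); NXDOMAIN (socket.gaierror)
    means not listed. Any other exception is left to the caller.
    """
    listed = {}
    for zone in zones:
        try:
            listed[zone] = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue
    return listed


if __name__ == "__main__":
    # Constructed address for illustration; replace with your MX's public IP.
    for zone, answer in check_dnsbl("203.0.113.17").items():
        print("LISTED on %s (%s)" % (zone, answer))
```

Run it against the public IP that remote servers see for your MX (the address the remote MX echoes back in its EHLO greeting), not an internal one. As noted further down the thread, a listing is a symptom: fix the outbound abuse before requesting removal.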
 

Author Comment

by:knobbylowboy
ID: 34867018
Blacklisted on:
abuse.rfc-ignorant.org LISTED!
l1.apews.org LISTED!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867056
Okay - if SMTP is blocked in / out from anyone but Postini, then you sound like you have a virus-infected computer locally or remotely, and the remote computer could be using RPC over HTTPS and sending its mail securely to your server.

Do you have such users on your network?
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34867082
Go ahead and apply for delisting from these two organizations and then enable spam filtering on your exchange server if you have not done that already.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867096
NO - Do not apply for de-listing until you know what problem you are facing and have a handle on it.

If you de-list and continue to send spam, getting de-listed again will be harder.

Find the problem, tackle the problem, clear up the problem and then de-list - not before.
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867177
If you're receiving messages that are for users who do not exist in your GAL then you may not have recipient filtering turned on. I have used Postini in the past and still had similar issues like the one you're describing.

I would go through and verify that you have E2k3's anti-spam filtering turned on and running.
People often overlook that because they have a 3rd-party filter service.

Then restart the transport service. Also there are plenty more steps we can do to try and fix this.

[attachment: message delivery properties, Exch2k3-SpamFiltering-Screen1.PNG]
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867182
Then restart the SMTP service and see if that works
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867222
@castellansolutions - This is not an inbound mail issue - it is an outbound mail issue.  If messages were being sent to invalid users and recipient filtering was not enabled, the messages in the queue would be from Postmaster, not random internal users.  If the messages were from random users not on the domain, then the problem would be an Authenticated Relay attack - it's as simple as that.

The messages in the queue are from random users and the internal domain, so this could be an authenticated relay attack or it could be an internal infection or an external infection with users sending via an authenticated username / password or via RPC over HTTPS.
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867429
"The sending addresses are random or often an invalid username at our domain"

I took this to be (mail from: randomuser@randomdomain.com) and (rcpt to: MYrandomwronguser@mydomain.com)
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867490
If the senders are random users not on the domain - that means an authenticated relay attack.

If the senders are invaliduser@localdomain then that would also indicate an authenticated relay attack.

What is clear, is that the attack is either authenticated or from an internal source (which can include external SMTP authenticated users or RPC over HTTPS users) or a locally infected computer sending out via Exchange, which is unusual, but not impossible.

What it isn't is external spam sent to invalid recipients because the senders would be postmaster sending back NDR messages to spoofed addresses.
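The question asks how to find the source of the spam from the SMTP logs, and the triage rule in the comments above is that the envelope sender tells you what kind of abuse you are looking at (null sender or postmaster = NDR backscatter; a foreign domain = relay; a nonexistent local user = authenticated relay or an infected host). The outbound entries quoted in the question cannot answer the "who" question by themselves, because their c-ip is the remote MX; the inbound entries, whose c-ip is the machine that submitted the message, can. The script below is an added example, not code from the thread, that does both over Exchange 2003's IIS SMTP protocol log: it parses the W3C field order the quoted entries use, skips outbound sessions, classifies every inbound MAIL command by sender, and reports any submitting client that is not the anti-spam service. The local domain, mailbox list, trusted range and sample log lines are constructed placeholders. Note that the one outbound MAIL command quoted in the question uses the null sender (FROM:<>), which this rule classes as a bounce.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (placeholders, not from the thread): the victim's domain, its real
# mailboxes, and the address range the anti-spam service delivers from.
LOCAL_DOMAIN = "example.com"
KNOWN_MAILBOXES = {"alice", "bob", "postmaster"}
TRUSTED_SUBMITTERS = [ipaddress.ip_network("203.0.113.0/24")]

# W3C extended-log field order matching the entries quoted in the question.
FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)").split()

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_line(line):
    """Turn one log line into a dict; None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs-uri-query"] = rec["cs-uri-query"].replace("+", " ")  # W3C logs encode spaces as '+'
    return rec


def is_outbound(rec):
    """Outbound (server-to-remote-MX) entries carry a pseudo-username instead of a HELO name."""
    return rec["cs-username"].startswith("OutboundConnection")


def envelope_sender(rec):
    """Envelope sender of a MAIL command ('' for the null sender); None for other verbs."""
    if rec["cs-method"] != "MAIL":
        return None
    m = ADDR_RE.search(rec["cs-uri-query"])
    return m.group(1).lower() if m else None


def classify_sender(addr):
    """The triage rule from the thread: the envelope sender identifies the kind of abuse."""
    if addr == "" or addr.startswith("postmaster@"):
        return "ndr"                # null sender / postmaster: a bounce, i.e. backscatter
    user, _, domain = addr.partition("@")
    if domain != LOCAL_DOMAIN:
        return "foreign-sender"     # someone else's domain through our server: relay
    if user not in KNOWN_MAILBOXES:
        return "forged-local-user"  # nonexistent local user: authenticated relay or infected host
    return "real-local-user"        # a real mailbox: stolen credentials or an infected workstation


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_SUBMITTERS)


def triage(lines):
    """Return ({client_ip: Counter of sender classes}, sorted untrusted client IPs)."""
    by_client = {}
    for rec in filter(None, map(parse_line, lines)):
        addr = envelope_sender(rec)
        if addr is None or is_outbound(rec):
            continue  # only inbound submissions show who injected the message
        by_client.setdefault(rec["c-ip"], Counter())[classify_sender(addr)] += 1
    suspects = sorted(ip for ip in by_client if not is_trusted(ip))
    return by_client, suspects


# Constructed sample: one delivery from the filtering service, two submissions
# from an internal workstation, and an outbound bounce like the one in the question.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2011-02-10 13:21:58 203.0.113.10 mx.filter.example.net SMTPSVC1 SERVER - 25 MAIL - FROM:<sender@other.org>+SIZE=1024 0 0 4 0 100 SMTP - - - -
2011-02-10 13:22:01 192.168.1.45 workstation17 SMTPSVC1 SERVER - 25 MAIL - FROM:<zq7rt@example.com> 0 0 4 0 120 SMTP - - - -
2011-02-10 13:22:05 192.168.1.45 workstation17 SMTPSVC1 SERVER - 25 MAIL - FROM:<alice@example.com> 0 0 4 0 130 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
"""

if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG.splitlines())
    for ip, c in counts.items():
        print(ip, dict(c), "trusted" if is_trusted(ip) else "SUSPECT")
    print("submitters to investigate:", suspects)
```

Run it over the whole SMTPSVC1 log directory rather than a single file; a host that appears as an untrusted submitter is the machine to pull off the network, and a "real-local-user" sender from a host that user does not sit at is the account whose password to reset. If nothing but the trusted range ever submits on port 25, the mail is entering by another path (authenticated RPC over HTTPS or MAPI submission), which this protocol log will not show and message tracking will.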
