Solved

SBS 2003 Server Sending Out Spam

Posted on 2011-02-10
Medium Priority
1,083 Views
Last Modified: 2012-05-11
We have a SBS 2003 server that is presently sending out spam on its own.

The messages appear in SMTP logs and message tracking.

The server is not open relay and we have blocked all internal and external connections to the SMTP server except from our anti-spam service (Postini).

Here is one example of what we see in the logs (some identifying data has been replaced with ***):

2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 220+mx.google.com+ESMTP+w10si3503113ibe.99 0 0 42 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 EHLO - mail.*****.com 0 0 4 0 23578 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250-mx.google.com+at+your+service,+[203.45.58.17] 0 0 49 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.0+OK+w10si3503113ibe.99 0 0 31 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<*****@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RSET - - 0 0 4 0 24391 SMTP - - - -
2011-02-10 13:22:27 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 250+2.1.5+Flushed+w10si3503113ibe.99 0 0 36 0 24656 SMTP - - - -

There are lots of similar entries in the SMTP logs all to different addresses with various subject lines.

Server and workstations are protected with Kaspersky and full scans have been run. We also ran Malwarebytes on all. Some malware was removed but the problem remains.

How can we determine the source of the spam, and stop it?
0
Question by:knobbylowboy
13 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 34866754
0
 

Author Comment

by:knobbylowboy
ID: 34866799
Thanks for replying. The sending addresses are random, or often an invalid username at our domain. I have turned on the diagnostic logging as requested and will monitor. Incidentally, I forgot to mention in my question that we already disabled all unused accounts and reset the password of all active accounts.
0
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34866838
I won't be able to help you with determining the source of the spam, but I can definitely help you enable spam filtering on your Exchange server.

Take a look at these articles. They will help you enable spam filtering.

http://support.microsoft.com/kb/821746

http://www.msexchange.org/tutorials/Microsoft-Small-Business-Server-2003-Spam-Filtering.html

Also, check if you have event ID 1708 logged in the Application logs. It will tell you if any account was compromised from your domain.


Hope this helps.
Datta
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866934
Are you blacklisted anywhere on www.mxtoolbox.com/blacklists.aspx or www.blacklistalert.org ?
0
 

Author Comment

by:knobbylowboy
ID: 34867018
Blacklisted on:
abuse.rfc-ignorant.org LISTED!
l1.apews.org LISTED!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867056
Okay - if SMTP is blocked in / out from anyone but Postini, then it sounds like you have a virus-infected computer locally or remotely, and the remote computer could be using RPC over HTTPS and sending its mail securely to your server.

Do you have such users on your network?
0
 
LVL 2

Expert Comment

by:dattatraykadam
ID: 34867082
Go ahead and apply for delisting from these two organizations, and then enable spam filtering on your Exchange server if you have not done that already.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867096
NO - Do not apply for de-listing until you know what problem you are facing and have a handle on it.

If you de-list and continue to send spam, getting de-listed again will be harder.

Find the problem, tackle the problem, clear up the problem and then de-list - not before.
0
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867177
If you're receiving messages that are for users who do not exist in your GAL, then you may not have recipient filtering turned on. I have used Postini in the past and still had similar issues like the one you're describing.

I would go through and verify that you have E2k3's anti-spam filtering turned on and running.
People often overlook that because they have a 3rd-party filter service.

Then restart the transport service. Also, there are plenty more steps we can do to try and fix this.

[Attachment: Exch2k3-SpamFiltering-Screen1.PNG (message delivery properties)]
0
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867182
Then restart the SMTP service and see if that works
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867222
@castellansolutions - This is not an inbound mail issue - it is an outbound mail issue. If messages were being sent to invalid users and recipient filtering was not enabled, the messages in the queue would be from Postmaster, not random internal users. If the messages were from random users not on the domain, then the problem would be an Authenticated Relay attack - it's as simple as that.

The messages in the queue are from random users and the internal domain, so this could be an authenticated relay attack or it could be an internal infection or an external infection with users sending via an authenticated username / password or via RPC over HTTPS.
0
 
LVL 6

Expert Comment

by:castellansolutions
ID: 34867429
"The sending addresses are random or often an invalid username at our domain."

I took this to be (mail from: randomuser@randomdomain.com) and (rcpt to: MYrandomwronguser@mydomain.com).
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34867490
If the senders are random users not on the domain - that means an authenticated relay attack.

If the senders are invaliduser@localdomain then that would also indicate an authenticated relay attack.

What is clear, is that the attack is either authenticated or from an internal source (which can include external SMTP authenticated users or RPC over HTTPS users) or a locally infected computer sending out via Exchange, which is unusual, but not impossible.

What it isn't is external spam sent to invalid recipients because the senders would be postmaster sending back NDR messages to spoofed addresses.
0
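As an added example (not code from the thread or from any of its participants), here is a small Python script that parses lines in the SMTP protocol-log layout quoted in the question and buckets envelope senders using the distinctions Alan Hardisty draws above (Postmaster NDRs versus local-domain senders versus senders on a foreign domain), alongside a count of RCPT commands per remote MX and of 4xx/5xx replies. The local domain, the peer addresses other than the one in the question, and the sample lines are assumed or constructed.

```python
import re
from collections import Counter

# Constructed sample in the log layout quoted in the question (single-space separated fields, '+' for spaces inside a field).
SAMPLE_LOG = """\
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<>+SIZE=3578 0 0 4 0 23844 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<someone@gmail.com> 0 0 4 0 24109 SMTP - - - -
2011-02-10 13:22:26 209.85.225.27 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 450-4.2.1+The+user+you+are+trying+to+contact+is+receiving+mail+at+a+rate+that 0 0 77 0 24391 SMTP - - - -
2011-02-10 13:24:02 198.51.100.8 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<qx7ttb@example.com>+SIZE=2210 0 0 4 0 25100 SMTP - - - -
2011-02-10 13:24:02 198.51.100.8 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<victim@example.net> 0 0 4 0 25300 SMTP - - - -
2011-02-10 13:24:30 198.51.100.8 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<bob9@spammer.example>+SIZE=1800 0 0 4 0 26000 SMTP - - - -
2011-02-10 13:25:10 203.0.113.5 OutboundConnectionCommand SMTPSVC1 SERVER - 25 MAIL - FROM:<postmaster@example.com>+SIZE=4400 0 0 4 0 27000 SMTP - - - -
2011-02-10 13:25:10 203.0.113.5 OutboundConnectionCommand SMTPSVC1 SERVER - 25 RCPT - TO:<spoofed@example.org> 0 0 4 0 27100 SMTP - - - -
2011-02-10 13:25:11 203.0.113.5 OutboundConnectionResponse SMTPSVC1 SERVER - 25 - - 550+5.1.1+No+such+user 0 0 20 0 27200 SMTP - - - -
"""
LOCAL_DOMAIN = "example.com"  # assumed; the question masks the real domain as *****
SENDER_RE = re.compile(r"^FROM:<([^>]*)>", re.IGNORECASE)

def parse_line(line):
    t = line.split(" ")  # field positions as in the lines quoted in the question
    if len(t) < 11:
        return None
    return {"peer": t[2], "kind": t[3], "method": t[8], "arg": t[10]}

def classify_sender(addr, local_domain=LOCAL_DOMAIN):
    # Bucket an envelope sender the way the thread reasons about it.
    if addr == "":
        return "null-sender"    # <> is the null sender that bounces/NDRs are sent with
    local, _, domain = addr.partition("@")
    if local.lower() == "postmaster":
        return "postmaster"     # NDRs to spoofed senders: inbound spam to invalid recipients
    if domain.lower() == local_domain.lower():
        return "local-domain"   # random internal user: authenticated relay or internal infection
    return "foreign-domain"     # sender not on our domain: authenticated relay attack

def summarize(log_text, local_domain=LOCAL_DOMAIN):
    """Count envelope senders by category, RCPT commands per peer MX, and 4xx/5xx replies."""
    out = {"senders": Counter(), "rcpt_by_peer": Counter(), "rejected": 0}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "OutboundConnectionCommand" and ev["method"] == "MAIL":
            m = SENDER_RE.match(ev["arg"])
            if m:
                out["senders"][classify_sender(m.group(1), local_domain)] += 1
        elif ev["kind"] == "OutboundConnectionCommand" and ev["method"] == "RCPT":
            out["rcpt_by_peer"][ev["peer"]] += 1
        elif ev["kind"] == "OutboundConnectionResponse" and ev["arg"][:1] in ("4", "5"):
            out["rejected"] += 1
    return out
```

A MAIL FROM:<> such as the one in the question's excerpt is the null envelope sender that bounce messages are sent with, so sessions in that bucket are worth cross-checking against message tracking before being counted as user-originated mail.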

Question has a verified solution.