Solved

Exchange 2003, Backup, Logs, SPAM

Posted on 2011-02-18
Last Modified: 2012-05-11
I have a VM of SBS2003 server whose hard drive is filling up very quickly.  I have added more HD space and looked around.

The Exchange logs are not being flushed out.  That's because there hadn't been a backup in some time.  So I did that last night and the logs didn't clear.

I noticed that this morning some more space was eaten up and I started refreshing -- the log was filling up FAST.

So I looked at the Exchange queues and to my horror, there it was SPAM.  Now, I locked down that server before and we hadn't had a problem for about 3 years.

The server is going to run out of space and go down again if I can't clear up space.

What do I do?  It's these logs for sure -- I have several multi-gb sized files.  Try to rerun the backup?  Delete old files?  How do I quickly stop the SPAM?


Please assist.  Thank you.

Question by:svillardi
16 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34926063
First things first: make sure the retention periods are lowered so that the mail is dropped in an hour rather than 3 days. This is set on the SMTP virtual server.

In the queue, try to identify where this is originating from (PC, user, etc.). Then give the system a full AV/malware scan.

I would guess that the mail is being sent out as postmaster@yourdomain.com. Enable sender filtering and stop postmaster from being able to send email out.

Take it from there, hopefully someone else will be able to assist also.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 34927322
0
 

Author Comment

by:svillardi
ID: 34929142
OK, I see a whole bunch of virtual SMTP domains, but they're all empty.  No messages.  How do I delete them and what can I do at this point?  My log is at 6gb for a small office, but looks like it's stabilized this afternoon, because the log really isn't growing.  Now, I'm on a bunch of blacklists.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34929381
If you are blacklisted - please read my article that I posted in the comment above and also check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org and see why you are listed.
0
 

Author Comment

by:svillardi
ID: 34930507
OK, all the extra virtual SMTP domains are gone.  I didn't do anything except shorten the expiring time.  I am also seeing that the log file is only slightly changed since this afternoon.  Therefore, I think the outgoing SPAM attack has stopped.

Several thoughts and questions:

Our ISP reported a couple of people forwarded emails that our server sent out.  Today's report listed our server as the sender, but also listed a quarantined virus.  My Symantec Endpoint is up to date and found a couple of things (trojan-spy.html.fraud.gen) in our (inbound) SPAM folder.  I have deleted everything in that folder as a precaution.  The ISP said that one report said that we were doing a phishing request.  Does any of this info help to determine what is actually causing the SPAM or its origination?  I can't see how EML files which a user never saw could activate a virus.

I have almost 20gb of logs in my sbs2003.log folder.  I did an Exchange backup last night.  Can't I delete these old files?  What should I do?

Recipient filtering was already turned on.  I enabled maximum authentication logging, but nothing yet is showing up in my Event Viewer.

Thanks again!
0
 

Author Comment

by:svillardi
ID: 34931356
Please respond to my last post if possible.
0
 

Author Comment

by:svillardi
ID: 34931387
More info:  The logs I am talking about are in c:\program files\exchsrvr\sbs2003.log folder, which is shared.  Circular logging is enabled on the Storage Group.  That setting is in c:\program files\exchsrvr\mdbdata.  There's hardly any space taken up at this location.

Thanks again.
0
 

Author Comment

by:svillardi
ID: 34931576
Still investigating:  The sbs2003.log files are message tracking files.  By doing a search, using the message tracker tool, I can see a bunch of different senders, including the postmaster@mydomain.com and other outside addresses, such as accounts@paypal.com.

Is there a way to track what virus, either on my server or on another client may be causing this?

Thank you again for the assistance.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34932356
If the senders are Postmaster - that suggests Recipient filtering isn't working or you use a 3rd party for anti-spam filtering and they are not Recipient Filtering.

If the senders are paypal.com then you could either have a local infection or have an authenticated relay going on.

I would change ALL passwords for ALL users as a precaution and restart the SMTP service.

Scan all your computers with something like malwarebytes (www.malwarebytes.org) and remove anything that is found.

A clean anti-virus scan doesn't mean you don't have anything!!

FYI - I am currently on holiday so replies won't be coming back as fast as usual!
0
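The sbs2003.log files discussed above are the record of who submitted what from where, so they are the fastest way to tell an authenticated relay (external client, external recipient, any forged sender) from plain inbound mail. The script below is an added example for this thread, not code from Alan's article or from Microsoft: it parses Exchange 2003 message tracking log lines (tab-separated, column names taken from the "# Date ... Sender-Address" header in each file), counts submissions per sender and per client IP, and lists every message an outside client pushed through the server to an outside recipient. The sample log is constructed; OUR_DOMAINS, INTERNAL_NETS and the choice of event 1019 as the "message accepted" event are assumptions to adjust for your site.

```python
"""Triage Exchange 2003 message tracking logs for outbound relay abuse.

The sbs2003.log share holds one tab-separated file per day. Lines starting
with '#' are headers; the '# Date<TAB>Time<TAB>client-ip ...' header names the
columns, so the parser reads the column order from the file rather than
hard-coding it. Sender-Address is the envelope sender, which is exactly what
a spammer forges (accounts@paypal.com, postmaster@yourdomain).
"""
import ipaddress
from collections import Counter

# Site-specific settings (assumptions for this example; adjust to your site).
OUR_DOMAINS = {"mydomain.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("127.0.0.0/8")]
# Event 1019 ("SMTP: Message Submitted to Advanced Queuing") marks a message
# the SMTP service accepted; later events repeat the same message as it moves
# through the queues. Treated as an assumption: check the event IDs your logs
# actually carry and extend this set if needed.
SUBMIT_EVENTS = {"1019"}

HEADER_FIELDS = [
    "Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
    "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
    "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
    "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
    "Message-Subject", "Sender-Address",
]


def _row(time, client_ip, recipient, event_id, sender, subject="-"):
    """Build one constructed log line with all 20 columns ('-' where unused)."""
    values = {"Date": "2011-2-18", "Time": time, "client-ip": client_ip,
              "Recipient-Address": recipient, "Event-ID": event_id,
              "Number-Recipients": "1", "Message-Subject": subject,
              "Sender-Address": sender}
    return "\t".join(values.get(field, "-") for field in HEADER_FIELDS)


# Constructed sample log: one normal outbound message, one normal inbound
# message, a local NDR, and three messages a spammer pushed through the server.
SAMPLE_LOG = "\n".join([
    "# Message Tracking Log File",
    "# Exchange System Attendant Version 6.5.7638.1",
    "# " + "\t".join(HEADER_FIELDS),
    _row("8:00:01", "192.168.1.50", "bob@example.net", "1019", "alice@mydomain.com", "Invoice"),
    _row("8:00:02", "203.0.113.7", "victim1@example.org", "1019", "accounts@paypal.com", "Verify your account"),
    _row("8:00:02", "203.0.113.7", "victim2@example.org", "1019", "accounts@paypal.com", "Verify your account"),
    _row("8:00:03", "203.0.113.7", "victim3@example.org", "1019", "postmaster@mydomain.com", "Undeliverable"),
    _row("8:00:04", "198.51.100.9", "alice@mydomain.com", "1019", "partner@example.net", "RE: Invoice"),
    _row("8:00:05", "203.0.113.7", "victim1@example.org", "1020", "accounts@paypal.com", "Verify your account"),
    _row("8:00:06", "127.0.0.1", "alice@mydomain.com", "1019", "postmaster@mydomain.com", "Undeliverable"),
])


def parse_tracking_log(text):
    """Yield one dict per data line, keyed by the column names in the header."""
    fields = HEADER_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if "\t" in line:                      # the column header line
                fields = line.lstrip("# ").split("\t")
            continue
        values = line.split("\t")
        if len(values) != len(fields):            # truncated line in a live file
            continue
        yield dict(zip(fields, values))


def _is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:                            # '-' or a hostname
        return False
    return any(ip in net for net in INTERNAL_NETS)


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(text):
    """Count submissions per sender and per client, and list relayed messages.

    A message counts as relayed when an external client submitted it for an
    external recipient: that is the shape of both open-relay and
    authenticated-relay abuse, whatever sender address was forged.
    """
    by_sender, by_client, relayed = Counter(), Counter(), []
    for row in parse_tracking_log(text):
        if row["Event-ID"] not in SUBMIT_EVENTS:
            continue
        sender, client = row["Sender-Address"].lower(), row["client-ip"]
        by_sender[sender] += 1
        by_client[client] += 1
        if not _is_internal(client) and _domain(row["Recipient-Address"]) not in OUR_DOMAINS:
            relayed.append({"time": row["Time"], "client": client, "sender": sender,
                            "recipient": row["Recipient-Address"],
                            "subject": row["Message-Subject"]})
    return {"by_sender": by_sender, "by_client": by_client, "relayed": relayed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Top senders:", report["by_sender"].most_common(3))
    print("Top submitting clients:", report["by_client"].most_common(3))
    for m in report["relayed"]:
        print("RELAYED", m["time"], m["client"], m["sender"], "->", m["recipient"])
```

On a real server, loop over the daily files in the sbs2203.log share and pass each file's text to triage(); the client IP that tops by_client for the relayed messages is the host you block at the firewall, and the spread of senders it used tells you whether you are looking at a single stolen credential or an open relay.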
 

Author Comment

by:svillardi
ID: 34942234
The problem seemed to stop over the weekend, but now it's back.  I do not know what to do.
0
 

Author Comment

by:svillardi
ID: 34942245
I cleaned everyone in the office with malwarebytes.  I ran virus scans.  We were fine over the weekend.  Postmaster@mycompany and paypal emails keep going out.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34942743
Have you read my article yet and increased the logging?
0
 

Author Comment

by:svillardi
ID: 34944856
Yes, and I came up GOLDEN!!  Thank you!

Now for the details:

The account is actually a service account used to allow printers to scan to the file server.  How is it possible that this was hacked?  Users do not generally know the username and password to set this up, but all of our scanners use the same domain account.

Please explain.

I have temporarily disabled the account.  I will change the password on it and re-enable.  Then will have to change all the printer settings.
0
 

Author Comment

by:svillardi
ID: 34994292
I do not understand how a brute force attack occurs.  Your article goes into how to stop the spam once it occurs, but how does it attack the firewall and get to the Exchange server?  

I'm just about ready to close this one up, and I thank you for your assistance!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34995768
A brute force attack is a user controlling a computer (usually not their own) that has a program on it that is told to try numerous username and password combinations until it finally gets one that fits.  If you have a weak password (one that can be found in a dictionary), then it won't take long to discover a password, plus if the password is a short one, then it also won't take long to crack either.

The stronger and longer your passwords, the less easy they will be to guess by a brute force attack and if you have account lockouts after a few invalid login attempts, then that will also slow down a would-be hacker.

The attack won't attack your firewall - it will find an open port, such as port 25 (SMTP) and then try using an email program (or a program such as telnet) to send millions of login attempts to your server.
0
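Raising the diagnostic logging is what exposed the scanner account earlier in this thread: once MSExchangeTransport's SMTP Protocol category is at maximum, Exchange 2003 writes an Application-log event for every successful SMTP authentication, naming the client and the account. The script below is an added example, not code from Alan's article or from Microsoft: it takes the exported message text of those events, groups logons by account and client, and flags the pattern of a brute-forced service account (an account that should never send mail authenticating from Internet addresses, or any account authenticating from several external clients). The sample events are constructed; the event wording follows the 1708 "SMTP Authentication was performed successfully" event as recalled and is treated as an assumption, as are INTERNAL_NETS and SERVICE_ACCOUNTS.

```python
"""Attribute SMTP AUTH sessions to accounts from Exchange 2003 event text.

Export the successful-authentication events, for example with
  Get-EventLog -LogName Application -Source MSExchangeTransport |
      Where-Object {$_.EventID -eq 1708} | ForEach-Object {$_.Message}
and feed the messages to summarize() and findings().
"""
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the site's LAN, and accounts that exist for
# printers/scanners or services and must never authenticate to SMTP.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
SERVICE_ACCOUNTS = {"mydomain\\scanner"}
# Flag any account seen authenticating from this many distinct external clients.
MAX_EXTERNAL_CLIENTS = 2

# The 1708 wording as recalled; if your events differ, adjust the pattern.
AUTH_RE = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"'
    r'.*?the username was "(?P<user>[^"]+)"', re.S)


def _event(client, user, method="LOGIN"):
    """Build one constructed event message in the assumed 1708 wording."""
    return (f'SMTP Authentication was performed successfully with client "{client}". '
            f'The authentication method was "{method}" and the username was "{user}".')


# Constructed sample export: the scanner account abused from two Internet
# hosts, a user on the LAN authenticating normally, and one unrelated event.
SAMPLE_EVENTS = [
    _event("203.0.113.7", "MYDOMAIN\\scanner"),
    _event("203.0.113.7", "MYDOMAIN\\scanner"),
    _event("203.0.113.7", "MYDOMAIN\\scanner"),
    _event("198.51.100.23", "MYDOMAIN\\scanner"),
    _event("192.168.1.20", "MYDOMAIN\\alice"),
    "Some other MSExchangeTransport event text that is not an authentication.",
]


def _is_internal(client):
    try:
        ip = ipaddress.ip_address(client.strip("[]"))
    except ValueError:            # hostname rather than IP
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_auth_events(messages):
    """Return (user, client) pairs for every message that is an auth success."""
    pairs = []
    for msg in messages:
        m = AUTH_RE.search(msg)
        if m:
            pairs.append((m.group("user").lower(), m.group("client")))
    return pairs


def summarize(messages):
    """Map each account to {client: logon count}."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, client in parse_auth_events(messages):
        per_user[user][client] += 1
    return {u: dict(c) for u, c in per_user.items()}


def findings(messages):
    """List accounts whose SMTP AUTH pattern indicates a guessed password."""
    out = []
    for user, clients in summarize(messages).items():
        external = {c: n for c, n in clients.items() if not _is_internal(c)}
        reasons = []
        if user in SERVICE_ACCOUNTS and external:
            reasons.append("service account authenticating to SMTP from outside")
        if len(external) >= MAX_EXTERNAL_CLIENTS:
            reasons.append(f"authenticated from {len(external)} distinct external clients")
        if reasons:
            out.append({"user": user, "external_clients": external, "reasons": reasons})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f["user"], f["external_clients"], "; ".join(f["reasons"]))
```

Once the account is known, the order of operations is the one Alan gave: disable it, change its password everywhere it is configured, restart the SMTP service so existing authenticated sessions drop, and then decide whether a scanner account needs SMTP authentication rights at all; an account that only writes scans to a file share has no business in the "Authenticated Users" relay list.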
