Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199
  • Last Modified:

How do I tell which users are depositing spam in the exchange outbound queues?

Queues getting filled up with spam. Someone obviously has a virus. How do I tell how they got here?
0
leesobo
Asked:
leesobo
  • 6
  • 3
1 Solution
 
Alan HardistyCo-OwnerCommented:
Please have a read of my article to see if you have an NDR issue or an authenticated relay issue:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/A_2427-Problems-sending-mail-to-one-or-more-external-domains.html
0
 
leesoboAuthor Commented:
I've checked. This is not an open relay. I do believe it's coming from inside. Endpoint protection is showing all clients good.
0
 
Alan HardistyCo-OwnerCommented:
I'm not talking about an open relay - I'm talking about an authenticated relay.

Looking at the queues on your server - who are the senders of the emails?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Alan HardistyCo-OwnerCommented:
Wireshark should be able to tell you if the spam is coming from a local computer on the network:

http://www.wireshark.org/
0
 
leesoboAuthor Commented:
I've installed wireshark and have scanned. For some reason, I"m only getting packets from 1 pc sending to the server. What should I be looking at between the workstation and the Exchange server. Tried port 25. That didn't work.

The address is pcsolutions@television.com. No such address exists internally.
0
 
Alan HardistyCo-OwnerCommented:
So the sender is pcsolutions@television.com?  If that is the case - please read my article again and ramp up the logging.
0
 
Alan HardistyCo-OwnerCommented:
A quick way to be sure the problem isn't external (authenticated relay) is to remove Basic & Integrated Windows Authentication from your SMTP Virtual Server and restart the SMTP Service as per my blog article:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

hat should only allow anonymous users (mail servers) to send you mail but will cut off spammers / your external users if you have any sending your server mail via SMTP / POP3.  If you don't have any users sending you mail this way then removing those authentication methods won't cause you any issues.
0
 
leesoboAuthor Commented:
I read your article and did as suggested. How does this impact internal users trying to send mail via outlook?
0
 
Alan HardistyCo-OwnerCommented:
Internal users won't be affected.  Only External users trying to send via SMTP direct to your server (if you have any such users) will be affected, plus of you have an authenticated relay, it will stop it dead in it's tracks.

If you have lots of queues on your server, you can download aqadmcli.exe to empty the queues very quickly:

ftp://ftp.microsoft.com/pss/Tools/Exchange%20Support%20Tools/Aqadmcli/aqadmcli.exe

For usage instructions - please visit this link:

http://community.spiceworks.com/how_to/show/267
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now