How can you find out which machine on your network is submitting a message to Microsoft Exchange for delivery outside your network?

We have experienced the outbound Exchange queue being flooded with spam even though we have outbound relay disabled from any machine except the server itself.  We are trying to determine whether a machine on the network is using Outlook to send spam, but have been unable to identify the culprit.  Extensive searches of the Internet have failed to turn up any tools to track down the source.
URCS Asked:
 
Navdeep Commented:
First, export one such message from active queues and check the message header, what is the version of your exchange server, if it's exchange 2003 then you can copy the message from queues folder, enable ncsa logging on default smtp virtual server. {go to properties of default smtp virtual server and enable logging to see the connection coming from}

if you have exchange 2007 then you need to use exchange management shell command
export-message
http://technet.microsoft.com/en-us/library/aa998625%28EXCHG.80%29.aspx

enable protocol logging, verbose mode on smtp connector and receive connector

In exchange 2003 you can't really tell from protocol logging if the message is submitted via mapi because it will not be recorded in the logs.

0
 
Alan Hardisty (Co-Owner) Commented:
You may not be an open relay, but that won't stop you being an Authenticated relay.

Please have a read of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

My blog will show you a quick fix to stop this sort of problem dead in its tracks:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 
URCS (Author) Commented:
alanhardisty,

Thank you for your response.  While the points made in your article and blog were very informative, they did not address my question.  I am specifically looking for a way to find the exact machine that has sent a particular message (or messages) to the server for delivery.
0
 
Alan Hardisty (Co-Owner) Commented:
Who says it is a machine on your network?  I have seen this sort of problem time and again and more often than not - it is an authenticated relay that causes it.

If you believe it is a local issue - download Wireshark and sniff your network for port 25 traffic.

It could also be an external user with a virus sending across an RPC over HTTPS connection too.

There are plenty of options.  Open relay is one - but you have ruled that out.  Authenticated Relay is another and is on the increase - hence my blog article.

I manage dozens of servers and monitor the invalid login attempts on each server and some days - there are literally thousands!!!!!
0
 
Dave Howe (Software and Hardware Engineer) Commented:
I must be missing something here - any mail sent through exchange by smtp, either from inside or outside the network, will have the IP address of the sending machine in its headers. You just need to look at any mail returned as spam. I know exchange admins aren't used to seeing the headers but they are still there :)
0
 
URCS (Author) Commented:
Thank you all for your time and suggestions.  Although none of them was ultimately the solution, I truly appreciate your attention to the question.

It turned out that there were no IP addresses in the headers and none of your other suggestions worked because the problem was caused by a malicious script on the server that was dropping the messages directly into the Queue folder in the VSI 1 folder.  It took 7 hours on the phone with Microsoft, but we finally figured out the problem and resolved it by creating a new VSI 1 folder and all of its subfolders on a different drive, deleting the old folders, and using ADSIEDIT to point Exchange to the new folder locations.
0
 
URCS (Author) Commented:
Although ultimately there was no header information regarding the machine submitting the messages, that was because it was a malicious script on the server and not because the solution was invalid.  Therefore, since the solution would have worked had the messages been submitted via the "normal" mail process, I have accepted this solution and awarded the points.
0
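A small header-triage script covering the two outcomes in this thread, as an added example (not code from the thread, Experts Exchange or Microsoft): it reads the earliest Received: hop to name the submitting host, as Dave Howe describes, and flags a message that carries no SMTP trail at all, which is what the author found with messages dropped straight into the queue folder. The sample messages, host names and addresses are constructed.

```python
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample messages (not from the thread). The first arrived over SMTP
# from a LAN workstation and was relayed once more internally; the second has no
# Received: hops at all, the pattern seen when a file is written straight into the
# queue folder rather than submitted through SMTP.
SMTP_MSG = (
    b"Received: from exch01.corp.example ([10.0.0.5]) by hub01.corp.example with Microsoft SMTPSVC;\r\n"
    b"\tTue, 7 Dec 2010 10:00:01 +0000\r\n"
    b"Received: from WS-042 ([192.168.1.42]) by exch01.corp.example with Microsoft SMTPSVC;\r\n"
    b"\tTue, 7 Dec 2010 10:00:00 +0000\r\n"
    b"From: someone@corp.example\r\nTo: victim@example.invalid\r\nSubject: test\r\n\r\nbody\r\n"
)
INJECTED_MSG = (
    b"From: someone@corp.example\r\nTo: victim@example.invalid\r\nSubject: test\r\n\r\nbody\r\n"
)

# "from <host/address> by <server>" is the part of a Received: hop that names the submitter.
FROM_BY_RE = re.compile(r"\bfrom\s+(.*?)\s+by\b", re.I | re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_hops(raw: bytes) -> list[str]:
    """Received: headers, oldest hop first (each MTA prepends, so reverse the order)."""
    msg = message_from_bytes(raw, policy=default)
    # Collapse folded whitespace so the regexes see one line per hop.
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]


def classify(raw: bytes) -> dict:
    """Name the submitting host from the earliest hop, or flag a message with no SMTP trail."""
    hops = received_hops(raw)
    if not hops:
        return {"hops": 0, "source_ip": None,
                "verdict": "no Received hops: not an SMTP submission "
                           "(MAPI client, or written straight into the queue folder)"}
    m = FROM_BY_RE.search(hops[0])
    ip = IP_RE.search(m.group(1)) if m else None
    return {"hops": len(hops), "source_ip": ip.group(1) if ip else None,
            "verdict": f"submitted by {ip.group(1)}" if ip else "earliest hop names no source address"}


if __name__ == "__main__":
    for label, raw in (("smtp", SMTP_MSG), ("injected", INJECTED_MSG)):
        print(label, classify(raw))
```

Run it over a batch of messages exported from the queue; a pile of results with zero hops points at the server itself rather than at a client on the network.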