Solved

How can you find out which machine on your network is submitting a message to Microsoft Exchange for delivery outside your network?

Posted on 2011-03-03
7
593 Views
Last Modified: 2013-11-30
We have experienced the outbound Exchange queue being flooded with spam even though we have outbound relay disabled from any machine except the server itself.  We are trying to determine whether a machine on the network is using Outlook to send spam, but have been unable to identify the culprit.  Extensive searches of the Internet have failed to turn up any tools to track down the source.
0
Comment
Question by:URCS
7 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
You may not be an open relay, but that won't stop you being an Authenticated relay.

Please have a read of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

My blog will show you a quick ix to stop this sort of problem dead in it's tracks:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:URCS
Comment Utility
alanhardisty,

Thank you for your response.  While the points made in your article and blog were very informative, they did not address my question.  I am specifically looking for a way to find the exact machine that has sent a particular message (or messages) to the server for delivery.
0
 
LVL 12

Accepted Solution

by:
Navdeep earned 500 total points
Comment Utility
First, export one such message from active queues and check the message header, what is the version of your exchange server, if it's exchange 2003 then you can copy the message from queues folder, enable ncsa logging on default smtp virtual sever. {go to properties of default smtpvirtual server and enable logging to see the connection coming from}

if you have exchange 2007 then you need to use exchange management shell command
export-message
http://technet.microsoft.com/en-us/library/aa998625%28EXCHG.80%29.aspx

enable protocol logging, verbose mode on smtp connector and receive connector

In exchange 2003 you can't really tell from protocol logging if the message is submitted via mapi because it will not be recorder in the logs.

0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Who says it is a machine on your network?  I have seen this sort of problem time and again and more often than not - it is an authenticated relay that causes it.

If you believe it is a local issue - download Wireshark and sniff your network for port 25 traffic.

It could also be an external user with a virus sending across an RPC over HTTPS connection too.

There are plenty of options.  Open relay is one - but you have ruled that out.  Authenticated Relay is another and is on the increase - hence my blog article.

I manage dozens of servers and monitor the invalid login attempts on each server and some days - there are literally thousands!!!!!
0
 
LVL 33

Expert Comment

by:Dave Howe
Comment Utility
I must be missing something here - any mail sent though exchange by smtp, either from inside or outside the network, will have the IP address of the sending machine in its headers. you just need to look at any mail returned as spam. I know exchange admins aren't used to seeing the headers but they are still there :)
0
 

Author Comment

by:URCS
Comment Utility
Thank you all for your time and suggestions.  Although none of them was ultimately the solution, I truly appreciate your attention to the question.

It turned out that there were no IP addresses in the headers and none of your other suggestions worked because the problem was caused by a malicious script on the server that was dropping the messages directly into the Queue folder in the VSI 1 folder.  It took 7 hours on the phone with Microsoft, but we finally figured out the problem and resolved it by creating a new VSI 1 folder and all of it's subfolders on a different drive, deleting the old folders, and using ADSIEDIT to point Exchange to the new folder locations.
0
 

Author Closing Comment

by:URCS
Comment Utility
Although ultimately there was no header information regarding the machine submitting the messages, that was because it was a malicious script on the server and not because the solution was invalid.  Therefore, since the solution would have worked had the messages been submitted via the "normal" mail process, I have accepted this solution and awarded the points.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Easy CSR creation in Exchange 2007,2010 and 2013
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now