How can you find out which machine on your network is submitting a message to Microsoft Exchange for delivery outside your network?

We have experienced the outbound Exchange queue being flooded with spam even though we have outbound relay disabled from any machine except the server itself.  We are trying to determine whether a machine on the network is using Outlook to send spam, but have been unable to identify the culprit.  Extensive searches of the Internet have failed to turn up any tools to track down the source.
URCS asked:
Alan Hardisty (Co-Owner) commented:
You may not be an open relay, but that won't stop you being an Authenticated relay.

Please have a read of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

My blog will show you a quick fix to stop this sort of problem dead in its tracks:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
 
URCS (Author) commented:
alanhardisty,

Thank you for your response.  While the points made in your article and blog were very informative, they did not address my question.  I am specifically looking for a way to find the exact machine that has sent a particular message (or messages) to the server for delivery.
 
Navdeep commented:
First, export one such message from the active queues and check the message header. What is the version of your Exchange server? If it's Exchange 2003 then you can copy the message from the queues folder and enable NCSA logging on the Default SMTP Virtual Server (go to the properties of the Default SMTP Virtual Server and enable logging to see where the connection is coming from).

If you have Exchange 2007 then you need to use the Exchange Management Shell command export-message:
http://technet.microsoft.com/en-us/library/aa998625%28EXCHG.80%29.aspx

Enable protocol logging (verbose mode) on the SMTP connector and the receive connector.

In Exchange 2003 you can't really tell from protocol logging if the message is submitted via MAPI because it will not be recorded in the logs.

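
As an added example (not part of the original thread), here is a small Python script that reads the verbose receive-connector protocol log Navdeep suggests enabling and answers the asker's question from it: which peer IP opened the session that queued a given message, whether that session authenticated (Alan's "authenticated relay" case), and which peers are queueing the most. It assumes the nine-column CSV layout that Exchange 2007/2010 writes to its receive protocol logs; the log lines, server name, session IDs and addresses are constructed for the example, and matching the identifier in the server's "250 ... Queued mail for delivery" reply to the item in your queue is an assumption you should confirm against your own Get-Message output.

```python
import csv
import re
from collections import defaultdict

# Column order of an Exchange 2007/2010 receive-connector protocol log
# (this is the "#Fields:" header line at the top of every log file).
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed sample log: one LAN client (10.0.0.42) that authenticates and
# queues two messages, and one Internet host delivering a single inbound
# message without authenticating. All IDs, names and addresses are made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.1.0.0
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-12-01T10:15:22.123Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,0,10.0.0.5:25,10.0.0.42:49152,+,,
2010-12-01T10:15:22.130Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,1,10.0.0.5:25,10.0.0.42:49152,<,EHLO workstation17,
2010-12-01T10:15:22.200Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,2,10.0.0.5:25,10.0.0.42:49152,<,AUTH LOGIN,
2010-12-01T10:15:22.250Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,3,10.0.0.5:25,10.0.0.42:49152,>,235 2.7.0 Authentication successful,
2010-12-01T10:15:22.300Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,4,10.0.0.5:25,10.0.0.42:49152,<,MAIL FROM:<bob@example.local>,
2010-12-01T10:15:22.310Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,5,10.0.0.5:25,10.0.0.42:49152,<,RCPT TO:<victim1@example.net>,
2010-12-01T10:15:22.400Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,6,10.0.0.5:25,10.0.0.42:49152,>,250 2.6.0 <msg0001@mail.example.local> Queued mail for delivery,
2010-12-01T10:15:23.000Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,7,10.0.0.5:25,10.0.0.42:49152,<,MAIL FROM:<bob@example.local>,
2010-12-01T10:15:23.010Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,8,10.0.0.5:25,10.0.0.42:49152,<,RCPT TO:<victim2@example.org>,
2010-12-01T10:15:23.100Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,9,10.0.0.5:25,10.0.0.42:49152,>,250 2.6.0 <msg0002@mail.example.local> Queued mail for delivery,
2010-12-01T10:15:23.200Z,MAIL\\Default MAIL,08CD5A1B2C3D4E5F,10,10.0.0.5:25,10.0.0.42:49152,-,,Local
2010-12-01T10:20:01.000Z,MAIL\\Default MAIL,08CD5A1B2C3D4E60,0,10.0.0.5:25,203.0.113.77:34001,+,,
2010-12-01T10:20:01.050Z,MAIL\\Default MAIL,08CD5A1B2C3D4E60,1,10.0.0.5:25,203.0.113.77:34001,<,MAIL FROM:<news@partner.example>,
2010-12-01T10:20:01.060Z,MAIL\\Default MAIL,08CD5A1B2C3D4E60,2,10.0.0.5:25,203.0.113.77:34001,<,RCPT TO:<alice@example.local>,
2010-12-01T10:20:01.200Z,MAIL\\Default MAIL,08CD5A1B2C3D4E60,3,10.0.0.5:25,203.0.113.77:34001,>,250 2.6.0 <msg0003@mail.example.local> Queued mail for delivery,
2010-12-01T10:20:01.300Z,MAIL\\Default MAIL,08CD5A1B2C3D4E60,4,10.0.0.5:25,203.0.113.77:34001,-,,Local
"""


def parse_sessions(log_text):
    """Group protocol-log rows by SMTP session and keep the facts that identify
    a submitter: peer IP, whether AUTH succeeded, the envelope senders used and
    the identifiers the server returned in its 250 'Queued' replies."""
    sessions = {}
    rows = csv.reader(line for line in log_text.splitlines()
                      if line.strip() and not line.startswith("#"))
    for row in rows:
        if len(row) < 7:
            continue
        rec = dict(zip(FIELDS, row + [""] * (len(FIELDS) - len(row))))
        s = sessions.setdefault(rec["session-id"], {
            "remote": rec["remote-endpoint"].rsplit(":", 1)[0],   # drop the port
            "authenticated": False, "mail_from": [], "queued_ids": []})
        ev, data = rec["event"], rec["data"]
        if ev == "<" and data.upper().startswith("MAIL FROM:"):
            s["mail_from"].append(data.split(":", 1)[1].strip().strip("<>"))
        elif ev == ">" and data.startswith("235 "):      # AUTH accepted
            s["authenticated"] = True
        elif ev == ">" and data.startswith("250 ") and "Queued mail" in data:
            m = re.search(r"<([^>]+)>", data)
            if m:
                s["queued_ids"].append(m.group(1))
    return sessions


def session_for_message(sessions, message_id):
    """Return (session_id, session) whose 250 reply carried message_id, else None.
    Assumption: that identifier is the one shown for the item in the queue."""
    for sid, s in sessions.items():
        if message_id in s["queued_ids"]:
            return sid, s
    return None


def summarize_by_remote(sessions):
    """Per peer IP: sessions opened, messages queued, sessions that authenticated.
    A LAN host queueing many messages, or an outside host that authenticates,
    is where to look first."""
    summary = defaultdict(lambda: {"sessions": 0, "queued": 0, "authenticated": 0})
    for s in sessions.values():
        entry = summary[s["remote"]]
        entry["sessions"] += 1
        entry["queued"] += len(s["queued_ids"])
        entry["authenticated"] += int(s["authenticated"])
    return dict(summary)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print(session_for_message(sessions, "msg0002@mail.example.local"))
    print(summarize_by_remote(sessions))
```

To use it on a real server, replace SAMPLE_LOG with the contents of the receive-connector log files (they are plain CSV, so several can be concatenated) and search for the identifier of a message you exported from the queue. Because the protocol log is written by the server at connection time, it cannot be forged by the client the way a Received: header can, which makes it the stronger record of the two.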
Alan Hardisty (Co-Owner) commented:
Who says it is a machine on your network?  I have seen this sort of problem time and again and more often than not - it is an authenticated relay that causes it.

If you believe it is a local issue - download Wireshark and sniff your network for port 25 traffic.

It could also be an external user with a virus sending across an RPC over HTTPS connection too.

There are plenty of options.  Open relay is one - but you have ruled that out.  Authenticated Relay is another and is on the increase - hence my blog article.

I manage dozens of servers and monitor the invalid login attempts on each server and some days - there are literally thousands!!!!!
 
Dave Howe (Software and Hardware Engineer) commented:
I must be missing something here - any mail sent through Exchange by SMTP, either from inside or outside the network, will have the IP address of the sending machine in its headers. You just need to look at any mail returned as spam. I know Exchange admins aren't used to seeing the headers but they are still there :)
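
The header check that Navdeep and Dave describe, as an added example that is not part of the original thread: it pulls the peer IP out of the Received: line that our own server stamped, ignores any Received: lines beneath it (those arrive inside the message and can say whatever the submitter likes), and returns nothing when our server never stamped one at all, which is the situation the asker eventually found (a message file written straight into the queue directory never passes through SMTP, so no hop is recorded). The server name and both sample messages are constructed.

```python
import re
from email import message_from_string

# Hostname of the Exchange server whose Received: stamps we trust (assumed).
OUR_SERVER = "mail.example.local"

# Peer address as IIS SMTP / Exchange write it: "([10.0.0.42])" or "(10.0.0.42)".
_IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def find_submitting_host(raw_message, our_server=OUR_SERVER):
    """Return the IP that handed this message to our_server over SMTP, or None
    if our_server never stamped a Received: line (the message did not arrive
    over SMTP, e.g. it was written straight into the queue directory)."""
    msg = message_from_string(raw_message)
    # Each hop prepends its Received: line, so get_all() is newest first;
    # walk from the bottom (earliest hop) upwards.
    for received in reversed(msg.get_all("Received", [])):
        header = " ".join(received.split())          # unfold continuation lines
        parts = re.split(r"\s+by\s+", header, maxsplit=1)
        if len(parts) != 2:
            continue
        from_part, by_part = parts
        # Only the stamp our own server added is trustworthy; anything beneath
        # it in the header stack was supplied by the client and may be forged.
        if not by_part.lower().startswith(our_server.lower()):
            continue
        m = _IP_RE.search(from_part)
        if m:
            return m.group(1)
    return None


# Constructed sample 1: a LAN workstation submitted over SMTP. The bottom
# Received: line is a forgery the client included to point blame elsewhere.
SAMPLE_SMTP = """\
Received: from workstation17 ([10.0.0.42]) by mail.example.local with
 Microsoft SMTPSVC(6.0.3790.4675); Wed, 1 Dec 2010 10:15:22 +0000
Received: from innocent.example.net ([198.51.100.9]) by workstation17;
 Wed, 1 Dec 2010 10:15:00 +0000
From: bob@example.local
To: victim1@example.net
Subject: constructed sample
Message-ID: <msg0001@mail.example.local>

body
"""

# Constructed sample 2: no Received: line at all. This is what a message file
# dropped directly into the queue directory by a local process looks like.
SAMPLE_LOCAL = """\
From: bob@example.local
To: victim2@example.org
Subject: constructed sample
Message-ID: <msg0002@mail.example.local>

body
"""

if __name__ == "__main__":
    for name, sample in (("SMTP", SAMPLE_SMTP), ("LOCAL", SAMPLE_LOCAL)):
        ip = find_submitting_host(sample)
        print(name, ip or "no SMTP hop stamped by our server: look for a local submitter")
```

Point it at a message exported from the queue (or at a bounce that came back) and set OUR_SERVER to the name your server writes after "by". A submitter can still forge a line that imitates your server's own stamp, so when the answer matters, confirm it against the server-side protocol log rather than the headers alone.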
 
URCS (Author) commented:
Thank you all for your time and suggestions.  Although none of them was ultimately the solution, I truly appreciate your attention to the question.

It turned out that there were no IP addresses in the headers and none of your other suggestions worked because the problem was caused by a malicious script on the server that was dropping the messages directly into the Queue folder in the VSI 1 folder.  It took 7 hours on the phone with Microsoft, but we finally figured out the problem and resolved it by creating a new VSI 1 folder and all of its subfolders on a different drive, deleting the old folders, and using ADSIEDIT to point Exchange to the new folder locations.
 
URCS (Author) commented:
Although ultimately there was no header information regarding the machine submitting the messages, that was because it was a malicious script on the server and not because the solution was invalid.  Therefore, since the solution would have worked had the messages been submitted via the "normal" mail process, I have accepted this solution and awarded the points.