Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

How can you find out which machine on your network is submitting a message to Microsoft Exchange for delivery outside your network?

Posted on 2011-03-03
7
Medium Priority
?
644 Views
Last Modified: 2013-11-30
We have experienced the outbound Exchange queue being flooded with spam even though we have outbound relay disabled from any machine except the server itself.  We are trying to determine whether a machine on the network is using Outlook to send spam, but have been unable to identify the culprit.  Extensive searches of the Internet have failed to turn up any tools to track down the source.
0
Comment
Question by:URCS
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35032161
You may not be an open relay, but that won't stop you being an Authenticated relay.

Please have a read of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

My blog will show you a quick ix to stop this sort of problem dead in it's tracks:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:URCS
ID: 35032224
alanhardisty,

Thank you for your response.  While the points made in your article and blog were very informative, they did not address my question.  I am specifically looking for a way to find the exact machine that has sent a particular message (or messages) to the server for delivery.
0
 
LVL 12

Accepted Solution

by:
Navdeep earned 2000 total points
ID: 35032352
First, export one such message from active queues and check the message header, what is the version of your exchange server, if it's exchange 2003 then you can copy the message from queues folder, enable ncsa logging on default smtp virtual sever. {go to properties of default smtpvirtual server and enable logging to see the connection coming from}

if you have exchange 2007 then you need to use exchange management shell command
export-message
http://technet.microsoft.com/en-us/library/aa998625%28EXCHG.80%29.aspx

enable protocol logging, verbose mode on smtp connector and receive connector

In exchange 2003 you can't really tell from protocol logging if the message is submitted via mapi because it will not be recorder in the logs.

0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35032371
Who says it is a machine on your network?  I have seen this sort of problem time and again and more often than not - it is an authenticated relay that causes it.

If you believe it is a local issue - download Wireshark and sniff your network for port 25 traffic.

It could also be an external user with a virus sending across an RPC over HTTPS connection too.

There are plenty of options.  Open relay is one - but you have ruled that out.  Authenticated Relay is another and is on the increase - hence my blog article.

I manage dozens of servers and monitor the invalid login attempts on each server and some days - there are literally thousands!!!!!
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35032684
I must be missing something here - any mail sent though exchange by smtp, either from inside or outside the network, will have the IP address of the sending machine in its headers. you just need to look at any mail returned as spam. I know exchange admins aren't used to seeing the headers but they are still there :)
0
 

Author Comment

by:URCS
ID: 35071255
Thank you all for your time and suggestions.  Although none of them was ultimately the solution, I truly appreciate your attention to the question.

It turned out that there were no IP addresses in the headers and none of your other suggestions worked because the problem was caused by a malicious script on the server that was dropping the messages directly into the Queue folder in the VSI 1 folder.  It took 7 hours on the phone with Microsoft, but we finally figured out the problem and resolved it by creating a new VSI 1 folder and all of it's subfolders on a different drive, deleting the old folders, and using ADSIEDIT to point Exchange to the new folder locations.
0
 

Author Closing Comment

by:URCS
ID: 35071300
Although ultimately there was no header information regarding the machine submitting the messages, that was because it was a malicious script on the server and not because the solution was invalid.  Therefore, since the solution would have worked had the messages been submitted via the "normal" mail process, I have accepted this solution and awarded the points.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question