Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 646
  • Last Modified:

How can you find out which machine on your network is submitting a message to Microsoft Exchange for delivery outside your network?

We have experienced the outbound Exchange queue being flooded with spam even though we have outbound relay disabled from any machine except the server itself.  We are trying to determine whether a machine on the network is using Outlook to send spam, but have been unable to identify the culprit.  Extensive searches of the Internet have failed to turn up any tools to track down the source.
0
URCS
Asked:
URCS
1 Solution
 
Alan HardistyCommented:
You may not be an open relay, but that won't stop you being an Authenticated relay.

Please have a read of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

My blog will show you a quick ix to stop this sort of problem dead in it's tracks:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 
URCSAuthor Commented:
alanhardisty,

Thank you for your response.  While the points made in your article and blog were very informative, they did not address my question.  I am specifically looking for a way to find the exact machine that has sent a particular message (or messages) to the server for delivery.
0
 
NavdeepCommented:
First, export one such message from active queues and check the message header, what is the version of your exchange server, if it's exchange 2003 then you can copy the message from queues folder, enable ncsa logging on default smtp virtual sever. {go to properties of default smtpvirtual server and enable logging to see the connection coming from}

if you have exchange 2007 then you need to use exchange management shell command
export-message
http://technet.microsoft.com/en-us/library/aa998625%28EXCHG.80%29.aspx

enable protocol logging, verbose mode on smtp connector and receive connector

In exchange 2003 you can't really tell from protocol logging if the message is submitted via mapi because it will not be recorder in the logs.

0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Alan HardistyCommented:
Who says it is a machine on your network?  I have seen this sort of problem time and again and more often than not - it is an authenticated relay that causes it.

If you believe it is a local issue - download Wireshark and sniff your network for port 25 traffic.

It could also be an external user with a virus sending across an RPC over HTTPS connection too.

There are plenty of options.  Open relay is one - but you have ruled that out.  Authenticated Relay is another and is on the increase - hence my blog article.

I manage dozens of servers and monitor the invalid login attempts on each server and some days - there are literally thousands!!!!!
0
 
Dave HoweCommented:
I must be missing something here - any mail sent though exchange by smtp, either from inside or outside the network, will have the IP address of the sending machine in its headers. you just need to look at any mail returned as spam. I know exchange admins aren't used to seeing the headers but they are still there :)
0
 
URCSAuthor Commented:
Thank you all for your time and suggestions.  Although none of them was ultimately the solution, I truly appreciate your attention to the question.

It turned out that there were no IP addresses in the headers and none of your other suggestions worked because the problem was caused by a malicious script on the server that was dropping the messages directly into the Queue folder in the VSI 1 folder.  It took 7 hours on the phone with Microsoft, but we finally figured out the problem and resolved it by creating a new VSI 1 folder and all of it's subfolders on a different drive, deleting the old folders, and using ADSIEDIT to point Exchange to the new folder locations.
0
 
URCSAuthor Commented:
Although ultimately there was no header information regarding the machine submitting the messages, that was because it was a malicious script on the server and not because the solution was invalid.  Therefore, since the solution would have worked had the messages been submitted via the "normal" mail process, I have accepted this solution and awarded the points.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now