?
Solved

possible infected spam server? trying to track down what is sending out spam

Posted on 2011-03-10
5
Medium Priority
?
778 Views
Last Modified: 2013-11-30
I am running exchange 2003 sp2 and have barracuda spam filter filtering inbound and outbound.

pop3
imap
rpc/http is enabled

i have a situation where spam is being sent by my servers. The ip  in the headers are from a foregin country. They are somehow connecting to my email server and sending out spam.

could it be possible that one of my pop/imap users is infected with a virus and authenticating and then seding out spam?

how can i find the offending users.

I turned up loggin on pop3 and imap but do not see the offending ip anywhere.

need help in tracking down the offending user. or can it be my server has a security hole?

i am blocking the spam going outbound from the spam filter but need to get to the bottom
why its sending out.

Thanks in advance


X-ASG-Debug-ID: 1299760893-00f14f5fb10f8d0001-bDo3tZ
X-Barracuda-Envelope-From: dtglvl@tvdirectsat.tv
Received: from User ([207.194.87.105]) by server1.com with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 10 Mar 2011 07:41:33 -0500
Reply-To: dtglvl@tvdirectsat.tv
X-Barracuda-Apparent-Source-IP: 207.194.87.105
X-Barracuda-BBL-IP: 207.194.87.105
X-Barracuda-RBL-IP: 207.194.87.105
From: Online TV Software<dtglvl@tvdirectsat.tv>
Subject: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone
Date: Thu, 10 Mar 2011 14:41:27 +0200
X-ASG-Orig-Subj: Watch 9000 World Wide TV Channels on your Computer, TV or SmartPhone


0
Comment
Question by:mrbrain646
  • 3
  • 2
5 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 35095096
You are more than likely an authenticated relay and thus this will be bypassing your Barracuda device as it is being allowed through because of authentication.

Please have a read of my article for details of what to do:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
 
LVL 4

Author Comment

by:mrbrain646
ID: 35097241
so far so good, i think i found the user account. I will give it a day and see if its the one.

Do you normally turn off logging after? isnt this something that should be on all the time to send to a log server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35097317
Yes - once all has died down - return the logging back to normal otherwise your logs will fill up with not very useful info.

You can have it on all the time if you like, but you may then miss useful log info as they drop off the end of the logs so I would turn it off and only turn it on again if you need to.

You might want to have a read of my two blog entries for some more useful info:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 
LVL 4

Author Closing Comment

by:mrbrain646
ID: 35108655
Thanks for  you expertise.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35108668
You are welcome - glad I was able to help and sort your problem out.

Thanks for the points.

Alan
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Eseutil Hard Recovery is part of exchange tool and ensures Exchange mailbox data recovery when mailbox gets corrupt due to some problem on Exchange server.
Exchange administrators are always vigilant about Exchange crashes and disasters that are possible any time. It is quite essential to identify the symptoms of a possible Exchange issue and be prepared with a proper recovery plan. There are multiple…
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month14 days, 2 hours left to enroll

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question