Solved

is there anyway of isolating where a spam bot is coming from

Posted on 2011-03-21
15
514 Views
Last Modified: 2012-05-11
hi,

my exchange server is sending alot of spam and i want to find out if the spam is coming from a machine on my network?

i have locked down my router so mail can only be sent from the exchange server, so i suspect its a machine on the network

thanks
0
Comment
Question by:jonathanduane2010
  • 8
  • 7
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
0
 

Author Comment

by:jonathanduane2010
Comment Utility
i have tried that, and didnt find any events 1708 in my eventvwr
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Okay - that's good.

So you probably do have a machine on your network spewing it's spam via the Exchange server or if you have remote clients using RPC over HTTPS, one of those might be infected.

Who are the senders of the spam?
0
 

Author Comment

by:jonathanduane2010
Comment Utility
thanks a million for getting back, even though i have turned off relay and locked down the firewall its coming from, i have also setup sender filtering and blocked the below address

@yahoo.com.tw and postmaster@mydomain.com even though i cant find a postmaster account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Postmaster would suggest you are not Recipient Filtering.

Do you have external users sending mail via SMTP to your server?
0
 

Author Comment

by:jonathanduane2010
Comment Utility
i definitely have recipient filtering enabled, no smtp can only send from my exchage server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Okay - with Recipient Filtering Enabled - what are the Postmaster Messages going out?  Are they NDR messages?  Do you receive your mail via a 3rd party spam filtering service first?

With the SMTP not being received from users - please disable the Basic & Integrated Windows Authentication from your SMTP Virtual Server and then restart the Simple Mail Transfer Protocol Service.

That should reduce the possibilities of an external entity sending you spam via an authenticated relay.

Please also download aqadmcli and zap the queues of spam and then monitor:

http://community.spiceworks.com/how_to/show/267
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:jonathanduane2010
Comment Utility
also i have noticed the queue keep buildin even though the last message that tried to get trough was 9.50 am this morning nearly 4 hours ago
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
How do you know the last message that tried to get through was at 09:50 hrs?
0
 

Author Comment

by:jonathanduane2010
Comment Utility
i checked the queues and sorted it by time
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
Comment Utility
Okay - so assuming you last saw the messages coming in at 09:50 - you won't necessarily see any event log errors if the spammer has stopped spamming you.  But - if they come back again - you will have problems.

I would disable Basic & Integrated Windows Authentication on the SMTP Virtual Server and then they won't be able to come back and flood you with spam.

My blog explains this some more:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:jonathanduane2010
Comment Utility
hey Alan i ma gona accept your solution i found all your solutions worked, i just had to clear all the messages from the Queue folder, there was 200k of them!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Yikes - 200k is quite a few!

Aqadmcli.exe should eat them up very quickly though : )

Thanks for the points.

Alan
0
 

Author Comment

by:jonathanduane2010
Comment Utility
I actually found it was taking very long so I restarted machine and booted into safe mode then deleted *.eml from command prompt!

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Good to know - thanks for the update.

Well done.

Alan
0

Featured Post

Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now