Solved

is there anyway of isolating where a spam bot is coming from

Posted on 2011-03-21
15
546 Views
Last Modified: 2012-05-11
hi,

my exchange server is sending alot of spam and i want to find out if the spam is coming from a machine on my network?

i have locked down my router so mail can only be sent from the exchange server, so i suspect its a machine on the network

thanks
0
Comment
Question by:jonathanduane2010
  • 8
  • 7
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180062
0
 

Author Comment

by:jonathanduane2010
ID: 35180205
i have tried that, and didnt find any events 1708 in my eventvwr
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180214
Okay - that's good.

So you probably do have a machine on your network spewing it's spam via the Exchange server or if you have remote clients using RPC over HTTPS, one of those might be infected.

Who are the senders of the spam?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jonathanduane2010
ID: 35180241
thanks a million for getting back, even though i have turned off relay and locked down the firewall its coming from, i have also setup sender filtering and blocked the below address

@yahoo.com.tw and postmaster@mydomain.com even though i cant find a postmaster account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180258
Postmaster would suggest you are not Recipient Filtering.

Do you have external users sending mail via SMTP to your server?
0
 

Author Comment

by:jonathanduane2010
ID: 35180355
i definitely have recipient filtering enabled, no smtp can only send from my exchage server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180375
Okay - with Recipient Filtering Enabled - what are the Postmaster Messages going out?  Are they NDR messages?  Do you receive your mail via a 3rd party spam filtering service first?

With the SMTP not being received from users - please disable the Basic & Integrated Windows Authentication from your SMTP Virtual Server and then restart the Simple Mail Transfer Protocol Service.

That should reduce the possibilities of an external entity sending you spam via an authenticated relay.

Please also download aqadmcli and zap the queues of spam and then monitor:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:jonathanduane2010
ID: 35180427
also i have noticed the queue keep buildin even though the last message that tried to get trough was 9.50 am this morning nearly 4 hours ago
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180462
How do you know the last message that tried to get through was at 09:50 hrs?
0
 

Author Comment

by:jonathanduane2010
ID: 35181013
i checked the queues and sorted it by time
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 35181134
Okay - so assuming you last saw the messages coming in at 09:50 - you won't necessarily see any event log errors if the spammer has stopped spamming you.  But - if they come back again - you will have problems.

I would disable Basic & Integrated Windows Authentication on the SMTP Virtual Server and then they won't be able to come back and flood you with spam.

My blog explains this some more:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:jonathanduane2010
ID: 35184588
hey Alan i ma gona accept your solution i found all your solutions worked, i just had to clear all the messages from the Queue folder, there was 200k of them!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184600
Yikes - 200k is quite a few!

Aqadmcli.exe should eat them up very quickly though : )

Thanks for the points.

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35184612
I actually found it was taking very long so I restarted machine and booted into safe mode then deleted *.eml from command prompt!

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184617
Good to know - thanks for the update.

Well done.

Alan
0

Featured Post

Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Lotus Notes – formerly IBM Notes – is an email client application, while IBM Domino (earlier Lotus Domino) is an email server. The client possesses a set of features that are even more advanced as compared to that of Outlook. Likewise, IBM Domino is…
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question