Solved

is there anyway of isolating where a spam bot is coming from

Posted on 2011-03-21
Last Modified: 2012-05-11
hi,

my exchange server is sending alot of spam and i want to find out if the spam is coming from a machine on my network?

i have locked down my router so mail can only be sent from the exchange server, so i suspect its a machine on the network

thanks
0
Question by:jonathanduane2010
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180062
0
 

Author Comment

by:jonathanduane2010
ID: 35180205
I have tried that, and didn't find any events 1708 in my eventvwr
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180214
Okay - that's good.

So you probably do have a machine on your network spewing its spam via the Exchange server, or, if you have remote clients using RPC over HTTPS, one of those might be infected.

Who are the senders of the spam?
0
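One way to answer the "who are the senders?" question above and to pin down which client submitted the queued mail, as an added example that is not part of this thread: it reads the Received: trace headers of queued messages and tallies them per submitting client IP and per From: address, keeping the most recent submission time per IP. The sample messages, hostnames, IPs and the trace-line layout are constructed assumptions, not data from the thread.

```python
# Triage queued SMTP messages to find which client handed them to the server.
# Added example, not from the thread; the Received: layout and the sample
# messages are constructed (assumption: modelled on Windows SMTP service traces).
import re
from collections import Counter
from email import message_from_string
from email.utils import parsedate_to_datetime

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def _sample(host, ip, when, sender):
    """Build one constructed queued message carrying a single Received: trace."""
    return (f"Received: from {host} ([{ip}]) by mail.example.com with "
            f"Microsoft SMTPSVC; {when}\r\nFrom: {sender}\r\n"
            f"To: victim@example.net\r\nSubject: hi\r\n\r\nbuy now\r\n")

# Constructed queue: three messages from one internal host, one from another.
SAMPLE_QUEUE = [
    _sample("WORKSTATION-17", "10.0.0.17", "Mon, 21 Mar 2011 09:12:04 +0000", "postmaster@mydomain.com"),
    _sample("WORKSTATION-17", "10.0.0.17", "Mon, 21 Mar 2011 09:50:00 +0000", "sale@yahoo.com.tw"),
    _sample("WORKSTATION-17", "10.0.0.17", "Mon, 21 Mar 2011 09:31:40 +0000", "postmaster@mydomain.com"),
    _sample("LAPTOP-03", "10.0.0.42", "Mon, 21 Mar 2011 08:02:11 +0000", "bob@mydomain.com"),
]

def first_hop(msg):
    """Earliest Received: line (last in header order) is where the message entered this server."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    first = received[-1]
    m = IP_RE.search(first)
    try:
        when = parsedate_to_datetime(first.rsplit(";", 1)[1].strip())
    except (IndexError, TypeError, ValueError):
        when = None  # no or malformed date: keep the IP, drop the time
    return (m.group(1) if m else None), when

def triage(queue):
    """Tally messages per submitting IP and per From:, with the latest submission per IP."""
    per_ip, senders, latest = Counter(), Counter(), {}
    for text in queue:
        msg = message_from_string(text)
        ip, when = first_hop(msg)
        key = ip or "unknown"
        per_ip[key] += 1
        senders[msg.get("From", "?")] += 1
        if when and (key not in latest or when > latest[key]):
            latest[key] = when
    return per_ip, senders, latest
```

On a real server you would feed `triage()` the contents of the .eml files in the SMTP queue directory instead of `SAMPLE_QUEUE`; the IP with the highest count is the host to pull off the network and inspect.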
 

Author Comment

by:jonathanduane2010
ID: 35180241
Thanks a million for getting back. Even though I have turned off relay and locked down the firewall it's coming from, I have also set up sender filtering and blocked the below addresses:

@yahoo.com.tw and postmaster@mydomain.com, even though I can't find a postmaster account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180258
Postmaster would suggest you are not Recipient Filtering.

Do you have external users sending mail via SMTP to your server?
0
 

Author Comment

by:jonathanduane2010
ID: 35180355
I definitely have recipient filtering enabled. No, SMTP can only send from my Exchange server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180375
Okay - with Recipient Filtering Enabled - what are the Postmaster Messages going out?  Are they NDR messages?  Do you receive your mail via a 3rd party spam filtering service first?

With the SMTP not being received from users - please disable the Basic & Integrated Windows Authentication from your SMTP Virtual Server and then restart the Simple Mail Transfer Protocol Service.

That should reduce the possibilities of an external entity sending you spam via an authenticated relay.

Please also download aqadmcli and zap the queues of spam and then monitor:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:jonathanduane2010
ID: 35180427
Also I have noticed the queue keeps building even though the last message that tried to get through was 9.50 am this morning, nearly 4 hours ago
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180462
How do you know the last message that tried to get through was at 09:50 hrs?
0
 

Author Comment

by:jonathanduane2010
ID: 35181013
I checked the queues and sorted them by time
0
 
LVL 76

Accepted Solution

by:Alan Hardisty earned 1000 total points
ID: 35181134
Okay - so assuming you last saw the messages coming in at 09:50 - you won't necessarily see any event log errors if the spammer has stopped spamming you.  But - if they come back again - you will have problems.

I would disable Basic & Integrated Windows Authentication on the SMTP Virtual Server and then they won't be able to come back and flood you with spam.

My blog explains this some more:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:jonathanduane2010
ID: 35184588
Hey Alan, I am gonna accept your solution. I found all your solutions worked, I just had to clear all the messages from the Queue folder, there were 200k of them!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184600
Yikes - 200k is quite a few!

Aqadmcli.exe should eat them up very quickly though : )

Thanks for the points.

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35184612
I actually found it was taking very long so I restarted the machine and booted into safe mode, then deleted *.eml from the command prompt!

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184617
Good to know - thanks for the update.

Well done.

Alan
0