Solved

is there anyway of isolating where a spam bot is coming from

Posted on 2011-03-21
15
541 Views
Last Modified: 2012-05-11
hi,

my exchange server is sending alot of spam and i want to find out if the spam is coming from a machine on my network?

i have locked down my router so mail can only be sent from the exchange server, so i suspect its a machine on the network

thanks
0
Comment
Question by:jonathanduane2010
  • 8
  • 7
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180062
0
 

Author Comment

by:jonathanduane2010
ID: 35180205
i have tried that, and didnt find any events 1708 in my eventvwr
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180214
Okay - that's good.

So you probably do have a machine on your network spewing it's spam via the Exchange server or if you have remote clients using RPC over HTTPS, one of those might be infected.

Who are the senders of the spam?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:jonathanduane2010
ID: 35180241
thanks a million for getting back, even though i have turned off relay and locked down the firewall its coming from, i have also setup sender filtering and blocked the below address

@yahoo.com.tw and postmaster@mydomain.com even though i cant find a postmaster account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180258
Postmaster would suggest you are not Recipient Filtering.

Do you have external users sending mail via SMTP to your server?
0
 

Author Comment

by:jonathanduane2010
ID: 35180355
i definitely have recipient filtering enabled, no smtp can only send from my exchage server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180375
Okay - with Recipient Filtering Enabled - what are the Postmaster Messages going out?  Are they NDR messages?  Do you receive your mail via a 3rd party spam filtering service first?

With the SMTP not being received from users - please disable the Basic & Integrated Windows Authentication from your SMTP Virtual Server and then restart the Simple Mail Transfer Protocol Service.

That should reduce the possibilities of an external entity sending you spam via an authenticated relay.

Please also download aqadmcli and zap the queues of spam and then monitor:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:jonathanduane2010
ID: 35180427
also i have noticed the queue keep buildin even though the last message that tried to get trough was 9.50 am this morning nearly 4 hours ago
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180462
How do you know the last message that tried to get through was at 09:50 hrs?
0
 

Author Comment

by:jonathanduane2010
ID: 35181013
i checked the queues and sorted it by time
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 35181134
Okay - so assuming you last saw the messages coming in at 09:50 - you won't necessarily see any event log errors if the spammer has stopped spamming you.  But - if they come back again - you will have problems.

I would disable Basic & Integrated Windows Authentication on the SMTP Virtual Server and then they won't be able to come back and flood you with spam.

My blog explains this some more:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:jonathanduane2010
ID: 35184588
hey Alan i ma gona accept your solution i found all your solutions worked, i just had to clear all the messages from the Queue folder, there was 200k of them!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184600
Yikes - 200k is quite a few!

Aqadmcli.exe should eat them up very quickly though : )

Thanks for the points.

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35184612
I actually found it was taking very long so I restarted machine and booted into safe mode then deleted *.eml from command prompt!

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184617
Good to know - thanks for the update.

Well done.

Alan
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question