Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

is there anyway of isolating where a spam bot is coming from

Posted on 2011-03-21
15
Medium Priority
?
563 Views
Last Modified: 2012-05-11
hi,

my exchange server is sending alot of spam and i want to find out if the spam is coming from a machine on my network?

i have locked down my router so mail can only be sent from the exchange server, so i suspect its a machine on the network

thanks
0
Comment
Question by:jonathanduane2010
  • 8
  • 7
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180062
0
 

Author Comment

by:jonathanduane2010
ID: 35180205
i have tried that, and didnt find any events 1708 in my eventvwr
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180214
Okay - that's good.

So you probably do have a machine on your network spewing it's spam via the Exchange server or if you have remote clients using RPC over HTTPS, one of those might be infected.

Who are the senders of the spam?
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 

Author Comment

by:jonathanduane2010
ID: 35180241
thanks a million for getting back, even though i have turned off relay and locked down the firewall its coming from, i have also setup sender filtering and blocked the below address

@yahoo.com.tw and postmaster@mydomain.com even though i cant find a postmaster account
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180258
Postmaster would suggest you are not Recipient Filtering.

Do you have external users sending mail via SMTP to your server?
0
 

Author Comment

by:jonathanduane2010
ID: 35180355
i definitely have recipient filtering enabled, no smtp can only send from my exchage server?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180375
Okay - with Recipient Filtering Enabled - what are the Postmaster Messages going out?  Are they NDR messages?  Do you receive your mail via a 3rd party spam filtering service first?

With the SMTP not being received from users - please disable the Basic & Integrated Windows Authentication from your SMTP Virtual Server and then restart the Simple Mail Transfer Protocol Service.

That should reduce the possibilities of an external entity sending you spam via an authenticated relay.

Please also download aqadmcli and zap the queues of spam and then monitor:

http://community.spiceworks.com/how_to/show/267
0
 

Author Comment

by:jonathanduane2010
ID: 35180427
also i have noticed the queue keep buildin even though the last message that tried to get trough was 9.50 am this morning nearly 4 hours ago
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35180462
How do you know the last message that tried to get through was at 09:50 hrs?
0
 

Author Comment

by:jonathanduane2010
ID: 35181013
i checked the queues and sorted it by time
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 1000 total points
ID: 35181134
Okay - so assuming you last saw the messages coming in at 09:50 - you won't necessarily see any event log errors if the spammer has stopped spamming you.  But - if they come back again - you will have problems.

I would disable Basic & Integrated Windows Authentication on the SMTP Virtual Server and then they won't be able to come back and flood you with spam.

My blog explains this some more:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/
0
 

Author Comment

by:jonathanduane2010
ID: 35184588
hey Alan i ma gona accept your solution i found all your solutions worked, i just had to clear all the messages from the Queue folder, there was 200k of them!!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184600
Yikes - 200k is quite a few!

Aqadmcli.exe should eat them up very quickly though : )

Thanks for the points.

Alan
0
 

Author Comment

by:jonathanduane2010
ID: 35184612
I actually found it was taking very long so I restarted machine and booted into safe mode then deleted *.eml from command prompt!

Thanks again
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35184617
Good to know - thanks for the update.

Well done.

Alan
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
Are you looking for the options available for exporting EDB files to PST? You may be confused as they are different in different Exchange versions. Here, I will discuss some options available.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

783 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question