Got a spambot in my network
Posted on 2011-05-02
I have Exchange 2003 SP2 behind ISA 2004 and Panda Enterprise as the malware protection system. Today, I received an email from a user stating that emails he sent bounced back. When I checked, I found that our IP is blacklisted. A look at the queues in ESM revealed some 25 queue folders. Those were all unknown, unsolicited destinations with one common factor: the email sender and the subject were the same. The email is said to be sent from an international bank group, with which we have no relation whatsoever; I came to understand that my Exchange server is being used as a spambot. However, I am short of understanding whether the spambot resides in Exchange itself, or uses an authentic user PC to send emails through our Exchange server as if they were sent from a user in the network.
I need help with the following, please:
1 – Based on the details above, can someone figure out whether the spambot resides in the Exchange server or not?
2 – The rule on ISA that allows Exchange to send messages out is configured for “All users”. If I configure that to “All authenticated users”, Exchange fails to connect to our external DNS servers (set by our ISP) and thus fails to send any legitimate messages. Is it OK to keep the rule that way?
3 – How can I, after fixing this, stop spam right before it gets out of our network? Currently, only the Exchange server can get through port 25. This eliminates the chance for other systems in the network to send spam. However, as in the current case, if Exchange is infected, what software is there to stop spam before it spreads out?
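One way to approach question 1 is to group outbound submissions by the client that handed them to Exchange and by (sender, subject): a burst of identical sender/subject pairs arriving from one workstation's address points at an infected PC relaying through the server, while the same burst arriving from the server's own address points at something running on Exchange itself. The script below is an added example, not code from the original post or from Microsoft; it uses a constructed, pipe-separated record format (not Exchange 2003's message-tracking or SMTP protocol log format) and an assumed server address `10.0.0.5`, so the parser would need adapting to whatever log you actually export.

```python
"""Triage helper: find bursts of outbound mail with identical sender/subject and
report which client address submitted them. Added example; record format and
addresses are constructed for illustration."""
from collections import defaultdict

# Assumption: the Exchange server's own addresses. Submissions arriving from
# these were generated on the server itself rather than relayed from a PC.
SERVER_ADDRS = {"10.0.0.5", "127.0.0.1"}

# Constructed sample lines: timestamp|client_ip|auth_user|sender|subject|recipient
SAMPLE_LOG = """\
2011-05-02 08:01:12|10.0.0.57|jsmith|alerts@example-bank.invalid|Account notice|a1@example.net
2011-05-02 08:01:13|10.0.0.57|jsmith|alerts@example-bank.invalid|Account notice|b2@example.org
2011-05-02 08:01:13|10.0.0.57|jsmith|alerts@example-bank.invalid|Account notice|c3@example.com
2011-05-02 08:01:14|10.0.0.57|jsmith|alerts@example-bank.invalid|Account notice|d4@example.net
2011-05-02 08:01:15|10.0.0.57|jsmith|alerts@example-bank.invalid|Account notice|e5@example.org
2011-05-02 08:02:40|10.0.0.23|mlee|mlee@corp.example|Q2 budget|cfo@corp.example
2011-05-02 08:03:01|10.0.0.5||postmaster@corp.example|Delivery report|jsmith@corp.example
"""

FIELDS = ("timestamp", "client_ip", "auth_user", "sender", "subject", "recipient")


def parse_log(text):
    """Parse the constructed log format into a list of dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignore rather than crash mid-incident
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_bursts(records, min_messages=5):
    """Group records by (client_ip, auth_user, sender, subject) and return the
    groups with at least min_messages, largest first, each tagged with where
    the submission originated."""
    groups = defaultdict(list)
    for rec in records:
        key = (rec["client_ip"], rec["auth_user"], rec["sender"], rec["subject"])
        groups[key].append(rec["recipient"])

    bursts = []
    for (client_ip, auth_user, sender, subject), recipients in groups.items():
        if len(recipients) < min_messages:
            continue
        domains = {r.rsplit("@", 1)[-1].lower() for r in recipients}
        bursts.append({
            "client_ip": client_ip,
            "auth_user": auth_user,
            "sender": sender,
            "subject": subject,
            "count": len(recipients),
            "distinct_domains": len(domains),
            # Server-local submissions implicate Exchange itself; anything else
            # implicates the submitting workstation (or the account it used).
            "origin": "server-local" if client_ip in SERVER_ADDRS else "client submission",
        })
    bursts.sort(key=lambda b: b["count"], reverse=True)
    return bursts


if __name__ == "__main__":
    for b in find_bursts(parse_log(SAMPLE_LOG)):
        print(f"{b['count']:4d} msgs to {b['distinct_domains']} domains from "
              f"{b['client_ip']} ({b['auth_user'] or 'unauthenticated'}) "
              f"sender={b['sender']} subject={b['subject']!r} -> {b['origin']}")
```

On the constructed sample the only burst comes from 10.0.0.57 under jsmith's credentials, which would point at that workstation (or that account) rather than at the server. The same grouping also serves question 3 as a detection rule: a threshold on messages per client per sender/subject, checked against the submission log, flags a mass mailing while it is still in the queue and can be cleared before the IP lands on another blacklist.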