SBS 2003 network sending spam


I'm taking over from a previous technician who couldn't work it out. Spam keeps getting generated from the site. The previous technician changed the default gateway on the SBS server to stop the server from accessing the internet, and stopped the SMTP service, and this has apparently stopped the site spamming. I need help in where I should start. The server has a number of Windows updates that need installing. Trend Micro WFBS Advanced 6 is up to date and in its grace period. I can see the Exchange settings have been played with to try to stop spam. Should I first troubleshoot a virus on the network computers and server, install updates before continuing, or, what I'm thinking, start looking at the Exchange setup to see if it is being attacked? I may be going over the same work as the previous technician.

Any help would be much appreciated.
This is what I would do:

Check on the firewall for excessive tcp/25 SMTP traffic coming from inbound hosts.
If you use exchange: only allow outside tcp/25 for the server
Check if you are on a blacklist:
Check your exchange queue to see if you are under an NDR attack:

Perform an online virus scan on the server with:

Then report back here :)  Good luck!
BOS-TECHAuthor Commented:
Thank you for your comments.

The ISP has stopped internet access twice. Spam stopped when the DG on the server was given an incorrect IP to stop the server from accessing the internet and the SMTP service was stopped. Does this mean the SBS server was sending outbound spam? Allowing the server on port 25 will not work. The domain name is not blacklisted, which surprised me; maybe the ISP stopped it before it had a chance to. To check the Exchange queue I will need to allow the SBS server SMTP / internet access, and I'm worried the ISP will stop internet access. Based on my comments, is there any other advice you can give? I appreciate your help.
You probably have a smart host configured on Exchange (i.e. all mail is sent to the ISP SMTP server, which handles it further). This can be the reason why you are not blacklisted.

Have you checked your Exchange queue for those NDR attacks?
BOS-TECHAuthor Commented:
No, I will do an AV scan on the server first. I looked at smart host and there isn't one; I usually leave the setting at its default to use DNS, thinking the DNS service is configured with forwarders to the ISP. I know a tech who always sets up a smart host to help with spam, do you know why this is?
Where did you check smart host, on the SMTP service or the connector? In 2003 there are two places you can configure it.
Please check the Exchange mail queue; it takes only 10 seconds and you will instantly see if you are under NDR attack or not.
The other tech probably uses a smart host which does outbound mail scanning also (so the spam is stopped at that level), but it will still generate unnecessary load on the mail server.
A well configured mail server that is virus free will not start sending spam out.
BOS-TECHAuthor Commented:
I will be onsite in the next couple of hours and I wanted to prepare a plan of steps to take. I did check both SMTP connectors, no smart host. The tech uses the ISP address, e.g. ; I guess all ISPs will have outbound mail scanning on their SMTP servers. Am I wrong in thinking that with the use DNS setting, with DNS configured with the ISP IP addresses set as forwarders, email will be sent to the same ISP SMTP servers?
BOS-TECHAuthor Commented:
Sorry, I actually missed an important point. The previous tech ended up setting all 10 workstations to use an ISP POP account set up in Outlook; the server was using the POP3 connector for mail retrieval, and still the SBS server was sending spam. I'm finding it difficult to work out the troubleshooting methods of the previous tech, I
No it won't.

Let's say you use DNS for mail delivery and one of your users sends a mail to user@domain.com.
The Exchange server will then do a DNS query of type MX (mail exchanger) for the domain.
Let's say DNS returns MX with pref 10 is and MX with pref 20 is
Then the Exchange server will first contact on port 25 to deliver the mail (and not the SMTP server of the server's IP). If that one fails it will try MX2, and if that one fails it will queue it locally and retry the steps I put here.
Is port 25 open from the outside to the server? That's the first thing to check. Then, if that is not the case, you probably have a virus (or trojan) running on the server itself.
BOS-TECHAuthor Commented:
It may be. As mentioned, to stop spam the previous tech set up POP3 accounts on all Outlook clients, to stop email being retrieved through the POP3 connector on the server. Still getting spam, he then changed the DG on the server to stop server internet access and stopped the SMTP service. Do you think the steps taken by the tech are reasonable? I appreciate the help, it makes things clearer.
No, setting up POP3 accounts to stop spam should only be used as a temporary workaround.  Like I stated before, an Exchange server set up the correct way which is virus free should never ever be sending spam out.

The previous tech should have found the problem or origin of the spam and rooted it out.  Guess that is your task now :)
BOS-TECHAuthor Commented:
Thanks for your help, I'll let you know how I get on.
Just wanted to add something.  Are you sure it's the SBS sending out spam or could it be one of the workstations?  Does your firewall allow outbound SMTP traffic only from the SBS IP or from any IP?  Did changing the default gateway on the SBS stop internet traffic on the workstations too (in other words, does all internet traffic flow through the SBS)?

Maybe I'm missing something, but I don't see how configuring the Outlook clients to use POP3 would make any difference.  POP3 is only for receiving messages, not sending them out (that is always SMTP).  If the Outlook clients are configured to send and receive email through another server, they can still be sending spam.  And if a workstation is infected, it doesn't have to be using Outlook (or any other email client).
What footech said, but I pointed out he should check firewall logs for outbound SMTP traffic on his LAN.

I've seen one case of configuring POP3 downloading instead of SMTP delivery to stop the NDR attack (as you can close the SMTP port) as a temp workaround.  My English is not the best so maybe I said it wrong.

@ PlusIT  - Sorry, I misunderstood.  I interpreted your post to say he should check for inbound SMTP.

Another thing you can do to check if it's your Exchange that is sending the spam is to check the Message Tracking Center in ESM.  This could give you further information about its source.
Indeed, I asked two times to check the queues as they could be filled up with "the postmaster mails", i.e. NDR attack.
BOS-TECHAuthor Commented:
The Outlook clients using the POP3/SMTP settings from the ISP are online, internet email OK. The spam stops when the SMTP service is stopped on the SBS box; the previous tech also changed the DG to stop the server from accessing the internet. My question is: the site starts spamming as soon as either the SMTP service is started on the server, or the DG is correct and the server has internet access. Would this be the server?
BOS-TECHAuthor Commented:
Also, not SMTP delivery: the server was using the POP3 connector. This was stopped and he changed to POP3 Outlook clients.
So if you set the default gateway correctly, but leave the SMTP service disabled, is there any spam?
Please check the email queues when the SMTP service is running.
BOS-TECHAuthor Commented:
Thanks guys, I'll let you know how I get on.
BOS-TECHAuthor Commented:
I ran the Trend Micro online scan and Malwarebytes, all clean. Started the SMTP service and checked the queue, cannot see anything. Checked logging on their Netgear router; the only traffic from the server is over port 80. I will contact the ISP to check no spam is being generated. As mentioned, Exchange was using the POP3 connector; the previous tech has configured all Outlook clients to directly retrieve POP3 email. I could still see the POP3 connector in use. There is no POP3 rule on the Netgear router allowing incoming POP3 to the server. I think the next step would be to get email running through the server. Could it be just one of those POP3 accounts causing it?
The next step I should take is to close outbound smtp/25 for everything but the server and see if there's still spam being generated.  Like footech said, it could be a workstation with a virus.
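An added detection example, not code from anyone in this thread, for the check PlusIT and footech describe (firewall logs for outbound SMTP from the LAN, and whether a workstation rather than the SBS is the sender): it parses a constructed, generic router connection-log format (not Netgear's actual format), counts tcp/25 connections per LAN host, and lists every host other than the mail server that opened any. The log lines, the LAN prefix and the mail server IP are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample of generic firewall/router connection-log lines (not a real
# Netgear format): timestamp, action, proto, src ip:port -> dst ip:port.
# 192.168.1.2 plays the SBS/Exchange box; 192.168.1.37 is a workstation.
SAMPLE_LOG = """\
2010-03-01 09:14:02 ALLOW TCP 192.168.1.2:3351 -> 203.0.113.25:25
2010-03-01 09:14:05 ALLOW TCP 192.168.1.37:1044 -> 198.51.100.9:25
2010-03-01 09:14:05 ALLOW TCP 192.168.1.37:1045 -> 198.51.100.10:25
2010-03-01 09:14:06 ALLOW TCP 192.168.1.37:1046 -> 192.0.2.77:25
2010-03-01 09:14:07 ALLOW TCP 192.168.1.12:2210 -> 203.0.113.80:80
2010-03-01 09:14:08 ALLOW TCP 192.168.1.37:1047 -> 192.0.2.78:25
2010-03-01 09:14:09 ALLOW TCP 192.168.1.2:3352 -> 203.0.113.26:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Yield one dict per line that matches the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def outbound_smtp_by_host(text, lan_prefix="192.168.1."):
    """Count TCP connections to destination port 25 per LAN source host."""
    counts = Counter()
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dport"] == "25" and rec["src"].startswith(lan_prefix):
            counts[rec["src"]] += 1
    return counts

def unexpected_smtp_senders(text, mail_server_ip, lan_prefix="192.168.1."):
    """LAN hosts other than the mail server that opened tcp/25 connections,
    highest count first. Under the thread's reasoning, any such host is a
    candidate infected workstation and should be blocked at the firewall."""
    counts = outbound_smtp_by_host(text, lan_prefix)
    counts.pop(mail_server_ip, None)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for host, n in unexpected_smtp_senders(SAMPLE_LOG, "192.168.1.2"):
        print(f"{host}: {n} outbound tcp/25 connections (not the mail server)")
```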
BOS-TECHAuthor Commented:
The network was in a mess; a new server is going in.
