Solved

SBS 2003 network sending spam

Posted on 2011-09-02
358 Views
Last Modified: 2012-05-12
Hi,

I'm taking over from a previous technician who couldn't work it out. Spam keeps getting generated from the site. The previous technician changed the default gateway on the SBS server to stop the server from accessing the internet, and stopped the SMTP service, and this has apparently stopped the site spamming. I need help in where I should start. The server has a number of Windows updates that need installing; Trend Micro WFBS Advanced 6 is up to date and in its grace period; I can see the Exchange settings have been played with to try to stop spam. Should I first troubleshoot a virus on the network computers and server, install updates before continuing, or, what I'm thinking, start looking at the Exchange setup to see if it is being attacked? I may be going over the same work as the previous technician.

Any help would be much appreciated.
Question by:BOS-TECH
24 Comments
 
LVL 10

Expert Comment

by:PlusIT
ID: 36472859
This is what I would do:

Check on the firewall for excessive tcp/25 SMTP traffic coming from inbound hosts.
If you use exchange: only allow outside tcp/25 for the server
Check if you are on a blacklist: http://www.mxtoolbox.com/blacklists.aspx
Check your exchange queue to see if you are under an NDR attack: http://support.microsoft.com/kb/886208

Perform an online virus scan on the server with: housecall.trendmicro.com

Then report back here :)  Good luck!
 

Author Comment

by:BOS-TECH
ID: 36472947
Thank you for your comments.

The ISP has stopped internet access twice. Spam stopped when the DG on the server was given an incorrect IP to stop the server from accessing the internet and the SMTP service was stopped. Does this mean the SBS server was sending outbound spam? Allowing the server on port 25 will not work. The domain name is not blacklisted, which surprised me; maybe the ISP stopped it before it had a chance to. To check the Exchange queue I will need to allow the SBS server SMTP/internet access, and I'm worried the ISP will stop internet access. Based on my comments, is there any other advice you can give? I appreciate your help.
 
LVL 10

Expert Comment

by:PlusIT
ID: 36472955
You probably have a smart host configured on Exchange (i.e. all mail is sent to the ISP SMTP server, which handles it further). This can be the reason why you are not blacklisted.

Have you checked your Exchange queue for those NDR attacks?
 

Author Comment

by:BOS-TECH
ID: 36472990
No, I will do an AV scan on the server first. I looked at the smart host and there isn't one; I usually leave the setting at its default to use DNS, thinking the DNS service is configured with forwarders to the ISP. I know a tech who always sets up a smart host to help with spam; do you know why this is?
 
LVL 10

Expert Comment

by:PlusIT
ID: 36473027
Where did you check the smart host: on the SMTP service or the connector? In 2003 there are two places you can configure it.
Please check the Exchange mail queue; it takes only 10 seconds and you will instantly see if you are under NDR attack or not.
The other tech probably uses a smart host which does outbound mail scanning also (so the spam is stopped at that level), but it will still generate unnecessary load on the mail server.
A well-configured mail server that is virus free will not start sending spam out.
 

Author Comment

by:BOS-TECH
ID: 36473070
I will be onsite in the next couple of hours and I wanted to prepare a plan of steps to take. I did check both SMTP connectors, no smart host. The tech uses the ISP address, e.g. smtp.xtra.co.nz. I guess all ISPs will have outbound mail scanning on their SMTP servers. Am I wrong in thinking that with the "use DNS" setting, with DNS configured with ISP IP addresses set as forwarders, email will be sent to the same ISP SMTP servers?
 

Author Comment

by:BOS-TECH
ID: 36473096
Sorry, I actually missed an important point. The previous tech ended up setting all 10 workstations to use ISP POP accounts set up in Outlook; the server was using the POP3 connector for mail retrieval, and still the SBS server was sending spam. I'm finding it difficult to work out the troubleshooting methods of the previous tech, I
 
LVL 10

Expert Comment

by:PlusIT
ID: 36473097
No, it won't.

Let's say you use DNS for mail delivery and one of your users sends a mail to user@domain.com.
The Exchange server will then do a DNS query of type MX (mail exchanger) for the domain domain.com.
Let's say DNS returns an MX with pref 10 of mx1.domain.com and an MX with pref 20 of mx2.domain.com.
Then the Exchange server will first contact mx1.domain.com on port 25 to deliver the mail (and not the SMTP server of the server's IP); if that one fails it will try mx2, and if that one fails it will queue it locally and retry the steps I put here.
 
LVL 10

Expert Comment

by:PlusIT
ID: 36473111
Is port 25 open from the outside to the server? That's the first thing to check. Then, if that is not the case, you probably have a virus (or trojan) running on the server itself.
 

Author Comment

by:BOS-TECH
ID: 36473163
It may be. As mentioned, to stop spam the previous tech set up POP3 accounts on all Outlook clients, to stop email being retrieved through the POP3 connector on the server. Still getting spam, he then changed the DG on the server to stop server internet access and stopped the SMTP service. Do you think the steps taken by the tech are reasonable? I appreciate the help, it makes things clearer.
 
LVL 10

Expert Comment

by:PlusIT
ID: 36473182
No, setting up POP3 accounts to stop spam should only be used as a temporary workaround. Like I stated before, an Exchange server set up the correct way which is virus free should never ever be sending spam out.

The previous tech should have found the problem or origin of the spam and rooted it out. Guess that is your task now :)
 

Author Comment

by:BOS-TECH
ID: 36473255
Thanks for your help, I'll let you know how I get on.
 
LVL 39

Expert Comment

by:footech
ID: 36474107
Just wanted to add something.  Are you sure it's the SBS sending out spam or could it be one of the workstations?  Does your firewall allow outbound SMTP traffic only from the SBS IP or from any IP?  Did changing the default gateway on the SBS stop internet traffic on the workstations too (in other words, does all internet traffic flow through the SBS)?

Maybe I'm missing something, but I don't see how configuring the Outlook clients to use POP3 would make any difference.  POP3 is only for receiving messages, not sending them out (that is always SMTP).  If the Outlook clients are configured to send and receive email through another server, they can still be sending spam.  And if a workstation is infected, it doesn't have to be using Outlook (or any other email client).
 
LVL 10

Accepted Solution

by:
PlusIT earned 400 total points
ID: 36474177
What footech said, but I pointed out he should check firewall logs for outbound SMTP traffic on his LAN.

I've seen one case of configuring POP3 downloading instead of SMTP delivery to stop the NDR attack (as you can close the SMTP port) as a temp workaround. My English is not the best, so maybe I said it wrong.
 
LVL 39

Assisted Solution

by:footech
footech earned 100 total points
ID: 36474349
@ PlusIT  - Sorry, I misunderstood.  I interpreted your post to say he should check for inbound SMTP.

Another thing you can do to check if it's your Exchange that is sending the spam is to check the Message Tracking Center in ESM.  This could give you further information about its source.
 
LVL 10

Expert Comment

by:PlusIT
ID: 36474360
Indeed, I asked two times to check the queues, as they could be filled up with "the postmaster mails", i.e. an NDR attack.
 

Author Comment

by:BOS-TECH
ID: 36474386
The Outlook clients using POP3/SMTP settings from the ISP are online, internet email OK. The spam stops when the SMTP service is stopped on the SBS box; the previous tech also changed the DG to stop the server from accessing the internet. My question is: the site starts spamming as soon as either the SMTP service is started on the server or the DG is correct and the server has internet access. Would this be the server?
 

Author Comment

by:BOS-TECH
ID: 36474405
Also, not SMTP delivery: the server was using the POP3 connector; this was stopped and he changed to POP3 Outlook clients.
 
LVL 39

Expert Comment

by:footech
ID: 36474444
So if you set the default gateway correctly, but leave the SMTP service disabled, is there any spam?
 
LVL 10

Expert Comment

by:PlusIT
ID: 36474490
Please check the email queues when the SMTP service is running:
http://www.msexchange.org/tutorials/Queue_Viewer_Improvements_in_Exchange_2003.html
 

Author Comment

by:BOS-TECH
ID: 36474510
Thanks guys, I'll let you know how I get on.
 

Author Comment

by:BOS-TECH
ID: 36481252
I ran the Trend Micro online scan and Malwarebytes, all clean. Started the SMTP service and checked the queue, cannot see anything. Checked logging on their Netgear router: the only traffic from the server is over port 80. I will contact the ISP to check no spam is being generated. As mentioned, Exchange was using the POP3 connector; the previous tech has configured all Outlook clients to directly retrieve POP3 email. I could still see the POP3 connector in use; there is no POP3 rule on the Netgear router allowing incoming POP3 to the server. I think the next step would be to get email running through the server. Could it be just one of those POP3 accounts causing it?
 
LVL 10

Expert Comment

by:PlusIT
ID: 36483511
The next step I should take is to close outbound SMTP/25 for everything but the server and see if there's still spam being generated. Like footech said, it could be a workstation with a virus.
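One way to do the check both experts describe (find which LAN host is actually opening outbound TCP/25 connections) on an exported router log, as an added example that is not from either poster. It assumes a constructed, syslog-style line format (real Netgear models log differently) and that the SBS server sits at 192.168.1.2; any other LAN host talking to port 25 is flagged.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed format:
#   <date> <time> OUT TCP <src ip>:<src port> -> <dst ip>:<dst port> <action>
# 192.168.1.2 is the (assumed) SBS server; 192.168.1.57 is a workstation.
SAMPLE_LOG = """\
2011-09-02 10:01:12 OUT TCP 192.168.1.2:4123 -> 203.0.113.25:25 ALLOW
2011-09-02 10:01:13 OUT TCP 192.168.1.57:1045 -> 198.51.100.7:25 ALLOW
2011-09-02 10:01:13 OUT TCP 192.168.1.57:1046 -> 198.51.100.8:25 ALLOW
2011-09-02 10:01:14 OUT TCP 192.168.1.200:3001 -> 203.0.113.80:80 ALLOW
2011-09-02 10:01:14 OUT TCP 192.168.1.57:1047 -> 198.51.100.9:25 ALLOW
this line is not a connection record and is skipped
2011-09-02 10:01:15 OUT TCP 192.168.1.57:1048 -> 198.51.100.10:25 ALLOW
2011-09-02 10:01:16 OUT TCP 192.168.1.2:4124 -> 203.0.113.26:25 ALLOW
2011-09-02 10:01:17 OUT TCP 192.168.1.57:1049 -> 198.51.100.11:25 ALLOW
"""

LINE_RE = re.compile(
    r"^\S+ \S+ OUT TCP (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) \w+$"
)


def outbound_smtp_by_host(log_text):
    """Count outbound TCP/25 connections per LAN source IP.

    Returns (counts, destinations): connections per source IP and the set
    of distinct SMTP destinations each source contacted. Non-matching
    lines and non-25 destination ports are ignored.
    """
    counts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport = m.groups()
        if dport != "25":
            continue
        counts[src] += 1
        destinations[src].add(dst)
    return counts, destinations


def unexpected_smtp_senders(log_text, mail_server_ip):
    """Return LAN hosts other than the mail server that opened TCP/25 connections."""
    counts, _ = outbound_smtp_by_host(log_text)
    return {ip for ip in counts if ip != mail_server_ip}


if __name__ == "__main__":
    counts, dests = outbound_smtp_by_host(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} SMTP connections to {len(dests[ip])} distinct hosts")
    print("not the mail server:", unexpected_smtp_senders(SAMPLE_LOG, "192.168.1.2"))
```

A legitimate mail server contacts a handful of MX hosts repeatedly; a workstation fanning out to many distinct destinations on port 25 is the host to isolate and scan.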
 

Author Closing Comment

by:BOS-TECH
ID: 36946764
The network was in a mess, a server is going in.
