Putting an end to spam on my network

I am administering an Exchange server that is having problems.  There is a ton of spam that seems to be originating from one user's computer.  We have scanned and cleared his computer of an infection; however, I do not think this is the source of the problem.

I have checked the email headers, and traced it back to some sources:
inetnum:        -
netname:        MX80L54-REAL
descr:          inteleca
descr:          DHCP real pool L54
country:        RU
admin-c:        VIK-RIPE
tech-c:         VIK-RIPE
status:         ASSIGNED PA
mnt-by:         INTELECA-MNT
mnt-lower:      INTELECA-MNT
mnt-routes:     INTELECA-MNT
source:         RIPE # Filtered

person:         Vitaliy E. Kretinin
address:        Russia, Barnaul
e-mail:         V.Kretinin@inteleca.org
phone:          +7(385)2-399502
nic-hdl:        VIK-RIPE
mnt-by:         INTELECA-MNT
source:         RIPE # Filtered

route:          inteleca network
descr:          Russia, Barnaul
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE # Filtered

inetnum:        -
netname:        VNPT-NET
country:        vn
descr:          IP ADSL static + Cable TV, VoIP VPN
descr:          MPLS Leased Line, Data Center , MANE Ha Noi
admin-c:        VIG1-AP
tech-c:         VIG1-AP
changed:        hm-changed@vnnic.net.vn 20100728
mnt-by:         MAINT-VN-VNPT
source:         APNIC

descr:          VietNam Post and Telecom Corporation (VNPT)
descr:          VNPT-AS-AP
country:        VN
origin:         AS45899
remarks:        mailto: noc@vnn.vn
notify:         hm-changed@vnnic.net.vn
mnt-by:         MAINT-VN-VNPT
changed:        hm-changed@vnnic.net.vn 20100810
source:         APNIC

role:           VDC IPADMIN GROUP
address:        Internet Building, Block II, Thang Long Inter Village
address:        Nguyen Phong Sac str, Cau Giay Dist,  Ha Noi
country:        VN
phone:          +84-912-800008
fax-no:         +84-4-9430427
e-mail:         hathm@vdc.com.vn
trouble:        send spam reports to abuse@vdc.com.vn
trouble:        and abuse reports to abuse@vnn.vn
admin-c:        THMH1-AP
tech-c:         THMH1-AP
nic-hdl:        VIG1-AP
notify:         hm-changed@vnnic.net.vn
mnt-by:         MAINT-VN-VNPT
changed:        hm-changed@vnnic.net.vn 20090325
source:         APNIC

route:          inteleca-hnet-nsk
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE # Filtered

There are 30+ of these a day that appear to be coming from one user on the internal Exchange 2010 server.
They come from a ton of different sources.

My config at this location:
Exchange 2010
Server 2008 R2
GFI Essentials (not up to date yet, applying patch later today)
Most Windows updates are complete
AVG Mail Server edition 2011 is installed and up to date (we have a licence for 2012, I have to install this)

I'm unsure as to what to do at this point.  What sort of email spam is this (it's usually about foreign brides, Viagra, etc.)?  Spoofing?
mgedlamanAuthor Commented:
I have a feeling that if I start emailing the server admins, I will end up generating more spam...that, and there's a ton of ip addresses this email is coming from
mgedlamanAuthor Commented:
Also, how do I prevent our server from becoming "infected" and start spamming out other companies?
mgedlamanAuthor Commented:
I noticed his password is also pretty weak (4 numbers followed by 4 letters, all lower cased, no symbols).  Could this also be the source of the problem?
mgedlamanAuthor Commented:
one suggestion was SPF, I'm looking for a manual now to see if it's already setup (perhaps incorrectly), or not.
Neil RussellTechnical Development LeadCommented:
Firstly have you checked for your server being an open relay?
Do exchange logs show the email originating internally?
Can you verify the above?
mgedlamanAuthor Commented:
I have confirmed with a web service that it is not a relay open to the rest of the internet.

Yes, the Exchange logs show it coming from his email address; however, the client IP and hostname do not match his computer's information.
I tracked the IP address to Poland, and his computer is here in Canada.
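The check Neil asks for and the mismatch described in this comment (the sender looks internal, the client IP does not), as an added example that is not part of the original thread: a Python script that reads a constructed, simplified subset of the Exchange 2010 message-tracking CSV columns and flags RECEIVE events whose sender is in the local domain but whose client IP is outside the internal networks. The domain (example.ca), the internal ranges, the column set and every log line are assumed or constructed for illustration, not taken from the poster's server.

```python
"""Flag messages that claim an internal sender but arrived from an outside IP.

Added example, not from the original thread. The CSV columns are a simplified
subset of the Exchange 2010 message-tracking log; the domain, the internal
ranges and every log line below are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter

OUR_DOMAIN = "example.ca"                                   # assumed local domain
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"),   # assumed office LAN
                 ipaddress.ip_network("10.0.0.0/8")]        # assumed VPN/branch space

# Constructed sample log (not real data): one forged "bob" from Poland, one from
# Vietnam, one with a blank client-ip, plus legitimate internal and partner mail.
SAMPLE_LOG = """\
date-time,client-ip,client-hostname,event-id,sender-address,recipient-address,message-subject
2012-03-01T08:01:12Z,192.168.10.57,WS-BOB,RECEIVE,bob@example.ca,alice@example.ca,Q1 budget
2012-03-01T08:03:40Z,83.24.0.17,83-24-0-17.dynamic.example.pl,RECEIVE,bob@example.ca,alice@example.ca,Foreign brides await you
2012-03-01T08:05:02Z,203.0.113.9,mail.partner.example,RECEIVE,news@partner.example,bob@example.ca,Partner newsletter
2012-03-01T08:07:55Z,10.2.3.4,WS-CAROL,RECEIVE,carol@example.ca,bob@example.ca,Lunch?
2012-03-01T08:08:30Z,192.168.10.57,WS-BOB,SEND,bob@example.ca,alice@example.ca,Q1 budget
2012-03-01T08:09:13Z,14.160.2.2,dynamic.vnpt.example,RECEIVE,BOB@Example.ca,dave@example.ca,Cheap pills
2012-03-01T08:10:00Z,,,RECEIVE,bob@example.ca,erin@example.ca,Empty client field
"""


def is_internal(ip_text):
    """True if the client IP parses and falls inside one of INTERNAL_NETS.
    A blank or unparsable client-ip is treated as NOT internal so the row is
    reviewed rather than silently trusted."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_spoofed(log_text, domain=OUR_DOMAIN):
    """Return RECEIVE rows whose sender is @domain but whose client IP is external."""
    suffix = "@" + domain.lower()
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event-id"] != "RECEIVE":
            continue                      # only the inbound hop tells us the true source
        sender = row["sender-address"].strip().lower()
        if not sender.endswith(suffix):
            continue                      # outside senders are a different problem
        if is_internal(row["client-ip"]):
            continue                      # genuinely submitted from our network
        flagged.append({"time": row["date-time"],
                        "client_ip": row["client-ip"],
                        "client_host": row["client-hostname"],
                        "sender": sender,
                        "subject": row["message-subject"]})
    return flagged


def per_sender_counts(flagged):
    """How many forged messages per claimed internal sender (the '30+ a day')."""
    return Counter(hit["sender"] for hit in flagged)


if __name__ == "__main__":
    hits = find_spoofed(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["time"]}  {hit["client_ip"]:>15}  {hit["sender"]}  "{hit["subject"]}"')
    print(dict(per_sender_counts(hits)))
```

Rows where the client IP is on the LAN are the user's own mail; rows from outside ranges carrying an internal From address are exactly the spoofing pattern Neil describes, and the per-sender count shows whether one mailbox is being impersonated or many.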
mgedlamanAuthor Commented:
Thank you for responding.  In the meantime, I have spoken to GFI support and setup their SPF record support as it was not turned on.  Also, I noticed that all internal email addresses were whitelisted.
For starters, I would change that user's password. Their account may have been compromised, and spam senders would be able to send email through your server as if they were that user.
what does mxtoolbox.com smtp diagnostics return?
mgedlamanAuthor Commented:
Thank you, I will do.

 OK - 204.191.xxx.xx resolves to mail.xxx.ca
 Warning - Reverse DNS does not match SMTP Banner
 0 seconds - Good on Connection time
 Not an open relay.
 5.445 seconds - Warning on Transaction time
Neil RussellTechnical Development LeadCommented:
It sounds very much as if this is just plain and simple spoofed spam email. It does not originate on your network and you will do little more than the SPF record to stop it. Changing the users password will almost certainly make NO difference at all. The spam is NOT really from your users account.

I second Neilsr.  Spoofed email is hard to kill unless you enforce SPF lookups.  Then, you can set GFI or any other mail filter to _only_ receive mail from your domain if it is sent from a valid IP address or FQDN listed in your DNS TXT record for SPF.

This, of course, means that other messages using your domain will be booted.  This could be from home users, remote admin services, firewall devices, web page referrals where you type your address as the 'from', e-commerce servers not explicitly listed in your DNS.

GFI does whitelist your existing users by default.  I suspended RBL filtering for a couple of days, and I've been deluged by spam from myself...looking for love in all the wrong places.

RBLs are one way to block SMTP traffic before message delivery, but they can block people from whom you _do_ want mail, but happened to be blacklisted for a temporary virus, or collateral damage when larger subnets are listed.  When you reject the traffic before SMTP, there is no "spam box" into which you can search for missing messages.  They just don't show up, and your users (and customers/vendors) won't know why.
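What "enforce SPF lookups" actually evaluates, and why an unlisted home user or device is rejected once the record ends in -all, as an added example that is not part of the original thread and is not GFI's implementation: a small Python evaluator covering the ip4/ip6, a, mx, include and all mechanisms of RFC 7208, run against a constructed DNS table instead of live lookups. Every domain, host, address and record in it is assumed; 204.191.0.0/24 is only a placeholder echoing the masked address in the mxtoolbox output above, not the poster's real range.

```python
"""Minimal SPF evaluator (subset of RFC 7208) to show what 'enforce SPF' does.

Added example, not from the original thread and not GFI's implementation.
DNS answers are replaced by the constructed FAKE_DNS table below; every
domain, host and address in it is assumed for illustration.
"""
import ipaddress
import re

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?", re.I)

# Constructed stand-in for DNS (assumed data). TXT holds SPF, A holds
# addresses, MX holds mail-exchanger host names.
FAKE_DNS = {
    ("example.ca", "TXT"): ["v=spf1 ip4:204.191.0.0/24 a:mail.example.ca mx "
                            "include:_spf.filter.example -all"],
    ("mail.example.ca", "A"): ["204.191.7.25"],
    ("example.ca", "MX"): ["mx1.example.ca"],
    ("mx1.example.ca", "A"): ["204.191.7.30"],
    ("_spf.filter.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("weak.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ?all"],   # no hard fail
}


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def spf_record(domain, dns):
    for txt in lookup(domain, "TXT", dns):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def _addrs(mech, host, domain, dns):
    """Resolve the targets of an a/mx mechanism to address strings."""
    target = host or domain
    if mech == "a":
        return lookup(target, "A", dns)
    return [a for mx in lookup(target, "MX", dns) for a in lookup(mx, "A", dns)]


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` for connecting IP `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:
        return "permerror"                       # include-loop guard (RFC lookup limit)
    record = spf_record(domain, dns)
    if record is None:
        return "none"                            # domain publishes no policy at all
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            return "permerror"                   # modifier not implemented in this toy
        if "=" in term:
            continue                             # exp= and other modifiers: ignored
        m = TERM_RE.fullmatch(term)
        if not m:
            return "permerror"
        mech, host, cidr = m.group(1).lower(), m.group(2), m.group(3)
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(f"{host}/{cidr}" if cidr else host, strict=False)
            matched = addr in net                # v4-in-v6 (or vice versa) is simply False
        elif mech in ("a", "mx"):
            for a in _addrs(mech, host, domain, dns):
                net = ipaddress.ip_network(f"{a}/{cidr}" if cidr else a, strict=False)
                if addr in net:
                    matched = True
                    break
        elif mech == "include":
            matched = check_spf(ip, host, dns, depth + 1) == "pass"
        else:
            return "permerror"                   # exists/ptr etc. not implemented here
        if matched:
            return RESULT[qualifier]
    return "neutral"                             # nothing matched and no 'all' term


def gateway_action(result, reject_softfail=False):
    """What an inbound filter does with the verdict. Rejecting only 'fail' is
    the usual starting point; also rejecting 'softfail' is the 'settings too
    high' case that drops every unlisted-but-legitimate sender as well."""
    if result == "fail" or (reject_softfail and result == "softfail"):
        return "reject"
    return "accept"


if __name__ == "__main__":
    for ip in ("204.191.0.10", "204.191.7.25", "204.191.7.30",
               "198.51.100.7", "83.24.0.17", "99.240.5.6"):
        r = check_spf(ip, "example.ca")
        print(f"{ip:>14} -> {r:8} {gateway_action(r)}")
    print("weak.example spoofer ->", check_spf("83.24.0.17", "weak.example"))
```

The spoofer's 83.24.0.17 hard-fails against example.ca and is rejected, but so does 99.240.5.6 standing in for a home user who sends as user@example.ca from an ISP address that was never listed; that is the "blanket deny" caveat above. The weak.example record shows the other side: with ?all instead of -all the same spoofer gets "neutral" and the filter has nothing to act on.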
mgedlamanAuthor Commented:
So, what you two are saying is that, I can setup the SPF which should help some, but if I set the settings too high, then I will end up screwing myself?

What about contacting the administrators that are looking after the systems that are sending the spam?  Are they looking after compromised systems?, or, are they the ones that are responsible?
>What about contacting the administrators that are looking after the systems that are sending the spam?

In foreign countries, especially schools, it's useless.  The language barrier is huge.  At schools, the inmates are running the asylum.

I don't know how much spam you get, but our average is 60-85% spam to non-spam, depending on the day and the hour.  I used to contact primary ISPs, upstream ISPs and research for the admin of the subnet or actual mail server.  Consumed far too many hours of the day, and did not reduce the spam.  For every 1 admin you actually reach, there are dozens more bots and home users and temporary virus infections that are out of anyone's direct control.

Better to spend that time on fine-tuning the filtering and archiving functions so that you still retain copies of mail that are filtered, and have a means of user retrieval.  Then, you can turn up the filtering on the server.

> if I set the settings too high, then I will end up screwing myself?

Temporarily.  Murphy's Law of SMTP, I guess.  You never know what or whom you've authorized to use your email address, until you make that blanket _deny_.  Then you start wondering where your firewall alerts disappeared to.  You can't catch everything.
mgedlamanAuthor Commented:
Thank you Neilsr for sticking in with me, and thank you goes to Aleghart for finishing up in the end.

Good advice gentlemen :)

Sorry for taking my sweet time to get back to you.  With the password change, and turning on the GFI SPF, life is good now :)