Putting an end to spam on my network

Posted on 2011-10-11
Last Modified: 2012-06-27
I am administering an Exchange server that is having problems. There is a ton of spam that seems to be originating from one user's computer. We have scanned and cleared his computer of an infection; however, I do not think this is the source of the problem.

I have checked the email headers, and traced it back to some sources:
inetnum:        -
netname:        MX80L54-REAL
descr:          inteleca
descr:          DHCP real pool L54
country:        RU
admin-c:        VIK-RIPE
tech-c:         VIK-RIPE
status:         ASSIGNED PA
mnt-by:         INTELECA-MNT
mnt-lower:      INTELECA-MNT
mnt-routes:     INTELECA-MNT
source:         RIPE #Filtered

person:         Vitaliy E. Kretinin
address:        Russia, Barnaul
e-mail:         V.Kretinin@inteleca.org
phone:          +7(385)2-399502
nic-hdl:        VIK-RIPE
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered

route:          inteleca network
descr:          Russia, Barnaul
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered
inetnum: -
netname:        VNPT-NET
country:        vn
descr:          IP ADSL static + Cable TV, VoIP VPN
descr:          MPLS Leased Line, Data Center , MANE Ha Noi
admin-c:        VIG1-AP
tech-c:         VIG1-AP
changed: 20100728
mnt-by:         MAINT-VN-VNPT
source:         APNIC
descr:          VietNam Post and Telecom Corporation (VNPT)
descr:          VNPT-AS-AP
country:        VN
origin:         AS45899
remarks:        mailto:
mnt-by:         MAINT-VN-VNPT
changed: 20100810
source:         APNIC
role:         VDC IPADMIN GROUP
address:      Internet Building, Block II, Thang Long Inter Village
address:      Nguyen Phong Sac str, Cau Giay Dist,  Ha Noi
country:      VN
phone:        +84-912-800008
fax-no:       +84-4-9430427
trouble:      send spam reports to
trouble:      and abuse reports to
admin-c:      THMH1-AP
tech-c:       THMH1-AP
nic-hdl:      VIG1-AP
mnt-by:       MAINT-VN-VNPT
changed: 20090325
source:       APNIC

route:          inteleca-hnet-nsk
origin:         AS21365
mnt-by:         INTELECA-MNT
source:         RIPE #Filtered

There are about 30+ of these a day that appear to be coming from one user on the internal Exchange 2010 server.
They're from a ton of different sources.

My config at this location:
Exchange 2010
Server 2008 R2
GFI Essentials (not up to date yet, applying patch later today)
Most windows updates are complete
AVG Mail Server edition 2011 is installed and up to date (we have a licence for 2012, I have to install this)

I'm unsure as to what to do at this point. What sort of email spam is this? (It's usually about foreign brides, Viagra, etc.) Spoofing?
Question by: mgedlaman

    Author Comment

    I have a feeling that if I start emailing the server admins, I will end up generating more spam. That, and there's a ton of IP addresses this email is coming from.

    Author Comment

    Also, how do I prevent our server from becoming "infected" and start spamming out other companies?

    Author Comment

    I noticed his password is also pretty weak (4 numbers followed by 4 letters, all lower case, no symbols). Could this also be the source of the problem?

    Author Comment

    One suggestion was SPF; I'm looking for a manual now to see if it's already set up (perhaps incorrectly) or not.
    LVL 37

    Expert Comment

    Firstly have you checked for your server being an open relay?
    Do exchange logs show the email originating internally?
    Can you verify the above?
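The log check Neilsr asks for, as an added example that is not part of the thread: a Python script that reads Exchange 2010 message tracking log lines (the CSV files under the Exchange install's TransportRoles\Logs\MessageTracking folder, which begin with a #Fields: header naming the columns) and, for every message claiming an internal sender, reports whether it was submitted from the mailbox (source STOREDRIVER), handed in over SMTP by an internal host, or handed in over SMTP by an outside host. The log excerpt, the LAN ranges, the server and connector names and the addresses are all constructed assumptions.

```python
"""Triage Exchange 2010 message tracking log events for messages that claim an
internal sender, and say where each one actually entered transport.

Added example, not code from this thread. The log excerpt is constructed; the
column names come from the '#Fields:' header that real tracking logs carry, so
the parser does not hard-code a column order.
"""
import csv
import ipaddress
from collections import Counter

# Assumption: this site's LAN ranges. Anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: three RECEIVE events for mail "from" bob@example.com.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip
2011-10-11T09:14:02.120Z,192.0.2.77,host77.isp.example.pl,10.0.0.4,EXCH01,,EXCH01\\Default EXCH01,SMTP,RECEIVE,1001,<a1@spam.invalid>,bob@example.com,,2100,1,,,Foreign brides waiting,bob@example.com,bob@example.com,,Incoming,,,
2011-10-11T09:15:40.330Z,198.51.100.23,,10.0.0.4,EXCH01,,EXCH01\\Default EXCH01,SMTP,RECEIVE,1002,<a2@spam.invalid>,bob@example.com,,1980,1,,,Cheap meds,bob@example.com,bob@example.com,,Incoming,,,
2011-10-11T09:20:11.000Z,10.0.0.4,EXCH01,10.0.0.4,EXCH01,,,STOREDRIVER,RECEIVE,1003,<b1@example.com>,alice@partner.example,,4500,1,,,Q3 invoice,bob@example.com,bob@example.com,,Originating,,,
"""


def parse_tracking_log(text):
    """Return one dict per event, keyed by the names in the '#Fields:' line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
        elif line and not line.startswith("#") and fields:
            row = next(csv.reader([line]))
            row += [""] * (len(fields) - len(row))   # tolerate short rows
            records.append(dict(zip(fields, row)))
    return records


def is_internal_ip(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:                              # blank or malformed client-ip
        return False


def classify(rec):
    """Explain where a RECEIVE event came from; None for other event types."""
    if rec["event-id"] != "RECEIVE":
        return None
    if rec["source"] == "STOREDRIVER":
        # Picked up from a mailbox (Outlook/OWA/MAPI): a genuine internal origin,
        # i.e. a compromised account or an infected PC using the real mailbox.
        return "submitted from mailbox"
    if rec["source"] == "SMTP":
        if is_internal_ip(rec["client-ip"]):
            return "SMTP from internal host " + rec["client-ip"]
        # An outside host handed us mail carrying our own domain as sender. That
        # is spoofing, unless the connector is an authenticated client connector,
        # in which case it is an outside login with the user's credentials.
        return "SMTP from external host via connector " + rec["connector-id"]
    return "other source " + rec["source"]


def triage(log_text, internal_domain):
    """Findings (date-time, sender, client-ip, verdict) for internal senders."""
    findings = []
    for rec in parse_tracking_log(log_text):
        sender = rec.get("sender-address", "").lower()
        if not sender.endswith("@" + internal_domain.lower()):
            continue
        verdict = classify(rec)
        if verdict:
            findings.append((rec["date-time"], sender, rec["client-ip"], verdict))
    return findings


def external_sources(findings):
    """How many messages each outside IP sent while claiming an internal sender."""
    return Counter(ip for _, _, ip, v in findings
                   if v.startswith("SMTP from external"))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, "example.com")
    for finding in found:
        print(*finding, sep="  ")
    print(external_sources(found))
```

Run against a real day's log, the interesting column is client-ip versus source: a sender address that only ever appears in RECEIVE events from outside IPs on the default receive connector is being spoofed, while STOREDRIVER events or SMTP events from the user's own workstation mean the mail really is leaving from inside, as the thread's question about the client IP and hostname not matching his computer is meant to find out.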

    Author Comment

    I have confirmed with a web service that it is not a relay open to the rest of the internet.

    Yes, the Exchange logs show it coming from his email address; however, the client IP and hostname do not match his computer information.
    I tracked the IP address to Poland, and his computer is here in Canada.

    Author Comment

    Thank you for responding. In the meantime, I have spoken to GFI support and set up their SPF record support, as it was not turned on. Also, I noticed that all internal email addresses were whitelisted.
    LVL 13

    Expert Comment

    For starters, I would change that user's password. Their account may have been compromised, and spam senders would be able to send email through your server as if they were that user.
    What does SMTP diagnostics return?

    Author Comment

    Thank you, I will do.

     OK - resolves to
     Warning - Reverse DNS does not match SMTP Banner
     0 seconds - Good on Connection time
     Not an open relay.
     5.445 seconds - Warning on Transaction time
    LVL 37

    Accepted Solution

    It sounds very much as if this is just plain and simple spoofed spam email. It does not originate on your network, and you will do little more than the SPF record to stop it. Changing the user's password will almost certainly make NO difference at all. The spam is NOT really from your user's account.
    LVL 32

    Expert Comment

    I second Neilsr. Spoofed email is hard to kill unless you enforce SPF lookups. Then, you can set GFI or any other mail filter to _only_ receive mail from your domain if it is sent from a valid IP address or FQDN listed in your DNS TXT record for SPF.

    This, of course, means that other messages using your domain will be booted.  This could be from home users, remote admin services, firewall devices, web page referrals where you type your address as the 'from', e-commerce servers not explicitly listed in your DNS.

    GFI does whitelist your existing users by default.  I suspended RBL filtering for a couple of days, and I've been deluged by spam from myself...looking for love in all the wrong places.

    RBLs are one way to block SMTP traffic before message delivery, but they can block people from whom you _do_ want mail, but happened to be blacklisted for a temporary virus, or collateral damage when larger subnets are listed.  When you reject the traffic before SMTP, there is no "spam box" into which you can search for missing messages.  They just don't show up, and your users (and customers/vendors) won't know why.
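What enforcing SPF on your own domain actually does, as an added example that is not part of the thread and not GFI's code: a small Python evaluator that takes the connecting IP from the Received header our own server wrote, reads the envelope sender from Return-Path, and walks the domain's SPF record. The domains, addresses and records are constructed and looked up in an in-memory table instead of DNS; only the ip4, ip6, a, include and all mechanisms are modelled.

```python
"""SPF check for a received message against an offline record table.

Added example, not code from this thread or from GFI. DNS_TXT and DNS_A stand
in for live TXT and A lookups; mx/ptr/exists are not modelled.
"""
import ipaddress
import re
from email import message_from_string

# Assumed "DNS": example.com lists its gateway, a relay by name, and a mail service.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 a:relay.example.com "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
DNS_A = {"relay.example.com": ["203.0.113.25"]}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def check_spf(ip, domain, depth=0):
    """Result for ip sending MAIL FROM domain: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"                      # RFC 7208 caps include: recursion
    record = DNS_TXT.get(domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"                           # no policy published, nothing to enforce
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                matched = addr in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = ip in DNS_A.get((arg or domain).lower(), [])
            elif mech == "include":
                matched = check_spf(ip, arg, depth + 1) == "pass"
            else:
                return "permerror"              # mechanism not modelled here
        except ValueError:
            return "permerror"                  # malformed network in the record
        if matched:
            return RESULT[qualifier]
    return "neutral"                            # no term matched


def connecting_ip(raw_message, our_host):
    """Peer IP from the Received header our_host wrote. Only that topmost header
    is trustworthy: every Received line below it arrived with the message."""
    for received in message_from_string(raw_message).get_all("Received", []):
        parts = re.split(r"\s+by\s+", received, maxsplit=1)
        if len(parts) == 2 and parts[1].startswith(our_host):
            ips = re.findall(r"\[(" + IPV4 + r")\]", parts[0])
            return ips[-1] if ips else None     # last bracketed IP is the peer
    return None


def envelope_domain(raw_message):
    """Domain of the envelope sender (Return-Path), which is what SPF checks."""
    m = re.search(r"@([\w.-]+)", message_from_string(raw_message).get("Return-Path", ""))
    return m.group(1).lower() if m else None


def evaluate(raw_message, our_host):
    ip, domain = connecting_ip(raw_message, our_host), envelope_domain(raw_message)
    return check_spf(ip, domain) if ip and domain else "none"


# Constructed messages. The spoofed one even forges a lower Received line naming
# the real, authorised gateway; the header our server wrote still decides.
SPOOFED = """Return-Path: <bob@example.com>
Received: from mail.example.com (unknown [192.0.2.77])
    by mx.example.com with ESMTP; Tue, 11 Oct 2011 09:14:02 -0400
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mail.example.com; Tue, 11 Oct 2011 09:13:55 -0400
From: bob@example.com
To: bob@example.com
Subject: Foreign brides waiting

(spam body)
"""

LEGIT = """Return-Path: <bob@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.10])
    by mx.example.com with ESMTP; Tue, 11 Oct 2011 10:02:13 -0400
From: bob@example.com
To: alice@example.com
Subject: Q3 invoice

(real body)
"""

if __name__ == "__main__":
    print("spoofed:", evaluate(SPOOFED, "mx.example.com"))   # fail
    print("legit:  ", evaluate(LEGIT, "mx.example.com"))     # pass
```

Two things the code makes concrete. SPF is evaluated on the envelope sender, so it stops this spoof only when the spammer also puts your domain in MAIL FROM, which is what the thread's headers show. And a host you forgot to list (the e-commerce server, the firewall appliance) gets exactly the same "fail" as the spammer with a -all record; that is the collateral damage Aleghart warns about, and the reason to inventory senders and run with ~all before moving to -all.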

    Author Comment

    So, what you two are saying is that I can set up the SPF, which should help some, but if I set the settings too high, then I will end up screwing myself?

    What about contacting the administrators that are looking after the systems that are sending the spam?  Are they looking after compromised systems?, or, are they the ones that are responsible?
    LVL 32

    Assisted Solution

    >What about contacting the administrators that are looking after the systems that are sending the spam?

    In foreign countries, especially schools, it's useless.  The language barrier is huge.  At schools, the inmates are running the asylum.

    I don't know how much spam you get, but our average is 60-85% spam to non-spam, depending on the day and the hour.  I used to contact primary ISPs, upstream ISPs and research for the admin of the subnet or actual mail server.  Consumed far too many hours of the day, and did not reduce the spam.  For every 1 admin you actually reach, there are dozens more bots and home users and temporary virus infections that are out of anyone's direct control.

    Better to spend that time on fine-tuning the filtering and archiving functions so that you still retain copies of mail that are filtered, and have a means of user retrieval.  Then, you can turn up the filtering on the server.

    > if I set the settings too high, then I will end up screwing myself?

    Temporarily.  Murphy's Law of SMTP, I guess.  You never know what or whom you've authorized to use your email address, until you make that blanket _deny_.  Then you start wondering where your firewall alerts disappeared to.  You can't catch everything.

    Author Closing Comment

    Thank you Neilsr for sticking in with me, and thank you goes to Aleghart for finishing up in the end.

    Good advice gentlemen :)

    Sorry for taking my sweet time to get back to you.  With the password change, and turning on the GFI SPF, life is good now :)
