How to find out where spam is coming from and stop it

Posted on 2011-10-12
Medium Priority
Last Modified: 2012-05-12
There is spam being sent out from our site. This is a large school and I need to figure out how to stop this as soon as possible.
Question by: Itomicltd

Expert Comment

ID: 36954794
Block port 25 on your firewall, both in and out. This will stop your server from sending and receiving more mail and you can delete mail from the queue nice and easy. Deleting will go slow when you have many mails in the queue but will gradually go faster as the queue size decreases.

You can also stop the SMTP service, then move or delete *.eml files from the SMTP queue directory and finally start the SMTP service again.

This directory is not just for outbound mail; it's for every mail, even internal ones, so be careful if you just delete them.

After cleaning your SMTP queue, you should restart the SMTP service only when you are sure of your configuration.

The first thing to do will be to verify your SMTP with a site like http://www.pagasa.net/test-smtp-server/

For further troubleshooting you can go through this article.

Author Comment

ID: 36955353
I have blocked port 25 but the mails are still queuing. How do I find out what PC is spamming?

Expert Comment

ID: 36955877
Determine whether an authenticated user is relaying
This section enables logging in the Windows Event Viewer such that any authentication attempts against the SMTP service (successful or failures) are logged in the application log.
1. Start Exchange Administrator.
2. Double-click Servers.
3. Under Servers, right-click ServerName, and then click Properties.
4. Click the Diagnostic Logging tab.
5. Click MSExchangeTransport on the left.
6. On the right, click SMTP Protocol.
7. Under Logging Level, click Maximum.
8. Click OK to close Server Properties.
If a remote user is authenticating against the Small Business Server computer as part of an operation to relay SMTP e-mail, you will see an event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client remote_computername. The authentication method was LOGIN and the username was company\username.

In this case, if the relaying appears to come from a hacked account password, go to the Active Directory Users and Computers snap-in and delete the account, disable the account, or change the password on the account.


Author Comment

ID: 36955960
I never mentioned, this is Exchange 2007. What is the procedure for it?

Expert Comment

ID: 36956233
1. Start Registry Editor.

2. In Registry Editor, locate and then click the following registry key:

MSExchangeTransport\Diagnostics\SMTP Protocol

3. Set the value to 7, and then click OK.


Author Comment

ID: 36957334

By changing this value in regedit, what am I achieving? I also don't see SMTP Protocol in the list.

Thanks, Reg

Author Comment

ID: 36957435
OK, I think I get it now... I have set SmtpSend logging to Expert... still no signs of where the spammer is...
I have set up a bogus smarthost, hence the bit, but I need to know the IP of the spammer... See the log below for an example.

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SmtpSend
Event ID: 2007
Date: 10/12/2011
Time: 6:30:58 PM
User: N/A
Computer: MAIL07
Send connector Internet Email has initiated a new session to


Expert Comment

ID: 36960411
It's very difficult to find which machine is sending spam to the external world, as Outlook connects to the Mailbox server and mail is sent from the Hub Transport server, so the IP you will see on the Hub server will be either the mailbox Exchange server or the remote domain server. I think one of your accounts has been compromised and is being used for spamming.

Are you using POP or IMAP accounts? I will suggest you disable these services and request all those users to change their password.

One last thing we can do is to run these commands, which will start recording all SMTP traffic.
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

Get-SendConnector | Set-SendConnector -ProtocolLoggingLevel Verbose

Managing Protocol Logging

Receive connector protocol log files: C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
Send connector protocol log files: C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpSend
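Once verbose protocol logging is on, the SmtpReceive log is where the submitting host shows up. The following is an added example, not code from the thread: a PowerShell function that summarises an Exchange 2007/2010 receive protocol log by remote IP and counts sessions and MAIL FROM commands per host, so the machine injecting mail stands out. The log layout (a `#Fields:` header naming the CSV columns) is the Exchange protocol log format; the sample lines and the 10.0.0.x addresses are constructed.

```powershell
# Added example, not from the thread: rank hosts talking to the receive
# connectors by sessions and MAIL FROM commands. Exchange 2007/2010 protocol
# logs are CSV with a '#Fields:' header line naming the columns. The sample
# log below is constructed for illustration.
$Sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-10-19T12:27:40.001Z,MAIL07\Internal Relay,08CE4A1,0,10.0.0.5:25,10.0.0.77:51234,+,,
2011-10-19T12:27:40.002Z,MAIL07\Internal Relay,08CE4A1,1,10.0.0.5:25,10.0.0.77:51234,<,MAIL FROM:<bounce@example.net>,
2011-10-19T12:27:40.003Z,MAIL07\Internal Relay,08CE4A1,2,10.0.0.5:25,10.0.0.77:51234,<,RCPT TO:<rnmlznltfq@ms32.hinet.net>,
2011-10-19T12:27:41.001Z,MAIL07\Internal Relay,08CE4A1,3,10.0.0.5:25,10.0.0.77:51234,<,MAIL FROM:<bounce@example.net>,
2011-10-19T12:27:42.001Z,MAIL07\Internal Relay,08CE4A1,4,10.0.0.5:25,10.0.0.77:51234,-,,Local
2011-10-19T12:28:05.001Z,MAIL07\Default MAIL07,08CE4A2,0,10.0.0.5:25,10.0.0.10:41000,+,,
2011-10-19T12:28:05.002Z,MAIL07\Default MAIL07,08CE4A2,1,10.0.0.5:25,10.0.0.10:41000,<,MAIL FROM:<alice@school.example>,
2011-10-19T12:28:06.001Z,MAIL07\Default MAIL07,08CE4A2,2,10.0.0.5:25,10.0.0.10:41000,-,,Local
'@ -split "`r?`n"

function Get-SmtpReceiveSummary {
    param([string[]]$Lines)
    # The '#Fields:' line carries the column names; other '#' lines are metadata.
    $fieldLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $header = ($fieldLine -replace '^#Fields:\s*', '') -split ','
    $rows = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } | ConvertFrom-Csv -Header $header
    # remote-endpoint is "ip:port"; group on the ip so all sessions from one host collapse.
    $rows | Group-Object { ($_.'remote-endpoint' -split ':')[0] } | ForEach-Object {
        New-Object PSObject -Property @{
            RemoteIP  = $_.Name
            Connector = (@($_.Group | ForEach-Object { $_.'connector-id' } | Sort-Object -Unique) -join '; ')
            Sessions  = @($_.Group | Where-Object { $_.event -eq '+' }).Count   # '+' = new connection
            MailFrom  = @($_.Group | Where-Object { $_.event -eq '<' -and $_.data -like 'MAIL FROM:*' }).Count
        }
    } | Select-Object RemoteIP, Connector, Sessions, MailFrom | Sort-Object MailFrom -Descending
}

# Constructed sample: 10.0.0.77 tops the list (1 session, 2 MAIL FROM) via Internal Relay.
Get-SmtpReceiveSummary -Lines $Sample | Format-Table -AutoSize
# Against the live directory quoted above, all log files at once:
# Get-SmtpReceiveSummary -Lines (Get-Content 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive\*.log')
```

A host at the top of the list that is not a mail server is the first machine to pull off the network and inspect; an authenticated submission from a user's workstation points at a compromised account instead.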

Expert Comment

ID: 36990938
Any update on this?

Author Comment

ID: 36992011
I have 3 receive connectors; which one (Client MAIL07, Default MAIL07 and Internal Relay)?
I have also enabled logging on the Send connector but am not seeing any logs yet (I have also restarted the transport service).

Author Comment

ID: 36992088
I need to stop the queue from being overloaded and bounce any mail being sent to the queue. How can I do this?

Here is the message from the mails in the queue... it's non-stop spamming...

Identity: mail07\27\145
Subject: Undeliverable: ¡¹¡¹§A­nªº¦b®a­Ý¾¸ê®Æ(¨C¤ë¼W¥[2~5¸U)¡¹¡¹living with
Internet Message ID: <7709668c-22a6-424f-b420-ea0308e9526b>
From Address: <>
Status: Active
Size (KB): 23
Message Source Name: DSN
Source IP:
SCL: -1
Date Received: 10/19/2011 12:27:49 PM
Expiration Time: 10/21/2011 12:27:49 PM
Last Error:
Queue ID: mail07\27
Recipients:  rnmlznltfq@ms32.hinet.net

Author Comment

ID: 36998970

This has gone on for a number of days and no-one seems to be able to at least offer me a rule or something that says drop all mail sent from an external email address from inside the organisation (that's the only thing that is common: the mails are sent from an external address to an external address)... There surely has to be some way to stop the mail flowing out first and foremost without affecting mail from domain addresses. I can find the problem after, but it is vital I at least drop these mails before they get outside to the internet...



Accepted Solution

sumit_arora earned 2000 total points
ID: 36999064
OK, here is the thing you need to do now.

You need to enable recipient filtering; run this command on the Hub server:
Set-RecipientFilterConfig -Enabled $true

Follow these steps:
1. Open the Microsoft Exchange Management Console on the Edge Server.
2. Click on the 'Edge Transport' node.
3. Click on the Anti-spam tab.
4. Right-click on 'Recipient Filtering' and select 'Enable' (if Recipient Filtering is already enabled, you will only have the option to 'Disable' and we can ignore this step).
5. Right-click on 'Recipient Filtering' once again and select 'Properties'.
6. Under the 'Blocked Recipients' tab, tick the 'Block messages sent to recipients not listed in the Global Address List' option.
7. Click 'OK' to save changes.
When someone tries to send an email to a user that does not exist in your Active Directory domain, they will receive the error:
550 5.5.1 User unknown


Author Comment

ID: 36999634
Hi Sumit,

Thanks for the reply, but I already have this in place (from an article I read online)... mail is still building up in queues...

Here are messages


Expert Comment

ID: 37000473
Is this option enabled: 'Block messages sent to recipients not listed in the Global Address List'?

Expert Comment

ID: 37000586
Run the following command:

Add-ContentFilterPhrase -Phrase <String> -Influence <GoodWord | BadWord>
For example, if you want to block the phrase "stock tip," run the following command:

Add-ContentFilterPhrase -Phrase "stock tip" -Influence BadWord

Check the subject of the message you are getting as spam and reject it. I think it's "DSN".

When you specify a word or phrase, you must specify whether it is an Allow phrase or a Block phrase. When the Content Filter agent encounters an Allow phrase in a message, the spam confidence level (SCL) is set to 0. When the Content Filter agent encounters a Block phrase in a message, the SCL is set to 9.


Expert Comment

ID: 37000667

Use this article to create a rule to block a user whose FROM address is "<>" from sending an email over the internet.

I hope this will help you to achieve what you want to.

Author Comment

ID: 37002306
Got it sorted. Disabled internal relay and allowed anonymous users on default client.
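The fix above came down to a receive connector that let internal hosts relay to external recipients. As an added example, not code from the thread, the following read-only PowerShell function lists every receive connector on a Hub Transport server together with the settings that decide who may relay, and flags connectors that grant anonymous senders the ms-Exch-SMTP-Accept-Any-Recipient right. It assumes it is run in the Exchange Management Shell; the function name is made up for this example.

```powershell
# Added example, not from the thread: audit receive connectors for the
# combination that turns a school LAN into a spam source: anonymous access plus
# the ms-Exch-SMTP-Accept-Any-Recipient extended right. Read-only; run in the
# Exchange Management Shell. Get-ReceiveConnectorRelayExposure is a made-up name.
function Get-ReceiveConnectorRelayExposure {
    param([string]$Server = $env:COMPUTERNAME)
    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $rc = $_
        # Relay permission is an AD extended right on the connector object, not a
        # connector property, so query it for the anonymous principal explicitly.
        $anonRelay = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object {
                -not $_.Deny -and
                (@($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient')
            })
        New-Object PSObject -Property @{
            Connector        = $rc.Name
            RemoteIPRanges   = (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ')
            PermissionGroups = "$($rc.PermissionGroups)"
            AuthMechanism    = "$($rc.AuthMechanism)"
            AnonymousRelay   = ($anonRelay.Count -gt 0)
        }
    } | Select-Object Connector, RemoteIPRanges, PermissionGroups, AuthMechanism, AnonymousRelay
}

# AnonymousRelay = True on a connector whose RemoteIPRanges covers the whole LAN
# means any infected workstation in that range can send to the internet through
# the server. Such connectors should be scoped to the few hosts that need them.
Get-ReceiveConnectorRelayExposure | Format-Table -AutoSize
```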
