Find IP of Spammer

Posted on 2011-10-12
Last Modified: 2012-05-12
I have a Windows 2003 R2 server with Exchange 2007 installed. There is a machine on our network which is spamming, I believe, but I cannot find it. The queues are filling up with spam from various addresses. I can't find any info on the machine anywhere. I want to know how to

1. Stop mail from non-authenticated users from sending, and
2. Find the machine sending this crap.

I have enabled logging on the SMTP sender so I can see what is sending (but it just says my mail server). I have asked this question a number of times and keep getting referrals to articles which have no relevance to my issue. I simply need to find the best way to stop unauthenticated users sending mails, and where this machine is....

Question by:Itomicltd

    Expert Comment

    In the past I have used Wireshark (installed on the server and listening on port 25).
    It works very well and should lead you to the offending machine within a very short time.
    If it is indeed coming from within your LAN, then there really is no way to stop it other than by finding and killing whatever malware is on the infected machine.
    If it is coming from outside, then you are an open relay... and that needs to be closed. I don't have the exact procedure handy, but it is available on the Microsoft website.

    Expert Comment

    If it is inside your network, you could stop it by limiting which machines can send to your SMTP connector.  Actually, only your firewall / ISA should send straight to your SMTP hub, and all else should be refused.  Only exceptions should be allowed (like a helpdesk tool which sends mail, etc.).

    Once stopped you still need to find the affected machine, but at least it's harmless.  Also make sure SMTP can only send to the outside world from your Exchange hub, or your company may find itself on spam blacklists soon.

    If it's MAPI, then do you have an antivirus tool installed on all workstations?

    Author Comment


    This looks like the right place to catch the problem. I have installed Wireshark and started a capture, and have messed around, but can't see exactly how I filter only SMTP traffic. Can you advise?


    Expert Comment

    by:Mahmoud Sabry
    You can find a detailed log for this in more than one way (this will show you the sender IP address):

    1. As you installed Antispam on the server, antispam agent logging is enabled. You can find the antispam agent log on the Hub server in the path below:

    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

    2. You can enable receive connector logging on the receive connector. To do this,
    open EMC, go to Server Configuration, Hub Transport, right-click the receive connector, Properties,
    then change the protocol logging level to Verbose.

    To force the logging to start immediately, restart the Microsoft Exchange Transport service on the server.

    You can find the log for the receive connector in the path below:
    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive

    Expert Comment

    Well, as I understand it, you have a problem with a PC or server in your local network that is sending mail to your SMTP gateway.  That SMTP gateway is at this point open to all.  That can be changed.  It should actually only accept inbound traffic from either your firewall / content filtering application, or any predefined list of machines that is allowed to send, like your helpdesk application.

    In Wireshark, you can filter per port (25) but also per protocol.  I usually prefer to capture everything and then, during the display part, filter out / in what I need.  When you do it during display, you can just point to a frame and use the "Follow TCP Stream" function.  That will actually also display the filter for you.

    Author Comment


    This has gone on for a number of days and no-one seems to be able to at least offer me a rule or something that says drop all mail sent from an external email address from inside the organisation (that's the only thing that is common: the mails are sent from an external address to an external address)....there surely has to be some way to stop the mail flowing out first and foremost without affecting mail from domain addresses. I can find the problem after, but it is vital I at least drop these mails before they get outside to the internet....
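The verbose receive-connector log described earlier in the thread records the remote endpoint of every SMTP session, so it can be tallied to locate the host whose sessions match the external-sender-to-external-recipient pattern the asker describes. The following is an added example, not code from the thread; it parses that CSV layout, and the log lines and the local domain example.com are constructed.

```python
"""Tally Exchange 2007 SmtpReceive protocol-log sessions by remote IP.
Added example, not code from the thread; the log text and 'example.com'
(standing in for the local accepted domain) are constructed.
"""
import csv
import re
from collections import defaultdict

# Constructed sample in the SmtpReceive CSV layout: 10.0.0.77 relays
# external-to-external mail, 10.0.0.20 sends legitimate internal mail.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2011-10-12T10:00:01.200Z,HUB01\Default HUB01,08CE5B1D2A9B0001,1,10.0.0.5:25,10.0.0.77:4512,<,MAIL FROM:<winner@lottery.test> SIZE=2048,
2011-10-12T10:00:01.300Z,HUB01\Default HUB01,08CE5B1D2A9B0001,2,10.0.0.5:25,10.0.0.77:4512,<,RCPT TO:<victim@elsewhere.test>,
2011-10-12T10:00:02.200Z,HUB01\Default HUB01,08CE5B1D2A9B0002,1,10.0.0.5:25,10.0.0.20:3301,<,MAIL FROM:<helpdesk@example.com>,
2011-10-12T10:00:02.300Z,HUB01\Default HUB01,08CE5B1D2A9B0002,2,10.0.0.5:25,10.0.0.20:3301,<,RCPT TO:<user@example.com>,
2011-10-12T10:00:03.200Z,HUB01\Default HUB01,08CE5B1D2A9B0003,1,10.0.0.5:25,10.0.0.77:4513,<,MAIL FROM:<offer@pills.test>,
2011-10-12T10:00:03.300Z,HUB01\Default HUB01,08CE5B1D2A9B0003,2,10.0.0.5:25,10.0.0.77:4513,<,RCPT TO:<someone@other.test>,
"""

ADDR = re.compile(r"<([^>]*)>")  # address inside MAIL FROM:<...> / RCPT TO:<...>


def external_relay_sessions(log_text, local_domains):
    """Return {remote_ip: sessions whose sender and every recipient are external}."""
    fields, sessions = None, {}  # sessions: session-id -> ip / from / rcpt
    for raw in log_text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].strip().split(",")
        if not raw or raw.startswith("#") or fields is None:
            continue  # other header lines, or rows before the field list
        row = dict(zip(fields, next(csv.reader([raw]))))
        sess = sessions.setdefault(row["session-id"], {
            "ip": row["remote-endpoint"].rsplit(":", 1)[0], "from": None, "rcpt": []})
        if row["event"] != "<":
            continue  # only client commands ("<") carry MAIL FROM / RCPT TO
        verb, _, arg = row["data"].partition(":")
        match = ADDR.search(arg)  # tolerates trailing ESMTP params such as SIZE=
        if verb.upper() == "MAIL FROM" and match:
            sess["from"] = match.group(1).lower()
        elif verb.upper() == "RCPT TO" and match:
            sess["rcpt"].append(match.group(1).lower())

    local = lambda addr: addr.rpartition("@")[2] in local_domains
    counts = defaultdict(int)
    for s in sessions.values():
        if s["from"] is not None and s["rcpt"] and not local(s["from"]) \
                and not any(local(r) for r in s["rcpt"]):
            counts[s["ip"]] += 1
    return dict(counts)
```

Run against a real SmtpReceive file with the organisation's accepted domains as `local_domains`; the IP with the highest count is the host to isolate and clean.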



    Accepted Solution

    Issue resolved by Microsoft. Disabled internal relay and allowed anonymous users on default connector

    Author Closing Comment

    Microsoft solved this one.
