
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 211
  • Last Modified:

Find IP of Spammer

I have a Windows 2003 R2 server with Exchange 2007 installed. There is a machine on our network which is spamming, I believe, but I cannot find it. The queues are filling up with spam from various addresses. I can't find any info on the machine anywhere. I want to know how to

1. Stop mail from non-authenticated users from sending, and
2. Find the machine sending this crap.

I have enabled logging on the SMTP sender so I can see what is sending (but it just says my mail server). I have asked this question a number of times and keep getting referrals to articles which have no relevance to my issue. I simply need to find the best way to stop unauthenticated users sending mails and where this machine is....

1 Solution
In the past I have used Wireshark (installed on the server and listening on port 25).
It works very well and should lead you to the offending machine within a very short time.
If it is indeed coming from within your LAN, then there really is no way to stop it other than by finding and killing whatever malware is in the infected machine.
If it is coming from outside, then you are an open relay... and that needs to be closed. I don't have the exact procedure handy, but it is available on the Microsoft website.
If it is inside your network, you could stop it by limiting which machines can send to your SMTP connector.  Actually only your firewall / ISA should send straight to your SMTP hub, and all else should be refused.  Only exceptions should be allowed (like a helpdesk tool which sends mail etc).

Once stopped you still need to find the affected machine, but at least it's harmless.  Also make sure SMTP can only send to the outside world from your Exchange hub, or your company may find itself on spam blacklists soon.

If it's MAPI, then do you have an antivirus tool installed on all workstations?

Itomicltd (Author) commented:

This looks like the right place to catch the problem. I have installed Wireshark and started a capture, have messed around but can't see exactly how I filter only SMTP traffic. Can you advise?

Mahmoud Sabry commented:
You can find a detailed log for this using more scenarios (this will show you the sender IP address):

1. As you installed Antispam on the server, antispam agent logging is enabled. To see the log of the antispam agent, you can find it on the hub server in the below path:

C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\AgentLog

2. You can enable receive connector logging on the receive connector. To do this,
open EMC, go to Server Configuration, Hub Transport, right-click the receive connector, Properties,
then change the protocol logging level to Verbose.

To force the logging to start immediately, restart the Microsoft Exchange Transport service on the server.

You can find the log for the receive connector in the below path:
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\ProtocolLog\SmtpReceive
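The SmtpReceive protocol log named above is a CSV file with a `#Fields:` header, and the `remote-endpoint` column on each `<` (command received) row is the client IP the poster is looking for. The script below is an added example, not code from the thread or from Microsoft: it parses that log, keeps only `MAIL FROM` commands whose sender domain is not one of your own (the external-to-external pattern the poster describes), and ranks the submitting hosts by how many such commands they issued. The log rows, IP addresses, sender addresses and the `corp.example` internal domain are constructed for the example.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample of an Exchange 2007 SMTP Receive protocol log. The #Fields
# header and the event markers ('+' connect, '<' command received, '>' response
# sent, '-' disconnect) follow the documented layout; the rows, hosts and
# addresses are made up for this example.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2009-05-01T09:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2009-05-01T09:00:01.000Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,0,10.0.0.5:25,10.0.0.42:3301,+,,
2009-05-01T09:00:01.100Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,1,10.0.0.5:25,10.0.0.42:3301,<,EHLO pc42,
2009-05-01T09:00:01.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,2,10.0.0.5:25,10.0.0.42:3301,<,MAIL FROM:<promo@spam-example.net>,
2009-05-01T09:00:01.300Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,3,10.0.0.5:25,10.0.0.42:3301,<,RCPT TO:<victim@other-example.org>,
2009-05-01T09:00:01.400Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,4,10.0.0.5:25,10.0.0.42:3301,>,250 2.1.5 Recipient OK,
2009-05-01T09:00:01.900Z,HUB01\\Default HUB01,08CB7A9D1E2F0001,5,10.0.0.5:25,10.0.0.42:3301,-,,Local
2009-05-01T09:00:02.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0002,2,10.0.0.5:25,10.0.0.42:3302,<,MAIL FROM:<deals@spam-example.net>,
2009-05-01T09:00:03.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0003,2,10.0.0.5:25,10.0.0.42:3303,<,MAIL FROM:<offer@another-spam.example> SIZE=2048,
2009-05-01T09:00:04.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0004,2,10.0.0.5:25,10.0.0.7:49152,<,MAIL FROM:<alice@corp.example>,
2009-05-01T09:00:05.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0005,2,10.0.0.5:25,10.0.0.7:49153,<,MAIL FROM:<>,
2009-05-01T09:00:06.200Z,HUB01\\Default HUB01,08CB7A9D1E2F0006,2,10.0.0.5:25,10.0.0.90:5120,<,MAIL FROM:<alerts@helpdesk-vendor.example>,
"""

# Placeholder for the organisation's own accepted domains (assumption for the example).
INTERNAL_DOMAINS = {"corp.example"}


def parse_protocol_log(text):
    """Yield one dict per data row, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields header")
        yield dict(zip(fields, next(csv.reader([line]))))


def sender_address(data):
    """Return the lower-cased address from a 'MAIL FROM:<addr>' command, else None."""
    cmd = data.strip()
    if not cmd.upper().startswith("MAIL FROM:"):
        return None
    rest = cmd[len("MAIL FROM:"):].strip()
    if rest.startswith("<"):
        end = rest.find(">")
        return rest[1:end].lower() if end != -1 else None
    return rest.split()[0].lower() if rest else None


def mail_from_by_host(text, internal_domains):
    """Map remote IP -> Counter(sender domain -> count), counting only MAIL FROM
    commands whose sender domain is not one of ours. A null sender (<>) is skipped."""
    per_host = defaultdict(Counter)
    for row in parse_protocol_log(text):
        if row["event"] != "<":
            continue
        addr = sender_address(row["data"])
        if not addr or "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        if domain in internal_domains:
            continue
        ip = row["remote-endpoint"].rsplit(":", 1)[0]  # strip the client port
        per_host[ip][domain] += 1
    return per_host


def rank_suspects(text, internal_domains):
    """List (remote_ip, external MAIL FROM count) tuples, busiest host first."""
    per_host = mail_from_by_host(text, internal_domains)
    totals = [(ip, sum(c.values())) for ip, c in per_host.items()]
    return sorted(totals, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in rank_suspects(SAMPLE_LOG, INTERNAL_DOMAINS):
        print(f"{ip:15} {n} MAIL FROM command(s) with an external sender domain")
```

On a real hub server, replace `SAMPLE_LOG` with the contents of the RECV*.log files from the SmtpReceive directory above (after verbose logging has been on long enough to catch a burst) and put your accepted domains in `INTERNAL_DOMAINS`. A host at the top of the list that is not your firewall or a known mail-sending application is the one to go and look at; a legitimate sender such as a helpdesk tool will also appear, which is exactly the exception list the first answer says the connector should be restricted to.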
Well, as I understand it, you have a problem with a PC or server in your local network that is sending mail to your SMTP gateway.  That SMTP gateway is at this point open to all.  That can be changed.  It should actually only accept inbound traffic from either your firewall / content filtering application, or any predefined list of machines that is allowed to send, like your helpdesk application.

In Wireshark, you can filter per port (25) but also per protocol.  I usually prefer to capture everything and then, during the display part, filter out / in what I need.  When you do it during display, you can just point to a frame and use the "Follow TCP Stream" function.  That will actually also display the filter for you.
Itomicltd (Author) commented:

This has gone on for a number of days and no-one seems to be able to at least offer me a rule or something that says drop all mail sent from an external email address from inside the organisation (that's the only thing that is common: the mails are sent from an external address to an external address)....there surely has to be some way to stop the mail flowing out first and foremost without affecting mail from domain addresses. I can find the problem after, but it is vital I at least drop these mails before they get outside to the internet....


Itomicltd (Author) commented:
Issue resolved by Microsoft. Disabled internal relay and allowed anonymous users on default connector
Itomicltd (Author) commented:
Microsoft solved this one.
