Unsolicited Emails

Last week we had 4,400+ e-mails in our output queue in our Exchange 2003 server.  We changed all of the administrator's passwords and the problem appeared to have stopped.  This morning I noticed the same number of e-mails in the output queue.  The mail's subject is "Hello dear nenber" and the sender is "Satander - Online Banking".  I checked to see if the mail server was not an Open Relay and it does not seem to be.  I've checked the and have a number of Event id 7000 "This is an SMTP protocol log for virtual ID 1, connection $70803. .....The full command was sent from mail from <notice@santander.co.uk".
I am not even sure where to start looking for the cause of this problem.  Any help would really be appreciated.
Thanks
webentpr Asked:

ShrCol Commented:
Could well be malware on one of your client computers. Make sure your antivirus is up to date and do some scanning.
0
webentpr (Author) Commented:
Thanks - I've already started running Malwarebytes on all.  I will post the results when I am done.  Is there any way to tell which workstation sent the mail?
0
davealford (IT Support) Commented:
It's not SBS2003 is it?

Do you restrict email to only addresses that exist in your domain?

Have a look at the messages in  the queues - are they 'bounced' messages (to undeliverable addresses in your domain) or relayed messages?
0

webentpr (Author) Commented:
Hi -
Yes it is SBS2003.  I am not sure how to restrict to only emails in my domain.  There are both bounce and non-bounce messages.
0
davealford (IT Support) Commented:
Are you using the POP3 connector to collect email?
If so, there was a known issue with Exchange on SBS2003 whereby an incoming email sent to a distribution list via BCC would arrive at the server and, rather than simply deliver/bounce the message, it would bounce the original message to everyone on the distribution list ... and, of course, send a copy to itself as one of your users is on the list. ...
http://msmvps.com/blogs/bradley/archive/2004/05/21/6920.aspx
http://support.microsoft.com/?id=835734
might fix it

0
netballi Commented:
It feels like these are NDR messages stuck in your output queue.

To resolve this kind of mail you can apply a filter to accept only messages for valid recipients in your domain so that spam can be kept out.
0
netballi Commented:
Try the following link for blocking spam with Exchange 2003

http://www.petri.co.il/block_spam_with_exchange_2003.htm
0
webentpr (Author) Commented:
Hi -
Davealford - yes we are using the POP3 interface.  I have downloaded and run the update.  I appreciate the hint.  Thanks
Netballi - thank you - some are NDR but most of the mail is simply the spam.  The queue has gone from 4,500 to 3,434 now.  I hate to ask but do you have documentation on how to set a filter to accept only messages from valid recipients?  I did change the filter from accept to delete.  Thank you
0
netballi Commented:
Hello,

You can try the following link for step-by-step instructions on how to configure Recipient Filtering in Exchange 2003

http://www.arrowmail.co.uk/howto/recfilt.aspx
0
webentpr (Author) Commented:
Excellent - thanks I will try it.
0
webentpr (Author) Commented:
Actually I checked that and it was already set. Thanks
0
netballi Commented:
If that is all set then you should look for an industry-standard spam filter solution on the perimeter of your network to block any spam.
0
webentpr (Author) Commented:
Thanks - I really appreciate your input.
0
davealford (IT Support) Commented:
You could manually delete items from the queue.

As you're using the POP3 connector, the valid recipient filter won't be of use. However, if you want to get email delivered direct to your server then ....

To restrict inbound email to valid recipients -
Start Exchange System Manager
Expand Global Settings
Right click Message Delivery and select Properties
On Recipient Filtering tab, check the "Filter Recipients who are not in the directory".

You need to enable Recipient Filter on the virtual SMTP -
Expand Servers
Expand "YourServer"
Expand Protocols
Expand SMTP
RightClick on Default SMTP Virtual Server and select Properties
On the General Tab, Click Advanced button
Select the server's IP and click Edit
Check that Apply Recipient Filter is checked

One advantage of having email delivered direct is you can also use Connection Filters (BlockLists or Blacklists etc). The minimum I use is SPAMHAUS zen.spamhaus.org

The connection filters are added in the same dialog as recipient filters of Global/Message Delivery. Just add zen.spamhaus.org as the DNS suffix of provider and sending IP addresses on that list will be blocked. I also tend to use the SORBS dynamic IP list as this will block email being sent from "Dynamically assigned" IP addresses (most ADSL connections' IP addresses are in the Dynamic IP pools) - this will deny any email sent direct from ADSL or dialup type connections so, may not be right for everyone.
0
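The connection filter described in the post above works by a DNS lookup: the connecting IP's octets are reversed, the provider's DNS suffix is appended, and the A record that comes back says whether the address is listed. The following is an added example, not code from the thread or from Exchange; the function names are hypothetical, the return-code table is assumed from Spamhaus's published values, and the DNS answers are constructed so it runs offline.

```python
import ipaddress
import socket

# Return codes Spamhaus documents for zen.spamhaus.org (assumed current; confirm
# against the provider's documentation before relying on them).
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """Build the query name: IPv4 octets reversed, then the DNS suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Live A-record lookup. No answer is returned as an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []

def check_dnsbl(ip, resolve=system_resolver, zone="zen.spamhaus.org"):
    """Return (verdict, details); verdict is 'listed', 'not-listed' or 'error'."""
    answers = resolve(dnsbl_name(ip, zone))
    if not answers:
        return ("not-listed", [])
    # 127.255.255.x is the provider refusing the query (for example because it
    # came through a public resolver). It must never be read as a listing.
    refused = [a for a in answers if a.startswith("127.255.255.")]
    if refused:
        return ("error", refused)
    lists = sorted({ZEN_CODES.get(a, "unknown") for a in answers})
    return ("listed", lists)

# Constructed answers standing in for real DNS so the example runs offline.
CONSTRUCTED_ZONE = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "10.113.0.203.zen.spamhaus.org": ["127.0.0.11"],
    "7.100.51.198.zen.spamhaus.org": ["127.255.255.254"],
}

def constructed_resolver(name):
    return CONSTRUCTED_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, dnsbl_name(ip), check_dnsbl(ip, constructed_resolver))
```

A filter that treats any returned A record as a match would reject every sender once the provider starts answering with a refusal code, which is why the "error" verdict is kept separate from "listed".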

webentpr (Author) Commented:
Hi Davealford:

Thank you so much for the input.  I will try those today.  I have seen the following pattern - this problem usually (3 weeks in a row) occurs between Sunday night and Monday morning.  Since this is a SBS 2003 I suspect that maybe someone's home workstation is infected and the mail is coming through Remote Work Place.  I've asked the client to verify that all internal and external workstations run Malwarebytes and to confirm the workstations are clean.

Thank you for not letting this slide.
0
webentpr (Author) Commented:
Thanks - this is the first Monday in 3 weeks that there was no unsolicited mail.
0

Question has a verified solution.
