?
Solved

Suspicious/abusive email sending behavior from our server

Posted on 2012-03-20
8
Medium Priority
?
1,139 Views
Last Modified: 2012-03-22
Hi There
Yesterday our server was flagged as been abusive from hotmail/live/msn.

We have information indicating suspicious/abusive email sending behavior from IP (200.42.208.2):

Date of abuse: 3/19/2012

Total RCPT To commands sent: 115282.00

Total email Sent:  327.00

Because of the large difference in recept to commands versus email sent, this IP has been flagged for name space mining. Windows Live Hotmail is blocking (or filtering) all email sent from this IP. 

Open in new window


I ask them if they're could identified whom was send it the emails but said that information is classified.

So I have to check our server logs (exchange server 2003) and see whom was sending the emails but I've never done that.

We have to exchange server, one manage the external email so to me that obvious where I have to look. The information provide by Microsoft said the problem happen yesterday (march 19) so I have the log file but I don't know what to look for inside.

Can someone please help me find what to look for, so I can disable the origin account or implement what's need it.

Thank you

PD : Excuse my bad English
0
Comment
Question by:Tri_Support
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 37742269
my first question would be, is the ip address of 200.42.208.2, reserved only for your Exchange server, or are other devices NAT'ed through this as well?
0
 

Author Comment

by:Tri_Support
ID: 37742290
Just for my Exchange server. Nothing else.
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 2000 total points
ID: 37742620
If you have the logs, you will need to start reviewing them. It should not be to hard to find if there are that many attempts to send emails. You should see a bunch of RCPT's that don't have 250 acknowledgments.

You can also run something like netstat -ao to see what open connections you have and what PID is running those connections. That way you can tell if it is something besides Exchange.
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 

Author Comment

by:Tri_Support
ID: 37742662
I've checked the log and I found a massive amount of emails sent to hotmail yesterday from one account.

We have proceed to block that account and block the access to our network.

Next step should be talk to him and check his machine.

Let's hope this it's fine to them, I mean, to Microsoft
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743365
It might be related to virus / worm on the machine.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 37743376
If this is the case, you should consider blocking port 25 to the workstations. Outlook uses other ports, so port 25 should not be needed in most cases.
0
 

Author Comment

by:Tri_Support
ID: 37743550
Our 25 is blocked by Mcafeee Virus in all workstation.

If a virus, it took his mail address and spread using outlook.

Now I realize that could be an issue with a PST, as technical support I've seen cases where the user try to send an email, the pst got corrupted and the system continues generating the email.

Of course it could be a case well the user didn't realize how to send massive emails or abusing the system.

We are investigating.
0
 

Author Closing Comment

by:Tri_Support
ID: 37752151
Fast and reliable
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Email signatures have numerous marketing benefits. Here are 8 top reasons to turn your email signature into a marketing channel.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question