Solved

Suspicious/abusive email sending behavior from our server

Posted on 2012-03-20
8
1,129 Views
Last Modified: 2012-03-22
Hi There
Yesterday our server was flagged as been abusive from hotmail/live/msn.

We have information indicating suspicious/abusive email sending behavior from IP (200.42.208.2):

Date of abuse: 3/19/2012

Total RCPT To commands sent: 115282.00

Total email Sent:  327.00

Because of the large difference in recept to commands versus email sent, this IP has been flagged for name space mining. Windows Live Hotmail is blocking (or filtering) all email sent from this IP. 

Open in new window


I ask them if they're could identified whom was send it the emails but said that information is classified.

So I have to check our server logs (exchange server 2003) and see whom was sending the emails but I've never done that.

We have to exchange server, one manage the external email so to me that obvious where I have to look. The information provide by Microsoft said the problem happen yesterday (march 19) so I have the log file but I don't know what to look for inside.

Can someone please help me find what to look for, so I can disable the origin account or implement what's need it.

Thank you

PD : Excuse my bad English
0
Comment
Question by:Tri_Support
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 37742269
my first question would be, is the ip address of 200.42.208.2, reserved only for your Exchange server, or are other devices NAT'ed through this as well?
0
 

Author Comment

by:Tri_Support
ID: 37742290
Just for my Exchange server. Nothing else.
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
ID: 37742620
If you have the logs, you will need to start reviewing them. It should not be to hard to find if there are that many attempts to send emails. You should see a bunch of RCPT's that don't have 250 acknowledgments.

You can also run something like netstat -ao to see what open connections you have and what PID is running those connections. That way you can tell if it is something besides Exchange.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 

Author Comment

by:Tri_Support
ID: 37742662
I've checked the log and I found a massive amount of emails sent to hotmail yesterday from one account.

We have proceed to block that account and block the access to our network.

Next step should be talk to him and check his machine.

Let's hope this it's fine to them, I mean, to Microsoft
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743365
It might be related to virus / worm on the machine.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 37743376
If this is the case, you should consider blocking port 25 to the workstations. Outlook uses other ports, so port 25 should not be needed in most cases.
0
 

Author Comment

by:Tri_Support
ID: 37743550
Our 25 is blocked by Mcafeee Virus in all workstation.

If a virus, it took his mail address and spread using outlook.

Now I realize that could be an issue with a PST, as technical support I've seen cases where the user try to send an email, the pst got corrupted and the system continues generating the email.

Of course it could be a case well the user didn't realize how to send massive emails or abusing the system.

We are investigating.
0
 

Author Closing Comment

by:Tri_Support
ID: 37752151
Fast and reliable
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing attempts can come in all forms, shapes and sizes. No matter how familiar you think you are with them, always remember to take extra precaution when opening an email with attachments or links.
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question