Solved

Suspicious/abusive email sending behavior from our server

Posted on 2012-03-20
8
1,107 Views
Last Modified: 2012-03-22
Hi There
Yesterday our server was flagged as been abusive from hotmail/live/msn.

We have information indicating suspicious/abusive email sending behavior from IP (200.42.208.2):

Date of abuse: 3/19/2012

Total RCPT To commands sent: 115282.00

Total email Sent:  327.00

Because of the large difference in recept to commands versus email sent, this IP has been flagged for name space mining. Windows Live Hotmail is blocking (or filtering) all email sent from this IP. 

Open in new window


I ask them if they're could identified whom was send it the emails but said that information is classified.

So I have to check our server logs (exchange server 2003) and see whom was sending the emails but I've never done that.

We have to exchange server, one manage the external email so to me that obvious where I have to look. The information provide by Microsoft said the problem happen yesterday (march 19) so I have the log file but I don't know what to look for inside.

Can someone please help me find what to look for, so I can disable the origin account or implement what's need it.

Thank you

PD : Excuse my bad English
0
Comment
Question by:Tri_Support
  • 4
  • 3
8 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 37742269
my first question would be, is the ip address of 200.42.208.2, reserved only for your Exchange server, or are other devices NAT'ed through this as well?
0
 

Author Comment

by:Tri_Support
ID: 37742290
Just for my Exchange server. Nothing else.
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
ID: 37742620
If you have the logs, you will need to start reviewing them. It should not be to hard to find if there are that many attempts to send emails. You should see a bunch of RCPT's that don't have 250 acknowledgments.

You can also run something like netstat -ao to see what open connections you have and what PID is running those connections. That way you can tell if it is something besides Exchange.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:Tri_Support
ID: 37742662
I've checked the log and I found a massive amount of emails sent to hotmail yesterday from one account.

We have proceed to block that account and block the access to our network.

Next step should be talk to him and check his machine.

Let's hope this it's fine to them, I mean, to Microsoft
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743365
It might be related to virus / worm on the machine.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 37743376
If this is the case, you should consider blocking port 25 to the workstations. Outlook uses other ports, so port 25 should not be needed in most cases.
0
 

Author Comment

by:Tri_Support
ID: 37743550
Our 25 is blocked by Mcafeee Virus in all workstation.

If a virus, it took his mail address and spread using outlook.

Now I realize that could be an issue with a PST, as technical support I've seen cases where the user try to send an email, the pst got corrupted and the system continues generating the email.

Of course it could be a case well the user didn't realize how to send massive emails or abusing the system.

We are investigating.
0
 

Author Closing Comment

by:Tri_Support
ID: 37752151
Fast and reliable
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nearly six years ago I was hired by a company to be their senior server engineer. One of my first projects was to implement Exchange Server 2007 on a Windows Server 2008 Single Copy Cluster for high availability. That was the easy part; read on to l…
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
Familiarize people with the process of utilizing SQL Server stored procedures from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Micr…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question