Solved

Suspicious/abusive email sending behavior from our server

Posted on 2012-03-20
8
1,096 Views
Last Modified: 2012-03-22
Hi There
Yesterday our server was flagged as been abusive from hotmail/live/msn.

We have information indicating suspicious/abusive email sending behavior from IP (200.42.208.2):

Date of abuse: 3/19/2012

Total RCPT To commands sent: 115282.00

Total email Sent:  327.00

Because of the large difference in recept to commands versus email sent, this IP has been flagged for name space mining. Windows Live Hotmail is blocking (or filtering) all email sent from this IP. 

Open in new window


I ask them if they're could identified whom was send it the emails but said that information is classified.

So I have to check our server logs (exchange server 2003) and see whom was sending the emails but I've never done that.

We have to exchange server, one manage the external email so to me that obvious where I have to look. The information provide by Microsoft said the problem happen yesterday (march 19) so I have the log file but I don't know what to look for inside.

Can someone please help me find what to look for, so I can disable the origin account or implement what's need it.

Thank you

PD : Excuse my bad English
0
Comment
Question by:Tri_Support
  • 4
  • 3
8 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 37742269
my first question would be, is the ip address of 200.42.208.2, reserved only for your Exchange server, or are other devices NAT'ed through this as well?
0
 

Author Comment

by:Tri_Support
ID: 37742290
Just for my Exchange server. Nothing else.
0
 
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
ID: 37742620
If you have the logs, you will need to start reviewing them. It should not be to hard to find if there are that many attempts to send emails. You should see a bunch of RCPT's that don't have 250 acknowledgments.

You can also run something like netstat -ao to see what open connections you have and what PID is running those connections. That way you can tell if it is something besides Exchange.
0
 

Author Comment

by:Tri_Support
ID: 37742662
I've checked the log and I found a massive amount of emails sent to hotmail yesterday from one account.

We have proceed to block that account and block the access to our network.

Next step should be talk to him and check his machine.

Let's hope this it's fine to them, I mean, to Microsoft
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743365
It might be related to virus / worm on the machine.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 37743376
If this is the case, you should consider blocking port 25 to the workstations. Outlook uses other ports, so port 25 should not be needed in most cases.
0
 

Author Comment

by:Tri_Support
ID: 37743550
Our 25 is blocked by Mcafeee Virus in all workstation.

If a virus, it took his mail address and spread using outlook.

Now I realize that could be an issue with a PST, as technical support I've seen cases where the user try to send an email, the pst got corrupted and the system continues generating the email.

Of course it could be a case well the user didn't realize how to send massive emails or abusing the system.

We are investigating.
0
 

Author Closing Comment

by:Tri_Support
ID: 37752151
Fast and reliable
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

The System Center Operations Manager 2012, known as SCOM, is a part of the Microsoft system center product that provides the user with infrastructure monitoring and application performance monitoring. SCOM monitors:   Windows or UNIX/LinuxNetwo…
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now