Solved

Suspicious/abusive email sending behavior from our server

Posted on 2012-03-20
Last Modified: 2012-03-22
Hi there,
Yesterday our server was flagged as being abusive by Hotmail/Live/MSN.

We have information indicating suspicious/abusive email sending behavior from IP (200.42.208.2):

Date of abuse: 3/19/2012

Total RCPT To commands sent: 115282.00

Total email Sent:  327.00

Because of the large difference in RCPT TO commands versus email sent, this IP has been flagged for namespace mining. Windows Live Hotmail is blocking (or filtering) all email sent from this IP.



I asked them if they could identify who was sending the emails, but they said that information is classified.

So I have to check our server logs (Exchange Server 2003) and see who was sending the emails, but I've never done that.

We have two Exchange servers; one manages the external email, so to me it's obvious where I have to look. The information provided by Microsoft says the problem happened yesterday (March 19), so I have the log file, but I don't know what to look for inside it.

Can someone please help me find what to look for, so I can disable the originating account or implement whatever is needed?

Thank you

PS: Excuse my bad English.
Question by:Tri_Support
8 Comments
 
LVL 12

Expert Comment

by:ryan80
ID: 37742269
My first question would be: is the IP address 200.42.208.2 reserved only for your Exchange server, or are other devices NAT'ed through it as well?
 

Author Comment

by:Tri_Support
ID: 37742290
Just for my Exchange server. Nothing else.
 
LVL 12

Accepted Solution

by:
ryan80 earned 500 total points
ID: 37742620
If you have the logs, you will need to start reviewing them. It should not be too hard to find if there are that many attempts to send emails. You should see a bunch of RCPTs that don't have 250 acknowledgments.

You can also run something like netstat -ao to see what open connections you have and which PID is running those connections. That way you can tell if it is something besides Exchange.
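As an added example that is not part of the original thread, here is the log review ryan80 describes, scripted over a constructed Exchange 2003 SMTP protocol log in the W3C extended format the SMTP virtual server writes (the sample lines, host names, addresses and reply texts are all made up for this example; nothing here comes from the poster's server). The script reads the column names from the #Fields header, attributes each RCPT TO to the account in the preceding MAIL FROM, counts how many recipients the remote server accepted (2xx) versus rejected (4xx/5xx), counts messages it actually queued (2xx after DATA), and ranks senders by accept ratio, which is exactly the "RCPT TO commands versus email sent" gap Microsoft flagged. Two assumptions to be aware of: the thresholds in suspects() are illustrative, and because this log format carries no session identifier, per-connection state is keyed on the remote IP, so interleaved outbound connections to the same remote host can be misattributed.

```python
"""Attribute RCPT TO volume and remote rejections to sending accounts in an
Exchange 2003 SMTP protocol log (W3C extended format, the SMTPSVC1 log folder)."""
import re
from collections import defaultdict

# Constructed sample, not a capture from the poster's server. Column order is read
# from the #Fields header. Replies sit in cs-uri-query with spaces written as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status bytes-sent bytes-received time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2012-03-19 09:00:01 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 MAIL - FROM:<jdoe@example.com> 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:01 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+jdoe@example.com....Sender+OK 0 0 31 0 15 SMTP - - - -
2012-03-19 09:00:01 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<aaa001@hotmail.com> 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:01 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 550+Requested+action+not+taken:+mailbox+unavailable 0 0 55 0 15 SMTP - - - -
2012-03-19 09:00:02 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<aaa002@hotmail.com> 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:02 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 550+Requested+action+not+taken:+mailbox+unavailable 0 0 55 0 15 SMTP - - - -
2012-03-19 09:00:02 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<aaa003@hotmail.com> 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:02 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+aaa003@hotmail.com+Recipient+OK 0 0 34 0 15 SMTP - - - -
2012-03-19 09:00:03 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<aaa004@hotmail.com> 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:03 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 550+Requested+action+not+taken:+mailbox+unavailable 0 0 55 0 15 SMTP - - - -
2012-03-19 09:00:03 65.55.37.104 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 DATA - - 0 0 4 0 15 SMTP - - - -
2012-03-19 09:00:03 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 0 46 0 15 SMTP - - - -
2012-03-19 09:00:04 65.55.37.104 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+Queued+mail+for+delivery 0 0 30 0 15 SMTP - - - -
2012-03-19 09:05:10 64.12.138.120 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 MAIL - FROM:<asmith@example.com> 0 0 4 0 12 SMTP - - - -
2012-03-19 09:05:10 64.12.138.120 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+asmith@example.com....Sender+OK 0 0 33 0 12 SMTP - - - -
2012-03-19 09:05:10 64.12.138.120 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 RCPT - TO:<partner@example.net> 0 0 4 0 12 SMTP - - - -
2012-03-19 09:05:10 64.12.138.120 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+partner@example.net+Recipient+OK 0 0 35 0 12 SMTP - - - -
2012-03-19 09:05:11 64.12.138.120 OutboundConnectionCommand SMTPSVC1 EXCH01 - 25 DATA - - 0 0 4 0 12 SMTP - - - -
2012-03-19 09:05:11 64.12.138.120 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 354+Start+mail+input;+end+with+<CRLF>.<CRLF> 0 0 46 0 12 SMTP - - - -
2012-03-19 09:05:12 64.12.138.120 OutboundConnectionResponse SMTPSVC1 EXCH01 - 25 - - 250+Queued+mail+for+delivery 0 0 30 0 12 SMTP - - - -
"""

ADDR_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated rows rather than misalign columns
                yield dict(zip(fields, parts))


def sender_stats(text):
    """Per MAIL FROM address: RCPT TO commands, replies to them by class, messages the
    remote side queued (2xx after DATA) and recipient domains. State is keyed on the
    remote IP (assumption: no session id in this format), so interleaved connections
    to the same remote host can be misattributed."""
    stats = defaultdict(lambda: {"rcpt": 0, "accepted": 0, "rejected": 0,
                                 "queued": 0, "domains": set()})
    session = {}  # c-ip -> {"sender": address, "pending": last verb awaiting a reply}
    for row in parse_w3c(text):
        s = session.setdefault(row["c-ip"], {"sender": "<unknown>", "pending": None})
        if row["cs-username"] == "OutboundConnectionCommand":
            verb = row["cs-method"].upper()
            m = ADDR_RE.search(row["cs-uri-query"])
            if verb == "MAIL":
                s["sender"] = m.group(1).lower() if m else "<unknown>"
            elif verb == "RCPT":
                st = stats[s["sender"]]
                st["rcpt"] += 1
                if m and "@" in m.group(1):
                    st["domains"].add(m.group(1).rsplit("@", 1)[1].lower())
            s["pending"] = verb
        elif row["cs-username"] == "OutboundConnectionResponse" and s["pending"]:
            code = row["cs-uri-query"][:3]
            if s["pending"] == "RCPT":
                st = stats[s["sender"]]
                if code.startswith("2"):
                    st["accepted"] += 1
                elif code[:1] in "45":
                    st["rejected"] += 1
            elif s["pending"] == "DATA":
                if code == "354":  # body requested; the reply that counts comes after it
                    continue
                if code.startswith("2"):
                    stats[s["sender"]]["queued"] += 1
            s["pending"] = None
    return dict(stats)


def suspects(stats, min_rcpt=1, max_accept_ratio=0.5):
    """Senders with many RCPT TO commands but few accepted recipients, the shape behind
    a namespace-mining flag. Thresholds are illustrative; tune them to real volume."""
    out = []
    for sender, st in stats.items():
        ratio = st["accepted"] / st["rcpt"] if st["rcpt"] else 1.0
        if st["rcpt"] >= min_rcpt and ratio <= max_accept_ratio:
            out.append((sender, st["rcpt"], st["accepted"], st["rejected"], round(ratio, 3)))
    return sorted(out, key=lambda t: (t[4], -t[1]))


if __name__ == "__main__":
    for sender, rcpt, ok, bad, ratio in suspects(sender_stats(SAMPLE_LOG)):
        print(f"{sender}: {rcpt} RCPT TO, {ok} accepted, {bad} rejected (accept ratio {ratio})")
```

Point sender_stats() at the real day's file from the SMTP virtual server's log directory instead of SAMPLE_LOG; this only works if protocol logging was enabled on that virtual server before the incident, since Exchange 2003 does not write SMTP protocol logs by default. At the volume Microsoft reported (115,282 RCPT TO commands against 327 messages sent) the offending account's accept ratio will sit near 0.003, far below any sane threshold, and the "domains" set will show whether the recipients were all at hotmail.com as the block notice suggests.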

 

Author Comment

by:Tri_Support
ID: 37742662
I've checked the log and found a massive amount of emails sent to Hotmail yesterday from one account.

We have proceeded to block that account and block its access to our network.

The next step should be to talk to him and check his machine.

Let's hope this is fine for them, I mean, for Microsoft.
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37743365
It might be related to virus / worm on the machine.
 
LVL 12

Expert Comment

by:ryan80
ID: 37743376
If this is the case, you should consider blocking port 25 to the workstations. Outlook uses other ports, so port 25 should not be needed in most cases.
 

Author Comment

by:Tri_Support
ID: 37743550
Port 25 is blocked by McAfee antivirus on all workstations.

If it was a virus, it took his mail address and spread using Outlook.

Now I realize that it could be an issue with a PST; as technical support I've seen cases where the user tries to send an email, the PST gets corrupted and the system keeps generating the email.

Of course it could also be a case where the user didn't realize how to send massive emails, or was abusing the system.

We are investigating.
 

Author Closing Comment

by:Tri_Support
ID: 37752151
Fast and reliable
