Solved

Exchange 2003 Spam Issues

Posted on 2012-04-10
Last Modified: 2012-04-10
Hi,
I am having a nightmare with our Exchange server getting blocklisted every now and again. The queues appear to be filling up with junk emails. I have run scans on the server a number of times but nothing has been found, i.e. Sophos, Ad-Aware, and all known good scans have been done.

The server is an Exchange 2003 box with around 100+ users on it so it is business critical.

How should I go about finding the culprit machine or mailbox spitting spam? Should I network monitor it (which slows the computer down massively) or any other way?
In order to send emails out temporarily, we are using a borrowed smart host but need to eradicate the issue sooner rather than later.

Looking forward to some expert advice.
0
Question by:Kash
14 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 37826494
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in its tracks.

Alan
0
 
LVL 19

Author Comment

by:Kash
ID: 37826556
Hello Alan,
I have done all that. The only thing I did not do was to enable diagnostics logging for event ID 1708. I am doing that now and will keep you posted.

Thanks
Kash
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37826641
Which bits had you done already?
0
 
LVL 9

Expert Comment

by:araberuni
ID: 37826683
What sort of antispam are you using? Cisco IronPort or Trend Micro ScanMail?
You must have antispam software or an appliance installed.
Here are some antispam software/cloud solutions:
http://www.trendmicro.com/us/enterprise/network-web-messaging-security/scanmail-microsoft-exchange/index.html
http://www.symantec.com/email-security-cloud

Check here http://www.mxtoolbox.com/blacklists.aspx whether your server is blacklisted or not.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37826689
This is not something that Anti-Spam is going to resolve.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827121
Update: diagnostic logging found an admin account (other than administrator) being authenticated. Password has been changed.

The server is not a relay server.

I know the server is blacklisted at UCE and JustSpam.org. There are only 2 ways to delist, the first being to wait and the second to pay to get delisted, which I take it is causing the issue with them sending emails out.

Example Email delivery mail:

Your message did not reach some or all of the intended recipients.

 Subject:      test
Sent:      4/10/2012 12:10 PM

The following recipient(s) could not be reached:

  ****@***.co.uk on 4/10/2012 12:11 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <mail.serverdnsname.co.uk #5.7.1 smtp;550 5.7.1 Recipient rejected (R1)>


Should configuring another send connector to deliver using a smarthost not rectify the issue, or is it still appearing to be delivered using the email server in question?
0
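The diagnostic-logging step used in this thread can be turned into a quick triage once the event ID 1708 descriptions have been exported from the event log as text. This is an added example, not part of the original posts: the description wording matched by the pattern, the sample records, and the names `parse_1708` and `rank_accounts` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed wording of the event 1708 description; adjust the pattern to match
# the text your server actually logs.
EVENT_1708 = re.compile(
    r'SMTP Authentication was performed successfully with client "(?P<client>[^"]+)"\.\s+'
    r'The authentication method used was: (?P<method>\S+) '
    r'and the username was: (?P<user>\S+?)\.?$'
)

# Constructed sample descriptions (not taken from the thread).
_FMT = ('SMTP Authentication was performed successfully with client "{}". '
        'The authentication method used was: {} and the username was: {}.')
SAMPLE = [_FMT.format(c, m, u) for c, m, u in [
    ("WS-ACCOUNTS01", "NTLM", "CORP\\jsmith"),
    ("user-pc", "LOGIN", "CORP\\svcadmin"),
    ("mail.example.net", "LOGIN", "CORP\\svcadmin"),
    ("host-203-0-113-7", "LOGIN", "CORP\\svcadmin"),
    ("localhost", "LOGIN", "CORP\\svcadmin"),
]] + ["Message delivery to the remote domain failed."]  # unrelated event text


def parse_1708(description):
    """Return (user, client, method), or None if the text is not a 1708 record."""
    m = EVENT_1708.search(description.strip())
    if m is None:
        return None
    return m.group("user").lower(), m.group("client").lower(), m.group("method").upper()


def rank_accounts(descriptions, max_clients=2):
    """Tally SMTP logons per account and flag accounts seen from many client names."""
    seen = defaultdict(lambda: {"logons": 0, "clients": set()})
    for text in descriptions:
        parsed = parse_1708(text)
        if parsed is None:
            continue  # skip events that are not SMTP authentications
        user, client, _method = parsed
        seen[user]["logons"] += 1
        seen[user]["clients"].add(client)
    report = [{"user": u, "logons": s["logons"], "clients": sorted(s["clients"]),
               "suspect": len(s["clients"]) > max_clients} for u, s in seen.items()]
    return sorted(report, key=lambda r: (-r["logons"], r["user"]))


if __name__ == "__main__":
    for row in rank_accounts(SAMPLE):
        print(row)
```
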
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827266
Okay - so you have found the account and changed the password which is good.  If you haven't restarted the SMTP Service - make sure you do as the account can still be abused until you do.

The mail-flow issues will be because you are blacklisted and will eventually go away, but you can request delisting (I wouldn't pay for it) and at worst, set up a new SMTP Connector to use your ISP's mailserver as a smarthost for the domains with problems - or all domains for the time being until you are delisted from the blacklist site.

If you want to prevent this from happening again - implement the suggestion in my second blog and remove the Integrated / Basic authentication from your SMTP Virtual Server.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827335
OK mate, will do.
Though it is blacklisted, the emails are flowing fine, though some bounce backs are inevitable.

I did restart the SMTP service so it is OK now.

For some reason, the emails (apart from internal) have stopped coming through now. ??

Thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827354
Did you untick Anonymous Authentication too?  If you did - please put it back and restart the SMTP Service as without Anonymous Authentication - you won't get any emails.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827404
Hi Alan,
 This is how it was and is. ?
Screen-Shot-2012-04-10-at-13.50..png
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827407
That's fine - is your SMTP Service started?
0
 
LVL 19

Author Comment

by:Kash
ID: 37827417
I think it was just a lag. Emails are coming through fine.
0
 
LVL 19

Author Closing Comment

by:Kash
ID: 37827421
Top man. I am Alan's student now :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827428
Excellent stuff - glad all has calmed itself down now, that mail is flowing and thanks for the points.

Alan
0
