Exchange 2003 Spam Issues

Hi,
 I am having a nightmare with our exchange server getting blocklisted every now and again. The queues appear to be filling up with junk emails. I have ran scans on the server a number of times but nothing has been found. ie. sophos, adaware, and all known good scans have been done.

The server is an exchange 2003 box with around 100+ users on it so it is business critical.

How should I go about finding the culprit machine or mailbox spitting spam. Should I network monitor it (which slows the computer down massively) or any other way?
in order to send emails out temporarily, we are using a borrowed smart host but need to eradicate the issue sooner rather than later.

looking forward to some expert advice.
LVL 19
Kash2nd Line EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alan HardistyCo-OwnerCommented:
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in it's tracks.

Alan

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Kash2nd Line EngineerAuthor Commented:
hello Alan,
     I have done all that. The only thing I did not do was to enable diagnostics logging for event ID 1708. I am doing that now and will keep you posted.

thanks
Kash
Alan HardistyCo-OwnerCommented:
Which bits had you done already?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

araberuniCommented:
What sort of Antispam you are using? Cisco IronPort or TrendMicro scanmail
You must have to have a Antispam software or Appliance installed.
here are some antispam software/cloud solutions
http://www.trendmicro.com/us/enterprise/network-web-messaging-security/scanmail-microsoft-exchange/index.html
http://www.symantec.com/email-security-cloud

Check here http://www.mxtoolbox.com/blacklists.aspx where your server is balcklisted or not
Alan HardistyCo-OwnerCommented:
This is not something that Anti-Spam is going to resolve.
Kash2nd Line EngineerAuthor Commented:
update. diagnostic logging found an admin account (other than administrator) being authenticated. Password has been changed.

The server is not a relay server.

I know the server is blacklisted at UCE and JustSpam.org. There are only 2 ways to delist first being wait and second to pay for to get delisted which I take is causing the issue them sending emails out.

Example Email delivery mail:

Your message did not reach some or all of the intended recipients.

 Subject:      test
Sent:      4/10/2012 12:10 PM

The following recipient(s) could not be reached:

  ****@***.co.uk on 4/10/2012 12:11 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <mail.serverdnsname.co.uk #5.7.1 smtp;550 5.7.1 Recipient rejected (R1)>


should configuring another send connector to deliver using smarthost not rectify the issue or is it still appearing to be delivered using the email server in question.
Alan HardistyCo-OwnerCommented:
Okay - so you have found the account and changed the password which is good.  If you haven't restarted the SMTP Service - make sure you do as the account can still be abused until you do.

The mail-flow issues will be because you are blacklisted and will eventually go away, but you can request delisting (I wouldn't pay for it) and at worst, setup a new SMTP Connector to use your ISP's mailserver as a smarthost for the domains with problems - or all domains for the time being until you are delisted from the blacklist site.

If you want to prevent this from happening again - implement the suggestion in my second blog and remove the Integrated / Basic authentication from your SMTP Virtual Server.
Kash2nd Line EngineerAuthor Commented:
ok mate will do.
though it is blacklisted but the emails are flowing fine though some bounce backs are inevitable.

i did restart SMTP service so it is ok now.

for some reason, the emails (apart from internal) have stopped coming through now. ??

thanks
Alan HardistyCo-OwnerCommented:
Did you untick Anonymous Authentication too?  If you did - please put it back and restart the SMTP Service as without Anonymous Authentication - you won't get any emails.
Kash2nd Line EngineerAuthor Commented:
Hi Alan,
 This is how it was and is. ?
Screen-Shot-2012-04-10-at-13.50..png
Alan HardistyCo-OwnerCommented:
That's fine - is your SMTP Service started?
Kash2nd Line EngineerAuthor Commented:
i think it was just a lag. emails are coming through fine.
Kash2nd Line EngineerAuthor Commented:
top man. I am Alan's student now :)
Alan HardistyCo-OwnerCommented:
Excellent stuff - glad all has calmed itself down now, that mail is flowing and thanks for the points.

Alan
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.