Solved

Exchange 2003 Spam Issues

Posted on 2012-04-10
Last Modified: 2012-04-10
Hi,
I am having a nightmare with our Exchange server getting blocklisted every now and again. The queues appear to be filling up with junk emails. I have run scans on the server a number of times but nothing has been found, i.e. Sophos, Ad-Aware, and all known good scans have been done.

The server is an Exchange 2003 box with around 100+ users on it so it is business critical.

How should I go about finding the culprit machine or mailbox spitting spam? Should I network monitor it (which slows the computer down massively) or is there any other way?
In order to send emails out temporarily, we are using a borrowed smart host but need to eradicate the issue sooner rather than later.

Looking forward to some expert advice.
Question by:Kash
14 Comments
 
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in its tracks.

Alan
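The "authenticated relay" diagnosis above is confirmed from the SMTP virtual server's own protocol log rather than from an antivirus scan: a stolen account shows up as a client that sends AUTH once and then floods RCPT TO, while the password guessing that stole it shows up as a client sending AUTH over and over and getting rejected. The script below is an added example for this thread, not code from Alan's articles or from Exchange. It assumes W3C extended logging is enabled on the virtual server (the files live under System32\LogFiles\SMTPSVC1 by default), that the file carries its own "#Fields:" header, that cs-method holds the SMTP verb, cs-uri-query its argument and cs-username the client's HELO/EHLO name, and that the reply codes are the standard SMTP ones (235 authentication accepted, 535 rejected, 250 accepted). Every log line in it is constructed.

```python
"""
Hunt for an abused account in the SMTP virtual server's W3C log.

Added example for this thread, not code from the original posts or from
Exchange. Assumed: W3C extended logging is on (files under
System32\\LogFiles\\SMTPSVC1 by default), the file carries a "#Fields:"
header, cs-method holds the SMTP verb, cs-uri-query its argument and
cs-username the client's HELO/EHLO name. Reply codes are the standard SMTP
ones (235 auth OK, 535 auth failed, 250 accepted). All log lines below are
constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Session:
    """What one (client IP, HELO name) pair did against the virtual server."""
    auth_ok: int = 0        # AUTH answered 235: credentials accepted
    auth_fail: int = 0      # AUTH answered 535: credentials rejected
    rcpt_ok: int = 0        # RCPT TO answered 250
    senders: Set[str] = field(default_factory=set)   # accepted MAIL FROM args


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Rows as dicts keyed by the file's own #Fields header (never hard-coded)."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue        # no header yet, or a damaged record: skip it
        rows.append(dict(zip(fields, parts)))
    return rows


def summarise(rows: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], Session]:
    sessions: Dict[Tuple[str, str], Session] = defaultdict(Session)
    for r in rows:
        s = sessions[(r["c-ip"], r["cs-username"])]
        verb, status = r["cs-method"].upper(), r["sc-status"]
        if verb == "AUTH":
            if status == "235":
                s.auth_ok += 1
            elif status == "535":
                s.auth_fail += 1
        elif verb == "MAIL" and status == "250":
            s.senders.add(r["cs-uri-query"])
        elif verb == "RCPT" and status == "250":
            s.rcpt_ok += 1
    return sessions


def find_abuse(rows, rcpt_threshold: int = 20, fail_threshold: int = 10):
    """(kind, client_ip, helo_name, count) tuples. 'relay': authenticated, then
    many recipients (a stolen account relaying). 'bruteforce': many rejected
    AUTHs and nothing accepted (the guessing that steals the account)."""
    findings = []
    for (ip, helo), s in summarise(rows).items():
        if s.auth_ok and s.rcpt_ok >= rcpt_threshold:
            findings.append(("relay", ip, helo, s.rcpt_ok))
        elif s.auth_fail >= fail_threshold and s.rcpt_ok == 0:
            findings.append(("bruteforce", ip, helo, s.auth_fail))
    return findings


# constructed sample log: the column list is the one IIS 6 writes
_HEADER = ("#Fields: date time c-ip cs-username s-sitename s-computername s-ip "
           "s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
           "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
           "cs(Cookie) cs(Referer)")


def _rec(ip: str, helo: str, verb: str, arg: str, status: str) -> str:
    """One constructed record; only the columns the analysis reads vary."""
    return (f"2012-04-10 12:00:01 {ip} {helo} SMTPSVC1 EXCH01 192.0.2.10 0 "
            f"{verb} - {arg} {status} 0 0 0 0 SMTP - - - -")


SAMPLE_LOG: List[str] = ["#Software: Microsoft Internet Information Services 6.0", _HEADER]
# a bot relaying through a guessed password: one AUTH, then 40 recipients
SAMPLE_LOG += [_rec("203.0.113.7", "bot.example", "EHLO", "+bot.example", "250"),
               _rec("203.0.113.7", "bot.example", "AUTH", "LOGIN", "235"),
               _rec("203.0.113.7", "bot.example", "MAIL", "+FROM:<deals@spam.example>", "250")]
SAMPLE_LOG += [_rec("203.0.113.7", "bot.example", "RCPT", f"+TO:<u{i}@victim.example>", "250")
               for i in range(40)]
# a password-guessing run: 25 failed AUTHs, nothing delivered
SAMPLE_LOG += [_rec("203.0.113.50", "-", "AUTH", "LOGIN", "535") for _ in range(25)]
# normal inbound mail from a partner MX: no AUTH, one recipient
SAMPLE_LOG += [_rec("198.51.100.20", "mx.partner.example", "EHLO", "+mx.partner.example", "250"),
               _rec("198.51.100.20", "mx.partner.example", "MAIL", "+FROM:<bob@partner.example>", "250"),
               _rec("198.51.100.20", "mx.partner.example", "RCPT", "+TO:<kash@corp.example>", "250")]

if __name__ == "__main__":
    for kind, ip, helo, n in find_abuse(parse_w3c(SAMPLE_LOG)):
        print(f"{kind:<10} {ip:<15} helo={helo} count={n}")
```

Point it at a real log file with `find_abuse(parse_w3c(open(path)))`. The "relay" hit gives you the client IP to block at the firewall; the account name itself comes from the matching MSExchangeTransport event 1708 entries once diagnostic logging is turned up, as the thread goes on to do.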
LVL 19

Author Comment

by: Kash
Hello Alan,
I have done all that. The only thing I did not do was to enable diagnostics logging for event ID 1708. I am doing that now and will keep you posted.

Thanks
Kash
LVL 76

Expert Comment

by: Alan Hardisty
Which bits had you done already?
LVL 9

Expert Comment

by: araberuni
What sort of antispam are you using? Cisco IronPort or Trend Micro ScanMail?
You must have antispam software or an appliance installed.
Here are some antispam software/cloud solutions:
http://www.trendmicro.com/us/enterprise/network-web-messaging-security/scanmail-microsoft-exchange/index.html
http://www.symantec.com/email-security-cloud

Check here http://www.mxtoolbox.com/blacklists.aspx whether your server is blacklisted or not.
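Checking the blacklists yourself is a plain DNS query, which is all sites like mxtoolbox do. The helper below is an added example, not code from the thread or from mxtoolbox. A list is asked about an IPv4 address by looking up the reversed octets under the list's zone: NXDOMAIN means not listed, and an A record inside 127.0.0.0/8 means listed, with the last octet carrying the list's reason code. One caveat worth handling: Spamhaus answers lookup errors (for example queries arriving through an open resolver) with addresses in 127.255.255.0/24, which a naive check would report as a listing. The zone names are examples of public lists; only check() and check_all() touch the network.

```python
"""
DNSBL lookup: the check behind "am I blacklisted" sites such as mxtoolbox.

Added example, not from the thread. Query name is the reversed IPv4 octets
under the list zone; NXDOMAIN = not listed; A record in 127.0.0.0/8 = listed
(last octet is the list's reason code); 127.255.255.0/24 is the error range
Spamhaus uses for refused queries and must not be read as a listing.
"""
import ipaddress
import socket
from typing import Dict, Iterable, Optional

ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")   # checked before LISTED_RANGE
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl-1.uceprotect.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """'192.0.2.10' + 'bl.example' -> '10.2.0.192.bl.example'."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; IPv6 lists use nibble-reversed names")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def interpret_answer(answer: Optional[str]) -> str:
    """Map the A record (None for NXDOMAIN) to a verdict."""
    if answer is None:
        return "not listed"
    a = ipaddress.ip_address(answer)
    if a in ERROR_RANGE:
        return f"lookup error ({answer}): query refused, not a listing"
    if a in LISTED_RANGE:
        return f"listed ({answer})"
    return f"unexpected answer ({answer}): treat as a lookup failure"


def check(ip: str, zone: str) -> str:
    """Live query; needs DNS. NXDOMAIN surfaces as socket.gaierror."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        answer = None
    return interpret_answer(answer)


def check_all(ip: str, zones: Iterable[str] = DEFAULT_ZONES) -> Dict[str, str]:
    return {zone: check(ip, zone) for zone in zones}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # documentation address
    for zone, verdict in check_all(target).items():
        print(f"{zone:<25} {verdict}")
```

Run it against the public IP your outbound mail leaves from, not the server's internal address, and keep the script in the delisting loop: a list that still returns a 127.x answer after you have cleaned up has not yet processed the delisting request.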
LVL 76

Expert Comment

by: Alan Hardisty
This is not something that Anti-Spam is going to resolve.
LVL 19

Author Comment

by: Kash
Update: diagnostic logging found an admin account (other than Administrator) being authenticated. The password has been changed.

The server is not a relay server.

I know the server is blacklisted at UCE and JustSpam.org. There are only 2 ways to delist, the first being to wait and the second to pay to get delisted, which I take is causing the issue with them sending emails out.

Example email delivery mail:

    Your message did not reach some or all of the intended recipients.

    Subject:  test
    Sent:     4/10/2012 12:10 PM

    The following recipient(s) could not be reached:

      ****@***.co.uk on 4/10/2012 12:11 PM
      You do not have permission to send to this recipient.  For assistance, contact your system administrator.
      <mail.serverdnsname.co.uk #5.7.1 smtp;550 5.7.1 Recipient rejected (R1)>

Should configuring another send connector to deliver using a smarthost not rectify the issue, or is it still appearing to be delivered using the email server in question?
LVL 76

Expert Comment

by: Alan Hardisty
Okay - so you have found the account and changed the password which is good.  If you haven't restarted the SMTP Service - make sure you do as the account can still be abused until you do.

The mail-flow issues will be because you are blacklisted and will eventually go away, but you can request delisting (I wouldn't pay for it) and at worst, set up a new SMTP Connector to use your ISP's mailserver as a smarthost for the domains with problems - or all domains for the time being until you are delisted from the blacklist site.

If you want to prevent this from happening again - implement the suggestion in my second blog and remove the Integrated / Basic authentication from your SMTP Virtual Server.
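The fix Alan describes is a one-bit change on the SMTP virtual server's Access tab: leave Anonymous on (every other mail server on the Internet delivers to you that way) and turn Basic and Integrated Windows authentication off, so a guessed domain password can no longer be turned into relay rights. The check below is an added example, not code from the thread or from Alan's blog. It reasons over the IIS metabase AuthFlags bitmask that backs that dialog (values from iiscnfg.h: anonymous=1, basic=2, integrated Windows/NTLM=4); reading the live value from the metabase (normally IIS://localhost/SMTPSVC/1 for the first virtual server) is assumed to happen elsewhere, so the check runs offline. The "over-tightened" case is the one that bites later in this thread, where inbound mail stops because Anonymous was removed too.

```python
"""
Posture check for the SMTP virtual server's authentication methods.

Added example, not from the thread. Works on the IIS metabase AuthFlags
bitmask (iiscnfg.h: MD_AUTH_ANONYMOUS=1, MD_AUTH_BASIC=2, MD_AUTH_NT=4).
Reading the live value (assumed path IIS://localhost/SMTPSVC/1) is left to
the caller so this runs offline.
"""
from typing import List

AUTH_ANONYMOUS = 0x1    # other MTAs deliver inbound mail this way
AUTH_BASIC = 0x2        # username/password, base64 on the wire
AUTH_INTEGRATED = 0x4   # Integrated Windows authentication (NTLM/GSSAPI)

NAMES = {AUTH_ANONYMOUS: "anonymous", AUTH_BASIC: "basic", AUTH_INTEGRATED: "integrated"}


def enabled(flags: int) -> List[str]:
    """Names of the methods switched on in the bitmask, in bit order."""
    return [name for bit, name in NAMES.items() if flags & bit]


def assess(flags: int) -> List[str]:
    """Findings against the fix recommended above: anonymous on, everything
    else off on the Internet-facing virtual server."""
    findings = []
    if not flags & AUTH_ANONYMOUS:
        findings.append("anonymous is off: remote MTAs can no longer deliver inbound mail")
    if flags & AUTH_BASIC:
        findings.append("basic is on: any guessed domain password gives relay rights from the Internet")
    if flags & AUTH_INTEGRATED:
        findings.append("integrated is on: the same exposure for clients that can speak NTLM")
    return findings


def hardened(flags: int) -> int:
    """The value the fix leaves behind: anonymous only, whatever the input."""
    return (flags | AUTH_ANONYMOUS) & ~(AUTH_BASIC | AUTH_INTEGRATED)


if __name__ == "__main__":
    cases = (("default, all three on", 7), ("over-tightened, anonymous off", 6), ("hardened", 1))
    for label, value in cases:
        print(f"{label:<30} AuthFlags={value} {enabled(value)} -> {assess(value)}")
```

If some POP3/IMAP users or devices genuinely need SMTP AUTH to submit mail, keep that on a second virtual server bound to a different IP or port that is not reachable from the Internet, rather than re-enabling Basic on the one your MX record points at.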
LVL 19

Author Comment

by: Kash
OK mate, will do.
Though it is blacklisted, the emails are flowing fine, though some bounce-backs are inevitable.

I did restart the SMTP service so it is OK now.

For some reason, the emails (apart from internal) have stopped coming through now?

Thanks
LVL 76

Expert Comment

by: Alan Hardisty
Did you untick Anonymous Authentication too?  If you did - please put it back and restart the SMTP Service as without Anonymous Authentication - you won't get any emails.
LVL 19

Author Comment

by: Kash
Hi Alan,
This is how it was and is?
[Screenshot attached: Screen-Shot-2012-04-10-at-13.50..png]
LVL 76

Expert Comment

by: Alan Hardisty
That's fine - is your SMTP Service started?
LVL 19

Author Comment

by: Kash
I think it was just a lag. Emails are coming through fine.
LVL 19

Author Closing Comment

by: Kash
Top man. I am Alan's student now :)
LVL 76

Expert Comment

by: Alan Hardisty
Excellent stuff - glad all has calmed itself down now, that mail is flowing and thanks for the points.

Alan