Solved

Exchange 2003 Spam Issues

Posted on 2012-04-10
14
510 Views
Last Modified: 2012-04-10
Hi,
 I am having a nightmare with our exchange server getting blocklisted every now and again. The queues appear to be filling up with junk emails. I have ran scans on the server a number of times but nothing has been found. ie. sophos, adaware, and all known good scans have been done.

The server is an exchange 2003 box with around 100+ users on it so it is business critical.

How should I go about finding the culprit machine or mailbox spitting spam. Should I network monitor it (which slows the computer down massively) or any other way?
in order to send emails out temporarily, we are using a borrowed smart host but need to eradicate the issue sooner rather than later.

looking forward to some expert advice.
0
Comment
Question by:Kash
  • 7
  • 6
14 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37826494
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in it's tracks.

Alan
0
 
LVL 19

Author Comment

by:Kash
ID: 37826556
hello Alan,
     I have done all that. The only thing I did not do was to enable diagnostics logging for event ID 1708. I am doing that now and will keep you posted.

thanks
Kash
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37826641
Which bits had you done already?
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 9

Expert Comment

by:araberuni
ID: 37826683
What sort of Antispam you are using? Cisco IronPort or TrendMicro scanmail
You must have to have a Antispam software or Appliance installed.
here are some antispam software/cloud solutions
http://www.trendmicro.com/us/enterprise/network-web-messaging-security/scanmail-microsoft-exchange/index.html
http://www.symantec.com/email-security-cloud

Check here http://www.mxtoolbox.com/blacklists.aspx where your server is balcklisted or not
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37826689
This is not something that Anti-Spam is going to resolve.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827121
update. diagnostic logging found an admin account (other than administrator) being authenticated. Password has been changed.

The server is not a relay server.

I know the server is blacklisted at UCE and JustSpam.org. There are only 2 ways to delist first being wait and second to pay for to get delisted which I take is causing the issue them sending emails out.

Example Email delivery mail:

Your message did not reach some or all of the intended recipients.

 Subject:      test
Sent:      4/10/2012 12:10 PM

The following recipient(s) could not be reached:

  ****@***.co.uk on 4/10/2012 12:11 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <mail.serverdnsname.co.uk #5.7.1 smtp;550 5.7.1 Recipient rejected (R1)>


should configuring another send connector to deliver using smarthost not rectify the issue or is it still appearing to be delivered using the email server in question.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827266
Okay - so you have found the account and changed the password which is good.  If you haven't restarted the SMTP Service - make sure you do as the account can still be abused until you do.

The mail-flow issues will be because you are blacklisted and will eventually go away, but you can request delisting (I wouldn't pay for it) and at worst, setup a new SMTP Connector to use your ISP's mailserver as a smarthost for the domains with problems - or all domains for the time being until you are delisted from the blacklist site.

If you want to prevent this from happening again - implement the suggestion in my second blog and remove the Integrated / Basic authentication from your SMTP Virtual Server.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827335
ok mate will do.
though it is blacklisted but the emails are flowing fine though some bounce backs are inevitable.

i did restart SMTP service so it is ok now.

for some reason, the emails (apart from internal) have stopped coming through now. ??

thanks
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827354
Did you untick Anonymous Authentication too?  If you did - please put it back and restart the SMTP Service as without Anonymous Authentication - you won't get any emails.
0
 
LVL 19

Author Comment

by:Kash
ID: 37827404
Hi Alan,
 This is how it was and is. ?
Screen-Shot-2012-04-10-at-13.50..png
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827407
That's fine - is your SMTP Service started?
0
 
LVL 19

Author Comment

by:Kash
ID: 37827417
i think it was just a lag. emails are coming through fine.
0
 
LVL 19

Author Closing Comment

by:Kash
ID: 37827421
top man. I am Alan's student now :)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37827428
Excellent stuff - glad all has calmed itself down now, that mail is flowing and thanks for the points.

Alan
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question