Exchange 2003 Spam Issues

Hi,
 I am having a nightmare with our exchange server getting blocklisted every now and again. The queues appear to be filling up with junk emails. I have ran scans on the server a number of times but nothing has been found. ie. sophos, adaware, and all known good scans have been done.

The server is an exchange 2003 box with around 100+ users on it so it is business critical.

How should I go about finding the culprit machine or mailbox spitting spam. Should I network monitor it (which slows the computer down massively) or any other way?
in order to send emails out temporarily, we are using a borrowed smart host but need to eradicate the issue sooner rather than later.

looking forward to some expert advice.
LVL 19
Kash2nd Line EngineerAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Alan HardistyConnect With a Mentor Co-OwnerCommented:
You are probably an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in it's tracks.

Alan
0
 
Kash2nd Line EngineerAuthor Commented:
hello Alan,
     I have done all that. The only thing I did not do was to enable diagnostics logging for event ID 1708. I am doing that now and will keep you posted.

thanks
Kash
0
 
Alan HardistyCo-OwnerCommented:
Which bits had you done already?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
araberuniCommented:
What sort of Antispam you are using? Cisco IronPort or TrendMicro scanmail
You must have to have a Antispam software or Appliance installed.
here are some antispam software/cloud solutions
http://www.trendmicro.com/us/enterprise/network-web-messaging-security/scanmail-microsoft-exchange/index.html
http://www.symantec.com/email-security-cloud

Check here http://www.mxtoolbox.com/blacklists.aspx where your server is balcklisted or not
0
 
Alan HardistyCo-OwnerCommented:
This is not something that Anti-Spam is going to resolve.
0
 
Kash2nd Line EngineerAuthor Commented:
update. diagnostic logging found an admin account (other than administrator) being authenticated. Password has been changed.

The server is not a relay server.

I know the server is blacklisted at UCE and JustSpam.org. There are only 2 ways to delist first being wait and second to pay for to get delisted which I take is causing the issue them sending emails out.

Example Email delivery mail:

Your message did not reach some or all of the intended recipients.

 Subject:      test
Sent:      4/10/2012 12:10 PM

The following recipient(s) could not be reached:

  ****@***.co.uk on 4/10/2012 12:11 PM
  You do not have permission to send to this recipient.  For assistance, contact your system administrator.
  <mail.serverdnsname.co.uk #5.7.1 smtp;550 5.7.1 Recipient rejected (R1)>


should configuring another send connector to deliver using smarthost not rectify the issue or is it still appearing to be delivered using the email server in question.
0
 
Alan HardistyCo-OwnerCommented:
Okay - so you have found the account and changed the password which is good.  If you haven't restarted the SMTP Service - make sure you do as the account can still be abused until you do.

The mail-flow issues will be because you are blacklisted and will eventually go away, but you can request delisting (I wouldn't pay for it) and at worst, setup a new SMTP Connector to use your ISP's mailserver as a smarthost for the domains with problems - or all domains for the time being until you are delisted from the blacklist site.

If you want to prevent this from happening again - implement the suggestion in my second blog and remove the Integrated / Basic authentication from your SMTP Virtual Server.
0
 
Kash2nd Line EngineerAuthor Commented:
ok mate will do.
though it is blacklisted but the emails are flowing fine though some bounce backs are inevitable.

i did restart SMTP service so it is ok now.

for some reason, the emails (apart from internal) have stopped coming through now. ??

thanks
0
 
Alan HardistyCo-OwnerCommented:
Did you untick Anonymous Authentication too?  If you did - please put it back and restart the SMTP Service as without Anonymous Authentication - you won't get any emails.
0
 
Kash2nd Line EngineerAuthor Commented:
Hi Alan,
 This is how it was and is. ?
Screen-Shot-2012-04-10-at-13.50..png
0
 
Alan HardistyCo-OwnerCommented:
That's fine - is your SMTP Service started?
0
 
Kash2nd Line EngineerAuthor Commented:
i think it was just a lag. emails are coming through fine.
0
 
Kash2nd Line EngineerAuthor Commented:
top man. I am Alan's student now :)
0
 
Alan HardistyCo-OwnerCommented:
Excellent stuff - glad all has calmed itself down now, that mail is flowing and thanks for the points.

Alan
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.