John Achille
asked on
How do I track down a spam offender?
Recently we have had a high rate of spam. I am not sure how to track it down from the Exchange server to the offending workstation. We have now lost access to our relay host because of this. Any help would be beneficial.
ASKER CERTIFIED SOLUTION
ASKER
Also I am extremely concerned about this happening again. How do I ensure this is the actual issue?
No - not at all. If you disable Integrated Windows and Basic Authentication on your SMTP Virtual Server, you are stopping spammers from sending usernames and passwords to your server to access your server to relay off.
OWA and RPC use HTTPS, so a totally different way of communicating.
It is possible that you have an infected computer remotely using RPC over HTTPS and that this is sending spam to your server to relay, but this is not as common as a hacker brute force attacking your server and finding a weak password.
ASKER
Disabling for delivery or authentication?
Authentication.
Make sure you restart the Simple Mail Transfer Protocol Service afterwards.
ASKER
Should I clean out the queues or will Exchange do it for me?
ASKER
Queues, I meant.
Exchange will try to keep sending.
Download the attached and use the tool to clear the queues.
Rename the attached to a .exe file (can't attach an exe file in EE).
Guidance on how to use it can be found here:
http://community.spiceworks.com/how_to/show/267
But the link no longer works
aqadmcli.txt
ASKER
How would I explain this to a non-tech? The reason I ask is that originally I thought it was a polluted workstation, which I understand completely, but how would an RPC-HTTPS user be exploited by a hacker?
If a virus gets onto their computer and starts sending out emails using Outlook, then if they are connected via RPC over HTTPS, the email will get sent to your server and thus out from your server. This is very uncommon, but not impossible. I have known personally of one instance where this happened to a customer of mine.
It isn't a hacker exploiting RPC over HTTPS, but simply an infected computer not using its own SMTP Engine.
ASKER
I'm sorry, I meant your comment (ID: 38002168): "may be an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam)". How can I track it down?
ASKER
Now we have one user getting:
Your message did not reach some or all of the intended recipients.
Subject: Re: Follow Up
Sent: 5/23/2012 12:25 PM
The following recipient(s) cannot be reached:
them@cbs.com on 5/23/2012 12:26 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<exchange.abc.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.456.78.900] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com.>
Read my article in my first comment - it gives you guidance on how to track down the offending account.
You will be Blacklisted on various Blacklisting sites.
Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
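As an added example (not from this thread and not from Alan's article): a small Python script that reads the SMTP virtual server's protocol log and reports the client IPs that authenticated and then sent mail in volume, which is the footprint of an authenticated relay through a guessed password. The field order in FIELDS and the sample log lines are constructed assumptions; match FIELDS to the #Fields: header of your own W3C log.

```python
from collections import defaultdict

# Assumed field order (constructed for this example, modelled loosely on an
# IIS/Exchange 2003 W3C SMTP protocol log); match it to your log's #Fields: line.
FIELDS = ["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
          "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample: 10.0.0.45 authenticates and bulk-sends, 10.0.0.77 sends
# one legitimate message, 198.51.100.9 is an inbound MX that never authenticates.
SAMPLE_LOG = """\
2012-05-23 12:20:01 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 AUTH - LOGIN 334
2012-05-23 12:20:02 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 MAIL - +FROM:<bob@abc.com> 250
2012-05-23 12:20:02 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 RCPT - +TO:<a@example.net> 250
2012-05-23 12:20:03 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 MAIL - +FROM:<bob@abc.com> 250
2012-05-23 12:20:03 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 RCPT - +TO:<b@example.net> 250
2012-05-23 12:20:04 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 MAIL - +FROM:<bob@abc.com> 250
2012-05-23 12:20:04 10.0.0.45 WKSTN45 SMTPSVC1 EXCH 10.0.0.5 25 RCPT - +TO:<c@example.net> 250
2012-05-23 12:21:00 10.0.0.77 WKSTN77 SMTPSVC1 EXCH 10.0.0.5 25 AUTH - LOGIN 334
2012-05-23 12:21:01 10.0.0.77 WKSTN77 SMTPSVC1 EXCH 10.0.0.5 25 MAIL - +FROM:<ann@abc.com> 250
2012-05-23 12:21:01 10.0.0.77 WKSTN77 SMTPSVC1 EXCH 10.0.0.5 25 RCPT - +TO:<d@example.net> 250
2012-05-23 12:22:00 198.51.100.9 mx.example.net SMTPSVC1 EXCH 10.0.0.5 25 MAIL - +FROM:<x@example.net> 250
2012-05-23 12:22:00 198.51.100.9 mx.example.net SMTPSVC1 EXCH 10.0.0.5 25 RCPT - +TO:<bob@abc.com> 250
"""

def find_relay_abusers(log_text, mail_threshold=3):
    """Return {client_ip: (auth_count, mail_count, distinct_recipients)} for each
    client that issued AUTH and then sent at least mail_threshold messages."""
    stats = defaultdict(lambda: {"auth": 0, "mail": 0, "rcpt": set()})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):          # skip W3C header lines
            continue
        parts = line.split(" ", len(FIELDS) - 1)
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        ip, verb, arg = rec["c-ip"], rec["cs-method"], rec["cs-uri-query"]
        if verb == "AUTH":
            stats[ip]["auth"] += 1
        elif verb == "MAIL" and stats[ip]["auth"]:   # only count post-AUTH sends
            stats[ip]["mail"] += 1
        elif verb == "RCPT" and stats[ip]["auth"]:
            stats[ip]["rcpt"].add(arg.lstrip("+").lower())
    return {ip: (s["auth"], s["mail"], len(s["rcpt"]))
            for ip, s in stats.items()
            if s["auth"] and s["mail"] >= mail_threshold}

if __name__ == "__main__":
    for ip, (auths, mails, rcpts) in find_relay_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {auths} AUTH, {mails} MAIL FROM, {rcpts} distinct recipients")
```

Once a client IP stands out, that is the workstation to clean, and the account whose credentials it used needs its password reset before authentication is re-enabled.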
ASKER
Checked the blacklists and we're not listed.
Well according to your last post, you must be listed somewhere. Not sure where, but the message is saying you are blacklisted.
ASKER
Then it may well be the actual receiving server that's blacklisting us. Contacting delist.forefront@messaging.microsoft.com for support.
ASKER
As always I learn from "The Alan"! Thank you!