John Achille (United States of America) asked on

How do I track down a spam offender?

Recently we have had a high rate of spam. I am not sure how to track it down from the Exchange server to the offending workstation. We have now lost access to our relay host because of this. Any help would be beneficial.
Exchange, Windows Server 2003

Last comment: John Achille, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Alan Hardisty

John Achille

ASKER
The only protocols I'm using are HTTP/SMTP. 12 users are using RPC over HTTPS and 105 are using OWA. Would disabling that affect my OWA users?
John Achille

ASKER
Also, I am extremely concerned about this happening again. How do I ensure this is the actual issue?
Alan Hardisty

No - not at all.  If you disable Integrated Windows and Basic Authentication on your SMTP Virtual Server, you are stopping spammers from sending usernames and passwords to your server to access your server to relay off.

OWA and RPC use HTTPS, so a totally different way of communicating.

It is possible that you have an infected computer remotely using RPC over HTTPS and that this is sending spam to your server to relay, but this is not as common as a hacker brute force attacking your server and finding a weak password.
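Alan's comment above draws the line between an authenticated relay (someone found a weak password and is logging in to the SMTP virtual server to relay) and an infected internal workstation relaying without authentication. The SMTP virtual server's protocol log (W3C extended format, enabled on the virtual server's General tab) shows both: cs-username is filled in once AUTH has succeeded, and c-ip says which machine is talking. The script below is an added example, not part of the original thread or of Alan's article; the log lines are constructed, and the #Fields layout is the default W3C set trimmed to the columns used here, so take the #Fields line from your own log.

```python
"""Triage an Exchange 2003 SMTP virtual server log (W3C extended format)
to find which client IP, and which authenticated account if any, is
pushing mail through the server.

Added example: SAMPLE_LOG is constructed, not taken from the original post.
The #Fields layout is an assumption (default W3C fields, trimmed); the
parser reads whatever #Fields line the real log carries."""
from collections import defaultdict

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-05-23 12:20:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken
2012-05-23 12:20:01 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 EHLO - +mx.example.net 250 0 0 0 0
2012-05-23 12:20:01 203.0.113.45 - SMTPSVC1 EXCHANGE 192.0.2.10 25 AUTH - LOGIN 235 0 0 0 0
2012-05-23 12:20:02 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 MAIL - +FROM:<promo@example.org> 250 0 0 0 0
2012-05-23 12:20:02 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<a@example.com> 250 0 0 0 0
2012-05-23 12:20:03 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 MAIL - +FROM:<promo@example.org> 250 0 0 0 0
2012-05-23 12:20:03 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<b@example.com> 250 0 0 0 0
2012-05-23 12:20:04 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 MAIL - +FROM:<promo@example.org> 250 0 0 0 0
2012-05-23 12:20:04 203.0.113.45 ABC\jsmith SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<c@example.com> 250 0 0 0 0
2012-05-23 12:21:10 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 EHLO - +ws57 250 0 0 0 0
2012-05-23 12:21:10 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 MAIL - +FROM:<random@example.net> 250 0 0 0 0
2012-05-23 12:21:11 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<d@example.com> 250 0 0 0 0
2012-05-23 12:21:11 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<e@example.com> 250 0 0 0 0
2012-05-23 12:21:11 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<f@example.com> 250 0 0 0 0
2012-05-23 12:21:11 10.1.1.57 - SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<g@example.com> 250 0 0 0 0
2012-05-23 12:25:00 10.1.1.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 EHLO - +ws20 250 0 0 0 0
2012-05-23 12:25:00 10.1.1.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 MAIL - +FROM:<jane@abc.com> 250 0 0 0 0
2012-05-23 12:25:01 10.1.1.20 - SMTPSVC1 EXCHANGE 192.0.2.10 25 RCPT - +TO:<them@cbs.com> 250 0 0 0 0
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(text):
    """Per client IP: authenticated users seen, MAIL FROM / RCPT TO counts, envelope senders."""
    per_ip = defaultdict(lambda: {"auth_users": set(), "mail_from": 0, "rcpt_to": 0, "senders": set()})
    for rec in parse_w3c(text):
        s = per_ip[rec["c-ip"]]
        if rec["cs-username"] != "-":  # populated only after a successful AUTH
            s["auth_users"].add(rec["cs-username"])
        verb = rec["cs-method"].upper()
        if verb == "MAIL":
            s["mail_from"] += 1
            s["senders"].add(rec["cs-uri-query"].lstrip("+"))  # IIS writes spaces as '+'
        elif verb == "RCPT":
            s["rcpt_to"] += 1
    return dict(per_ip)


def suspects(per_ip, mail_threshold=3, rcpt_ratio=3.0):
    """Flag IPs sending many messages, or many recipients per message.
    Returns (ip, classification, auth_users, mail_from, rcpt_to), busiest first."""
    out = []
    for ip, s in per_ip.items():
        many_messages = s["mail_from"] >= mail_threshold
        high_fanout = s["mail_from"] > 0 and s["rcpt_to"] / s["mail_from"] >= rcpt_ratio
        if not (many_messages or high_fanout):
            continue
        if s["auth_users"]:
            kind = "authenticated relay: reset this account's password and look for brute-force attempts"
        else:
            kind = "unauthenticated client: infected internal workstation, or relay restrictions are open"
        out.append((ip, kind, sorted(s["auth_users"]), s["mail_from"], s["rcpt_to"]))
    return sorted(out, key=lambda t: -t[3])


if __name__ == "__main__":
    for ip, kind, users, m, r in suspects(triage(SAMPLE_LOG)):
        print(f"{ip:15} MAIL={m} RCPT={r} users={users or '-'} -> {kind}")
```

Point it at the real log (by default under %SystemRoot%\System32\LogFiles\SMTPSVC1) and the top entry is the account to reset or the workstation to pull off the network. One caveat that matches Alan's later comment: an infected machine submitting through Outlook over RPC over HTTPS never touches the inbound SMTP virtual server, so it will not appear in this log; for that case the message tracking log is the place to look.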
John Achille

ASKER
Disabling for delivery or authentication?
Alan Hardisty

Authentication.
Alan Hardisty

Make sure you restart the Simple Mail Transfer Protocol Service afterwards.
John Achille

ASKER
Should I clean out the queues or will Exchange do it for me?
John Achille

ASKER
Queues, I meant.
Alan Hardisty

Exchange will try to keep sending.

Download the attached and use the tool to clear the queues.

Rename the attached to a .exe file (can't attach an exe file in EE).

Guidance on how to use it can be found here:

http://community.spiceworks.com/how_to/show/267

But the link no longer works
Attachment: aqadmcli.txt
John Achille

ASKER
How would I explain this to a non-tech? The reason I ask is that originally I thought it was a polluted workstation, which I understand completely, but how would an RPC over HTTPS user be exploited by a hacker?
Alan Hardisty

If a virus gets onto their computer and starts sending out emails using Outlook, then if they are connected via RPC over HTTPS, the email will get sent to your server and thus out from your server.  This is very uncommon, but not impossible.  I have known personally of one instance where this happened to a customer of mine.

It isn't a hacker exploiting RPC over HTTPS, but simply an infected computer not using its own SMTP Engine.
John Achille

ASKER
I'm sorry, I meant your comment (ID: 38002168): "may be an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam)". How can I track it down?
John Achille

ASKER
Now we have one user getting:

Your message did not reach some or all of the intended recipients.
      Subject:      Re: Follow Up
      Sent:      5/23/2012 12:25 PM
The following recipient(s) cannot be reached:
      them@cbs.com on 5/23/2012 12:26 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <exchange.abc.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.456.78.900] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com.>
Alan Hardisty

Read my article in my first comment - it gives you guidance on how to track down the offending account.

You will be blacklisted on various blacklisting sites.

Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
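The two sites Alan names query the public DNS blocklists for you. The same check can be scripted: a DNSBL is queried by reversing the IP's octets, appending the list's zone and looking up an A record; an answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The script below is an added example, not from the thread; the three zones are real public lists chosen as illustration, and the client host [123.456.78.900] in the NDR is not a valid IPv4 address (octets above 255, presumably redacted by the asker), which the validation step rejects instead of querying.

```python
"""Query public DNS blocklists (DNSBLs) for a mail server's public IP.

Added example, not part of the original thread. DNSBL_ZONES lists three
real public blocklists as illustration; check each list's usage terms and
return-code documentation before relying on it."""
import ipaddress
import socket

DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def is_routable_ipv4(text):
    """True only for a syntactically valid, publicly routable IPv4 address.
    Rejects the redacted '123.456.78.900' from the NDR (octets > 255) and
    RFC 1918 space, which no public DNSBL lists meaningfully."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def dnsbl_query_name(ip, zone):
    """192.0.2.1 under zen.spamhaus.org becomes 1.2.0.192.zen.spamhaus.org."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(answer):
    """Interpret the A record a DNSBL returns. Listings live in 127.0.0.0/8;
    Spamhaus uses 127.255.255.252-255 to signal query errors (for example a
    lookup through an open public resolver), which must not be read as a listing."""
    if answer is None:
        return "not listed"
    if answer.startswith("127.255.255."):
        return "query error (list refused or rate-limited the lookup)"
    if answer.startswith("127."):
        return "LISTED (" + answer + ")"
    return "unexpected answer " + answer  # wildcard DNS or a dead zone, not a verdict


def check_ip(ip, zones=DNSBL_ZONES, resolve=None):
    """Return {zone: verdict} for ip. `resolve` maps a query name to its
    A-record string or None (NXDOMAIN); pass a fake to test offline."""
    if not is_routable_ipv4(ip):
        raise ValueError(f"{ip!r} is not a routable IPv4 address; use the real external IP from the NDR or the firewall")
    if resolve is None:
        def resolve(name):
            try:
                return socket.gethostbyname(name)
            except socket.gaierror:
                return None  # NXDOMAIN; note a dead network looks the same, so confirm resolution works first
    return {zone: classify_answer(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "8.8.4.4"  # any public IP as a demo target
    for zone, verdict in check_ip(target).items():
        print(f"{zone:25} {verdict}")
```

Run it with the server's external IP as the argument. A clean result across public lists does not contradict the 550 5.7.1 in the NDR: that bounce names a "Blocklist 1" on the receiving side, a reputation list private to that provider, so it is only visible by the rejection itself, and only the delisting address in the NDR can clear it.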
John Achille

ASKER
Checked the blacklists and we're not listed.
Alan Hardisty

Well according to your last post, you must be listed somewhere.  Not sure where, but the message is saying you are blacklisted.
John Achille

ASKER
Then it may well be the actual receiving server that's blacklisting us. Contacting delist.forefront@messaging.microsoft.com for support.
John Achille

ASKER
As always, I learn from "The Alan"! Thank you!