how do I track down spam offender?

ID10Tz asked:
Recently we have had a high rate of spam. I am not sure how to track it down from the Exchange server to the offending workstation. We have now lost access to our relay host because of this. Any help would be beneficial.
Alan Hardisty, Co-Owner, Top Expert 2011
Commented:
You may be an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam).  My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in its tracks.

Alan

Author

Commented:
The only protocols I'm using are HTTP/SMTP. 12 users are using RPC over HTTPS and 105 are using OWA. Would disabling that affect my OWA users?

Author

Commented:
Also, I am extremely concerned about this happening again. How do I ensure this is the actual issue?

Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
No - not at all.  If you disable Integrated Windows and Basic Authentication on your SMTP Virtual Server, you are stopping spammers from sending usernames and passwords to your server to access your server to relay off.

OWA and RPC use HTTPS, so that is a totally different way of communicating.

It is possible that you have an infected computer remotely using RPC over HTTPS and that this is sending spam to your server to relay, but this is not as common as a hacker brute force attacking your server and finding a weak password.
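The two patterns Alan contrasts here (an outside host brute-forcing SMTP AUTH until it finds a weak password, versus a legitimate but compromised account pushing unusual volumes of mail through the server) both leave traces in the SMTP virtual server's protocol log. The script below is an added example, not part of the thread or of Alan's article: it parses a W3C-style log, counts AUTH failures per client IP, records which accounts later authenticated from those IPs, and counts MAIL commands issued by authenticated accounts from outside the LAN. The sample log, its column layout, the status codes (535 for a failed AUTH, 235 for a successful one), the internal address ranges and the thresholds are all assumptions made for the example; a real log's own "#Fields:" header drives the column mapping.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log. The column layout is an assumption made for this
# example; parse_w3c() reads whatever "#Fields:" header a real log carries.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-05-23 12:20:01 198.51.100.7 - EHLO mail.example.net 250
2012-05-23 12:20:02 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:03 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:04 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:05 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:06 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:07 198.51.100.7 - AUTH LOGIN 535
2012-05-23 12:20:08 198.51.100.7 jsmith AUTH LOGIN 235
2012-05-23 12:20:09 198.51.100.7 jsmith MAIL FROM:<jsmith@example.net> 250
2012-05-23 12:20:10 198.51.100.7 jsmith MAIL FROM:<jsmith@example.net> 250
2012-05-23 12:20:11 198.51.100.7 jsmith MAIL FROM:<jsmith@example.net> 250
2012-05-23 12:21:00 10.0.0.12 bob MAIL FROM:<bob@example.net> 250
2012-05-23 12:21:05 10.0.0.12 bob MAIL FROM:<bob@example.net> 250
2012-05-23 12:22:00 203.0.113.9 - AUTH LOGIN 535
2012-05-23 12:22:01 203.0.113.9 - AUTH LOGIN 535
"""

# Assumed LAN ranges; adjust to the site's own address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_w3c(text):
    """Return one dict per log record, keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) == len(fields):        # skip truncated or malformed lines
            records.append(dict(zip(fields, values)))
    return records


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(records, fail_threshold=5, relay_threshold=3):
    """Flag brute-forcing IPs, accounts they got into, and heavy external relayers."""
    auth_failures = Counter()      # c-ip -> number of failed AUTH commands
    logins = defaultdict(set)      # c-ip -> accounts that authenticated successfully
    relayed = Counter()            # account -> MAIL commands issued from outside the LAN
    for r in records:
        ip, user, method, status = (r["c-ip"], r["cs-username"],
                                    r["cs-method"], r["sc-status"])
        if method == "AUTH":
            if status.startswith("535"):
                auth_failures[ip] += 1
            elif status.startswith("235") and user != "-":
                logins[ip].add(user)
        elif method == "MAIL" and user != "-" and not is_internal(ip):
            relayed[user] += 1
    brute_force = {ip: n for ip, n in auth_failures.items() if n >= fail_threshold}
    # An account that authenticated from an IP that had been guessing passwords
    # is the one whose password was most likely found; reset it first.
    compromised = sorted({u for ip in brute_force for u in logins.get(ip, ())})
    heavy = {u: n for u, n in relayed.items() if n >= relay_threshold}
    return {"brute_force_ips": brute_force,
            "likely_compromised": compromised,
            "heavy_relayers": heavy}


def triage_text(text, **thresholds):
    return triage(parse_w3c(text), **thresholds)


if __name__ == "__main__":
    for key, value in triage_text(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately low so the constructed log trips them; on a production log a day's worth of AUTH failures from one address is typically far higher, and the "heavy_relayers" count should be compared against what each account normally sends. Disabling Basic and Integrated Windows authentication on the SMTP virtual server, as the thread recommends, removes the AUTH path entirely, so after that change the first two findings should drop to nothing.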

Author

Commented:
disabling for delivery or authentication?
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
Authentication.
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
Make sure you restart the Simple Mail Transfer Protocol Service afterwards.

Author

Commented:
Should I clean out the queues or will Exchange do it for me?

Author

Commented:
Queues, I meant.
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
Exchange will try to keep sending.

Download the attached and use the tool to clear the queues.

Rename the attached to a .exe file (can't attach an exe file in EE).

Guidance on how to use it can be found here:

http://community.spiceworks.com/how_to/show/267

But the link no longer works.
Attachment: aqadmcli.txt

Author

Commented:
How would I explain this to a non-tech? The reason I ask is that originally I thought it was a polluted workstation, which I understand completely, but how would an RPC-over-HTTPS user be exploited by a hacker?
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
If a virus gets onto their computer and starts sending out emails using Outlook, then if they are connected via RPC over HTTPS, the email will get sent to your server and thus out from your server.  This is very uncommon, but not impossible.  I have known personally of one instance where this happened to a customer of mine.

It isn't a hacker exploiting RPC over HTTPS, but simply an infected computer not using its own SMTP Engine.

Author

Commented:
I'm sorry, I meant your comment (ID: 38002168): "may be an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam)". How can I track it down?

Author

Commented:
Now we have one user getting:

Your message did not reach some or all of the intended recipients.
      Subject:      Re: Follow Up
      Sent:      5/23/2012 12:25 PM
The following recipient(s) cannot be reached:
      them@cbs.com on 5/23/2012 12:26 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <exchange.abc.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.456.78.900] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com.>
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
Read my article in my first comment - it gives you guidance on how to track down the offending account.

You will be Blacklisted on various Blacklisting sites.

Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
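Sites such as mxtoolbox.com query the public DNS-based blocklists for you; the underlying check is a DNS lookup of the IP address with its octets reversed under the list's zone, where any answer in 127.0.0.0/8 means "listed". The code below is an added example, not from the thread or Alan's article, showing that lookup so it can be scripted for the server's outbound IP. The zone name passed in the usage line is an assumption for the example (use the zones of the lists you actually care about, and read each list's terms of use), and note, as the thread itself goes on to find, that a receiving mail system's private blocklist will not show up in any public DNSBL.

```python
import socket
from ipaddress import ip_address, ip_network

DNSBL_HIT_RANGE = ip_network("127.0.0.0/8")   # DNSBLs answer in this range when listed


def dnsbl_query_name(ip, zone):
    """Build the reversed-octet query name, e.g. 9.113.0.203.<zone> for 203.0.113.9."""
    addr = ip_address(ip)                      # rejects malformed input such as 123.456.78.900
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_dnsbl_hit(answer):
    """True when a resolved A record falls in the conventional 'listed' range."""
    return ip_address(answer) in DNSBL_HIT_RANGE


def dnsbl_lookup(ip, zone):
    """Return (listed, answer). listed is False when the name does not resolve,
    which covers both 'not listed' (NXDOMAIN) and 'no network'; distinguish the
    two by also resolving a name you know exists before trusting a False."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        return False, None
    return is_dnsbl_hit(answer), answer


if __name__ == "__main__":
    # Zone name is an assumption for the example; 203.0.113.9 is documentation space.
    print(dnsbl_lookup("203.0.113.9", "dnsbl.example.net"))
```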

Author

Commented:
Checked the blacklists and we're not listed.
Alan Hardisty, Co-Owner, Top Expert 2011

Commented:
Well according to your last post, you must be listed somewhere.  Not sure where, but the message is saying you are blacklisted.

Author

Commented:
Then it may well be the actual receiving server that's blacklisting us. Contacting delist.forefront@messaging.microsoft.com for support.

Author

Commented:
As always, I learn from "The Alan"! Thank you!