John Achille (United States of America) asked:

How do I track down a spam offender?

Recently we have had a high rate of spam. I am not sure how to track it down from the Exchange server to the offending workstation. We have now lost access to our relay host because of this. Any help would be beneficial.
ASKER CERTIFIED SOLUTION by Alan Hardisty (United Kingdom): this solution is only available to members of Experts Exchange.
John Achille (ASKER):

The only protocol I'm using is HTTP/SMTP. 12 users are using RPC over HTTPS and 105 are using OWA. Would disabling that affect my OWA users?
Also, I am extremely concerned about this happening again. How do I ensure this is the actual issue?
No - not at all.  If you disable Integrated Windows and Basic Authentication on your SMTP Virtual Server, you are stopping spammers from sending usernames and passwords to your server in order to access your server and relay off it.

OWA and RPC use HTTPS, so that is a totally different way of communicating.

It is possible that you have an infected computer remotely using RPC over HTTPS and that this is sending spam to your server to relay, but this is not as common as a hacker brute force attacking your server and finding a weak password.
Disabling for delivery or authentication?
Authentication.
Make sure you restart the Simple Mail Transfer Protocol Service afterwards.
Should I clean out the queues or will Exchange do it for me?
Queues, I meant.
Exchange will try to keep sending.

Download the attached and use the tool to clear the queues.

Rename the attached to a .exe file (can't attach an exe file in EE).

Guidance on how to use it can be found here:

http://community.spiceworks.com/how_to/show/267

(But the link no longer works.)

Attachment: aqadmcli.txt
How would I explain this to a non-tech? The reason I ask is that originally I thought it was a polluted workstation, which I understand completely, but how would an RPC-over-HTTPS user be exploited by a hacker?
If a virus gets onto their computer and starts sending out emails using Outlook, then if they are connected via RPC over HTTPS, the email will get sent to your server and thus out from your server.  This is very uncommon, but not impossible.  I have known personally of one instance where this happened to a customer of mine.

It isn't a hacker exploiting RPC over HTTPS, but simply an infected computer not using its own SMTP Engine.
I'm sorry, I meant your comment (ID: 38002168): it may be an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam). How can I track it down?
Now we have one user getting:

Your message did not reach some or all of the intended recipients.
      Subject:      Re: Follow Up
      Sent:      5/23/2012 12:25 PM
The following recipient(s) cannot be reached:
      them@cbs.com on 5/23/2012 12:26 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <exchange.abc.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.456.78.900] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com.>
Read my article in my first comment - it gives you guidance on how to track down the offending account.

You will be Blacklisted on various Blacklisting sites.

Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
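One way to find the abused account from the SMTP virtual server's protocol logs, added here as an illustration and not taken from the thread or the linked article. The log lines are constructed, and the assumed detail is that Exchange 2003 records the authenticated account in the cs-username field once an AUTH has succeeded, so the credential being relayed through shows up as one username sending to many recipients from an unfamiliar client IP.

```python
from collections import Counter

# Constructed sample (not from the thread) in the W3C extended format the
# Exchange 2003 SMTP virtual server writes when protocol logging is enabled.
# The field list is an assumption; match it to your own #Fields header.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-05-23 12:20:01 10.0.0.15 - EHLO +mail.abc.com 250
2012-05-23 12:20:01 10.0.0.15 - MAIL +FROM:<jane@abc.com> 250
2012-05-23 12:20:01 10.0.0.15 - RCPT +TO:<them@cbs.com> 250
2012-05-23 12:21:07 203.0.113.77 - EHLO +host 250
2012-05-23 12:21:07 203.0.113.77 abc\\bob AUTH +LOGIN 235
2012-05-23 12:21:08 203.0.113.77 abc\\bob MAIL +FROM:<x@example.net> 250
2012-05-23 12:21:08 203.0.113.77 abc\\bob RCPT +TO:<a@example.org> 250
2012-05-23 12:21:08 203.0.113.77 abc\\bob RCPT +TO:<b@example.org> 250
2012-05-23 12:21:09 203.0.113.77 abc\\bob MAIL +FROM:<y@example.net> 250
2012-05-23 12:21:09 203.0.113.77 abc\\bob RCPT +TO:<c@example.org> 250
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def relay_activity(text):
    """Count AUTH/MAIL/RCPT commands per (authenticated user, client IP).
    Unauthenticated sessions (cs-username '-') are skipped: the question is
    which credential the spam is relaying through, not anonymous inbound mail."""
    stats = {}
    for rec in parse_w3c(text):
        if rec["cs-username"] == "-":
            continue
        key = (rec["cs-username"], rec["c-ip"])
        if rec["cs-method"] in ("AUTH", "MAIL", "RCPT"):
            stats.setdefault(key, Counter())[rec["cs-method"]] += 1
    return stats

def suspects(text, rcpt_threshold=2):
    """(user, ip) pairs with more RCPT commands than the threshold, busiest first.
    On a real log use a much higher threshold; an abused account usually stands
    out as one username from an unfamiliar IP with thousands of recipients."""
    hits = [(k, dict(v)) for k, v in relay_activity(text).items()
            if v["RCPT"] > rcpt_threshold]
    return sorted(hits, key=lambda kv: kv[1]["RCPT"], reverse=True)
```

Once the account is identified, the account's password is what to reset; the thread's advice to turn off Integrated Windows and Basic Authentication on the SMTP virtual server removes the relay path itself.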
Checked the blacklists and we're not listed.
Well according to your last post, you must be listed somewhere.  Not sure where, but the message is saying you are blacklisted.
Then it may well be the actual receiving server that's blacklisting us. Contacting delist.forefront@messaging.microsoft.com for support.
As always, I learn from "The Alan"! Thank you!