Solved

Exchange 2003 SPAM

Posted on 2012-08-13
Last Modified: 2012-09-13
We have an internal Exchange 2003 server. Last week we started seeing a lot of SPAM emails showing up in our vsi1/queue folder. When clicking on these messages they are obvious SPAM messages.

What's the easiest way for me to track down where these are coming from?
Question by:dak11
35 Comments
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38287807
Check for the message header for these emails.

Copy and paste the xml files from the queue folder into Notepad and you'd see the connecting IP address.

To resolve these sorts of issues, check whether or not you are open for relay using this link

Also, you could curb SPAM by using IMF using link

Regards,
Exchange_Geek
0
 
LVL 10

Expert Comment

by:pclinuxguru
ID: 38287882
Depends on what the spam looks like.

If they are NDRs then this should help:
http://support.microsoft.com/kb/886208

If they appear to be actual spam messages then you may be part of an authenticated relay attack. Check to see if it is an open relay and if it isn't then check for an authenticated attack.

http://support.microsoft.com/kb/324958
0
 

Author Comment

by:dak11
ID: 38287900
Geek,

No relay open using the link above.

I'm not an expert at Exchange by any stretch. There are no .xml files in the queue folder, only .eml files. Here's one of the files in the queue..

Received: from User ([146.0.74.105]) by exchange.xxx.intranet with Microsoft SMTPSVC(6.0.3790.4675);
       Sat, 11 Aug 2012 16:58:23 -0400
From: "Facebook Award Team"<info@awardteam.com>
Subject: WINNER
Date: Sat, 11 Aug 2012 13:08:13 -0700
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: info@awardteam.com
Message-ID: <EXCHANGEqdiixjnzi9500000136@exchange.xxx.intranet>
X-OriginalArrivalTime: 11 Aug 2012 20:58:23.0623 (UTC) FILETIME=[0BC45170:01CD7804]

Congratulation your FACEBOOK ACCOUNT have won 500.000.00GBP pounds in the ongoing FACEBOOK PROMO 8TH ANNIVERSARY. Please contact claims officer Mr. Clement Larry on Email: clementlarry@facebooklottery-uk.tk for more details with your
Reference Number 10 12 41 51 11. Sincerely, Mrs. Tracy Duke. Copyright © 2012 FACEBOOK winnings Inc. Congratulations once more from all members and staffs of this program.Bookmark. Copyright © 1992-2012 FACE BOOK.Com All rights reserved.

** A lot of these seem to be coming from IP 146.0.74.105. Is there a way to block that IP address?
0
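Exchange_Geek's advice above (read the connecting IP out of each queued file's header) and the queued message dak11 pasted are enough to automate the triage. The script below is an added example, not code from either poster: it reads every .eml file in a queue folder, takes the topmost Received header (the stamp this server added on arrival, so the bracketed address is the actual TCP peer rather than anything the sender wrote), and counts messages per connecting IP. The sample queue is constructed for the example; the file names, the second address (192.0.2.10) and the message bodies are made up, only the header layout and 146.0.74.105 come from the thread.

```python
import re
import sys
from collections import Counter
from email import message_from_string
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

# The topmost Received header is the stamp this Exchange server added when the
# message arrived: the bracketed address is the TCP peer that connected to the
# SMTP virtual server, and the word after "from" is whatever that peer sent in
# its HELO/EHLO (the generic "User" in the message quoted in the thread).
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def connecting_peer(raw_message: str) -> Optional[Tuple[str, str]]:
    """Return (helo_name, ip) from the local server's own Received stamp, or None."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = RECEIVED_FROM.search(received[0])  # index 0 = most recent hop = our server
    return (match.group(1), match.group(2)) if match else None


def triage_queue(messages: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count queued messages per connecting IP; unparsable files land under 'unparsed'."""
    by_ip: Counter = Counter()
    for _name, raw in messages:
        peer = connecting_peer(raw)
        by_ip[peer[1] if peer else "unparsed"] += 1
    return dict(by_ip)


def load_queue_dir(queue_dir: str) -> Iterable[Tuple[str, str]]:
    """Yield (filename, contents) for every .eml file in a queue folder."""
    for path in sorted(Path(queue_dir).glob("*.eml")):
        yield path.name, path.read_text(errors="replace")


def _sample(helo: str, ip: str, sender: str) -> str:
    # Constructed message in the layout of the queued file quoted in the thread.
    return (
        f"Received: from {helo} ([{ip}]) by exchange.xxx.intranet with Microsoft SMTPSVC(6.0.3790.4675);\n"
        "       Sat, 11 Aug 2012 16:58:23 -0400\n"
        f"From: {sender}\n"
        "Subject: WINNER\n"
        "Message-ID: <EXCHANGEqdiixjnzi9500000136@exchange.xxx.intranet>\n"
        "\n"
        "body\n"
    )


# Constructed sample queue: the address from the thread twice, a second
# (RFC 5737 documentation) address once, and one file with no Received header.
SAMPLE_QUEUE = [
    ("msg1.eml", _sample("User", "146.0.74.105", '"Facebook Award Team"<info@awardteam.com>')),
    ("msg2.eml", _sample("User", "146.0.74.105", "<info@awardteam.com>")),
    ("msg3.eml", _sample("mail.example.net", "192.0.2.10", "<someone@example.net>")),
    ("msg4.eml", "Subject: no hops\n\nbody\n"),
]

if __name__ == "__main__":
    # Pass the queue folder as the first argument; without one the sample queue is used.
    source = load_queue_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_QUEUE
    for ip, count in sorted(triage_queue(source).items(), key=lambda kv: -kv[1]):
        print(f"{count:6d}  {ip}")
```

A single dominant IP in the tally points at one abusing client, but as Alan notes further down, an attacker using stolen credentials can change source address at will, so the count is a starting point for the log review, not the fix.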
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 1000 total points
ID: 38287950
Please have a look at my article and see if either scenario are relevant:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

You look like you might be an authenticated relay!!

Alan
0
 
LVL 33

Assisted Solution

by:Exchange_Geek
Exchange_Geek earned 1000 total points
ID: 38287957
Yes, you can block it - use the following steps.

Start Exchange System Manager.
Expand Global Settings, right-click Message Delivery, and then click Properties.
Click the Connection Filtering tab.

To deny delivery based on the IP address of the sending mail server,
On the Connection Filtering tab, click Deny, and then click Add.
Click Single IP Address to add one IP address, or click Group of IP Addresses to add a whole subnet.

Start Exchange System Manager.
Expand Servers, expand Server Name, expand Protocols, and then expand SMTP.
Right-click the SMTP virtual server where you want to apply the filter, and then click Properties.
On the General tab, click Advanced.
Click the IP address that you want to apply the filter to, and then click Edit.
In the Identification dialog box, click to select either the Apply Connection Filter

Restart SMTP Virtual Server OR Service.

Regards,
Exchange_Geek
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38287967
If it is an authenticated Relay - the IP Address will change and change quickly.  Blocking by IP Address is not a solution unless the IP remains the same, which I would very much doubt.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288095
Well - if you sent one - it doesn't seem to have found its way to my server yet!  So it looks like it isn't making it out of your network.

Please try to telnet to my server from a command prompt (once you have installed telnet):

telnet 188.220.xxx.xxx 25

Alan
0
 

Author Comment

by:dak11
ID: 38288280
Alan,

Tried the telnet and could not open connection to host.

Currently set the logging higher and cleaning up my queues
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288290
Sorry - posted that in the wrong question!  Please see my earlier comment.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38288298
Telnet to your Exchange server never responded on port 25?

Regards,
Exchange_Geek
0
 
LVL 10

Expert Comment

by:pclinuxguru
ID: 38288335
Authenticated relays are a pain. You basically have to turn up the logging level of SMTP (if I remember correctly) and sort through the logs looking for a username. Alan's article is very helpful. I think when I ran into it in the spring that is what I used.

In my case an old administrator created an account called backup with a password of backup. No mailbox on exchange but because it was technically an AD User it was allowed to send emails.

In the end the account was deleted and a full AD User audit was performed and only actual users were allowed to "relay" and all the service accounts were set to deny even though the passwords are complex.
0
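pclinuxguru's procedure (turn up SMTP logging, then sort through the log for a username) is tedious by hand. The script below is an added example, not code from any poster or from Microsoft: it parses a W3C extended log of the kind an Exchange 2003 SMTP virtual server writes, groups records by the authenticated account in cs-username, and lists accounts that authenticated from outside the internal address ranges. The log excerpt is constructed; the field list is the IIS default (a real log may have a different set ticked, which is why the parser reads the #Fields line instead of hard-coding positions), and the account names, hosts and addresses other than 146.0.74.105 are made up. It assumes, as IIS SMTP logging does, that cs-username holds the account once a session has completed AUTH; confirm that against your own log before trusting the output.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Sequence, Set

# Constructed excerpt in the layout an IIS 6 / Exchange 2003 SMTP virtual server
# logs with W3C extended format; every record has exactly the #Fields columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-08-11 20:58:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2012-08-11 20:58:20 146.0.74.105 - SMTPSVC1 EXCHANGE 10.0.0.5 25 EHLO - +User 250 0 266 11 0 SMTP - - - -
2012-08-11 20:58:21 146.0.74.105 - SMTPSVC1 EXCHANGE 10.0.0.5 25 AUTH - LOGIN 334 0 18 10 0 SMTP - - - -
2012-08-11 20:58:22 146.0.74.105 EXAMPLE\\backup SMTPSVC1 EXCHANGE 10.0.0.5 25 MAIL - +FROM:<info@awardteam.com> 250 0 48 33 0 SMTP - - - -
2012-08-11 20:58:22 146.0.74.105 EXAMPLE\\backup SMTPSVC1 EXCHANGE 10.0.0.5 25 RCPT - +TO:<a@example.net> 250 0 37 25 0 SMTP - - - -
2012-08-11 20:58:22 146.0.74.105 EXAMPLE\\backup SMTPSVC1 EXCHANGE 10.0.0.5 25 RCPT - +TO:<b@example.org> 250 0 37 25 0 SMTP - - - -
2012-08-11 20:59:02 198.51.100.7 EXAMPLE\\backup SMTPSVC1 EXCHANGE 10.0.0.5 25 MAIL - +FROM:<info@awardteam.com> 250 0 48 33 0 SMTP - - - -
2012-08-11 20:59:02 198.51.100.7 EXAMPLE\\backup SMTPSVC1 EXCHANGE 10.0.0.5 25 RCPT - +TO:<c@example.net> 250 0 37 25 0 SMTP - - - -
2012-08-11 21:03:10 10.0.0.23 EXAMPLE\\jsmith SMTPSVC1 EXCHANGE 10.0.0.5 25 MAIL - +FROM:<jsmith@example.com> 250 0 48 30 0 SMTP - - - -
2012-08-11 21:03:10 10.0.0.23 EXAMPLE\\jsmith SMTPSVC1 EXCHANGE 10.0.0.5 25 RCPT - +TO:<d@example.net> 250 0 37 25 0 SMTP - - - -
"""

# Adjust to your own LAN ranges; anything outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class AccountActivity:
    ips: Set[str] = field(default_factory=set)  # source addresses seen for the account
    mail: int = 0                               # MAIL FROM commands (messages submitted)
    rcpt: int = 0                               # RCPT TO commands (recipients)


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the '#Fields:' token itself
            continue
        if not line or line.startswith("#"):
            continue                            # other directives and blank lines
        tokens = line.split(" ")
        if not fields or len(tokens) != len(fields):
            continue                            # header missing or malformed record
        yield dict(zip(fields, tokens))


def authenticated_senders(lines: Iterable[str]) -> Dict[str, AccountActivity]:
    """Per authenticated account: source IPs and MAIL/RCPT volume. Anonymous ('-') skipped."""
    summary: Dict[str, AccountActivity] = {}
    for rec in parse_w3c(lines):
        user = rec.get("cs-username", "-")
        if user == "-":
            continue
        activity = summary.setdefault(user, AccountActivity())
        activity.ips.add(rec["c-ip"])
        if rec["cs-method"] == "MAIL":
            activity.mail += 1
        elif rec["cs-method"] == "RCPT":
            activity.rcpt += 1
    return summary


def external_authenticators(summary: Dict[str, AccountActivity],
                            internal: Sequence[ipaddress.IPv4Network] = INTERNAL_NETS) -> List[str]:
    """Accounts that authenticated from at least one address outside the internal ranges."""
    def is_internal(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in internal)
    return sorted(user for user, act in summary.items()
                  if any(not is_internal(ip) for ip in act.ips))


if __name__ == "__main__":
    report = authenticated_senders(SAMPLE_LOG.splitlines())
    for user, act in sorted(report.items(), key=lambda kv: -kv[1].rcpt):
        print(f"{user:20s} mail={act.mail:4d} rcpt={act.rcpt:4d} from {sorted(act.ips)}")
    print("authenticated from outside:", external_authenticators(report))
```

Run it over the whole log directory (one `authenticated_senders()` call per day's file) and the account with a large RCPT count from addresses that are not yours is the credential to reset, which is exactly the kind of "backup/backup" account pclinuxguru describes.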
 

Author Comment

by:dak11
ID: 38288369
Geek,

That was to Alan's IP. I can telnet just fine.

Found a user who was getting 1708 events in the app log after raising the settings. I changed that user's password. Hope that was the culprit.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38288389
Also, ensure you block the connecting IP using the settings I gave you. Would help you to secure your server for future attacks.

Regards,
Exchange_Geek
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288398
Don't forget to restart the SMTP service.
0
 

Author Comment

by:dak11
ID: 38288613
OK. SPAM seems to not be in my queue any more but now my server will not send any emails.

Tried a few test emails to my personal hotmail and gmail accounts and they just sit in the exchange queue and never go out.

Emails were being sent earlier today but now they are not.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288623
Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org - you will be blacklisted on several sites I would suspect and will have to manually request delisting from the sites that will let you and wait for the others to delist you whenever they feel like it (sometimes a month).

Check with your ISP to make sure they haven't blocked port 25 outbound for you as a security measure as a result of the spam.
0
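Alan's blacklist check is a DNS query: a DNSBL is asked for the reversed octets of your outbound IP under its zone, and an A record in the answer means "listed". The script below is an added example, not code from the thread or from any blacklist operator: it builds those query names, asks each zone, and separates a real listing from a refused query (Spamhaus signals a rejected query, for example from an open resolver, with a 127.255.255.x answer rather than a listing). The zones are two widely used lists plus the one dak11 mentions; the resolver is injectable so the test runs offline, and the 192.0.2.10 address used in the test is a constructed placeholder for the server's own public IP.

```python
import socket
import sys
from typing import Callable, Dict, Optional, Sequence, Tuple

# Zones to query: two widely used lists plus the one the thread mentions.
DEFAULT_ZONES: Sequence[str] = ("zen.spamhaus.org", "bl.spamcop.net", "l2.apews.org")

Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL is queried with: 1.2.3.4 -> 4.3.2.1.zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def classify(answer: Optional[str]) -> str:
    """NXDOMAIN -> clear; 127.255.255.x -> the list refused the query; any other A -> listed."""
    if answer is None:
        return "clear"
    if answer.startswith("127.255.255."):
        return "refused"
    return "listed"


def check_listings(ip: str, zones: Sequence[str] = DEFAULT_ZONES,
                   resolve: Resolver = socket.gethostbyname) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {zone: (verdict, raw answer)}. gethostbyname raises OSError on NXDOMAIN."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for zone in zones:
        try:
            answer: Optional[str] = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            answer = None
        results[zone] = (classify(answer), answer)
    return results


def listed_on(results: Dict[str, Tuple[str, Optional[str]]]) -> list:
    """Zones that actually list the address (refused queries are not listings)."""
    return sorted(zone for zone, (verdict, _) in results.items() if verdict == "listed")


if __name__ == "__main__":
    # Usage: python dnsbl_check.py <your public mail IP>
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    for zone, (verdict, answer) in check_listings(target).items():
        print(f"{zone:22s} {verdict:8s} {answer or ''}")
```

A "refused" result means you need to repeat the query through your own resolver, not that you are clear; and as Alan points out below, Hotmail keeps its own reputation data and will not show up in any of these zones at all.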
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38288642
Alan's point makes sense: check whether or not your domain is blacklisted. If it isn't, use the following steps to clear your queues.

Stop SMTP Service.
Go down to vsi1 folder under Exchange Installation Drive.
Rename Queue folder to Queue1
Create a new folder called Queue (similar to the name that was renamed)
Restart SMTP Service.

Try sending a few emails across and check if they go through.

Regards,
Exchange_Geek
0
 

Author Comment

by:dak11
ID: 38288680
Geek,

The messages are not specifically in the queue folder under vsi1.

If I go into ESM, under my exchange server, queues they are there.

I got an email via gmail but the hotmail ones are still there. One in a retry state and the others queued.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288698
Hotmail will need a manual unblock by visiting their website and filling in a form.  As soon as they sniff spam coming from your server - you will get blocked and have to request that they unblock you.  They don't rely on the IP Address Blacklists!

It will take some time for mail-flow to return to normal.

For now - you can create a new SMTP Connector, scope it for the problem domains only and configure the connector to use your ISP's Smarthost to send the emails out until the blacklisting has gone away.

For details of how to do this, please read:

http://support.microsoft.com/kb/265293
or
http://www.msexchange.org/tutorials/configuring-smtp-connector.html
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38288713
I never got to read your response on Alan's post

"Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org - you will be blacklisted on several sites"

Are you on those blacklisted sites?

Regards,
Exchange_Geek
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288720
Guaranteed to be on several I would imagine.
0
 

Author Comment

by:dak11
ID: 38288727
mxtoolbox all OK.

blacklistalert all OK except l2.apews.org. I'm working on removing us from that one.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38288729
Some further reading for you:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

and

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last one will prevent the problem from ever happening again, but will stop external SMTP authenticated access to your server should you happen to have users using SMTP/POP3 externally, which I hope you haven't got!
0
 

Author Comment

by:dak11
ID: 38289008
Thanks guys. Not seeing any more SPAM but I do have 1 more issue which I'm not sure if it's related or not.

Since changing that user's password and adding the 2 main IPs where the SPAM seemed to be originating from in the SMTP virtual server - Access - Connection tab (all except those 2 addresses), I now have some domains which are getting SMTP error messages in the ESM queues.

For Yahoo.com I'm getting additional information of - the connection was dropped by the remote host

For hotmail.com I'm getting - An SMTP protocol error occurred.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38289026
Try removing those IP Addresses one-by-one and restart SMTP Virtual Server and check if this was caused by it.

BTW Connection dropped by remote host wouldn't be caused by your blocking incoming IP at all.

Regards,
Exchange_Geek
0
 

Author Comment

by:dak11
ID: 38289093
No dice Geek.

Still getting An SMTP protocol error occurred for Hotmail.com and dropped by remote host for Yahoo.com

Thanks for the help by the way.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38289118
Increase SMTP Logging on SMTP Service and perform retry for those messages on hotmail queue.

Also, check if your DNS is working fine - see if hotmail MX records responds to your telnet requests.

Regards,
Exchange_Geek
0
 

Author Comment

by:dak11
ID: 38289272
Looks like we might be blocked at those sites. Tried telnetting to their sites and get warnings about bulk emails.

I'm contacting them both about it and will work my way through the problem domains 1 at a time I guess.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38289290
Bang on

Regards,
Exchange_Geek
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38289343
If you refer to my earlier comment http:#a38288698, that comment will apply to any domains blocking you and provides a temporary fix.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38394567
With the greatest of respect - how is the selected answer even remotely relevant to the question?

Alan
0
 

Author Comment

by:dak11
ID: 38394581
Sorry Alan,

Clicked on the wrong name in my haste.

I'll email support and have it changed. Should have been split up between the both of you.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38394587
I can re-open the question if you like.

Alan
0
 

Author Comment

by:dak11
ID: 38394614
Sounds good. You both were a big help.
0
 

Author Closing Comment

by:dak11
ID: 38394655
Thanks guys.

Between the both of you I was able to track down the problem and fix.
0
