
Exchange 2003 SPAM

dak11 asked:
We have an internal Exchange 2003 server. Last week we started seeing a lot of SPAM emails showing up in our vsi1/queue folder. When clicking on these messages they are obvious SPAM messages.

What's the easiest way for me to track down where these are coming from?

Check for the message header for these emails.

copy paste xml files from the queue folder on to a notepad and you'd see the connecting IP Address.

To resolve these sort of issues, check if you are open for relay or not using link

Also, you could curb SPAM by using IMF using link

Regards,
Exchange_Geek
Depends on what the spam looks like.

If they are NDRs then this should help:
http://support.microsoft.com/kb/886208

If they appear to be actual spam messages then you may be part of an authenticated relay attack. Check to see if it is an open relay and if it isn't then check for an authenticated attack.

http://support.microsoft.com/kb/324958

Author

Commented:
Geek,

No relay open using the link above.

I'm not an expert at Exchange by any stretch. There are no .xml files in the queue folder, only .eml files. Here's one of the files in the queue:

Received: from User ([146.0.74.105]) by exchange.xxx.intranet with Microsoft SMTPSVC(6.0.3790.4675);
       Sat, 11 Aug 2012 16:58:23 -0400
From: "Facebook Award Team"<info@awardteam.com>
Subject: WINNER
Date: Sat, 11 Aug 2012 13:08:13 -0700
MIME-Version: 1.0
Content-Type: text/plain;
      charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: info@awardteam.com
Message-ID: <EXCHANGEqdiixjnzi9500000136@exchange.xxx.intranet>
X-OriginalArrivalTime: 11 Aug 2012 20:58:23.0623 (UTC) FILETIME=[0BC45170:01CD7804]

Congratulation your FACEBOOK ACCOUNT have won 500.000.00GBP pounds in the ongoing FACEBOOK PROMO 8TH ANNIVERSARY. Please contact claims officer Mr. Clement Larry on Email: clementlarry@facebooklottery-uk.tk for more details with your
Reference Number 10 12 41 51 11. Sincerely, Mrs. Tracy Duke. Copyright © 2012 FACEBOOK winnings Inc. Congratulations once more from all members and staffs of this program.Bookmark. Copyright © 1992-2012 FACE BOOK.Com All rights reserved.

** A lot of these seem to be coming from IP 146.0.74.105. Is there a way to block that IP address?
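The two posts above describe the same check by hand: open the queued .eml files and read the connecting address out of the Received header that the Exchange server itself stamped. The script below automates that across a queue folder. It is an added example, not code from the thread or from Microsoft; the sample queue is constructed inline from the header quoted above plus a made-up internal submission (192.168.1.20) and a message with no Received header, so it runs offline. Only the topmost Received header is trusted, because lower ones arrive inside the message and can be forged by the sender.

```python
"""Tally the connecting IP address stamped on each queued .eml file (added example)."""
import email
import re
from collections import Counter
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

# Matches the stamp Exchange 2003's SMTP virtual server adds, e.g.
#   Received: from User ([146.0.74.105]) by exchange.xxx.intranet with Microsoft SMTPSVC
# group 1 is the HELO/EHLO name the client presented, group 2 the source IP.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")


def parse_received(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (helo_name, ip) from the topmost Received header, or None if absent."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # The topmost Received header is the one our own server added last, so it is
    # the only one we can trust; anything below it came in with the message.
    match = RECEIVED_RE.search(" ".join(received[0].split()))
    return (match.group(1), match.group(2)) if match else None


def tally_sources(messages: Iterable[bytes]) -> Counter:
    """Count queued messages per connecting IP ("unknown" when there is no stamp)."""
    counts: Counter = Counter()
    for raw in messages:
        parsed = parse_received(raw)
        counts[parsed[1] if parsed else "unknown"] += 1
    return counts


def tally_queue_dir(queue_dir: Path) -> Counter:
    """Same tally over every .eml file in a queue folder (e.g. ...\\Mailroot\\vsi 1\\Queue)."""
    return tally_sources(p.read_bytes() for p in sorted(queue_dir.glob("*.eml")))


def suspicious_sources(counts: Counter, threshold: int) -> List[str]:
    """IPs responsible for at least `threshold` queued messages, busiest first."""
    return [ip for ip, n in counts.most_common() if ip != "unknown" and n >= threshold]


# Constructed sample queue: three copies of the header shown in the thread
# (source 146.0.74.105), one internal submission from a made-up workstation
# address, and one message with no Received header at all.
_SPAM = (
    b"Received: from User ([146.0.74.105]) by exchange.xxx.intranet with Microsoft SMTPSVC(6.0.3790.4675);\r\n"
    b"       Sat, 11 Aug 2012 16:58:23 -0400\r\n"
    b'From: "Facebook Award Team"<info@awardteam.com>\r\n'
    b"Subject: WINNER\r\n\r\nCongratulation your FACEBOOK ACCOUNT have won ...\r\n"
)
_INTERNAL = (
    b"Received: from WORKSTATION01 ([192.168.1.20]) by exchange.xxx.intranet with Microsoft SMTPSVC(6.0.3790.4675);\r\n"
    b"       Sat, 11 Aug 2012 09:00:00 -0400\r\n"
    b"From: user@xxx.intranet\r\nSubject: report\r\n\r\nattached\r\n"
)
_NO_RECEIVED = b"From: nobody@example.invalid\r\nSubject: test\r\n\r\nbody\r\n"
SAMPLE_QUEUE = [_SPAM] * 3 + [_INTERNAL, _NO_RECEIVED]

if __name__ == "__main__":
    counts = tally_sources(SAMPLE_QUEUE)
    for ip, n in counts.most_common():
        print(f"{n:5d}  {ip}")
    print("suspicious:", suspicious_sources(counts, threshold=2))
```

Point `tally_queue_dir` at the real Queue folder to get the same table for a live server. A single external address accounting for most of the queue is the pattern the thread is chasing; the HELO name returned alongside it is worth keeping in the report, since a client that identifies itself with a bare, meaningless string is usually not a mail server.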
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011
Commented:
Please have a look at my article and see if either scenario are relevant:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

You look like you might be an authenticated relay!!

Alan
Yes, you can block it - use the following steps.

Start Exchange System Manager.
Expand Global Settings, right-click Message Delivery, and then click Properties.
Click the Connection Filtering tab.

To deny delivery based on the IP address of the sending mail server,
On the Connection Filtering tab, click Deny, and then click Add.
Click Single IP Address to add one IP address, or click Group of IP Addresses to add a whole subnet.

Start Exchange System Manager.
Expand Servers, expand Server Name, expand Protocols, and then expand SMTP.
Right-click the SMTP virtual server where you want to apply the filter, and then click Properties.
On the General tab, click Advanced.
Click the IP address that you want to apply the filter to, and then click Edit.
In the Identification dialog box, click to select either the Apply Connection Filter

Restart SMTP Virtual Server OR Service.

Regards,
Exchange_Geek
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
If it is an authenticated Relay - the IP Address will change and change quickly.  Blocking by IP Address is not a solution unless the IP remains the same, which I would very much doubt.

Alan
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Well - if you sent one - it doesn't seem to have found its way to my server yet!  So it looks like it isn't making it out of your network.

Please try to telnet to my server from a command prompt (once you have installed telnet):

telnet 188.220.xxx.xxx 25

Alan

Author

Commented:
Alan,

Tried the telnet and could not open connection to host.

Currently set the logging higher and cleaning up my queues
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Sorry - posted that in the wrong question!  Please see my earlier comment.
Telnet to your Exchange server never responded on port 25?

Regards,
Exchange_Geek
Authenticated relays are a pain. You basically have to turn up the logging level of SMTP (if I remember correctly) and sort through the logs looking for a username. Alan's article is very helpful. I think when I ran into it in the spring that is what I used.

In my case an old administrator created an account called backup with a password of backup. No mailbox on exchange but because it was technically an AD User it was allowed to send emails.

In the end the account was deleted and a full AD User audit was performed and only actual users were allowed to "relay" and all the service accounts were set to deny even though the passwords are complex.

Author

Commented:
Geek,

That was to Alan's IP. I can telnet just fine.

Found a user who was getting 1708 events in app log after raising the settings. I changed that user's password. Hope that was the culprit.
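The way the author found the abused account, and the "backup/backup" account described two posts earlier, both come down to the same check: after raising SMTP diagnostics logging, count the authentication events per username and see which one is doing all the sending. The script below does that over exported event log lines. It is an added example, not from the thread; the export layout (`timestamp,source,event id,message`) and the exact wording of the 1708 message are constructed approximations, so adjust `EVENT_RE` and `AUTH_RE` to match what your server actually writes.

```python
"""Find which account generates the SMTP authentication (event 1708) entries (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Assumed export layout: <date time>,<source>,<event id>,<message>
EVENT_RE = re.compile(r"^(?P<ts>\S+ \S+),(?P<source>[^,]+),(?P<id>\d+),(?P<msg>.*)$")
# Assumed message wording; the real text on your server may differ slightly.
AUTH_RE = re.compile(r'with client "(?P<client>[^"]*)".*username was (?P<user>\S+?)\.?$')


def parse_auth_events(lines: Iterable[str]) -> List[dict]:
    """Extract (timestamp, client, user) from every event 1708 line; skip everything else."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m.group("id") != "1708":
            continue
        a = AUTH_RE.search(m.group("msg"))
        if not a:
            continue
        events.append({"ts": m.group("ts"), "client": a.group("client"), "user": a.group("user")})
    return events


def auth_counts_by_user(events: List[dict]) -> Counter:
    """How many successful SMTP authentications each account performed."""
    return Counter(e["user"] for e in events)


def clients_by_user(events: List[dict]) -> Dict[str, Set[str]]:
    """Which client names each account authenticated from; a second name for a
    service account is itself a signal that someone else holds its password."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["client"])
    return dict(seen)


def likely_abused(events: List[dict], threshold: int) -> List[str]:
    """Accounts at or above `threshold` authentications, busiest first."""
    return [u for u, n in auth_counts_by_user(events).most_common() if n >= threshold]


# Constructed sample export: a burst of logins by a forgotten "backup" account,
# one ordinary user, and an unrelated event that must be ignored.
SAMPLE_LOG = [
    '2012-08-11 16:58:20,MSExchangeTransport,1708,SMTP Authentication was performed successfully with client "User". The authentication method was LOGIN and the username was CORP\\backup.',
    '2012-08-11 16:58:21,MSExchangeTransport,1708,SMTP Authentication was performed successfully with client "User". The authentication method was LOGIN and the username was CORP\\backup.',
    '2012-08-11 16:58:22,MSExchangeTransport,1708,SMTP Authentication was performed successfully with client "User". The authentication method was LOGIN and the username was CORP\\backup.',
    '2012-08-11 16:58:23,MSExchangeTransport,1708,SMTP Authentication was performed successfully with client "User". The authentication method was LOGIN and the username was CORP\\backup.',
    '2012-08-11 17:02:10,MSExchangeTransport,1708,SMTP Authentication was performed successfully with client "WORKSTATION01". The authentication method was LOGIN and the username was CORP\\jsmith.',
    '2012-08-11 17:03:00,MSExchangeTransport,7004,This is an SMTP protocol error log for virtual server ID 1.',
]

if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for user, n in auth_counts_by_user(evs).most_common():
        print(f"{n:5d}  {user}  from {sorted(clients_by_user(evs)[user])}")
    print("likely abused:", likely_abused(evs, threshold=3))
```

Changing the password of the account that tops the list stops the current run, as it did for the author; the account audit described in the earlier post (disabling service accounts from relaying, removing leftovers like "backup") is what stops the next one.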
Also, ensure you block the connecting IP using the settings I gave you. Would help you to secure your server for future attacks.

Regards,
Exchange_Geek
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Don't forget to restart the SMTP service.

Author

Commented:
OK. SPAM seems to not be in my queue any more but now my server will not send any emails.

Tried a few test emails to my personal hotmail and gmail accounts and they just sit in the exchange queue and never go out.

Emails were being sent earlier today but now they are not.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org - you will be blacklisted on several sites I would suspect and will have to manually request delisting from the sites that will let you and wait for the others to delist you whenever they feel like it (sometimes a month).

Check with your ISP to make sure they haven't blocked port 25 outbound for you as a security measure as a result of the spam.
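The blacklist sites named above all do the same thing underneath: reverse the octets of your public IP, append a DNSBL zone name, and treat an A answer in 127.0.0.0/8 as "listed". The function below performs that lookup so you can script the check instead of visiting each site. It is an added example, not from the thread; the zone names and the server address 203.0.113.5 are placeholders, and the resolver is injectable so the sample run is fully offline (`system_resolver` does the real DNS query). It also shows the caveat a practitioner wants: an answer outside 127.0.0.0/8 (for example from a wildcard or a parked domain) is not a listing.

```python
"""Check an IPv4 address against DNS blocklists (added example, not from the thread)."""
import socket
from typing import Callable, Dict, List, Optional, Sequence

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None if NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets followed by the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver; None means no such name."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listings(ip: str, zones: Sequence[str], resolve: Resolver = system_resolver) -> Dict[str, Optional[str]]:
    """Map each zone to the listing code (a 127.x.x.x answer) or None when not listed.
    Answers outside 127.0.0.0/8 are ignored: DNSBLs only ever return loopback codes."""
    result: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        result[zone] = answer if answer and answer.startswith("127.") else None
    return result


def listed_zones(ip: str, zones: Sequence[str], resolve: Resolver = system_resolver) -> List[str]:
    """Just the zones that currently list the address."""
    return [z for z, code in check_listings(ip, zones, resolve).items() if code]


# Placeholder zones; substitute the lists you actually care about.
ZONES = ["bl.example.invalid", "dnsbl2.example.invalid", "clean.example.invalid"]
SERVER_IP = "203.0.113.5"  # constructed stand-in for the Exchange server's public address

# Constructed offline resolver: first zone lists us, second returns a bogus
# non-loopback answer, third has no record at all.
FAKE_ANSWERS = {
    "5.113.0.203.bl.example.invalid": "127.0.0.2",
    "5.113.0.203.dnsbl2.example.invalid": "198.51.100.7",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    for zone, code in check_listings(SERVER_IP, ZONES, fake_resolver).items():
        print(f"{zone:28s} {'LISTED ' + code if code else 'not listed'}")
```

Run it with the default resolver and your real public IP against the zones you rely on, and keep it running daily after delisting: as Alan notes, some lists take weeks to drop you, and a second listing is how you find out the relay abuse has restarted.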
Alan's point makes sense: check if your domain is blacklisted or not. If it isn't, use the following steps to clear your queues.

Stop SMTP Service.
Go down to vsi1 folder under Exchange Installation Drive.
Rename Queue folder to Queue1
Create a new folder called Queue (similar to the name that was renamed)
Restart SMTP Service.

Try sending a few emails across and check if they go through.

Regards,
Exchange_Geek

Author

Commented:
Geek,

The messages are not specifically in the queue folder under vsi1.

If I go into ESM, under my exchange server, queues they are there.

I got an email via Gmail but the Hotmail ones are still there. One is in a retry state and the others are queued.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Hotmail will need a manual unblock by visiting their website and filling in a form.  As soon as they sniff spam coming from your server - you will get blocked and have to request that they unblock you.  They don't rely on the IP Address Blacklists!

It will take some time for mail-flow to return to normal.

For now - you can create a new SMTP Connector, scope it for the problem domains only and configure the connector to use your ISP's Smarthost to send the emails out until the blacklisting has gone away.

For details of how to do this, please read:

http://support.microsoft.com/kb/265293
or
http://www.msexchange.org/tutorials/configuring-smtp-connector.html
I never got to read your response to Alan's post

"Check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org - you will be blacklisted on several sites"

Are you on those blacklisted sites?

Regards,
Exchange_Geek
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Guaranteed to be on several I would imagine.

Author

Commented:
mxtoolbox all OK.

blacklistalert all OK except l2.apews.org. I'm working on removing us from that one.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Some further reading for you:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

and

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last one will prevent the problem from ever happening again, but will stop external SMTP authenticated access to your server should you happen to have users using SMTP/POP3 externally, which I hope you haven't got!

Author

Commented:
Thanks guys. Not seeing any more SPAM but I do have 1 more issue which I'm not sure if it's related or not.

Since changing that user's password and adding the 2 main IPs where the SPAM seemed to be originating from in the SMTP virtual server - access - connection tab (all except those 2 addresses), I now have some domains which are getting SMTP error messages in the ESM queues.

For Yahoo.com I'm getting additional information of - the connection was dropped by the remote host

For hotmail.com I'm getting - An SMTP protocol error occurred.
Try removing those IP Addresses one-by-one and restart SMTP Virtual Server and check if this was caused by it.

BTW Connection dropped by remote host wouldn't be caused by your blocking incoming IP at all.

Regards,
Exchange_Geek

Author

Commented:
No dice Geek.

Still getting An SMTP protocol error occurred for Hotmail.com and dropped by remote host for Yahoo.com

Thanks for the help by the way.
Increase SMTP Logging on SMTP Service and perform retry for those messages on hotmail queue.

Also, check if your DNS is working fine - see if hotmail MX records responds to your telnet requests.

Regards,
Exchange_Geek

Author

Commented:
Looks like we might be blocked at those sites. Tried telnetting to their sites and get warnings about bulk emails.

I'm contacting them both about it and will work my way through the problem domains 1 at a time I guess.
Bang on

Regards,
Exchange_Geek
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
If you refer to my earlier comment http:#a38288698, that comment will apply to any domains blocking you and provides a temporary fix.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
With the greatest of respect - how is the selected answer even remotely relevant to the question?

Alan

Author

Commented:
Sorry Alan,

Clicked on the wrong name in my haste.

I'll email support and have it changed. Should have been split up between the both of you.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
I can re-open the question if you like.

Alan

Author

Commented:
Sounds good. You both were a big help.

Author

Commented:
Thanks guys.

Between the both of you I was able to track down the problem and fix.
