• Status: Solved
• Priority: Medium
• Security: Public

Spammers

We are running on Exchange 2007. This week our Exchange is being attacked by spammers. Our Exchange mail flow is: incoming/outgoing mail from/to the Internet passes through Borderware anti-spam.

When the problem occurred, our vendor detected that spam mail was being sent from our Exchange Hub Transport server to the Internet; they detected the sender IP address 10.x.x.22 from the log I sent them. They asked me to search for the actual source IP, so I used the Exchange Message Tracking log and found out that the ClientIP address is 217.15.94.214 (external). Why was that? How do I get the actual source IP address? Any tool available?

Please help.
Asked by: suriyaehnop
3 Solutions
 
Exchange_Geek commented:
Do you have any internal relay connectors?

You can block that IP address using Anti spam relay agents.

Check if there is a breach in your firewall.

Regards,
Exchange_Geek
 
Exchange_Geek commented:
Also, check if you are open to relay using mxtoolbox.com

Regards,
Exchange_Geek
 
lhademmor commented:
Be aware that many 10.x.y.z addresses are "inside" addresses that are translated when viewed from the Internet, hence the difference between the 2 addresses.
Using ping and arp and some network tools gives you the physical address, and the net tool the exact wall plug of the machine 10.x.x.22.
Net tools could be a switch management software or a FLUKE netmeter or equal.
Another way to find it in a domain net is, when you know the machine name (out of ping and arp), to do
> net send (bad-pc) "please call me asap at 555-1234"
This will force a popup in many OSes with that little message. If no one calls, do it in a loop and walk around to see which monitor has all your messages opening :-).
 
suriyaehnop (Author) commented:
Exchange_Geek,

From the message tracking, the IP 217.15.94.217 was authenticated with a non-default Receive Connector. We created this connector for an internal application to relay email. This IP cannot be blocked by the anti-spam since the final sender IP is the Exchange Hub Transport. This was confirmed by the vendors.

lhademmor,

10.x.x.22 is my Exchange Hub Transport server.
 
Exchange_Geek commented:
The non-default receive connector - is it bound by an IP Address OR is it open for relay?

Also, I'd run through the logs of the application to check if it was compromised or not.

Regards,
Exchange_Geek
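The check Exchange_Geek asks for (which connector accepted the mail from the external ClientIp, and whether that connector is open to relay), as an added Exchange Management Shell example that is not from this thread. The server name HUB01, the connector name "Internal App Relay" and the application address 10.x.x.50 are placeholders.

```powershell
# Added example (not from the thread). Placeholders: HUB01, "Internal App Relay", 10.x.x.50.
$server = "HUB01"                  # placeholder Hub Transport server name
$start  = (Get-Date).AddDays(-1)   # look at the last 24 hours of tracking logs

# 1. Which client IPs submitted mail over SMTP, through which receive connector, and how often?
#    RECEIVE events carry the submitting ClientIp and the ConnectorId that accepted the session.
Get-MessageTrackingLog -Server $server -EventId RECEIVE -Start $start -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ClientIp, ConnectorId |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# 2. What the external address from the thread sent, and which connector let it in.
Get-MessageTrackingLog -Server $server -EventId RECEIVE -Start $start -ResultSize Unlimited |
    Where-Object { $_.ClientIp -eq "217.15.94.214" } |
    Select-Object Timestamp, ConnectorId, Sender, Recipients, MessageSubject -First 20

# 3. Which receive connectors are effectively open relays?
#    Risky combination: RemoteIPRanges covering the whole Internet (0.0.0.0-255.255.255.255)
#    AND NT AUTHORITY\ANONYMOUS LOGON granted ms-Exch-SMTP-Accept-Any-Recipient.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $c = $_
    $relay = Get-ADPermission -Identity $c.Identity |
        Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                       $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" -and
                       -not $_.Deny }
    $c | Select-Object Name, PermissionGroups, RemoteIPRanges,
        @{ Name = "AnonymousRelay"; Expression = { [bool]$relay } }
} | Format-Table Name, AnonymousRelay, PermissionGroups, RemoteIPRanges -AutoSize

# 4. Mitigation: bind the application relay connector to the application's own address
#    (placeholder 10.x.x.50) instead of leaving it reachable from the Internet.
Set-ReceiveConnector -Identity "$server\Internal App Relay" -RemoteIPRanges "10.x.x.50"
```

Run step 3 on every Hub Transport server; a connector that shows AnonymousRelay True together with a world-wide RemoteIPRanges is the one to restrict in step 4.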
 
suriyaehnop (Author) commented:
Our network identified the public IP address which has a direct connection to our Exchange server. He stopped SMTP port 25.
