• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 484

Exchange 2003 relaying spam

Hi all,

Hoping someone can help.

I have a client who is running SBS 2003. Every so often the server is sending spam, but the problem is that I have checked every computer on the network for viruses and found nothing. I have also checked the server for any open relays and don't have any.

When I check the queue there are a large number of emails and under the sender it shows postmaster@domain.com or “various names@ domain name”.

Any help or hint is greatly appreciated.
Asked: rudym88

1 Solution

S_K_S commented:
Maybe the ones that say Postmaster could possibly be related to Public Folders. Is the recipient something like Servername-IS@yourdomain.com?

Can you check and confirm please.

Regards,
SKS

rudym88 (Author) commented:
Thanks for the reply,


The recipients are various names. If I click on one of the messages in the queue, under recipients, below is what I get:


Envelope Recipients:
SMTP:jjtb1974@yahoo.dk; SMTP:jjt@mek.dtu.dk; SMTP:jjtb-mfsvnjaauul@yahoo.com; SMTP:jjteiyrrt.lmaoh@ymail.com; SMTP:jjtacqu-uypsm@gmail.com; SMTP:jjteknik@jjteknik.dk; SMTP:jjt@amunordjylland.dk; SMTP:jjtcdmnb@live.com; SMTP:jjteb.unipqxts@hotmail.com;

S_K_S commented:
What does the Sender show in the same window? Is a similar domain name used, or a random email ID?

rudym88 (Author) commented:
Senders are either

"postmaster@mydomain.com", various valid names@mydomain.com, or various valid names@various domains.com

e.g. paypal, ebay, others

rudym88 (Author) commented:
Also, after monitoring the traffic on the firewall, I noticed the SMTP connections were coming from one particular IP, so I blocked the IP on the SMTP connector.

S_K_S commented:
Perfect. Possibly that IP is the problem child. Since you have blocked it, things should be fine. However, kindly reconfirm that the Relay settings are set properly.

Regards,
SKS

Alan Hardisty commented:
You are most likely an Authenticated Relay, which my article will help you to diagnose and resolve.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Basically someone out in the world has managed to brute force attack a username / password on your server and is now abusing your server.

rudym88 (Author) commented:
FYI: Recipient filtering is enabled.

rudym88 (Author) commented:
Hi Alan Hardisty,

That's what I originally suspected, and for that reason I changed ALL the passwords with complexity, but the problem continued.

Will go over your link now.

Alan Hardisty commented:
If you changed the passwords - did you restart the SMTP Service which would force the spammer to re-authenticate (which they can't because you changed the password)?

Without restarting the service they will continue to use the old password as they are currently authenticated and then can continue to send spam.

David Atkin (IT Professional) commented:
Hello,

Has this been resolved since blocking the IP address?

Go to mxtoolbox.com and run an SMTP diag test. This will tell you if your server can be used as an open relay without authentication.

rudym88 (Author) commented:
Alan,

The passwords were changed a few weeks back and the service was restarted but the problem continued.

After reading your article, I found an account for which the password was not changed.

After changing the password, I unblocked the IP, restarted the service, and restarted the firewall. But after a few minutes the queue began to get full again.

At this point I decided to disable the account. I am happy to say it's been 25 minutes and the queue is still clean.

Question: is there a way to check successful or unsuccessful login attempts to the SMTP server?

Thanks
RudyM

rudym88 (Author) commented:
Scorpeo,

I don't have any open relays.

Alan Hardisty commented:
Question: is there a way to check successful or unsuccessful login attempts to the SMTP server?

Yes - look in the Security Logs on the server.

David Atkin (IT Professional) commented:
The IP that you blocked, was it a local IP or an external one? Can you give us the IP?

If it's an external IP, then report the IP to their ISP. A lot of the time they do nothing, but you never know.
If it's an internal IP, then you will need to find the PC and run virus scans on it.

If the password change didn't stop the spam and neither did disabling the account, then it's not using that user account.

S_K_S commented:
Check if you can find anything in the NCSA logs under the SMTP Virtual Server.
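The last two answers point at the same evidence: the SMTP virtual server's protocol logs and the server's logon records are where an authenticated-relay abuse shows up as repeated AUTH attempts from one address, then a success against one account, then a flood of RCPT commands. As an added example that is not code from this thread or from Exchange, the Python script below parses an SMTP virtual server log in W3C Extended format (field names taken from its #Fields: header) and summarises, per connecting IP, failed and successful AUTH exchanges, the account names that appear, and the recipient count, then flags addresses that match that pattern. The log excerpt, IP addresses, host names and account names are constructed. It assumes each AUTH exchange is logged as one AUTH record whose sc-status is the final reply (235 success, 535 failure) and that the authenticated account is carried in cs-username; check both against a real log before trusting the counts.

```python
"""Summarise SMTP AUTH activity from an IIS/Exchange 2003 SMTP virtual server log.

Added example, not code from the thread. Assumes W3C Extended log format:
the SMTP verb is in cs-method, its argument in cs-uri-query, the server's
numeric reply in sc-status, and the authenticated account in cs-username.
"""
from collections import defaultdict

AUTH_OK = "235"    # SMTP reply "Authentication successful"
AUTH_FAIL = "535"  # SMTP reply "Authentication failed"

# Constructed sample log: IPs, host names, accounts and recipients are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-05-10 09:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2011-05-10 09:12:31 203.0.113.45 - SMTPSVC1 SBSSERVER 192.0.2.10 25 EHLO - +attacker.invalid 250 0 0 0 0 SMTP - - - -
2011-05-10 09:12:32 203.0.113.45 - SMTPSVC1 SBSSERVER 192.0.2.10 25 AUTH - LOGIN 535 0 0 0 0 SMTP - - - -
2011-05-10 09:12:33 203.0.113.45 - SMTPSVC1 SBSSERVER 192.0.2.10 25 AUTH - LOGIN 535 0 0 0 0 SMTP - - - -
2011-05-10 09:12:34 203.0.113.45 - SMTPSVC1 SBSSERVER 192.0.2.10 25 AUTH - LOGIN 535 0 0 0 0 SMTP - - - -
2011-05-10 09:12:35 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2011-05-10 09:12:36 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 MAIL - +FROM:<postmaster@example.com> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:12:36 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 RCPT - +TO:<victim1@example.net> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:12:36 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 RCPT - +TO:<victim2@example.net> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:12:37 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 RCPT - +TO:<victim3@example.net> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:12:37 203.0.113.45 backup SMTPSVC1 SBSSERVER 192.0.2.10 25 RCPT - +TO:<victim4@example.net> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:20:01 198.51.100.7 - SMTPSVC1 SBSSERVER 192.0.2.10 25 EHLO - +laptop.example.com 250 0 0 0 0 SMTP - - - -
2011-05-10 09:20:02 198.51.100.7 jsmith SMTPSVC1 SBSSERVER 192.0.2.10 25 AUTH - LOGIN 235 0 0 0 0 SMTP - - - -
2011-05-10 09:20:03 198.51.100.7 jsmith SMTPSVC1 SBSSERVER 192.0.2.10 25 MAIL - +FROM:<jsmith@example.com> 250 0 0 0 0 SMTP - - - -
2011-05-10 09:20:03 198.51.100.7 jsmith SMTPSVC1 SBSSERVER 192.0.2.10 25 RCPT - +TO:<partner@example.org> 250 0 0 0 0 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names from the #Fields: line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data record before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a truncated record rather than misalign columns
        yield dict(zip(fields, values))


def summarize_auth(records):
    """Per client IP: AUTH successes/failures, account names seen, RCPT count."""
    by_ip = defaultdict(lambda: {"auth_ok": 0, "auth_fail": 0, "users": set(), "rcpt": 0})
    for rec in records:
        entry = by_ip[rec["c-ip"]]
        if rec["cs-method"] == "AUTH":
            if rec["sc-status"] == AUTH_OK:
                entry["auth_ok"] += 1
            elif rec["sc-status"] == AUTH_FAIL:
                entry["auth_fail"] += 1
        elif rec["cs-method"] == "RCPT":
            entry["rcpt"] += 1
        if rec["cs-username"] != "-":
            entry["users"].add(rec["cs-username"])
    return dict(by_ip)


def flag_suspicious(summary, max_failures=5, max_rcpt=50):
    """Return {ip: [reasons]} for addresses matching the authenticated-relay pattern."""
    flagged = {}
    for ip, e in summary.items():
        reasons = []
        if e["auth_fail"] >= max_failures:
            reasons.append("auth-failures")          # password guessing
        if e["auth_fail"] > 0 and e["auth_ok"] > 0:
            reasons.append("success-after-failures")  # guessing that worked
        if e["rcpt"] >= max_rcpt:
            reasons.append("recipient-volume")       # bulk sending
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize_auth(parse_w3c(SAMPLE_LOG))
    for ip, e in summary.items():
        print(f"{ip:15} ok={e['auth_ok']} fail={e['auth_fail']} rcpt={e['rcpt']} users={sorted(e['users'])}")
    print("flagged:", flag_suspicious(summary, max_failures=3, max_rcpt=3))
```

On a real server, replace SAMPLE_LOG with the contents of the SMTP virtual server's log directory (one file per day) and raise the thresholds to match normal traffic; the "success-after-failures" reason needs no threshold and is the one that corresponds to the brute-forced account described in the thread. The account named in the flagged success is the one to reset and, as the author found, to disable until the sessions using it are gone.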