  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1006
  • Last Modified:

MY ISP called and said that we are sending out SPAM

My ISP called me and said that they are blocking spam from us. How can I find out where the spam is coming from? There is not any antivirus on the Exchange 2007 server, so I am thinking that would be the best thing to do right away.

Any suggestions?
0
Asked: NAMEWITHELD12

17 Solutions
 
Alan Hardisty commented:
Firstly - make sure that port 25 outbound is blocked for ALL internal IP Addresses apart from your Exchange 2007 server.  That should hopefully resolve the issue.

Then you just need to find your infected PC and clean it up.

Alan
0
 
JasonDuncanworks commented:
One of the accounts on your server has probably been compromised. You can have everyone change their password. I also recommend a service called Appriver; they will filter your incoming email, and you can also configure your server to only accept email from them and not spam bots.
0
 
Brad Bouchard (Information Systems Security Officer) commented:
Ask them to look at some of the messages' headers so you can see exactly what is going on.  That should give you some clue.  The next thing I would do is check your blacklist status so you can see where you will have to go to request a delist.  Use this tool:  http://mxtoolbox.com/blacklists.aspx

Since Exchange 2007 and up by default is not an open relay (too many problems with 2003) I would follow the advice on these 3 links:

http://forums.msexchange.org/m_1800517170/mpage_1/key_/tm.htm#1800517280
http://blogs.technet.com/b/exchange/archive/2006/11/17/3397307.aspx
http://blogs.technet.com/b/exchange/archive/2006/12/28/3397620.aspx

Lastly, if it is still a problem, perhaps a user in your organization's account has been compromised and a full password reset domain wide wouldn't hurt.  That one is up to you but I might think about it, and also think about enforcing strong passwords.
0
 
Alan Hardisty commented:
"One of the accounts on your server has probably been compromised" - Very unlikely on an Exchange 2007 / 2010 server.  Guaranteed to be possible with Exchange 2003, but I have never seen it with 2007/2010 (yet).
0
 
Jack D commented:
I have been through this before and even been blacklisted. MAJOR hassle to get unlisted. I don't think it is your Exchange server, but more likely you have an infected PC on your network. Read post #1 and block all port 25 traffic outbound except for your Exchange server.

Second, if you have a way to do port forwarding (or whatever works in your setup), you want to send all of your outgoing traffic to a port that you can set up packet sniffing on. Then filter by SMTP and see what IP address appears besides your Exchange server. Only your Exchange should be sending SMTP traffic.

My guess is that you have a zombie PC somewhere that's infected.
0
 
Ganpar commented:
Well, spam mails generally come from spoofed mails whose domain doesn't exist. Use Queue Viewer and check whether the sender ID is valid. Try the "verify-email.org" site to test the sender email.

Please check

http://exchangepedia.com/2008/09/how-to-prevent-annoying-spam-from-your-own-domain.html

http://www.msexchange.org/articles_tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html
0
 
TazDevil1674 commented:
Have you got SPF records set up for your domain name? This will limit the possibility of people spamming from outside your network and trying to make it look like it's from inside...

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

There are a few sites with FREE wizards to create working SPF records...
0
 
Alan Hardisty commented:
There is a difference between NDR spam and Spam which your ISP would call you about (they won't call you about NDR spam).

SPF records won't help you if your network is sending out spam (not NDR spam).
0
 
NAMEWITHELD12 (Author) commented:
Wow, thanks for all the quick info.

I am going to make sure that port 25 is blocked and then find the PC that is infected.

Then I will look at some of the other solutions!

Thanks!
0
 
TazDevil1674 commented:
@alanhardisty - true but if Blacklisted may need to ensure SPF records are added before being de-listed again...
0
 
Alan Hardisty commented:
How does an SPF record help with blacklisting exactly?
0
 
NAMEWITHELD12 (Author) commented:
Thanks again for all the help. I am learning a lot and really appreciate it.

One thing that someone said here is we can use Wireshark to see where it is coming from.
0
 
Alan Hardisty commented:
You can - if you can decipher the output readily.

Your firewall (if it can log) should also be capable of showing you where the source is if you enable logging for port 25 being blocked as an infected machine should pop up very quickly.
0
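Both Jack D's suggestion (sniff outbound traffic and filter on SMTP to see which internal address besides Exchange is talking on port 25) and Alan's (log the port 25 blocks on the firewall and the infected machine shows up quickly) come down to the same triage step: count outbound SMTP connection attempts per internal source and flag any source that is not the mail server. The script below is an added example written for this thread, not code from any of the posters; it assumes a syslog-style text export from the firewall in the line format shown, the sample lines are constructed, and the "allowed senders" set is a placeholder for the real Exchange server address.

```python
"""Triage firewall logs for internal hosts trying to send mail directly.

Added example (not from the original thread). Assumes a text export in
which each line records verdict, protocol, source IP:port, destination
IP:port. The sample lines and the allowed-sender address are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: the mail server is permitted on port 25, everything
# else hitting 25 is denied and logged. Addresses are documentation ranges.
SAMPLE_LOG = """\
2013-05-01 09:14:02 PERMIT TCP 192.0.2.10:51234 -> 198.51.100.5:25
2013-05-01 09:14:02 DENY TCP 192.0.2.30:49152 -> 203.0.113.7:25
2013-05-01 09:14:03 DENY TCP 192.0.2.30:49153 -> 203.0.113.8:25
2013-05-01 09:14:03 DENY TCP 192.0.2.30:49154 -> 203.0.113.9:25
2013-05-01 09:14:04 DENY TCP 192.0.2.44:50001 -> 198.51.100.80:443
2013-05-01 09:14:05 DENY TCP 192.0.2.30:49155 -> 203.0.113.10:25
2013-05-01 09:14:06 PERMIT TCP 192.0.2.10:51235 -> 198.51.100.6:25
"""

# Placeholder: the only host that is supposed to speak SMTP to the Internet.
ALLOWED_SMTP_SENDERS = {"192.0.2.10"}

# Pulls "src:port -> dst:port" out of a line; the verdict is ignored on
# purpose so the same code works on permit-only or deny-only exports.
LINE_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def smtp_attempts_by_source(log_text, smtp_ports=(25, 465, 587)):
    """Count outbound SMTP connection attempts per internal source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dport")) in smtp_ports:
            counts[m.group("src")] += 1
    return counts


def unexpected_smtp_senders(log_text, allowed=ALLOWED_SMTP_SENDERS,
                            smtp_ports=(25, 465, 587)):
    """Return {src: {"attempts": n, "destinations": k}} for every host that
    is not an approved mail server, most active first. A spam bot typically
    fans out to many distinct destination mail servers in a short window,
    so the distinct-destination count is a useful second signal."""
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) not in smtp_ports:
            continue
        src = m.group("src")
        if src in allowed:
            continue
        attempts[src] += 1
        destinations[src].add(m.group("dst"))
    report = {
        src: {"attempts": n, "destinations": len(destinations[src])}
        for src, n in attempts.items()
    }
    return dict(sorted(report.items(), key=lambda kv: -kv[1]["attempts"]))


if __name__ == "__main__":
    for src, info in unexpected_smtp_senders(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} outbound SMTP attempts to "
              f"{info['destinations']} distinct hosts")
```

On the sample data the only suspect is 192.0.2.30, which matches the pattern the thread describes (one workstation hammering port 25 at many outside hosts). If the capture comes from Wireshark rather than the firewall, the same view is obtained with the display filter `tcp.dstport == 25` before exporting the packet list to text.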
 
TazDevil1674 commented:
@alanhardisty - the previous company I worked for got blacklisted on multiple occasions. Once we had identified the source of the internal spamming, we got de-listed; the next time we got told they wouldn't de-list us until SPF records were created to limit the chances of spamming. We then got de-listed again due to external spamming on a domain we had purchased recently, and again got asked to have SPF records in place before de-listing was done.
0
 
Alan Hardisty commented:
Okay - so that is someone else telling you that you need SPF because of an internal spam problem, but that doesn't follow if you know what SPF does and what spammers do.

It is highly unlikely that a spammer will send out mail from the domain of the server / PC that they compromised, so SPF isn't going to help anything at all.  If a spammer manages to control a PC, they will be sending out spam as any variety of domain names, and the choices are endless.

SPF is useful for helping legitimate mail arrive properly and also helpful for making sure that mail that is spoofed (claiming to come from your domain) doesn't get accepted because it comes from an IP Address / Mail Server that hasn't been authorised to send mail on behalf of your domain.

SPF only advertises the mail servers / IP Addresses that are allowed to send mail on behalf of your domain, so in this instance, adding an SPF record (whilst good practise), isn't going to help resolve the problem.

Even if the spammer picked the company's domain name to send out the spam, the SPF record would most likely include the IP address of the company anyway, so technically the SPF check would pass and the spam would be accepted.
0
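Alan's point is easiest to see by running an SPF check by hand: a receiving server looks up the sender domain's record, walks its mechanisms left to right, and takes the qualifier of the first one that matches the connecting IP. Spam leaving through the company's own public address therefore passes the company's own SPF record, while a forgery from an outside address fails. The evaluator below is an added example written for this thread, not code from any poster or from a real SPF library; it implements only the `ip4`, `ip6` and `all` mechanisms (no DNS, so `a`, `mx`, `include` and `redirect` are skipped, which is a simplification of this toy and not SPF behaviour), and the record and addresses are constructed from documentation ranges.

```python
"""Minimal SPF evaluator showing what an SPF check does and does not catch.

Added example (not from the original thread). Only ip4/ip6/all are
implemented; mechanisms that need DNS are skipped. The record and the IP
addresses are constructed.
"""
import ipaddress

# Constructed record for a hypothetical example.com whose Exchange server
# (and every workstation behind the same NAT) leaves via 203.0.113.10.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sending_ip):
    """Return pass / fail / softfail / neutral / none for a connecting IP.

    Mechanisms are tested in order and the first match decides (the RFC 7208
    rule for the subset implemented here). A record with no matching term
    and no "all" term yields neutral, as in the RFC.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # strict=False lets a bare host address act as a /32 or /128;
            # a version mismatch (v4 ip against v6 network) simply misses.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        # a / mx / include / exists / redirect= need DNS: skipped in this toy.
    return "neutral"


def spoof_scenarios(record=EXAMPLE_RECORD):
    """The two cases argued in the thread: an outside host forging the
    domain (SPF helps), and spam leaving through the company's own
    SPF-listed address (SPF passes, so it does not help)."""
    return {
        "outsider_forging_domain": evaluate_spf(record, "192.0.2.77"),
        "infected_pc_behind_company_nat": evaluate_spf(record, "203.0.113.10"),
    }


if __name__ == "__main__":
    for scenario, result in spoof_scenarios().items():
        print(f"{scenario}: {result}")
```

The second scenario is the one the ISP was calling about: the infected machine shares the company's public address, so the published record vouches for it. SPF still earns its place against the first scenario (outsiders forging the domain, the NDR-backscatter case mentioned earlier), just not against an egress problem.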
 
TazDevil1674 commented:
@alanhardisty - I didn't say he HAD to do it; I suggested he may need to do it if the blacklist company wants to be cautious.

I offered advice as requested and added my own events that may or may not be required...
0
 
Alan Hardisty commented:
I understand that - I am suggesting that it won't be remotely helpful unless a particular set of circumstances are met, which is highly unlikely.

Also - Blacklist companies are faceless and only operate via their websites and I've yet to come across one that cares about SPF.

Blacklisting happens as a result of an email hitting a Honeypot on the Blacklisting companies server.  Delisting will occur if requested (on some sites) and automatically on other sites after no more spam is received.

We can all offer advice to a problem - some may be relevant to the problem and some may not.  In this case I am suggesting that your advice is not going to be relevant to the solution.  Sorry.
0
 
Brad Bouchard (Information Systems Security Officer) commented:
@Alan - blacklist companies MAY not care about SPF, but certain large corporations definitely do, such as Google/Gmail, and they specifically instruct you to add SPF records in the event of blacklisting, or in the event of being used as an open relay. I do think Taz's advice is both warranted and relevant.

Now to the original poster, are we getting you any further towards resolution?
0
 
Alan Hardisty commented:
@xBouchardx - I'm not debating the relevance of SPF in general - I'm debating the relevance of SPF when it comes to being called by your ISP as a result of sending spam.

If you disagree - please explain why you disagree and backup your statement with some facts not personal opinion that is relevant to helping solve the problem.  Links to Google/Gmail's recommendations to add SPF records when Blacklisted are also welcome.

@NAMEWITHELD12 - Another thing to check to make sure you are not an Open Relay - which you won't be by default with Exchange 2007 unless you have messed up your Receive Connectors.  You can check this on www.checkor.com.
0
 
NAMEWITHELD12 (Author) commented:
@xBouchardx

Thanks for all the help. The only person who has access to the firewall is not available right now, so the next best thing that I could think of is Wireshark. Wireshark has been configured to look at the 6506 Cisco port attached to the ASA firewall. I have filtered Wireshark to display only port 25 (I think), and what I can see is traffic outbound on port 25 from my Exchange server and my Websense server. Now, as far as I can tell, the Websense server is only for inbound mail and should not be sending anything out?

Am I missing something here?

Is the Websense server infected? It has no AV on it.

Thanks
Capture-89.PNG
0
 
NAMEWITHELD12 (Author) commented:
One thing I was thinking was to shut off all the Websense services and see if there is still traffic from this server.
0
 
NAMEWITHELD12 (Author) commented:
This is the Wireshark data sorted to show only port 25 (in the green) and sorted by size.

It seems that this spam is coming from the Websense filter .30.
wireshark-Capture.PNG
0
 
Brad Bouchard (Information Systems Security Officer) commented:
I would shut that server off if you can, or at least unplug it from the network.  Also, if you do that and the spam stops and everything is fine then you can almost certainly guess that that is your culprit.  I would highly recommend installing AV on that machine though.
0
 
Nathan Kaufman commented:
One thing I would recommend is get better security. This can be in the form of a firewall like Dell SonicWall, and use a Server based distribution of Antivirus/Firewall software, like Symantec or Vipre.  Make sure all your Servers and Workstations have the latest patches from Microsoft as well as third parties like Java, Flash, and Adobe Reader.  Most attacks come from third parties, so it's important to keep those up to date.  You can use a program like Ninite Pro to keep the third party stuff updated and WSUS for the Servers and Workstations.

http://www.sonicwall.com/us/en/products/TZ_215.html#tab=overview
https://ninite.com/pro
http://www.gfi.com/business-antivirus-software#overview
0
 
NAMEWITHELD12 (Author) commented:
Well, this is what happened: the Websense email filter had ADP.COM added to the whitelist and thereby circumvented any and all anti-spoofing configs. I removed ADP.COM from the whitelist and all is OK.
0
 
Brad Bouchard (Information Systems Security Officer) commented:
Awesome, glad we could help you at least come to that point.
0
 
NAMEWITHELD12 (Author) commented:
Added a PTR record for the mail also.
0