Link to home
Create AccountLog in
Avatar of Axis52401
Axis52401Flag for United States of America

asked on

Outgoing Spam Email

I have a client using Exchange 2003 with about 20 users. They use a Spam filter service for both incoming and outgoing email. The past few days there have been some outgoing Spam emails but only at night. (Attached is there report from the Spam filter) I've seen viruses that send out Spam and even some that are timed to go off at night to avoid detection but with those it's usually hundreds or thousands of emails and it slows down the infected PC so so its easy to find the cause. With this its about 55. The report just shows they came from our Public IP so is there any internal way of narrowing down which station is the cause of the problem without additional hardware or expensive software.
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Can your Outbound Spam Filter show you the email headers?  That should show you which computer (internal IP) they came from.

Does your inbound SMTP Virtual Server only allow your Spam Filter to connect to it or is it open to the world?  I would expect the former.

That attachment wasn't helpful to figure out the problem. You can attach a full header of a spam e-mail so it can be traced.
Avatar of Axis52401


The Spam filter is offsite, A service we route incoming and outgoing email through so their logs only shows it came from our Public Ip address. Yes I have the relay settings restricted so only the spam filter and internal stations can connect.
Okay - can your firewall log traffic outbound to port 25 destinations?

Does it only allow mail out from your server or are all internal IP's allowed out on port 25?
No its a Cisco WRVS4400N and doesn't have that type of logging capability. I do have it configured to only allow port 25 out from the Mail server's IP and the fact that these messages even register on the Spam filters logs tells me its at least relaying internally from the mail server. If they went straight out to the Internet they wouldn't be detected by it.
Okay - if only your server is allowed out on port 25, then it has to be your server sending them.

Do you have an example of the type of spam?
No, just the report I attached with the numbers. I don't have any of the actual Spam messages in an email account.
Well - if you only allow mail in from the Spam Filter company, then it isn't (shouldn't) be an external account being abused and if it is coming from your server, only in a limited quantity, I would question the actual report and ask to see the spam as I would doubt it is anything to lose sleep over.
Yea I'm not too worried, the client gets the report too and is more paranoid about it then me. I'm just trying to find an answer for them. I'll see if I can get more email detail from the spam filter service.
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account