Solved

Exchange 2007 sending spam? Lots of DSN messages in queue

Posted on 2013-01-11
5
758 Views
Last Modified: 2014-05-13
Hello,

Let me start by saying I know there are a lot of posts out there about Exchange and Spam. I have spent the last 3 days searching the web for my issue and possible fixes and have applied what seem to fit as I'll note below.

My Setup/issue:

I have an Exchange 2007 sitting on a Windows 2003R2 x64 box. I noticed an issue a week or so ago as my Exchange IP got blacklisted. Originally, I thought it was just a fluke as I had a temp gap in antivirus coverage. So I loaded SEP, did full scans, came up with minor things, deleted them and moved on. With my new protection in place, I changed to another static IP in my range and thought life was good. Nope, blacklisted within 24 hours. Although I will admit my non-delivery messages have gone way down since I did a lot of work last night, it still doesn't seem right.

My Questions:

1) What else should I be doing to further troubleshoot this?
2) Is there a way, from the non-delivery message in the queue, that I can find and look at the original message to see where it is coming from?
3) Is the spam even coming from my Exchange server?
4) Could these still be non-delivery reports from previous spam messages before I did updates?
5) I invite any other suggestions.


So, time to do some troubleshooting...


I should note all Exchange services are on one box. I do not have a separate Hub Transport.
Windows 2003r2 X64 - All updates are fully installed as of this morning.
Exchange 2007 - All service packs and updates loaded as of this morning
Exchange AntiSpam - Turned on and updated
Exchange Antispam - checked the box to reject message with no sender address
SMTP Test - Using MXToolbox, another website I can't recall, and windows telnet inside and outside the building - all report working.
Open Relay Test from outside firewall - Using MXToolbox, another website I can't recall, and windows telnet - all report no open relay
Open Relay test inside the firewall - Used telnet from another machine on the network and it did allow me to relay from a different connector limited to 5 IPs on my LAN. I disabled this connector just to make sure it wasn't an issue.
Firewall - rule blocking port 25 from all machines except Exchange
Firewall - Separate rule blocking port 25 from Exchange. I go through the queue, delete all undeliverable reports, then open the firewall to release the messages, then close port 25 again. This has kept me off the spam lists, but is a pain. I should note I never see any messages that look like spam. Only messages sent by actual users with subjects that seem right for what we do and undeliverable messages with <> as sender.  
Full Virus Scan - I scanned all PCs and servers last night and didn't find any major issues.
Tried to use the message tracking logs to find messages sent to the person listed on the non-delivery report. I admit I'm not that great at the shell, but I only came up with my non-delivery report messages in my searches.

With none of this working (still getting non-delivery reports with a send-to address and subject that are clearly spam), I created a transport rule to Bcc all sent mail (both to inside addresses and outside) to a mailbox I set up. So far (it has been active for the last 2 hours) nothing that seems like spam has shown up. Just to make sure I did it correctly, here is my rule:

For Internal mail:
Apply rule to messages
sent to users inside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

For External mail:
Apply rule to messages
sent to users outside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

**** What's happening right now

As an example, I have 5 undeliverable messages in the queue from the last 2 hours (since I added the above rules), but not one message in my Bcc box was sent to the address in the undeliverable messages. I have been watching the outbound queue slowly grow as I have typed this post. Again, mostly undeliverable DSN messages and real emails.


Hope that is enough info. Although I tried to list everything I can remember doing, I'm sure I forgot something.

Thanks in advance for your help.
Question by:Compuz
5 Comments
 
LVL 19

Expert Comment

by:R--R
ID: 38767473
Did you enable SMTP send/receive connector logs and check if the spam mails are received from any local machine/IP?
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 38767563
Changed any passwords?
If you have checked for open relay then it is probably authenticated relay. Logging on the connectors may well tell you which account is doing it, but as a precaution change the password for your "Administrator" account.

Simon.
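Both replies point at the receive-connector protocol logs as the place to see which account is relaying. As an added example (not code from the thread or from Exchange), the Python below parses the Exchange protocol log layout, which is assumed to be `#`-prefixed header comments, a `#Fields:` line naming the columns, and CSV rows; the `authenticated` context marker and every sample row are constructed for illustration. It tallies authenticated sessions per account and flags accounts that logged on from more distinct remote addresses than a single user's workstation would.

```python
"""Summarise authenticated SMTP sessions in Exchange receive-connector protocol logs.

Added example, not part of the original thread. The log layout (comment headers,
a '#Fields:' line, CSV data rows) and the '*' event with context 'authenticated'
are assumptions about the format; SAMPLE_LOG is constructed test data.
"""
import csv
from collections import defaultdict

# Constructed sample: one user authenticates from the LAN, while one account
# authenticates from two unrelated public addresses within a minute.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-01-11T08:00:01.000Z,EX01\\Default EX01,08CF9E0A1,0,192.0.2.10:25,192.0.2.55:49152,+,,
2013-01-11T08:00:02.000Z,EX01\\Default EX01,08CF9E0A1,5,192.0.2.10:25,192.0.2.55:49152,*,CONTOSO\\jdoe,authenticated
2013-01-11T08:05:01.000Z,EX01\\Default EX01,08CF9E0B2,0,192.0.2.10:25,198.51.100.23:3311,+,,
2013-01-11T08:05:02.000Z,EX01\\Default EX01,08CF9E0B2,5,192.0.2.10:25,198.51.100.23:3311,*,CONTOSO\\svc-scan,authenticated
2013-01-11T08:06:01.000Z,EX01\\Default EX01,08CF9E0C3,0,192.0.2.10:25,203.0.113.77:51000,+,,
2013-01-11T08:06:02.000Z,EX01\\Default EX01,08CF9E0C3,5,192.0.2.10:25,203.0.113.77:51000,*,CONTOSO\\svc-scan,authenticated
"""

def parse_protocol_log(text):
    """Yield one dict per data row, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip():
            continue  # other header comments and blank lines carry no session data
        elif fields:
            yield dict(zip(fields, next(csv.reader([line]))))

def authenticated_sessions(text):
    """Map each authenticated account to the sorted list of remote IPs it logged on from."""
    seen = defaultdict(set)
    for row in parse_protocol_log(text):
        if row["event"] == "*" and row["context"] == "authenticated":
            remote_ip = row["remote-endpoint"].rsplit(":", 1)[0]  # strip the port
            seen[row["data"]].add(remote_ip)
    return {account: sorted(ips) for account, ips in seen.items()}

def suspicious_accounts(text, max_ips=1):
    """Accounts relaying from more distinct IPs than one workstation would normally use."""
    return sorted(a for a, ips in authenticated_sessions(text).items() if len(ips) > max_ips)
```

Running `suspicious_accounts` over a real log (for example `open(path).read()`) gives the list of accounts whose passwords are the first candidates for a reset; the `max_ips` threshold should be raised for accounts legitimately used from many locations.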
 

Author Comment

by:Compuz
ID: 38767614
Thank you both for the quick response.

R-R

I did set the logs to verbose. But truthfully, I got lost looking at them. Any decoding help would be appreciated. I opened them in Notepad, and it was all so jumbled it was hard to follow.

Sembee2

I did reset all passwords on the system.
 

Author Comment

by:Compuz
ID: 38770092
Just an update.

I loaded ORF Spam tool last night, great reporting. It is 100% coming from the outside. No inside virus.
 

Author Closing Comment

by:Compuz
ID: 40062773
Turned out one of our account passwords was hacked.
