Compuz

asked on

Exchange 2007 sending spam? Lots of DSN messages in queue

Hello,

Let me start by saying I know there are a lot of posts out there about Exchange and spam. I have spent the last 3 days searching the web for my issue and possible fixes and have applied what seemed to fit, as I'll note below.

My Setup/issue:

I have an Exchange 2007 sitting on a Windows 2003 R2 x64 box. I noticed an issue a week or so ago as my Exchange IP got blacklisted. Originally, I thought it was just a fluke as I had a temporary gap in antivirus coverage. So I loaded SEP, did full scans, came up with minor things, deleted them and moved on. With my new protection in place, I changed to another static IP in my range and thought life was good. Nope, blacklisted within 24 hours. Although I will admit my non-delivery messages have gone way down since I did a lot of work last night, it still doesn't seem right.

My Questions:

1) What else should I be doing to further troubleshoot this?
2) Is there a way, from the non-delivery message in the queue, that I can find and look at the original message to see where it is coming from?
3) Is the spam even coming from my Exchange server?
4) Could these still be non-delivery reports from previous spam messages before I did updates?
5) I invite any other suggestions.


So, time to do some troubleshooting.......


I should note all Exchange services are on one box. I do not have a separate Hub Transport.
Windows 2003 R2 x64 - All updates are fully installed as of this morning.
Exchange 2007 - All service packs and updates loaded as of this morning.
Exchange AntiSpam - Turned on and updated.
Exchange AntiSpam - Checked the box to reject messages with no sender address.
SMTP Test - Using MXToolbox, another website I can't recall, and Windows telnet inside and outside the building - all report working.
Open Relay Test from outside the firewall - Using MXToolbox, another website I can't recall, and Windows telnet - all report no open relay.
Open Relay Test inside the firewall - Used telnet from another machine on the network and it did allow me to relay from a different connector limited to 5 IPs on my LAN. I disabled this connector just to make sure it wasn't an issue.
Firewall - Rule blocking port 25 from all machines except Exchange.
Firewall - Separate rule blocking port 25 from Exchange. I go through the queue, delete all undeliverable reports, then open the firewall to release the messages, then close port 25 again. This has kept me off the spam lists, but is a pain. I should note I never see any messages that look like spam. Only messages sent by actual users with subjects that seem right for what we do and undeliverable messages with <> as sender.
Full Virus Scan - I scanned all PCs and servers last night. Didn't find any major issues.
Tried to use the message and logs to find messages sent to the person listed on the non-delivery report. I admit I'm not that great at the shell, but I only came up with my non-delivery report messages in my searches.

With none of this working (still getting non-delivery reports with a send-to address and subject clearly spam), I created a transport rule to BCC all sent mail (both to inside addresses and outside) to a mailbox I set up. So far (it has been active for the last 2 hours) nothing that seems like spam has shown up. Just to make sure I did it correctly, here is my rule:

For Internal mail:
Apply rule to messages
sent to users inside the organization
Blind carbon copy (Bcc) the message to **a mailbox I set up just for this

For External mail:
Apply rule to messages
sent to users outside the organization
Blind carbon copy (Bcc) the message to **a mailbox I set up just for this

**** What's happening right now

As an example, I have 5 undeliverable messages in the queue from the last 2 hours (since I created the above rules), but not one message in my BCC mailbox was sent to the address in the undeliverable messages. I have been watching the outbound queue slowly grow as I have typed this post. Again, mostly undeliverable DSN messages and real emails.


Hope that is enough info. Although I tried to list everything I can remember doing, I'm sure I forgot something.

Thanks in advance for your help.
R--R

Did you enable SMTP send/receive connector logs and check if the spam mails are received from any local machine/IP?
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

This solution is only available to members.
Compuz

ASKER

Thank you both for the quick response.

R-R

I did set the logs to verbose. But truthfully, I got lost looking at them. Any decoding help would be appreciated. I opened them in Notepad, and it was all so jumbled it was hard to follow.

Sembee2

I did reset all passwords on the system.
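For the log-decoding question in the reply above (and R--R's suggestion to check the receive connector logs for the source of the mail), here is an added example that is not code from the thread, from the asker, or from Microsoft. It parses an Exchange 2007 SMTP receive protocol log, which is a CSV whose column order is declared by its own `#Fields:` header, groups rows by session, and reports per remote IP how many sessions authenticated with a mailbox password and how many `MAIL FROM`/`RCPT TO` commands they issued. Assumptions: the default Exchange 2007 protocol log layout, a successful `AUTH` being recognised by the server's `235` reply, a placeholder `LAN_NETWORKS` list you must replace with your own address space, and a constructed sample log (`SAMPLE_LOG`) that is not a real capture.

```python
"""Summarise an Exchange 2007 SMTP receive protocol log by remote IP.

Added example for the thread above; not the asker's or Microsoft's code.
Assumes the default Exchange 2007 receive protocol log layout, where the
'#Fields:' header names the CSV columns and the 'event' column is one of
'+' (connect), '-' (disconnect), '<' (command received from the client),
'>' (reply sent by the server) or '*' (informational).
"""
import csv
import ipaddress
from collections import OrderedDict

# Placeholder LAN ranges (assumption): substitute your own address space.
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log (not a real capture). Session 08CE1 is a LAN host
# sending one message; session 08CE2 is an outside address that logs in
# with a mailbox password and then submits several messages.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2012-03-02T08:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-03-02T08:00:01.000Z,EX01\\Default EX01,08CE1,0,192.168.1.5:25,192.168.1.20:3011,+,,
2012-03-02T08:00:01.100Z,EX01\\Default EX01,08CE1,1,192.168.1.5:25,192.168.1.20:3011,<,EHLO pc20.corp.example,
2012-03-02T08:00:01.200Z,EX01\\Default EX01,08CE1,2,192.168.1.5:25,192.168.1.20:3011,<,MAIL FROM:<user@corp.example>,
2012-03-02T08:00:01.300Z,EX01\\Default EX01,08CE1,3,192.168.1.5:25,192.168.1.20:3011,<,RCPT TO:<partner@other.example>,
2012-03-02T08:00:01.400Z,EX01\\Default EX01,08CE1,4,192.168.1.5:25,192.168.1.20:3011,-,,Local
2012-03-02T08:05:00.000Z,EX01\\Default EX01,08CE2,0,192.168.1.5:25,198.51.100.77:4123,+,,
2012-03-02T08:05:00.100Z,EX01\\Default EX01,08CE2,1,192.168.1.5:25,198.51.100.77:4123,<,EHLO example.test,
2012-03-02T08:05:00.200Z,EX01\\Default EX01,08CE2,2,192.168.1.5:25,198.51.100.77:4123,<,AUTH LOGIN,
2012-03-02T08:05:00.300Z,EX01\\Default EX01,08CE2,3,192.168.1.5:25,198.51.100.77:4123,>,235 2.7.0 Authentication successful,
2012-03-02T08:05:00.400Z,EX01\\Default EX01,08CE2,4,192.168.1.5:25,198.51.100.77:4123,<,MAIL FROM:<user@corp.example>,
2012-03-02T08:05:00.500Z,EX01\\Default EX01,08CE2,5,192.168.1.5:25,198.51.100.77:4123,<,RCPT TO:<a@x.example>,
2012-03-02T08:05:00.600Z,EX01\\Default EX01,08CE2,6,192.168.1.5:25,198.51.100.77:4123,<,RCPT TO:<b@x.example>,
2012-03-02T08:05:00.700Z,EX01\\Default EX01,08CE2,7,192.168.1.5:25,198.51.100.77:4123,<,MAIL FROM:<user@corp.example>,
2012-03-02T08:05:00.800Z,EX01\\Default EX01,08CE2,8,192.168.1.5:25,198.51.100.77:4123,<,RCPT TO:<c@x.example>,
2012-03-02T08:05:00.900Z,EX01\\Default EX01,08CE2,9,192.168.1.5:25,198.51.100.77:4123,-,,Remote
"""


def parse_sessions(log_text):
    """Group log rows by session-id and record what each session did."""
    fields = None
    sessions = OrderedDict()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            # The log declares its own column order; read it from there.
            if raw.startswith("#Fields:"):
                fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("no #Fields header before the first data row")
        rec = dict(zip(fields, next(csv.reader([raw]))))
        sid = rec["session-id"]
        if sid not in sessions:
            sessions[sid] = {
                "remote_ip": rec["remote-endpoint"].rsplit(":", 1)[0],
                "auth_attempted": False,
                "authenticated": False,
                "mail_from": 0,
                "rcpt_to": 0,
            }
        s = sessions[sid]
        event, data = rec["event"], rec["data"].upper()
        if event == "<":  # command received from the client
            if data.startswith("AUTH "):
                s["auth_attempted"] = True
            elif data.startswith("MAIL FROM"):
                s["mail_from"] += 1
            elif data.startswith("RCPT TO"):
                s["rcpt_to"] += 1
        elif event == ">" and s["auth_attempted"] and data.startswith("235"):
            s["authenticated"] = True  # 235 = authentication successful
    return sessions


def is_lan(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LAN_NETWORKS)


def summarize_by_ip(sessions):
    """Aggregate per remote IP: sessions, authenticated sessions, commands."""
    summary = {}
    for s in sessions.values():
        ip = s["remote_ip"]
        row = summary.setdefault(ip, {"sessions": 0, "authenticated_sessions": 0,
                                      "mail_from": 0, "rcpt_to": 0,
                                      "external": not is_lan(ip)})
        row["sessions"] += 1
        row["authenticated_sessions"] += int(s["authenticated"])
        row["mail_from"] += s["mail_from"]
        row["rcpt_to"] += s["rcpt_to"]
    return summary


def flag_external_senders(summary):
    """Outside IPs that logged in with a mailbox password and submitted mail.

    Mail accepted this way is not relaying and not an infected LAN host; it
    is consistent with a user's credentials being used from outside.
    """
    hits = [ip for ip, r in summary.items()
            if r["external"] and r["authenticated_sessions"] and r["mail_from"]]
    return sorted(hits, key=lambda ip: -summary[ip]["mail_from"])


if __name__ == "__main__":
    summary = summarize_by_ip(parse_sessions(SAMPLE_LOG))
    for ip, r in summary.items():
        print("%-16s ext=%-5s sessions=%d auth=%d mail_from=%d rcpt_to=%d"
              % (ip, r["external"], r["sessions"], r["authenticated_sessions"],
                 r["mail_from"], r["rcpt_to"]))
    print("authenticated submissions from outside:", flag_external_senders(summary))
```

To run it against real logs, replace `SAMPLE_LOG` with the contents of the receive protocol log files, which by default live under the Exchange install directory in `TransportRoles\Logs\ProtocolLog\SmtpReceive` once protocol logging is enabled on the receive connector. The ranking by `MAIL FROM` count is what makes the picture clear quickly: a LAN host sending a handful of messages and an outside address authenticating and submitting hundreds look very different in the summary, and the second pattern points at a password reset for the account involved rather than at a virus scan of the desktops.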
Compuz

ASKER

Just an update.

I loaded the ORF spam tool last night; great reporting. It is 100% coming from the outside. No inside virus.
Compuz

ASKER

Turned out one of our account passwords was hacked.