• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 898
  • Last Modified:

Exchange 2007 sending spam? Lots of DSN messages in queue


Let me start by saying I know there are a lot of posts out there about Exchange and Spam. I have spent the last 3 days searching the web for my issue and possible fixes and have applied what seem to fit as I'll note below.

My Setup/issue:

I have an Exchange 2007 sitting on a Windows 2003R2 x64 box. I noticed an issue a week or so ago as my Exchange IP got blacklisted. Originally, I thought it was just a fluke as I had a temp gap in antivirus coverage. So I loaded SEP, did full scans, came up with minor things, deleted them and moved on. With my new protection in place, I changed to another static IP in my range and though life was good. Nope, blacklisted within 24 hours. Although I will admit my non deliver messages have gone way down since I did a lot of work last night, it still doesn't seem right.

My Questions:

1) What else I should be doing to further trouble shoot this?
2) Is there a way, from the non-deliver message in the queue, that I can find and look at the original message to see where it is coming from?
3) Is the spam even coming from my Exchange server?
4) Could these still be non-deliver reports from previous spam messages before I did updates?
5) I invite any other suggestions

So, time to do some troubleshooting.......

Should note All Exchange services are on one box. I do not have a separate HUB Transport
Windows 2003r2 X64 - All updates are fully installed as of this morning.
Exchange 2007 - All service packs and updates loaded as of this morning
Exchange AntiSpam - Turned on and updated
Exchange Antispam - checked the box to reject message with no sender address
SMTP Test - Using MXToolbox, another website I can't recall, and windows telnet inside and outside the building - all report working.
Open Relay Test from outside firewall - Using MXToolbox, another website I can't recall, and windows telnet - all report no open relay
Open Relay test inside the firewall - Used telnet from another machine on the network and it did allow me to relay from a different connector limited to 5 IP's on my LAN. I disabled this connector just to make sure it wasn't an issue
Firewall - rule blocking port 25 from all machines except Exchange
Firewall - Separate rule blocking port 25 from Exchange. I go through the queue, delete all undeliverable reports, then open the firewall to release the messages, then close port 25 again. This has kept me off the spam lists, but is a pain. I should note I never see any messages that look like spam. Only messages sent by actual users with subjects that seem right for what we do and undeliverable messages with <> as sender.  
Full Virus Scan - I scanned all PC's and servers last nigh. didn't find any major issues.
Tried to use the message and logs to find messages sent to the person listed on the non-deliver. I admit I'm not that great at the shell, but I only came up with my non deliver report messages in my searches.

With none of this working, (still getting Non-deliver reports with send to address and subject clearly spam) I created a transport rule to bcc all sent mail (both to inside addresses and outside) to a mail box I setup. So far (it has been active for the last 2 hours) nothing that seems like spam has shown up.  Just to make sure I did it correct, here is my rule:

For Internal mail:
Apply rule to messages
sent to users inside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

For External mail:
Apply rule to messages
sent to users outside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

**** What's happening right now

As an example, I have 5 undeliverable messages in the queue in the last 2 hours (when I did the above rules) but not one message in my bcc box was sent to the address in the undeliverable messages. I have been watching the outbound queue slowly grow as I have typed this post. again, mostly undeliverable DSN messages and real emails.

Hope that is enough info, although I tried to list everything I can remember I did, I'm sure I forgot something.

Thanks in advance for your help.
  • 3
1 Solution
Did you enabled SMTP send/receive connector logs and check if the spam mails are received from any local machine/IP.
Simon Butler (Sembee)ConsultantCommented:
Changed any passwords?
If you have checked for open relay then it is probably authenticated relay. Logging on the connectors may well tell you which account is doing it, but as a precaution change the password for your "Administrator" account.

CompuzAuthor Commented:
Thank you both for the quick response.


I did set the logs to verbose. But truthfully, I got lost looking at them. any decoding help would be appreciated. I opened them in Notepad, and it was all so jumbled it was hard to follow.


I did reset all password on the system.
CompuzAuthor Commented:
Just an update.

I loaded ORF Spam tool last night, great reporting. It is 100% coming from the outside. No inside virus.
CompuzAuthor Commented:
Turned out one of our account passwords was hacked
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now