Solved

Exchange 2007 sending spam? Lots of DSN messages in queue

Posted on 2013-01-11
Last Modified: 2014-05-13
Hello,

Let me start by saying I know there are a lot of posts out there about Exchange and Spam. I have spent the last 3 days searching the web for my issue and possible fixes and have applied what seem to fit as I'll note below.

My Setup/issue:

I have an Exchange 2007 sitting on a Windows 2003R2 x64 box. I noticed an issue a week or so ago as my Exchange IP got blacklisted. Originally, I thought it was just a fluke as I had a temp gap in antivirus coverage. So I loaded SEP, did full scans, came up with minor things, deleted them and moved on. With my new protection in place, I changed to another static IP in my range and thought life was good. Nope, blacklisted within 24 hours. Although I will admit my non-delivery messages have gone way down since I did a lot of work last night, it still doesn't seem right.

My Questions:

1) What else should I be doing to further troubleshoot this?
2) Is there a way, from the non-delivery message in the queue, that I can find and look at the original message to see where it is coming from?
3) Is the spam even coming from my Exchange server?
4) Could these still be non-delivery reports from previous spam messages before I did updates?
5) I invite any other suggestions


So, time to do some troubleshooting...


I should note all Exchange services are on one box. I do not have a separate Hub Transport.
Windows 2003r2 X64 - All updates are fully installed as of this morning.
Exchange 2007 - All service packs and updates loaded as of this morning
Exchange AntiSpam - Turned on and updated
Exchange Antispam - checked the box to reject message with no sender address
SMTP Test - Using MXToolbox, another website I can't recall, and windows telnet inside and outside the building - all report working.
Open Relay Test from outside firewall - Using MXToolbox, another website I can't recall, and windows telnet - all report no open relay
Open Relay test inside the firewall - Used telnet from another machine on the network and it did allow me to relay from a different connector limited to 5 IPs on my LAN. I disabled this connector just to make sure it wasn't an issue.
Firewall - rule blocking port 25 from all machines except Exchange
Firewall - Separate rule blocking port 25 from Exchange. I go through the queue, delete all undeliverable reports, then open the firewall to release the messages, then close port 25 again. This has kept me off the spam lists, but is a pain. I should note I never see any messages that look like spam. Only messages sent by actual users with subjects that seem right for what we do and undeliverable messages with <> as sender.  
Full Virus Scan - I scanned all PCs and servers last night and didn't find any major issues.
Tried to use the message and logs to find messages sent to the person listed on the non-delivery report. I admit I'm not that great at the shell, but I only came up with my non-delivery report messages in my searches.

With none of this working (still getting non-delivery reports with a send-to address and subject that are clearly spam), I created a transport rule to bcc all sent mail (both to inside addresses and outside) to a mailbox I set up. So far (it has been active for the last 2 hours) nothing that seems like spam has shown up. Just to make sure I did it correctly, here is my rule:

For Internal mail:
Apply rule to messages
sent to users inside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

For External mail:
Apply rule to messages
sent to users outside the organization
Blind carbon copy (Bcc) the message to **a mailbox I setup just for this

**** What's happening right now

As an example, I have 5 undeliverable messages in the queue in the last 2 hours (since I did the above rules) but not one message in my bcc box was sent to the address in the undeliverable messages. I have been watching the outbound queue slowly grow as I have typed this post. Again, mostly undeliverable DSN messages and real emails.


Hope that is enough info. Although I tried to list everything I can remember I did, I'm sure I forgot something.

Thanks in advance for your help.
Question by:Compuz
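Question 2 above (tracing a queued DSN back to the original message) can be answered from the message tracking log: Exchange writes a DSN event whose reference field holds the Message-ID of the message that bounced, and the RECEIVE event for that Message-ID records the sender, the source (SMTP for a connector submission, STOREDRIVER for a mailbox submission) and the client IP. The script below is an added example, not code from the question or from Exchange; the log excerpt is constructed, and the field order is assumed from the #Fields: header Exchange 2007 writes (the Exchange shell equivalent of the lookup is Get-MessageTrackingLog -EventId DSN, then a second query on the referenced Message-ID).

```python
import csv

# Constructed sample in the layout of an Exchange 2007 message tracking log.
# Field order is taken from the "#Fields:" header; the events are invented for
# this example. The DSN event's "reference" column points at the bounced message.
SAMPLE_TRACKING_LOG = r"""#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info
2013-01-11T08:01:02.000Z,203.0.113.45,mail.example.test,192.0.2.10,EXCH01,,EXCH01\Default EXCH01,SMTP,RECEIVE,101,<abc123@mail.example.test>,victim1@example.org;victim2@example.net,,2048,2,,,Cheap watches!!!,sales@example.com,sales@example.com,
2013-01-11T08:01:05.000Z,,,192.0.2.10,EXCH01,,,SMTP,FAIL,101,<abc123@mail.example.test>,victim1@example.org,550 5.1.1 User unknown,2048,1,,,Cheap watches!!!,sales@example.com,sales@example.com,
2013-01-11T08:01:05.000Z,,,192.0.2.10,EXCH01,,,DSN,DSN,102,<dsn777@EXCH01.example.com>,sales@example.com,,3000,1,,<abc123@mail.example.test>,Undeliverable: Cheap watches!!!,<>,<>,
2013-01-11T08:05:00.000Z,192.0.2.20,,192.0.2.10,EXCH01,MDB:placeholder,,STOREDRIVER,RECEIVE,103,<real456@EXCH01.example.com>,partner@example.net,,1500,1,,,Q1 invoice,alice@example.com,alice@example.com,
"""


def parse_tracking_log(text):
    """Return the log rows as dicts keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other header lines, blank lines, or data before a header
        else:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def explain_dsns(rows):
    """For each DSN event, find the RECEIVE event of the message it references
    and report who submitted that message, through which source, and from where."""
    receives = {r["message-id"]: r for r in rows if r["event-id"] == "RECEIVE"}
    results = []
    for r in rows:
        if r["event-id"] != "DSN":
            continue
        orig = receives.get(r["reference"])
        results.append({
            "dsn_subject": r["message-subject"],
            "original_message_id": r["reference"],
            "original_found": orig is not None,
            "original_sender": orig["sender-address"] if orig else None,
            # SMTP = submitted through a receive connector (possibly authenticated
            # relay); STOREDRIVER = submitted from a mailbox via a mail client.
            "original_source": orig["source"] if orig else None,
            "original_client_ip": orig["client-ip"] if orig else None,
            "original_recipients": orig["recipient-address"].split(";") if orig else [],
        })
    return results


if __name__ == "__main__":
    for hit in explain_dsns(parse_tracking_log(SAMPLE_TRACKING_LOG)):
        print(f"DSN '{hit['dsn_subject']}' -> {hit['original_message_id']}")
        print(f"  sender={hit['original_sender']} source={hit['original_source']} "
              f"client-ip={hit['original_client_ip']} rcpts={hit['original_recipients']}")
```

Point the script at a real log under the TransportRoles\Logs\MessageTracking folder (the exact path is server-specific) and read the source and client-ip of each referenced RECEIVE event: an external client IP on an SMTP source is the pattern of an authenticated relay abuse, while STOREDRIVER with an internal address points at a mailbox or workstation. If the reference is not found, the original message predates the retained logs, which is what question 4 asks about.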

Expert Comment

by:R--R
ID: 38767473
Did you enable SMTP send/receive connector logs and check if the spam mails are received from any local machine/IP?

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 38767563
Changed any passwords?
If you have checked for open relay then it is probably authenticated relay. Logging on the connectors may well tell you which account is doing it, but as a precaution change the password for your "Administrator" account.

Simon.

Author Comment

by:Compuz
ID: 38767614
Thank you both for the quick response.

R-R

I did set the logs to verbose. But truthfully, I got lost looking at them. Any decoding help would be appreciated. I opened them in Notepad, and it was all so jumbled it was hard to follow.

Sembee2

I did reset all passwords on the system.
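The receive connector protocol log that both answers point at is a CSV with one line per SMTP command, so it is far easier to read per session than in Notepad. The script below is an added example, not code from the thread or from Exchange: it groups lines by session-id, picks up the account named on the "authenticated" line, counts RCPT TO commands, and then lists accounts that authenticated from an address outside the LAN ranges you pass in, which is the "authenticated relay" case the accepted answer describes. The log excerpt is constructed, and the field order and the exact form of the "*,DOMAIN\user,authenticated" line are assumptions about the Exchange 2007 format; the LAN range is a placeholder.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of an Exchange 2007 receive connector protocol
# log. Field order and the "*,<account>,authenticated" line are assumptions; the
# addresses and account names are invented for this example.
SAMPLE_PROTOCOL_LOG = r"""#Software: Microsoft Exchange Server
#Version: 8.0.0.0
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-01-11T08:00:58.000Z,EXCH01\Default EXCH01,08CD1234,0,192.0.2.10:25,203.0.113.45:51234,+,,
2013-01-11T08:00:58.100Z,EXCH01\Default EXCH01,08CD1234,1,192.0.2.10:25,203.0.113.45:51234,<,EHLO mail.example.test,
2013-01-11T08:00:58.200Z,EXCH01\Default EXCH01,08CD1234,2,192.0.2.10:25,203.0.113.45:51234,<,AUTH LOGIN,
2013-01-11T08:00:59.000Z,EXCH01\Default EXCH01,08CD1234,3,192.0.2.10:25,203.0.113.45:51234,*,EXAMPLE\sales,authenticated
2013-01-11T08:00:59.100Z,EXCH01\Default EXCH01,08CD1234,4,192.0.2.10:25,203.0.113.45:51234,<,MAIL FROM:<sales@example.com>,
2013-01-11T08:00:59.200Z,EXCH01\Default EXCH01,08CD1234,5,192.0.2.10:25,203.0.113.45:51234,<,RCPT TO:<victim1@example.org>,
2013-01-11T08:00:59.300Z,EXCH01\Default EXCH01,08CD1234,6,192.0.2.10:25,203.0.113.45:51234,<,RCPT TO:<victim2@example.net>,
2013-01-11T08:00:59.400Z,EXCH01\Default EXCH01,08CD1234,7,192.0.2.10:25,203.0.113.45:51234,<,RCPT TO:<victim3@example.test>,
2013-01-11T08:01:03.000Z,EXCH01\Default EXCH01,08CD1234,8,192.0.2.10:25,203.0.113.45:51234,-,,Local
2013-01-11T08:04:00.000Z,EXCH01\Default EXCH01,08CD5678,0,192.0.2.10:25,192.0.2.20:49152,+,,
2013-01-11T08:04:00.100Z,EXCH01\Default EXCH01,08CD5678,1,192.0.2.10:25,192.0.2.20:49152,*,EXAMPLE\alice,authenticated
2013-01-11T08:04:00.200Z,EXCH01\Default EXCH01,08CD5678,2,192.0.2.10:25,192.0.2.20:49152,<,MAIL FROM:<alice@example.com>,
2013-01-11T08:04:00.300Z,EXCH01\Default EXCH01,08CD5678,3,192.0.2.10:25,192.0.2.20:49152,<,RCPT TO:<partner@example.net>,
2013-01-11T08:04:01.000Z,EXCH01\Default EXCH01,08CD5678,4,192.0.2.10:25,192.0.2.20:49152,-,,Local
"""


def parse_protocol_log(text):
    """Return the log rows as dicts keyed by the names in the #Fields: header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def summarize_sessions(rows):
    """Collapse the per-command lines into one record per SMTP session."""
    sessions = {}
    for row in rows:
        s = sessions.setdefault(row["session-id"], {
            "remote_ip": row["remote-endpoint"].rsplit(":", 1)[0],
            "account": None, "mail_from": None, "rcpt_count": 0})
        event, data, ctx = row["event"], row["data"], row["context"]
        if event == "*" and ctx.lower() == "authenticated":
            s["account"] = data          # who logged in on this session
        elif event == "<" and data.upper().startswith("MAIL FROM:"):
            s["mail_from"] = data[len("MAIL FROM:"):].strip()
        elif event == "<" and data.upper().startswith("RCPT TO:"):
            s["rcpt_count"] += 1         # volume indicator per session
    return sessions


def summarize_by_account(sessions):
    """Aggregate authenticated sessions per account: count, recipients, source IPs."""
    summary = defaultdict(lambda: {"sessions": 0, "recipients": 0, "remote_ips": set()})
    for s in sessions.values():
        if s["account"] is None:
            continue                     # anonymous sessions are not relay candidates
        acct = summary[s["account"]]
        acct["sessions"] += 1
        acct["recipients"] += s["rcpt_count"]
        acct["remote_ips"].add(s["remote_ip"])
    return dict(summary)


def accounts_authenticating_from_outside(summary, internal_nets):
    """Return {account: [external IPs]} for accounts seen from outside the given ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    flagged = {}
    for account, info in summary.items():
        outside = sorted(ip for ip in info["remote_ips"]
                         if not any(ipaddress.ip_address(ip) in n for n in nets))
        if outside:
            flagged[account] = outside
    return flagged


if __name__ == "__main__":
    sessions = summarize_sessions(parse_protocol_log(SAMPLE_PROTOCOL_LOG))
    summary = summarize_by_account(sessions)
    for account, info in summary.items():
        print(f"{account}: {info['sessions']} session(s), {info['recipients']} recipient(s), "
              f"from {sorted(info['remote_ips'])}")
    # "192.0.2.0/24" stands in for the LAN range; replace it with your own.
    print("authenticated from outside the LAN:",
          accounts_authenticating_from_outside(summary, ["192.0.2.0/24"]))
```

Run it against the files under the receive connector's ProtocolLog folder (the path is set on the server) with your own LAN ranges. An account that authenticates from internet addresses, or whose recipient count is far above that of a normal user, is the one whose password needs changing, which matches how this question was eventually closed; once it is reset, the same script over the next day's log confirms the sessions have stopped.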

Author Comment

by:Compuz
ID: 38770092
Just an update.

I loaded ORF Spam tool last night, great reporting. It is 100% coming from the outside. No inside virus.

Author Closing Comment

by:Compuz
ID: 40062773
Turned out one of our account passwords was hacked.