Solved

exchange server mail in queue, sender is spoofed

Posted on 2013-01-29
8
790 Views
Last Modified: 2013-01-29
I have mail in my outbound queues (exchange server 2003) that shows the sender as "job@careerbuilder.com".  I need to ascertain which workstation on the network is actually sender these emails (100's of them).  Virus scans come up clean.  I suspected a couple workstations as the culprit, but there is nothing I can find on their PC's to validate this.  Sent folders are normal.  No virus reported.

How can I looked at one of these stuck in the outgoing queues and determine which workstation (all with static ip's if that helps) sent the message?
0
Comment
Question by:AndyMT
  • 4
  • 4
8 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 38833174
Have a read of my article and see if you are an Authenticated Relay:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

If you are - the solution is in my article, but some further reading and a permanent solution can be found on my blog:

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

Alan
0
 

Author Comment

by:AndyMT
ID: 38833179
thanks alan....reading them now
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38833185
No probs - with Exchange 2003 this is one of the major reasons for busy queues full of spam!

It is unlikely but not impossible that you have an infection, but I have seen the Authenticated Relay more times than I have had hot dinners, so that is usually my first thought.

Alan
0
 

Author Comment

by:AndyMT
ID: 38833220
I read through the articles.  I had already accomplished some of the recommendations as this happened a few days ago initially.  Comcast blacklisted the domain although all blacklist tests were clean.  Just reran tests through mxtoolbox an the domain appears clean, reverse dns, not an open relay etc all come up clean.  

I did uncheck the basic and windows authentication as described in the 2nd article.

How can I tell (or can I tell) which workstation is sending the emails?
0
Too many email signature updates to deal with?

Do you feel like you are taking up all of your time constantly visiting users’ desks to make changes to email signatures? Wish you could manage all signatures from one central location, easily design them and deploy them quickly to users? Well, there is an easy way!

 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 500 total points
ID: 38833237
Well - if the source is internal, then you can use something like Wireshark to sniff the network for activity to the server using port 25.

If it isn't a client, then if you have killed basic and integrated windows auth on the SMTP Virtual Server and then restarted it, once the queue has been emptied of crap (you can use aqadmcli.exe to speed that up), then the queue should remain empty of crap, although it may take a while to empty the queue as a spammer would send thousands of spam messages and your server can't add them to the queue at the same time, so they queue up and then enter the queue once the server can actually process them, which can take a while, so once emptied, the queue may fill again, you then empty it and repeat until the queue is gone.

Shout if you want a link to download aqadmcli.exe

Alan
0
 

Author Comment

by:AndyMT
ID: 38833394
Here's is something I have noticed.  Quite a few of the queues (which I have currently frozen) are bogus.  Mispelled or out of the country email domains such as hotmaim.com, comcaster.net or asia.yahoo.com, gmail.com.co.  Almost as though a list of bad email addresses has been accessed.  It may just be these queues are in a retry state because the domain isn't valid and the valid ones have already connected and sent the emails.

I have done all that you suggested, hopefully this works.  I will continue to monitor this after I finish clearing the queues.

Thanks for your help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38833412
All perfectly normal for an authenticated relay.  Do you want aqadmcli.exe?
0
 

Author Closing Comment

by:AndyMT
ID: 38833580
Clear and Accurate Advice.  Thanks
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now