Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Exchange 2010 - Domain Being Spammed

Posted on 2013-05-17
10
Medium Priority
?
394 Views
Last Modified: 2013-05-22
We have two mail servers - Ex01 and EX02 - Both are in two different buildings and two different cities.  Both are CAS/HUB/MBX.

We started to see slowness on the ISP for EX01 building.  Started looking into it and we had over 43,000 SPAM messages in our queue trying to go out.  Same two or three messages for all 43,000 messages.

I have found that they are originating from our EX02 server.  EX02 is sending them over to EX01 and it is trying to send them out.  I have disabled both receive connectors on the EX02 and they still keep coming as I was trying to rule out open relay.

Here is the SPAM message from Queue Viewer

Identity: EX01\137083\296632
Subject: SUPER PACK ESPIA la PC
Internet Message ID: <41168-220135416161941370@hello>
From Address: x-aqui-no-va@mixmail.com
Status: Suspended
Size (KB): 640
Message Source Name: SMTP:Default EX01
Source IP: EX02
SCL: 0
Date Received: 5/17/2013 8:57:23 AM
Expiration Time: 5/19/2013 8:57:23 AM
Last Error:
Queue ID: CHCS-SRV-02-01\137083
Recipients:  jan@shelby.com


Question is how do i pinpoint down further what is going on.  Right now i have the nic disabled in our vm for EX02 as it sends continuously when the nic is connected.  Its about 300 messages a minute.

I have also ran virus and malware scans and found nothing on the server.  No one uses the server for anything so there is no reason that malware should be on it.
0
Comment
Question by:considerscs
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 1332 total points
ID: 39174676
If the messages continue to be generated, then they are originating from inside.  Based on what you're saying it sounds as if they're originating on the server itself, so it's foregone there's something wrong there.

Something as simple as SFC /SCANNOW may fix the problem, but I wouldn't count on it.  Grab a few more antivirus / rootkit utilities and keep trying to pinpoint the malware.  If you can't find the malware, you may have to rebuild the machine.  Also, I wouldn't presume this is the only compromised machine in your organization - you'll want to make a point of checking everything.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 336 total points
ID: 39174697
Due to the way that Exchange processes email, even after dealing with the problem new email can appear to continue appear. That isn't the case. When a spammer gets access to a system they will abuse it - dumping 100,000s of messages. Therefore you are probably just seeing the tip of it.

Simon.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174721
We have actively scanned all machines on the network and cleaned a couple with fake antivirus software.  Nothing that showed to be anything this great of a problem.

The weird thing is that in EX02 in queue viewer there is nothing there, so its generating them from somewhere and shooting them over to EX01.  Which doesnt make sense because EX02 has access to send out emails.

So if the messages have been dumped, should I just let them hit the queue and just continue to manually delete them as I have been and see if it stops?

A malware and virus scan came up clean on the server with Malwarebytes and Symantec Endpoint.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 1332 total points
ID: 39174729
"... so its generating them from somewhere and shooting them over to EX01."
That's my point.  Just because you haven't found something, doesn't mean there's nothing to find.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174740
I agree.  I am only able to see the originating IP on the messages as my EX02 server.  We are still combing the network trying to find any machine that has any type of infection.  Is there any way to go to EX02 and clear all messages that it may be holding?  Then I can see if it begins to generate new messages and if it does I know it is still active somewhere in the network.  If not then I know it was just holding messages.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 1332 total points
ID: 39174793
In the Queue Viewer you should be able to delete the offending messages.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174845
Yes I can in the Queue viewer in EX01, but that causes SPAM to go out and us to hit blacklists.

I cannot see these messages in the EX02 queue viewer.  They do not show.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 1332 total points
ID: 39175012
You should be able to delete the messages from queue without releasing anything to the Internet.  Just delete without an NDR...

Can you turn off EX02?  If so, shut it down and see if that stems the tide of spam.  At least that will tell you if the problem is on that machine.
0
 
LVL 2

Assisted Solution

by:DonYoung
DonYoung earned 332 total points
ID: 39175260
Check the mail pickup folder on Ex02.  Something may be dropping the spams directly there.  Also you can (and should) lock down the receive connectors on Ex02 (and Ex01) to only accept messages from trusted IPs.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39188584
I'm grateful for the points, but were you able to resolve your issue?  If so, can you share the solution with the community?
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Here in this article, you will get a step by step guidance on how to restore an Exchange database to a recovery database. Get a brief on Recovery Database and how it can be used to restore Exchange database in this section!
This video discusses moving either the default database or any database to a new volume.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question