Solved

Exchange 2010 - Domain Being Spammed

Posted on 2013-05-17
10
353 Views
Last Modified: 2013-05-22
We have two mail servers - Ex01 and EX02 - Both are in two different buildings and two different cities.  Both are CAS/HUB/MBX.

We started to see slowness on the ISP for EX01 building.  Started looking into it and we had over 43,000 SPAM messages in our queue trying to go out.  Same two or three messages for all 43,000 messages.

I have found that they are originating from our EX02 server.  EX02 is sending them over to EX01 and it is trying to send them out.  I have disabled both receive connectors on the EX02 and they still keep coming as I was trying to rule out open relay.

Here is the SPAM message from Queue Viewer

Identity: EX01\137083\296632
Subject: SUPER PACK ESPIA la PC
Internet Message ID: <41168-220135416161941370@hello>
From Address: x-aqui-no-va@mixmail.com
Status: Suspended
Size (KB): 640
Message Source Name: SMTP:Default EX01
Source IP: EX02
SCL: 0
Date Received: 5/17/2013 8:57:23 AM
Expiration Time: 5/19/2013 8:57:23 AM
Last Error:
Queue ID: CHCS-SRV-02-01\137083
Recipients:  jan@shelby.com


Question is how do i pinpoint down further what is going on.  Right now i have the nic disabled in our vm for EX02 as it sends continuously when the nic is connected.  Its about 300 messages a minute.

I have also ran virus and malware scans and found nothing on the server.  No one uses the server for anything so there is no reason that malware should be on it.
0
Comment
Question by:considerscs
10 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 333 total points
ID: 39174676
If the messages continue to be generated, then they are originating from inside.  Based on what you're saying it sounds as if they're originating on the server itself, so it's foregone there's something wrong there.

Something as simple as SFC /SCANNOW may fix the problem, but I wouldn't count on it.  Grab a few more antivirus / rootkit utilities and keep trying to pinpoint the malware.  If you can't find the malware, you may have to rebuild the machine.  Also, I wouldn't presume this is the only compromised machine in your organization - you'll want to make a point of checking everything.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 84 total points
ID: 39174697
Due to the way that Exchange processes email, even after dealing with the problem new email can appear to continue appear. That isn't the case. When a spammer gets access to a system they will abuse it - dumping 100,000s of messages. Therefore you are probably just seeing the tip of it.

Simon.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174721
We have actively scanned all machines on the network and cleaned a couple with fake antivirus software.  Nothing that showed to be anything this great of a problem.

The weird thing is that in EX02 in queue viewer there is nothing there, so its generating them from somewhere and shooting them over to EX01.  Which doesnt make sense because EX02 has access to send out emails.

So if the messages have been dumped, should I just let them hit the queue and just continue to manually delete them as I have been and see if it stops?

A malware and virus scan came up clean on the server with Malwarebytes and Symantec Endpoint.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39174729
"... so its generating them from somewhere and shooting them over to EX01."
That's my point.  Just because you haven't found something, doesn't mean there's nothing to find.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174740
I agree.  I am only able to see the originating IP on the messages as my EX02 server.  We are still combing the network trying to find any machine that has any type of infection.  Is there any way to go to EX02 and clear all messages that it may be holding?  Then I can see if it begins to generate new messages and if it does I know it is still active somewhere in the network.  If not then I know it was just holding messages.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39174793
In the Queue Viewer you should be able to delete the offending messages.
0
 
LVL 1

Author Comment

by:considerscs
ID: 39174845
Yes I can in the Queue viewer in EX01, but that causes SPAM to go out and us to hit blacklists.

I cannot see these messages in the EX02 queue viewer.  They do not show.
0
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39175012
You should be able to delete the messages from queue without releasing anything to the Internet.  Just delete without an NDR...

Can you turn off EX02?  If so, shut it down and see if that stems the tide of spam.  At least that will tell you if the problem is on that machine.
0
 
LVL 2

Assisted Solution

by:DonYoung
DonYoung earned 83 total points
ID: 39175260
Check the mail pickup folder on Ex02.  Something may be dropping the spams directly there.  Also you can (and should) lock down the receive connectors on Ex02 (and Ex01) to only accept messages from trusted IPs.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39188584
I'm grateful for the points, but were you able to resolve your issue?  If so, can you share the solution with the community?
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now