• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 397
  • Last Modified:

Exchange 2010 - Domain Being Spammed

We have two mail servers - Ex01 and EX02 - Both are in two different buildings and two different cities.  Both are CAS/HUB/MBX.

We started to see slowness on the ISP for EX01 building.  Started looking into it and we had over 43,000 SPAM messages in our queue trying to go out.  Same two or three messages for all 43,000 messages.

I have found that they are originating from our EX02 server.  EX02 is sending them over to EX01 and it is trying to send them out.  I have disabled both receive connectors on the EX02 and they still keep coming as I was trying to rule out open relay.

Here is the SPAM message from Queue Viewer

Identity: EX01\137083\296632
Subject: SUPER PACK ESPIA la PC
Internet Message ID: <41168-220135416161941370@hello>
From Address: x-aqui-no-va@mixmail.com
Status: Suspended
Size (KB): 640
Message Source Name: SMTP:Default EX01
Source IP: EX02
SCL: 0
Date Received: 5/17/2013 8:57:23 AM
Expiration Time: 5/19/2013 8:57:23 AM
Last Error:
Queue ID: CHCS-SRV-02-01\137083
Recipients:  jan@shelby.com


Question is how do i pinpoint down further what is going on.  Right now i have the nic disabled in our vm for EX02 as it sends continuously when the nic is connected.  Its about 300 messages a minute.

I have also ran virus and malware scans and found nothing on the server.  No one uses the server for anything so there is no reason that malware should be on it.
0
considerscs
Asked:
considerscs
6 Solutions
 
Paul MacDonaldDirector, Information SystemsCommented:
If the messages continue to be generated, then they are originating from inside.  Based on what you're saying it sounds as if they're originating on the server itself, so it's foregone there's something wrong there.

Something as simple as SFC /SCANNOW may fix the problem, but I wouldn't count on it.  Grab a few more antivirus / rootkit utilities and keep trying to pinpoint the malware.  If you can't find the malware, you may have to rebuild the machine.  Also, I wouldn't presume this is the only compromised machine in your organization - you'll want to make a point of checking everything.
0
 
Simon Butler (Sembee)ConsultantCommented:
Due to the way that Exchange processes email, even after dealing with the problem new email can appear to continue appear. That isn't the case. When a spammer gets access to a system they will abuse it - dumping 100,000s of messages. Therefore you are probably just seeing the tip of it.

Simon.
0
 
considerscsAuthor Commented:
We have actively scanned all machines on the network and cleaned a couple with fake antivirus software.  Nothing that showed to be anything this great of a problem.

The weird thing is that in EX02 in queue viewer there is nothing there, so its generating them from somewhere and shooting them over to EX01.  Which doesnt make sense because EX02 has access to send out emails.

So if the messages have been dumped, should I just let them hit the queue and just continue to manually delete them as I have been and see if it stops?

A malware and virus scan came up clean on the server with Malwarebytes and Symantec Endpoint.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Paul MacDonaldDirector, Information SystemsCommented:
"... so its generating them from somewhere and shooting them over to EX01."
That's my point.  Just because you haven't found something, doesn't mean there's nothing to find.
0
 
considerscsAuthor Commented:
I agree.  I am only able to see the originating IP on the messages as my EX02 server.  We are still combing the network trying to find any machine that has any type of infection.  Is there any way to go to EX02 and clear all messages that it may be holding?  Then I can see if it begins to generate new messages and if it does I know it is still active somewhere in the network.  If not then I know it was just holding messages.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
In the Queue Viewer you should be able to delete the offending messages.
0
 
considerscsAuthor Commented:
Yes I can in the Queue viewer in EX01, but that causes SPAM to go out and us to hit blacklists.

I cannot see these messages in the EX02 queue viewer.  They do not show.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
You should be able to delete the messages from queue without releasing anything to the Internet.  Just delete without an NDR...

Can you turn off EX02?  If so, shut it down and see if that stems the tide of spam.  At least that will tell you if the problem is on that machine.
0
 
DonYoungSr. Enterprise ArchitectCommented:
Check the mail pickup folder on Ex02.  Something may be dropping the spams directly there.  Also you can (and should) lock down the receive connectors on Ex02 (and Ex01) to only accept messages from trusted IPs.
0
 
Paul MacDonaldDirector, Information SystemsCommented:
I'm grateful for the points, but were you able to resolve your issue?  If so, can you share the solution with the community?
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now