Solved

Exchange 2010 - Domain Being Spammed

Posted on 2013-05-17
Last Modified: 2013-05-22
We have two mail servers - Ex01 and EX02 - Both are in two different buildings and two different cities.  Both are CAS/HUB/MBX.

We started to see slowness on the ISP for the EX01 building.  Started looking into it and we had over 43,000 SPAM messages in our queue trying to go out.  Same two or three messages for all 43,000 messages.

I have found that they are originating from our EX02 server.  EX02 is sending them over to EX01 and it is trying to send them out.  I have disabled both receive connectors on EX02 and they still keep coming, as I was trying to rule out open relay.

Here is the SPAM message from Queue Viewer:

Identity: EX01\137083\296632
Subject: SUPER PACK ESPIA la PC
Internet Message ID: <41168-220135416161941370@hello>
From Address: x-aqui-no-va@mixmail.com
Status: Suspended
Size (KB): 640
Message Source Name: SMTP:Default EX01
Source IP: EX02
SCL: 0
Date Received: 5/17/2013 8:57:23 AM
Expiration Time: 5/19/2013 8:57:23 AM
Last Error:
Queue ID: CHCS-SRV-02-01\137083
Recipients:  jan@shelby.com


Question is how do I pinpoint further what is going on.  Right now I have the NIC disabled in our VM for EX02, as it sends continuously when the NIC is connected.  It's about 300 messages a minute.

I have also run virus and malware scans and found nothing on the server.  No one uses the server for anything, so there is no reason that malware should be on it.
Question by:considerscs
10 Comments
 
LVL 34

Accepted Solution

by:
Paul MacDonald earned 333 total points
ID: 39174676
If the messages continue to be generated, then they are originating from inside.  Based on what you're saying it sounds as if they're originating on the server itself, so it's a foregone conclusion that there's something wrong there.

Something as simple as SFC /SCANNOW may fix the problem, but I wouldn't count on it.  Grab a few more antivirus / rootkit utilities and keep trying to pinpoint the malware.  If you can't find the malware, you may have to rebuild the machine.  Also, I wouldn't presume this is the only compromised machine in your organization - you'll want to make a point of checking everything.
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 84 total points
ID: 39174697
Due to the way that Exchange processes email, even after dealing with the problem, new email can appear to continue to appear. That isn't the case. When a spammer gets access to a system they will abuse it, dumping 100,000s of messages. Therefore you are probably just seeing the tip of it.

Simon.
 
LVL 1

Author Comment

by:considerscs
ID: 39174721
We have actively scanned all machines on the network and cleaned a couple with fake antivirus software.  Nothing that showed to be anything this great of a problem.

The weird thing is that in EX02 in Queue Viewer there is nothing there, so it's generating them from somewhere and shooting them over to EX01.  Which doesn't make sense, because EX02 has access to send out emails.

So if the messages have been dumped, should I just let them hit the queue and just continue to manually delete them as I have been and see if it stops?

A malware and virus scan came up clean on the server with Malwarebytes and Symantec Endpoint.
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39174729
"... so its generating them from somewhere and shooting them over to EX01."
That's my point.  Just because you haven't found something, doesn't mean there's nothing to find.
 
LVL 1

Author Comment

by:considerscs
ID: 39174740
I agree.  I am only able to see the originating IP on the messages as my EX02 server.  We are still combing the network trying to find any machine that has any type of infection.  Is there any way to go to EX02 and clear all messages that it may be holding?  Then I can see if it begins to generate new messages and if it does I know it is still active somewhere in the network.  If not then I know it was just holding messages.
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39174793
In the Queue Viewer you should be able to delete the offending messages.
 
LVL 1

Author Comment

by:considerscs
ID: 39174845
Yes, I can in the Queue Viewer on EX01, but that causes SPAM to go out and us to hit blacklists.

I cannot see these messages in the EX02 queue viewer.  They do not show.
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 333 total points
ID: 39175012
You should be able to delete the messages from queue without releasing anything to the Internet.  Just delete without an NDR...

Can you turn off EX02?  If so, shut it down and see if that stems the tide of spam.  At least that will tell you if the problem is on that machine.
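Added example (not from the original thread): the two things the question and the reply above are asking for, done from the Exchange Management Shell instead of Queue Viewer. First, the message tracking log on EX02 shows how the messages entered transport, which is what "Source IP: EX02" in EX01's queue does not tell you: a RECEIVE event with Source SMTP names the receive connector and client IP, PICKUP means a file was dropped into the Pickup or Replay directory, and STOREDRIVER means a mailbox on that server submitted it (a compromised account rather than a compromised box). Second, suspend and delete the queued copies on EX01 with the NDR switched off, so nothing goes to the Internet and no backscatter is generated. Server names, the subject line and the filter text come from the post; the 24-hour lookback window is an assumption.

```powershell
# Added example, not code from the thread. EX01/EX02 and the subject are from the
# post; the lookback window is an assumption.
$subject = "SUPER PACK ESPIA la PC"
$since   = (Get-Date).AddHours(-24)   # assumed window; widen if the tracking logs go back further

# 1. On EX02: how are these messages entering transport?
#    Source = SMTP        -> via a receive connector (ConnectorId / ClientIp say which host)
#    Source = PICKUP      -> a file dropped into the Pickup or Replay directory
#    Source = STOREDRIVER -> submitted from a mailbox on EX02 (check the Sender column)
Get-MessageTrackingLog -Server EX02 -EventId RECEIVE -Start $since `
    -MessageSubject $subject -ResultSize Unlimited |
  Group-Object Source, ConnectorId, ClientIp, Sender |
  Sort-Object Count -Descending |
  Select-Object Count, Name

# 2. On EX02: the matching SEND events show it handing the messages to EX01,
#    which is why they surface in EX01's queue with EX02 as the source.
Get-MessageTrackingLog -Server EX02 -EventId SEND -Start $since `
    -MessageSubject $subject -ResultSize Unlimited |
  Select-Object -First 5 Timestamp, Sender, Recipients, ServerHostname, ConnectorId

# 3. On EX01: freeze every queued copy first, count them, then delete WITHOUT an NDR.
#    Deleting with an NDR would bounce to the forged sender, i.e. more outbound spam.
$filter = "Subject -like '*ESPIA*'"
Suspend-Message -Server EX01 -Filter $filter -Confirm:$false
Get-Message -Server EX01 -Filter $filter -ResultSize Unlimited |
  Measure-Object | Select-Object Count
Remove-Message -Server EX01 -Filter $filter -WithNDR $false -Confirm:$false
```

Run step 1 before reconnecting EX02's NIC and again after: if the RECEIVE count keeps growing while every receive connector is disabled, the submission path is not SMTP, and the Source column tells you whether to look at the Pickup/Replay directories or at a mailbox.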
 
LVL 2

Assisted Solution

by:DonYoung
DonYoung earned 83 total points
ID: 39175260
Check the mail pickup folder on Ex02.  Something may be dropping the spam directly there.  Also you can (and should) lock down the receive connectors on Ex02 (and Ex01) to only accept messages from trusted IPs.
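Added example (not from the thread) for the two checks suggested above: look at the Pickup and Replay directories on EX02, and audit EX02's receive connectors for anonymous relay before tightening their remote IP ranges. Transport consumes a pickup file within seconds, so an empty directory proves nothing by itself; the last-write time and the tracking log's PICKUP source are the better signal. The connector name "EX02\Relay" and the 192.0.2.x addresses are placeholders to be replaced with your own relay connector and trusted hosts. Written for the Exchange 2010 shell (PowerShell 2.0 syntax).

```powershell
# Added example, not code from the thread. "EX02\Relay" and 192.0.2.x are placeholders.

# 1. Pickup and Replay directories on EX02: contents and last-write time.
$ts = Get-TransportServer -Identity EX02
foreach ($dir in @($ts.PickupDirectoryPath, $ts.ReplayDirectoryPath)) {
    if ($dir) {
        $path = $dir.ToString()
        "$path  (last write: $((Get-Item $path).LastWriteTime))"
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } |
          Select-Object Name, Length, CreationTime
    }
}

# 2. Which receive connectors on EX02 let anonymous senders relay?
#    ms-Exch-SMTP-Accept-Any-Recipient granted to ANONYMOUS LOGON makes the
#    connector an open relay for every address in its RemoteIPRanges.
Get-ReceiveConnector -Server EX02 | ForEach-Object {
    $rc   = $_
    $anon = $rc | Get-ADPermission |
      Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and
                     $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" }
    New-Object PSObject -Property @{
        Connector        = $rc.Identity
        Enabled          = $rc.Enabled
        Bindings         = ($rc.Bindings -join ", ")
        RemoteIPRanges   = ($rc.RemoteIPRanges -join ", ")
        PermissionGroups = $rc.PermissionGroups
        AnonymousRelay   = [bool]$anon
    }
} | Format-Table Connector, Enabled, AnonymousRelay, RemoteIPRanges, PermissionGroups -AutoSize

# 3. Restrict the relay connector to the hosts that genuinely need it
#    (placeholder connector name and addresses; anything outside these ranges
#    will no longer match this connector).
Set-ReceiveConnector -Identity "EX02\Relay" `
    -RemoteIPRanges "192.0.2.10","192.0.2.11" -Confirm:$false
```

If the tracking log shows Source = PICKUP but the directory is always empty when you look, watch the directory with a file monitor such as Sysinternals Process Monitor filtered on that path: the process that writes the .eml files is the thing to remove.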
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 39188584
I'm grateful for the points, but were you able to resolve your issue?  If so, can you share the solution with the community?