Solved

Exchange 2010 - Domain Being Spammed

Posted on 2013-05-17
10
334 Views
Last Modified: 2013-05-22
We have two mail servers - Ex01 and EX02 - Both are in two different buildings and two different cities.  Both are CAS/HUB/MBX.

We started to see slowness on the ISP for EX01 building.  Started looking into it and we had over 43,000 SPAM messages in our queue trying to go out.  Same two or three messages for all 43,000 messages.

I have found that they are originating from our EX02 server.  EX02 is sending them over to EX01 and it is trying to send them out.  I have disabled both receive connectors on the EX02 and they still keep coming as I was trying to rule out open relay.

Here is the SPAM message from Queue Viewer

Identity: EX01\137083\296632
Subject: SUPER PACK ESPIA la PC
Internet Message ID: <41168-220135416161941370@hello>
From Address: x-aqui-no-va@mixmail.com
Status: Suspended
Size (KB): 640
Message Source Name: SMTP:Default EX01
Source IP: EX02
SCL: 0
Date Received: 5/17/2013 8:57:23 AM
Expiration Time: 5/19/2013 8:57:23 AM
Last Error:
Queue ID: CHCS-SRV-02-01\137083
Recipients:  jan@shelby.com


Question is how do i pinpoint down further what is going on.  Right now i have the nic disabled in our vm for EX02 as it sends continuously when the nic is connected.  Its about 300 messages a minute.

I have also ran virus and malware scans and found nothing on the server.  No one uses the server for anything so there is no reason that malware should be on it.
0
Comment
Question by:considerscs
10 Comments
 
LVL 33

Accepted Solution

by:
paulmacd earned 333 total points
Comment Utility
If the messages continue to be generated, then they are originating from inside.  Based on what you're saying it sounds as if they're originating on the server itself, so it's foregone there's something wrong there.

Something as simple as SFC /SCANNOW may fix the problem, but I wouldn't count on it.  Grab a few more antivirus / rootkit utilities and keep trying to pinpoint the malware.  If you can't find the malware, you may have to rebuild the machine.  Also, I wouldn't presume this is the only compromised machine in your organization - you'll want to make a point of checking everything.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 84 total points
Comment Utility
Due to the way that Exchange processes email, even after dealing with the problem new email can appear to continue appear. That isn't the case. When a spammer gets access to a system they will abuse it - dumping 100,000s of messages. Therefore you are probably just seeing the tip of it.

Simon.
0
 
LVL 1

Author Comment

by:considerscs
Comment Utility
We have actively scanned all machines on the network and cleaned a couple with fake antivirus software.  Nothing that showed to be anything this great of a problem.

The weird thing is that in EX02 in queue viewer there is nothing there, so its generating them from somewhere and shooting them over to EX01.  Which doesnt make sense because EX02 has access to send out emails.

So if the messages have been dumped, should I just let them hit the queue and just continue to manually delete them as I have been and see if it stops?

A malware and virus scan came up clean on the server with Malwarebytes and Symantec Endpoint.
0
 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 333 total points
Comment Utility
"... so its generating them from somewhere and shooting them over to EX01."
That's my point.  Just because you haven't found something, doesn't mean there's nothing to find.
0
 
LVL 1

Author Comment

by:considerscs
Comment Utility
I agree.  I am only able to see the originating IP on the messages as my EX02 server.  We are still combing the network trying to find any machine that has any type of infection.  Is there any way to go to EX02 and clear all messages that it may be holding?  Then I can see if it begins to generate new messages and if it does I know it is still active somewhere in the network.  If not then I know it was just holding messages.
0
Why spend so long doing email signature updates?

Do you spend loads of your time carrying out email signature updates? Not very interesting are they? Don’t let signature updates get you down. Let Exclaimer Cloud - Signatures for Office 365 make managing email signatures a breeze.

 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 333 total points
Comment Utility
In the Queue Viewer you should be able to delete the offending messages.
0
 
LVL 1

Author Comment

by:considerscs
Comment Utility
Yes I can in the Queue viewer in EX01, but that causes SPAM to go out and us to hit blacklists.

I cannot see these messages in the EX02 queue viewer.  They do not show.
0
 
LVL 33

Assisted Solution

by:paulmacd
paulmacd earned 333 total points
Comment Utility
You should be able to delete the messages from queue without releasing anything to the Internet.  Just delete without an NDR...

Can you turn off EX02?  If so, shut it down and see if that stems the tide of spam.  At least that will tell you if the problem is on that machine.
0
 
LVL 2

Assisted Solution

by:DonYoung
DonYoung earned 83 total points
Comment Utility
Check the mail pickup folder on Ex02.  Something may be dropping the spams directly there.  Also you can (and should) lock down the receive connectors on Ex02 (and Ex01) to only accept messages from trusted IPs.
0
 
LVL 33

Expert Comment

by:paulmacd
Comment Utility
I'm grateful for the points, but were you able to resolve your issue?  If so, can you share the solution with the community?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now