• Status: Solved

Exchange 2003 Sending Spam and IP Blocked

Hi,

I have an issue with an Exchange 2003 server. For the last 2 days it keeps getting blacklisted by Spamhaus as something is sending spam out. We have checked antivirus and all seems OK. Any ideas where to start?

Regards
Asked by: ComexIT

Alan Hardisty, Co-Owner, commented:
My article is a good place to start and should hopefully help you nail the problem quickly so you can get off the blacklists and get your mail flowing again:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Any questions, please ask.

Alan

Simon Butler (Sembee), Consultant, commented:
First - are you sure that it is Exchange?
If you look in the queues you will see messages hanging around if the server is being abused, because spammers' lists are not very clean.
If the queues are clean, then the source isn't Exchange.

The next step is to simply block SMTP traffic on the firewall except from the Exchange server. Turn on logging and wait. A compromised workstation will soon appear on the logs and can be found and removed.

If you do have messages in the queues on the Exchange server, it is unlikely to be malware, just a compromised account being used to send out spam.

Simon.

ComexIT, Author, commented:
Thanks Simon, do you have a list of steps for me to check, etc.?

Thanks
 
Alan Hardisty, Co-Owner, commented:
Try reading my article - link above.

Alan

ComexIT, Author, commented:
Thanks Alan,

I think it's the NDR version as it shows from postmaster@domain etc. I have applied the filter etc. Do I need to clear the queues?

Alan Hardisty, Co-Owner, commented:
You should do - it will be NDRs going back to invalid addresses, and you don't want to hit any more blacklist sites and get blacklisted.

Are you on Backscatterer.org?

Alan

ComexIT, Author, commented:
It says not listed, but was before, etc.

Alan Hardisty, Co-Owner, commented:
Good - let's hope you stay that way.

Have you resolved the Recipient Filtering yet so it doesn't happen again?

Alan

ComexIT, Author, commented:
Yes, I have enabled the recipient filter etc., so that should now be OK. Why does it happen? It's a real pain; we thought it was a PC in the network, etc.

Alan Hardisty, Co-Owner, commented:
Spammers having fun! God knows why, but they like to see if they can send their crap out and bombard servers with all manner of rubbish in the hope that one or two make it through. As a result of you not filtering the recipient, the server has to send back NDRs, and as the sender addresses are spoofed, some of the NDRs hit unpublished email addresses specifically designed to catch spam, and you got caught not filtering invalid recipients.

Hopefully you don't get caught by the other option in my article as that can be very messy and a bit harder to isolate.

Alan
Question has a verified solution.
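
As an added example (not code from this thread or from the article it links to), the Python below audits an SMTP service log in W3C extended format for the condition Alan describes: RCPT commands for non-existent mailboxes that were accepted (2xx, so an NDR follows later) versus rejected during the session (5xx, recipient filtering doing its job). The log lines, the field selection and the `VALID` address set are constructed assumptions.

```python
from collections import Counter

# Constructed sample log (assumption): addresses, IPs and the chosen
# #Fields are illustrative, not taken from the server in this thread.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2010-05-01 09:00:01 203.0.113.7 RCPT +TO:<alice@example.com> 250
2010-05-01 09:00:02 203.0.113.7 RCPT +TO:<qx81z@example.com> 250
2010-05-01 09:00:03 203.0.113.7 RCPT +TO:<sales99@example.com> 250
2010-05-01 09:00:09 198.51.100.4 RCPT +TO:<bob@example.com> 250
2010-05-01 09:05:00 203.0.113.7 RCPT +TO:<nobody@example.com> 550
2010-05-01 09:05:01 203.0.113.7 MAIL +FROM:<spoofed@elsewhere.test> 250
"""

VALID = {"alice@example.com", "bob@example.com"}  # hypothetical mailbox list

def parse_w3c(text):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def rcpt_address(query):
    """Extract the address from '+TO:<user@domain>'; None if malformed."""
    start, end = query.find("<"), query.rfind(">")
    return query[start + 1:end].lower() if 0 <= start < end else None

def audit(text, valid):
    """Count RCPTs to unknown mailboxes per client IP: (accepted, rejected)."""
    accepted, rejected = Counter(), Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method", "").upper() != "RCPT":
            continue
        addr = rcpt_address(rec.get("cs-uri-query", ""))
        if addr is None or addr in valid:
            continue  # malformed, or a real mailbox: not backscatter
        status = rec.get("sc-status", "")
        if status.startswith("2"):    # accepted now, bounced later
            accepted[rec.get("c-ip", "?")] += 1
        elif status.startswith("5"):  # rejected in-session, no NDR
            rejected[rec.get("c-ip", "?")] += 1
    return accepted, rejected
```

Any non-zero count in the first counter after the filter has been enabled means invalid recipients are still being accepted and NDRs are still being generated.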
