Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange 2010 Email Address Spamming

Posted on 2014-02-19
7
Medium Priority
?
617 Views
Last Modified: 2014-02-21
Hi, yesterday we found that a domain user was receiving "Undeliverable" emails in her inbox, 5000 of them about. We use a Cisco IronPort device to filter and found that her email address had sent 33k emails during the day yesterday. I worked with Cisco to adjust our outgoing policy to state that if any emails are scanned as spam or a threat, drop them. It was set to deliver them...

Cisco stated that the emails are still being sent from our mail server, so i need to find out how. I tried with doing a "get-messagetrackinglog" with the header of a spam email and it tells me the sender (which i already knew). How do i stop exchange from sending on behalf of this user, what could it be? any tips on this are greatly appreciated.

thanks
0
Comment
Question by:ArtiePublic
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 5

Expert Comment

by:Arjun Vyavahare
ID: 39872512
If you know the sender then can you go to his machine and perform Antivirus scan and also meantime can you remove that user's machine from the network for a while and monitor outgoing email traffic? This may resolve your issue.
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 2000 total points
ID: 39872629
It probably isn't anything with the workstation.
Is the server exposed to the internet? If so, then the user probably responded to a phishing email, or has used an easily guessed password and the spammer has simply bounced the emails off your server using their credentials.

While malware on a workstation is pretty common for sending spam, in almost all cases the malware will have its own SMTP engine, rather than depending on a mail client already configured. To use your email server means the malware writer has to find the server, create the messages, pass them through Outlook and hope that you don't spot them. It is much easier and less work to just have their own SMTP engine to send the email out directly, which is easily blocked - hence my suspicion that the emails actually came from outside with the user's credentials.

Simon.
0
 

Author Comment

by:ArtiePublic
ID: 39873933
Hi Simon, your exactly right. I did do the steps though above prior to what he stated, but how do you suggest i go about finding this smtp engine?
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39875296
First you should have port 25 blocked at the firewall for everything but the Exchange server. If you get an infected machine it will show in the logs very quickly.

That will allow you to identify which machine has the malware. Then I would find it and wipe it. If it belongs to the user in question then it will teach them a lesson about responding to phishing or using simple passwords. While you can run malware detection tools, malware is a moving beast and you cannot guarantee that you have removed it all.

Simon.
0
 

Author Comment

by:ArtiePublic
ID: 39875300
Port 25 is blocked for sure. What logs do you mean, the header info in the email or exchange event viewer logs? Yes, i removed the machine and so far so good but like you said it might have moved on to someone else.
0
 
LVL 16

Expert Comment

by:Enphyniti
ID: 39876057
To clarify - Simon is suggesting you block port 25 outbound for all but the exchange server.  If you've done that, then the theoretical local smtp engine on the compromised system can no longer send email.

If in fact, the mail is flowing via authentication through your mailserver, then you should be able to review outbound messages using the tracking log explorer.

Or, if your user is willing, setup a transport rule on the HT server that redirects all of their sent mail to a local mailbox.  If a bunch of spam shows up, then you know the account is compromised.

At any rate, you should change the password soonest.
0
 

Author Comment

by:ArtiePublic
ID: 39877236
Right, the password for the user has been changed. Its been two days now and i dont have anymore spam messages generating. Im going to assume this is gone or at least stopped by me restricting port 25 for outbound, as well as updating my outgoing policy on my Ironport. Thank you.
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
The main intent of this article is to make you aware of ‘Exchange fail to mount’ error, its effects, causes, and solution.
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question