Solved

Exchange sending out spam - Can't find source

Posted on 2014-02-28
Last Modified: 2014-03-01
Situation:
Our Exchange 2003 / Exchange 2010 coexistence environment is sending out spam (10,000+ email attempts a day).

Background:
Last week we found out that our IP was listed on almost all of the spam lists. I saw that our Exchange 2003 message queue was bloated with thousands of emails. I flushed the queue and locked down the firewall so that only MXLogic (our spam filter) IPs can send SMTP traffic to our Exchange server. I also locked other firewall settings down as well. Everything went back to normal for a few days.

Current:
The same thing happened again yesterday on the Exchange 2010 server: thousands of emails in the queue. Our IP (for the 2010 server this time) got blacklisted.

Tasks I have done:
- Ran SEP and Malwarebytes on the Exchange server. Came up clean.
- Locked down SMTP traffic to only receive from MXLogic.
- Cleared out the message queue.
- VERIFIED that we are not an open relay on the internet.

At this point, I'm not sure what to do. It seems like it keeps popping up and then going away. Have we somehow been hacked? Is an authenticated user on the domain unknowingly sending spam? Where should I start?
Question by: Paul Wagner
17 Comments
 
LVL 15

Accepted Solution

by: jerseysam (earned 500 total points)
ID: 39894406
OK, turn on diagnostic logging in Exchange. Look for event ID 1708 to see whether there is a user spamming the Exchange server.

See post:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also, you need to lock down port 25 for SMTP so that only the server can access it.
0
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894470
I read the article. There is no Authentication under MSExchange Transport.

MSExchange Transport without Authentication option.
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39894480
What version of Exchange are you using?
0
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894485
2010
0
 
LVL 15

Assisted Solution

by: jerseysam (earned 500 total points)
ID: 39894492
0
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894500
Yeah, I read that after your first post, but it described something so different that I didn't want to end up down the rabbit hole. Working on it now.
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39894508
OK. Once you get logging sorted, if a machine on your network is spamming, it should be fairly obvious from the constant 1708 events in the event log on the Exchange server.
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39894511
http://support.microsoft.com/kb/324958

Good guide for cleaning up once you find the infected machine and remove it from the network.
0
 
LVL 15

Assisted Solution

by: jerseysam (earned 500 total points)
ID: 39894514
If you can configure your firewall, block all traffic to port 25 apart from the Exchange server, and then check the firewall logs to see who keeps requesting port 25 access.
0
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894580
The only thing I find (on my Exchange 2003 server) is a ton of Information events with ID 1708. Most of them say the username was "DOMAIN\EXCHANGE 2010$". This is not an account, though. That's the server we have coexistence set up on.
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39894591
Have you cleaned that other server?

First thing is to change passwords.
0
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894598
Cleaned as in virus scan? Yes.
Change which passwords?
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39894609
Change the password on the machine that constantly generates 1708 requests and see if they settle down. Usually the machine that generates 1708 requests every 10 seconds or so is the spam machine, at least for a user PC anyway.
0
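The triage jerseysam describes (one account producing 1708 events every few seconds while legitimate relays trickle in far more slowly), as an added PowerShell example that is not from the thread. The sample events are constructed; the Get-EventLog query and the idea of pulling the account name out of the event message are assumptions about the live data.

```powershell
# Added example, not from the thread: triage MSExchangeTransport event 1708 by account.
# Input objects need a Time (DateTime) and a User (string). On a live server the events
# would come from something like (assumption about source name and message format):
#   Get-EventLog -LogName Application -Source MSExchangeTransport -InstanceId 1708
# with the account name extracted from each event's Message.

function Get-Smtp1708Triage {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Events,
        [int] $MaxMedianIntervalSec = 15,   # "every 10 seconds or so" is the suspicious pace
        [int] $MinEvents = 5                # ignore accounts with only a handful of events
    )
    $Events | Group-Object -Property User | ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        $gaps = @()
        for ($i = 1; $i -lt $times.Count; $i++) {
            $gaps += ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        # Median gap is robust to a single burst from an otherwise quiet relay
        $median = $null
        if ($gaps.Count -gt 0) { $median = @($gaps | Sort-Object)[[int][math]::Floor($gaps.Count / 2)] }
        New-Object PSObject -Property @{
            User              = $_.Name
            Count             = $_.Count
            MedianIntervalSec = $median
            Suspicious        = ($_.Count -ge $MinEvents -and $null -ne $median -and $median -le $MaxMedianIntervalSec)
        }
    } | Sort-Object -Property Count -Descending
}

# Constructed sample data: a print server relaying a few scans, a service-desk
# mailbox polling every 7 minutes, and one account authenticating every 8 seconds.
$base   = Get-Date '2014-02-27 09:00:00'
$sample = @()
foreach ($n in 0..3)  { $sample += New-Object PSObject -Property @{ Time = $base.AddHours($n * 2);   User = 'DOMAIN\svc-printserver' } }
foreach ($n in 0..9)  { $sample += New-Object PSObject -Property @{ Time = $base.AddMinutes($n * 7); User = 'DOMAIN\svc-servicedesk' } }
foreach ($n in 0..59) { $sample += New-Object PSObject -Property @{ Time = $base.AddSeconds($n * 8); User = 'DOMAIN\jdoe' } }

Get-Smtp1708Triage -Events $sample | Format-Table User, Count, MedianIntervalSec, Suspicious -AutoSize
```

Scanner, fax and service-desk accounts will appear in this list too, as the asker later found; the output is a triage order for checking each source, not a verdict.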
 
LVL 4

Author Comment

by: Paul Wagner
ID: 39894965
There are two accounts I saw with 1708 events. The first, which had a lot of events listed, was for the internal service desk site email account that we have. I changed the password for that but it still has a bunch of listings. I imagine this is normal as it is sending/receiving emails/ticket updates from users.

The second account only had a handful of 1708s (in the last 5 days), and it was for our print server, which sends scanned documents from the scanners to email.

In my mind, these both seem normal.
0
 
LVL 12

Expert Comment

by: ktaczala
ID: 39896745
Make sure that your router/firewall IP is NOT part of the receive connector's allowed IPs.
0
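ktaczala's check, as an added PowerShell example that is not from the thread: report which receive connectors would accept SMTP from a given address (here the router/firewall IP, which is how NAT'd Internet hosts appear to the server) and whether those connectors allow anonymous users. It assumes the Exchange 2010 Management Shell and that the IPRange entries returned by Get-ReceiveConnector expose LowerBound and UpperBound; the offline sample connectors are constructed.

```powershell
# Added example, not from the thread. Assumptions: Exchange Management Shell, and each
# RemoteIPRanges entry from Get-ReceiveConnector exposes LowerBound/UpperBound.
# Sample connectors below are constructed so the script runs offline.
function ConvertTo-UInt32IPv4 {
    param([Parameter(Mandatory=$true)] [string] $Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $null }   # IPv6 ranges are skipped
    $bytes = $ip.GetAddressBytes()
    [Array]::Reverse($bytes)                                      # network order -> little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}
function Test-IPv4InRange {
    param([string] $Address, [string] $Lower, [string] $Upper)
    $a  = ConvertTo-UInt32IPv4 $Address
    $lo = ConvertTo-UInt32IPv4 $Lower
    $hi = ConvertTo-UInt32IPv4 $Upper
    if ($null -eq $a -or $null -eq $lo -or $null -eq $hi) { return $false }   # $null on the left: 0.0.0.0 is a valid bound
    return ($a -ge $lo) -and ($a -le $hi)
}
function Find-GatewayOnReceiveConnectors {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Connectors,   # Name, PermissionGroups, RemoteIPRanges
        [Parameter(Mandatory=$true)] [string]   $GatewayAddress
    )
    foreach ($c in $Connectors) {
        $anonymous = ("$($c.PermissionGroups)" -match 'AnonymousUsers')
        foreach ($r in $c.RemoteIPRanges) {
            if (Test-IPv4InRange -Address $GatewayAddress -Lower "$($r.LowerBound)" -Upper "$($r.UpperBound)") {
                New-Object PSObject -Property @{
                    Connector       = $c.Name
                    Range           = "$($r.LowerBound)-$($r.UpperBound)"
                    AllowsAnonymous = $anonymous
                }
            }
        }
    }
}
# Live use:  Find-GatewayOnReceiveConnectors -Connectors (Get-ReceiveConnector) -GatewayAddress '192.0.2.1'
# Constructed offline sample: the default connector plus an application-relay connector
# whose range was widened to a whole subnet that also contains the firewall's address.
$connectors = @(
    (New-Object PSObject -Property @{ Name = 'Default EX2010'; PermissionGroups = 'AnonymousUsers, ExchangeUsers, ExchangeServers'
        RemoteIPRanges = @(New-Object PSObject -Property @{ LowerBound = '0.0.0.0'; UpperBound = '255.255.255.255' }) }),
    (New-Object PSObject -Property @{ Name = 'Scanner Relay'; PermissionGroups = 'AnonymousUsers'
        RemoteIPRanges = @(New-Object PSObject -Property @{ LowerBound = '192.0.2.0'; UpperBound = '192.0.2.255' }) })
)
Find-GatewayOnReceiveConnectors -Connectors $connectors -GatewayAddress '192.0.2.1' | Format-Table Connector, Range, AllowsAnonymous -AutoSize
```

The default connector matches every address and is not a relay by itself; the finding to act on is a narrow application-relay connector (the kind created for scanners, which is typically granted relay permission) whose range includes the gateway IP.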
 
LVL 4

Author Closing Comment

by: Paul Wagner
ID: 39896888
1708 events are not as straightforward as they are described here and in the referenced article. My environment has a scanner on the print server, a virtual fax server and a service desk system, which all use port 25 internally. There is no way to tell, from just looking at 1708 events, whether their use of port 25 is standard or spam attempts.

I ended up calling Microsoft, and for $230, it was well worth the money. Their engineer walked me through proper anti-spam techniques that utilize best practices according to Microsoft. It gave me the peace of mind I was looking for.

IMPORTANT: My environment has coexistence between 2003 and 2010 Exchange. The immediate difference I saw that cut the message queue from 2,000 messages down to 30 was checking the box for Integrated Windows Authentication in the SMTP Virtual Server on the 2003 box. Also, setting up anti-spam with Spamhaus rules using 127.0.0.x addresses is pretty awesome. Recipient filtering is great to have as well.

This is legit: http://netport.org/?p=1200
0
 
LVL 15

Expert Comment

by: jerseysam
ID: 39897042
OK, great. Happy you got it sorted.
0
