Solved

Exchange sending out spam - Can't find source

Posted on 2014-02-28
3,353 Views
Last Modified: 2014-03-01
Situation:
Our Exchange 2003 / Exchange 2010 coexistence environment is sending out spam (10,000+ email attempts a day).

Background:
Last week we found out that our IP was listed on almost all of the spam lists. I saw that our Exchange 2003 message queue was bloated with thousands of emails. I flushed the queue and locked down the firewall so that only MXLogic (our spam filter) IPs can send SMTP traffic to our Exchange server. I also locked other firewall settings down as well. Everything went back to normal for a few days.

Current:
The same thing happened again yesterday on the Exchange 2010 server: thousands of emails in the queue. Our IP (for the 2010 server this time) got blacklisted.

Tasks I have done:
-Run SEP and Malwarebytes on the Exchange server. Came up clean.
-Lock down SMTP traffic to only receive from MXLogic.
-Cleared out message queue
-VERIFIED that we are not an open relay on the internet

At this point, I'm not sure what to do. It seems like it keeps popping up and then going away. Have we somehow been hacked? Is an authenticated user on the domain unknowingly sending spam? Where should I start?
Question by:Paul Wagner
17 Comments
 
LVL 15

Accepted Solution

by:
jerseysam earned 500 total points
ID: 39894406
Ok,

Turn on diagnostic logging in Exchange. Look for event ID 1708 to see if there is a user spamming the Exchange server.

See post:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also you need to lock down port 25 for SMTP so that only the server can access this.
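The check jerseysam describes, as an added example that is not part of the thread: pull the MSExchangeTransport 1708 (SMTP authentication) events, group them by account and client address, and flag the pairs that authenticate at a steady machine-like rate. The regex and the sample event text are assumptions written for this example; the real 1708 wording differs between Exchange versions, so adapt `$pattern` to what your server actually logs before trusting the output. The account names, addresses and timestamps are constructed.

```powershell
# Added example, not code from the thread. Groups MSExchangeTransport event 1708
# entries by account and client IP and flags the pairs that authenticate at a
# steady rate (jerseysam's "1708 requests every 10 seconds"). Runs on PowerShell 2.0.
# ASSUMPTION: $pattern matches the constructed text below, not necessarily a real 1708.

function Get-SmtpAuthSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # objects with TimeGenerated and Message
        [int]      $SuspectGapSeconds = 10,                 # average gap at or below this is suspect
        [string[]] $KnownSenders = @()                      # accounts expected to relay (scanners, ticket system)
    )
    # assumption: matches '... client <ip> ... as "<DOMAIN\name>"' as used in the sample
    $pattern = 'client (?<ip>\d{1,3}(?:\.\d{1,3}){3}) .*? as "(?<acct>[^"]+)"'

    $rows = foreach ($e in $Events) {
        if ($e.Message -match $pattern) {
            New-Object PSObject -Property @{
                Time    = [datetime]$e.TimeGenerated
                Account = $Matches['acct']
                Client  = $Matches['ip']
            }
        }
    }

    $rows | Group-Object Account, Client | ForEach-Object {
        $times = @($_.Group | ForEach-Object { $_.Time } | Sort-Object)
        $acct  = $_.Group[0].Account
        # average seconds between consecutive authentications; a single event has no gap
        $gap = $null
        if ($times.Count -gt 1) {
            $gap = [math]::Round(($times[-1] - $times[0]).TotalSeconds / ($times.Count - 1), 1)
        }
        $known = $KnownSenders -contains $acct
        New-Object PSObject -Property @{
            Account   = $acct
            Client    = $_.Group[0].Client
            Count     = $_.Count
            AvgGapSec = $gap
            Known     = $known
            Suspect   = ($gap -ne $null) -and ($gap -le $SuspectGapSeconds) -and (-not $known)
        }
    } | Sort-Object Suspect, Count -Descending |
        Select-Object Account, Client, Count, AvgGapSec, Known, Suspect
}

# Constructed sample standing in for Get-EventLog output; the wording is invented.
$base   = Get-Date '2014-02-27 09:00:00'
$sample = @()
# a workstation authenticating every 8 seconds for an hour as an ordinary user: the bot
foreach ($i in 0..449) {
    $sample += New-Object PSObject -Property @{
        TimeGenerated = $base.AddSeconds($i * 8)
        Message       = 'SMTP Authentication: client 10.20.30.77 authenticated as "CORP\jsmith"' }
}
# the service desk system, busy but expected
foreach ($i in 0..40) {
    $sample += New-Object PSObject -Property @{
        TimeGenerated = $base.AddSeconds($i * 90)
        Message       = 'SMTP Authentication: client 10.20.1.15 authenticated as "CORP\svc-helpdesk"' }
}
# the print server, a few scans an hour
foreach ($i in 0..4) {
    $sample += New-Object PSObject -Property @{
        TimeGenerated = $base.AddMinutes($i * 12)
        Message       = 'SMTP Authentication: client 10.20.1.9 authenticated as "CORP\PRINTSRV$"' }
}

Get-SmtpAuthSummary -Events $sample -KnownSenders 'CORP\svc-helpdesk', 'CORP\PRINTSRV$' |
    Format-Table -AutoSize

# Against a live server (PowerShell 2.0, so usable on the Exchange 2003 box too):
# $live = Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddDays(-1) |
#         Where-Object { $_.EventID -eq 1708 }
# Get-SmtpAuthSummary -Events $live -KnownSenders 'CORP\svc-helpdesk' | Format-Table -AutoSize
```

In the sample only CORP\jsmith from 10.20.30.77 comes out as Suspect (450 events, 8 s average gap); the service desk and print server accounts are busy but are passed in as known senders. That is the point the asker makes later in the thread: a steady 1708 rate alone cannot separate a scanner or ticketing system from a bot, so the known-sender list is doing real work here, and anything flagged still has to be confirmed from the client machine or the message tracking logs.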
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894470
I read the article. There is no Authentication under MSExchange Transport.

MSExchange Transport without Authentication option.
 
LVL 15

Expert Comment

by:jerseysam
ID: 39894480
What version of exchange are you using?
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894485
2010
 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 500 total points
ID: 39894492
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894500
Ya, I read that after your first post, but it described something so different that I didn't want to end up down the rabbit hole. Working on it now.
 
LVL 15

Expert Comment

by:jerseysam
ID: 39894508
Ok. Once you get logging sorted, if a machine on your network is spamming it should be fairly obvious from the constant 1708 events in the event log on the Exchange server.
 
LVL 15

Expert Comment

by:jerseysam
ID: 39894511
http://support.microsoft.com/kb/324958

Good guide for cleaning up once you find the infected machine and remove it from the network.

 
LVL 15

Assisted Solution

by:jerseysam
jerseysam earned 500 total points
ID: 39894514
If you can configure your firewall, then block all traffic to port 25 apart from the Exchange server, and then check the firewall logs to see who keeps requesting port 25 access.
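The second half of that advice, as an added example that is not part of the thread: once only the Exchange server may leave on TCP 25, every other internal host that keeps knocking on port 25 is a candidate for the infected machine. The sample lines are constructed in the Windows Firewall log (pfirewall.log) column layout; an export from a perimeter firewall will need its own columns mapped onto src-ip, dst-ip, dst-port and action. Addresses are documentation ranges and the Exchange server address is a placeholder.

```powershell
# Added example, not code from the thread. Parses firewall log lines in the
# Windows Firewall (pfirewall.log) layout and ranks internal sources by how often
# they try to reach TCP 25. Runs on PowerShell 2.0.

function Get-Port25Talkers {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Lines,
        [string[]] $AllowedSources = @()          # hosts that are supposed to speak SMTP outbound
    )
    $fields = $null
    $rows = foreach ($l in $Lines) {
        # the '#Fields:' header names the columns; every other '#' line is metadata
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($l -like '#*' -or $l.Trim().Length -eq 0 -or -not $fields) { continue }
        $values = $l -split '\s+'
        $o = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $o[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $o
    }
    $rows |
        Where-Object { $_.protocol -eq 'TCP' -and $_.'dst-port' -eq '25' } |
        Group-Object 'src-ip' | ForEach-Object {
            $src = $_.Name
            New-Object PSObject -Property @{
                Source       = $src
                Attempts     = $_.Count
                Dropped      = @($_.Group | Where-Object { $_.action -eq 'DROP' }).Count
                Destinations = @($_.Group | ForEach-Object { $_.'dst-ip' } | Sort-Object -Unique).Count
                Allowed      = $AllowedSources -contains $src
            }
        } | Sort-Object Attempts -Descending |
            Select-Object Source, Attempts, Dropped, Destinations, Allowed
}

# Constructed sample log (placeholder addresses). 10.20.1.20 stands for the Exchange server.
$log = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2014-02-28 09:00:01 ALLOW TCP 10.20.1.20 198.51.100.25 50112 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:00:03 DROP TCP 10.20.30.77 203.0.113.9 49210 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:00:04 DROP TCP 10.20.30.77 203.0.113.40 49211 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:00:04 DROP TCP 10.20.30.77 203.0.113.77 49212 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:00:05 DROP TCP 10.20.30.77 203.0.113.12 49213 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:00:09 ALLOW TCP 10.20.30.77 198.51.100.80 49214 443 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:01:30 DROP TCP 10.20.1.9 198.51.100.25 40021 25 52 S 100 0 8192 - - - SEND',
    '2014-02-28 09:02:00 ALLOW TCP 10.20.1.20 198.51.100.26 50113 25 52 S 100 0 8192 - - - SEND'
)

Get-Port25Talkers -Lines $log -AllowedSources '10.20.1.20' | Format-Table -AutoSize

# Against the real Windows Firewall log on a host that logs dropped packets:
# Get-Port25Talkers -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log") -AllowedSources '10.20.1.20'
```

The telling signal is not the count on its own but the combination of many dropped attempts and many distinct destinations: 10.20.30.77 above fans out to four different mail servers in two seconds, which is what a bot delivering directly to recipients' MX hosts looks like, while 10.20.1.9 (a print server in the asker's environment) makes a single attempt toward the usual relay, which is simply a device that was never pointed at the Exchange server.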
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894580
The only thing I find (on my Exchange 2003 server) is a ton of Information events with 1708. Most of them say the username was "DOMAIN\EXCHANGE 2010$". This is not an account though. That's the server we have coexistence set up on.
 
LVL 15

Expert Comment

by:jerseysam
ID: 39894591
Have you cleaned that other server?

First thing is to change passwords.
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894598
Cleaned as in virus scan? Yes.
Change which passwords?
 
LVL 15

Expert Comment

by:jerseysam
ID: 39894609
Change the password on the machine that constantly generates 1708 requests. See if they settle down. But usually the machine that generates 1708 requests every 10 seconds or so is the spam machine, at least for a user PC anyway.
 
LVL 3

Author Comment

by:Paul Wagner
ID: 39894965
There are two accounts I saw with 1708 events. The first, which had a lot of events listed, was for the internal service desk site email account that we have. I changed the password for that but it still has a bunch of listings. I imagine this is normal as it is sending/receiving emails/ticket updates from users.

The second account only had a handful of 1708's (in the last 5 days) and it was for our print server which sends scanned documents from the scanners to email.

In my mind, these both seem normal.
 
LVL 12

Expert Comment

by:ktaczala
ID: 39896745
Make sure that your router/firewall IP is NOT part of the receive connector's allowed IPs.
 
LVL 3

Author Closing Comment

by:Paul Wagner
ID: 39896888
1708 events are not as straightforward as they are described here and in the referenced article. My environment has a scanner on the print server, a virtual fax server and a service desk system which all use port 25 internally. There is no way to tell from just looking at 1708 events if their access of port 25 is standard or spam attempts.

I ended up calling Microsoft, and for $230, it was well worth the money. Their engineer walked me through proper anti-spam techniques that utilize best practices according to Microsoft. It gave me the peace of mind I was looking for.

IMPORTANT: My environment has coexistence between 2003 and 2010 Exchange. The immediate difference I saw that cut the message queue from 2,000 messages down to 30 was checking the box for Integrated Windows Authentication in the SMTP Virtual Server on the 2003 box. Also, setting up anti-spam with Spamhaus rules using 127.0.0.x addresses is pretty awesome. Recipient filtering is great to have as well.

This is legit: http://netport.org/?p=1200
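The Exchange 2010 side of the closing comment, plus ktaczala's receive connector check, as an added example that is not part of the thread. The asker's fix on the 2003 box (Integrated Windows Authentication on the SMTP virtual server) lives in the IIS metabase; on 2010 the equivalent controls are receive connector permission groups and authentication mechanisms, and the Spamhaus and recipient filtering settings are anti-spam agent configuration. Assumptions: the anti-spam agents are already installed on the Hub Transport role (install-AntispamAgents.ps1 from the Exchange Scripts folder, then a transport service restart); `HUB01`, the connector names, 203.0.113.1 as the firewall address and 198.51.100.0/24 as the MXLogic range are placeholders.

```powershell
# Added example, not code from the thread. Exchange 2010 Management Shell commands
# for the measures described in the closing comment and the receive connector check.
# Server name, connector names and all addresses are placeholders.

# 1. ktaczala's check: list every receive connector with its permitted remote ranges
#    and permission groups. A range that covers the firewall's own address on a
#    connector that grants AnonymousUsers turns every NATed connection into a
#    permitted relay, so read the output against $firewallIp by hand.
$firewallIp = '203.0.113.1'   # placeholder
Get-ReceiveConnector | Select-Object Identity, PermissionGroups, AuthMechanism,
    @{ Name = 'RemoteIPRanges'; Expression = { ($_.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', ' } } |
    Format-List

# 2. 2010 counterpart of the 2003 change: the default connector keeps authenticated
#    mechanisms only, with no AnonymousUsers permission group, so unauthenticated
#    clients cannot submit through it at all.
Set-ReceiveConnector 'HUB01\Default HUB01' `
    -AuthMechanism 'Tls, Integrated, BasicAuth, BasicAuthRequireTLS, ExchangeServer' `
    -PermissionGroups 'ExchangeUsers, ExchangeServers, ExchangeLegacyServers'

# 3. Anonymous inbound SMTP only from the spam filter. A connector whose
#    RemoteIPRanges is more specific wins over the default connector's 0.0.0.0-255.255.255.255,
#    so MXLogic lands here and nothing else gets anonymous submission.
New-ReceiveConnector -Name 'From MXLogic' -Server HUB01 -Usage Internet `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 198.51.100.0/24   # placeholder for MXLogic's published ranges

# 4. Spamhaus ZEN as an IP block list provider. ZEN answers with 127.0.0.x codes:
#    .2/.3/.9 are SBL, .4 to .7 are XBL, .10/.11 are PBL. Listing the codes instead
#    of -AnyMatch lets you drop PBL later if it ever bites a partner on a dynamic range.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' `
    -IPAddressesMatch '127.0.0.2', '127.0.0.3', '127.0.0.4', '127.0.0.5', '127.0.0.6', `
                      '127.0.0.7', '127.0.0.9', '127.0.0.10', '127.0.0.11'
Set-IPBlockListProvidersConfig -Enabled $true

# 5. Recipient filtering: reject mail for nonexistent recipients at RCPT TO rather
#    than accepting it and generating an NDR afterwards.
Set-RecipientFilterConfig -RecipientValidationEnabled $true

# Confirm what the agents are doing.
Get-IPBlockListProvider | Format-List Name, LookupDomain, IPAddressesMatch, Enabled
Get-RecipientFilterConfig | Format-List RecipientValidationEnabled
```

One caveat on step 4: connection filtering evaluates the address that connects to the receive connector. If the firewall only lets MXLogic reach the server, the lookups run against MXLogic's own addresses, so the block list earns its keep mainly for connections that slip past that firewall rule rather than for the mail the filter hands over.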
 
LVL 15

Expert Comment

by:jerseysam
ID: 39897042
Ok great. Happy you got it sorted.
