Exchange sending out spam - Can't find source

Situation:
Our Exchange 2003 / Exchange 2010 coexistence environment is sending out spam (10,000+ email attempts a day).

Background:
Last week we found out that our IP was listed on almost all of the spam lists. I saw that our Exchange 2003 message queue was bloated with thousands of emails. I flushed the queue and locked down the firewall so that only MXLogic (our spam filter) IPs can send SMTP traffic to our Exchange server. I also locked down other firewall settings as well. Everything went back to normal for a few days.

Current:
The same thing happened again yesterday on the Exchange 2010 server: thousands of emails in the queue. Our IP (for the 2010 server this time) got blacklisted.

Tasks I have done:
-Run SEP and Malwarebytes on the Exchange server. Came up clean.
-Lock down SMTP traffic to only receive from MXLogic.
-Cleared out message queue
-VERIFIED that we are not an open relay on the internet

At this point, I'm not sure what to do. It seems like it keeps popping up and then going away. Have we somehow been hacked? Is an authenticated user on the domain unknowingly sending spam? Where should I start?
Paul Wagner (Friend To Robots and Rocks) asked:
jerseysam commented:
OK,

Turn on diagnostic logging in Exchange. Look for event ID 1708 to see if there is a user spamming the Exchange server.

See post:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also you need to lock down port 25 for SMTP so that only the server can access this.
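The triage jerseysam describes, as an added example that is not part of the original thread: a PowerShell script that counts MSExchangeTransport event 1708 on the Exchange 2003 server per account and per 10-minute window (so a host authenticating every few seconds stands out from a helpdesk or scanner account that sends a few messages an hour), and then groups whatever is sitting in the Exchange 2010 queues by sender. It assumes it is run from the Exchange 2010 Management Shell, that the 2003 box's Application log is readable remotely, and that the account name is the first replacement string of the 1708 event; the host name `EXCHANGE2003`, the `$AccountIndex` default and the rate threshold are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread. Two views of the same problem:
#   1. Event 1708 on the Exchange 2003 SMTP virtual server, counted per account
#      and per $BucketMinutes-minute window.
#   2. Messages currently queued on the Exchange 2010 server, grouped by sender.
# Assumptions: Exchange 2010 Management Shell; remote read access to the 2003
# Application log; the account is ReplacementStrings[$AccountIndex] of the
# 1708 event. Check one event first with
#   Get-EventLog -LogName Application -Source MSExchangeTransport -Newest 1 | Format-List *
# and adjust $AccountIndex if the account sits elsewhere.

param(
    [string]$Ex2003 = 'EXCHANGE2003',      # placeholder host name
    [string]$Ex2010 = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [int]$AccountIndex = 0,
    [int]$BucketMinutes = 10
)

function Get-Auth1708Summary {
    param([string]$Computer, [datetime]$Since, [int]$Index, [int]$Bucket)

    $events = Get-EventLog -LogName Application -Source MSExchangeTransport `
                -ComputerName $Computer -After $Since |
              Where-Object { $_.EventID -eq 1708 }

    $rows = foreach ($e in $events) {
        $account = if ($e.ReplacementStrings.Length -gt $Index) {
                       $e.ReplacementStrings[$Index]
                   } else { $e.Message }            # fall back to the whole text
        $t = $e.TimeGenerated
        $minutes = [math]::Floor(($t.Hour * 60 + $t.Minute) / $Bucket) * $Bucket
        New-Object PSObject -Property @{
            Account = $account
            Window  = $t.Date.AddMinutes($minutes)
        }
    }

    Write-Host "== Event 1708 authentications on $Computer since $Since =="
    $rows | Group-Object Account | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize

    # One authentication every 10 s sustained for a whole window is the pattern
    # described in the thread; flag account/window pairs above that rate.
    # A ticketing or scanner account has a high total but a bursty pattern.
    $threshold = $Bucket * 6
    Write-Host "== Account/window pairs with more than $threshold authentications =="
    $rows | Group-Object Account, Window |
        Where-Object { $_.Count -gt $threshold } |
        Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
}

function Get-QueuedSenderSummary {
    param([string]$Server)

    # Whose mail is actually in the backlog? A compromised account or an
    # internal host relaying through the server shows up as one dominant sender.
    Write-Host "== Queued messages on $Server by sender and queue =="
    Get-Message -Server $Server -ResultSize Unlimited |
        Group-Object FromAddress, Queue | Sort-Object Count -Descending |
        Select-Object -First 20 | Format-Table Count, Name -AutoSize
}

$since = (Get-Date).AddHours(-$Hours)
Get-Auth1708Summary -Computer $Ex2003 -Since $since -Index $AccountIndex -Bucket $BucketMinutes
Get-QueuedSenderSummary -Server $Ex2010
```

Run it as `.\Find-SpamSource.ps1 -Ex2003 <2003 host> -Hours 48` while the queue is still full; once the queue has been flushed the second view is empty and only the event counts remain. The total per account is not evidence on its own, which is why the script also reports sustained per-window rates.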
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
I read the article. There is no Authentication under MSExchange Transport.

MSExchange Transport without Authentication option.
 
jerseysam commented:
What version of exchange are you using?
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
2010
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
Yeah, I read that after your first post, but it described something so different that I didn't want to end up down the rabbit hole. Working on it now.
 
jerseysam commented:
OK. Once you get logging sorted, if a machine on your network is spamming, it should be fairly obvious from the constant 1708 events in the event log on the Exchange server.
 
jerseysam commented:
http://support.microsoft.com/kb/324958

Good guide for cleaning up once you find the infected machine and remove it from the network.
 
jerseysam commented:
If you can configure your firewall, then block all traffic to port 25 apart from the Exchange server, and then check the firewall logs to see who keeps requesting port 25 access.
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
The only thing I find (on my Exchange 2003 server) is a ton of Information events with ID 1708. Most of them say the username was "DOMAIN\EXCHANGE 2010$". This is not an account, though. That's the server we have coexistence set up on.
 
jerseysam commented:
Have you cleaned that other server?

First thing is to change passwords.
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
Cleaned as in virus scan? Yes.
Change which passwords?
 
jerseysam commented:
Change the password on the machine that constantly generates 1708 requests. See if they settle down. But usually the machine that generates 1708 requests every 10 seconds or so is the spam machine. At least for a user PC, anyway.
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
There are two accounts I saw with 1708 events. The first, which had a lot of events listed, was for the internal service desk site email account that we have. I changed the password for that, but it still has a bunch of listings. I imagine this is normal, as it is sending/receiving emails/ticket updates from users.

The second account only had a handful of 1708s (in the last 5 days), and it was for our print server, which sends scanned documents from the scanners to email.

In my mind, these both seem normal.
 
ktaczala commented:
Make sure that your router/firewall IP is NOT part of the receive connector's allowed IPs.
 
Paul Wagner (Friend To Robots and Rocks), author, commented:
1708 events are not as straightforward as they are described here and in the referenced article. My environment has a scanner on the print server, a virtual fax server and a service desk system, which all use port 25 internally. There is no way to tell from just looking at 1708 events whether their access to port 25 is standard or spam attempts.

I ended up calling Microsoft, and for $230, it was well worth the money. Their engineer walked me through proper anti-spam techniques that utilize best practices according to Microsoft. It gave me the peace of mind I was looking for.

IMPORTANT: My environment has coexistence between 2003 and 2010 Exchange. The immediate difference I saw that cut the message queue from 2,000 messages down to 30 was checking the box for Integrated Windows Authentication in the SMTP Virtual Server on the 2003 box. Also, setting up anti-spam with Spamhaus rules using 127.0.0.x addresses is pretty awesome. Recipient filtering is great to have as well.

This is legit: http://netport.org/?p=1200
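The Exchange 2010 side of what ktaczala and the final post recommend, as an added example that is not part of the original thread: a PowerShell script that audits each receive connector for the router/firewall address inside its `RemoteIPRanges`, for a catch-all remote range, and for anonymous relay rights, then enables a Spamhaus ZEN block list using explicit 127.0.0.x return codes and turns on recipient validation. It assumes the Exchange 2010 Management Shell on the Hub Transport server with the anti-spam agents already installed (`install-AntispamAgents.ps1` followed by a transport service restart); `$firewallIps` is a placeholder, and the Integrated Windows Authentication change on the 2003 SMTP virtual server is an Exchange System Manager GUI setting that this script does not touch.

```powershell
# Added example, not from the original thread.
# Assumptions: Exchange 2010 Management Shell on the Hub Transport server;
# anti-spam agents installed with
#   & "$env:ExchangeInstallPath\Scripts\install-AntispamAgents.ps1"
# and the Microsoft Exchange Transport service restarted afterwards.
# $firewallIps is a placeholder for your own edge addresses.

$firewallIps = @('192.0.2.1', '203.0.113.1')   # placeholder
$anyRange    = '0.0.0.0-255.255.255.255'

function Test-ReceiveConnectorExposure {
    foreach ($rc in Get-ReceiveConnector) {
        $ranges = $rc.RemoteIPRanges | ForEach-Object { $_.ToString() }

        # Exact-match check only: a firewall address hidden inside a wider
        # CIDR or low-high range is not detected by this comparison.
        $fwHits    = $ranges | Where-Object { $firewallIps -contains $_ }
        $openToAll = $ranges -contains $anyRange

        # "AnonymousUsers" in PermissionGroups lets anyone submit mail;
        # ms-Exch-SMTP-Accept-Any-Recipient for ANONYMOUS LOGON makes that
        # submission a relay, which is what a spam bot behind the firewall needs.
        $anon  = [bool]($rc.PermissionGroups -match 'AnonymousUsers')
        $relay = Get-ADPermission -Identity $rc.Identity `
                     -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
                 Where-Object { $_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient' }

        New-Object PSObject -Property @{
            Connector        = $rc.Name
            AcceptsAnonymous = $anon
            AnonymousRelay   = [bool]$relay
            AllRemoteIPs     = $openToAll
            FirewallInRange  = (($fwHits | Measure-Object).Count -gt 0)
        }
    }
}

Test-ReceiveConnectorExposure | Format-Table -AutoSize

# An anonymous connector that lists the firewall address (or every address)
# accepts whatever the firewall NATs through, i.e. the Internet. The thread's
# fix was to narrow the ranges to the MXLogic relay addresses, e.g.
#   Set-ReceiveConnector 'Default EX2010' -RemoteIPRanges <MXLogic ranges>

# Spamhaus ZEN returns 127.0.0.2-7 (SBL/CSS/XBL) and 127.0.0.10-11 (PBL).
# Listing the codes explicitly avoids acting on 127.0.0.1, which ZEN uses for
# test and error responses rather than a listing.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' `
    -IPAddressesMatch 127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.5,127.0.0.6,127.0.0.7,127.0.0.10,127.0.0.11 `
    -RejectionResponse 'Sender IP is listed by Spamhaus ZEN' -Enabled $true
Set-IPBlockListProvidersConfig -Enabled $true

# Recipient filtering: reject RCPT TO for addresses that do not exist in the
# directory, so dictionary attacks do not become NDRs sitting in the queue.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
```

One caveat on the block list: connection filtering evaluates the address that connects to the receive connector, so when all Internet mail arrives through MXLogic the lookup sees MXLogic's address, and the DNSBL mainly protects any path that still reaches the server directly. Review the audit table before enabling anything: a connector reporting `AnonymousRelay = True` or `FirewallInRange = True` is the first thing to fix.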
 
jerseysam commented:
OK, great. Happy you got it sorted.