Exchange sending out spam - Can't find source

Situation:
Our Exchange 2003 / Exchange 2010 coexistence environment is sending out spam (10,000+ email attempts a day).

Background:
Last week we found out that our IP was listed on almost all of the spam lists. I saw that our Exchange 2003 message queue was bloated with thousands of emails. I flushed the queue and locked down the firewall so that only MXLogic (our spam filter) IPs can send SMTP traffic to our Exchange server. I also locked down other firewall settings. Everything went back to normal for a few days.

Current:
The same thing happened again yesterday on the Exchange 2010 server: thousands of emails in the queue. Our IP (for the 2010 server this time) got blacklisted.

Tasks I have done:
-Run SEP and Malwarebytes on the Exchange server. Came up clean.
-Lock down SMTP traffic to only receive from MXLogic.
-Cleared out message queue
-VERIFIED that we are not an open relay on the internet

At this point, I'm not sure what to do. It seems like it keeps popping up and then going away. Have we somehow been hacked? Is an authenticated user on the domain unknowingly sending spam? Where should I start?
Paul Wagner (Friend To Robots and Rocks) asked:

jerseysamCommented:
Ok,

turn on diagnostic logging in exchange. Look for event ID 1708 to see if there is a user spamming the exchange server.

See post:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also you need to lock down port 25 for SMTP so that only the server can access this.
0
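The 1708 triage suggested above, as an added example that is not part of the thread or of the linked article: a PowerShell script that pulls the Exchange 2003 event ID 1708 (successful SMTP authentication) entries from the Application log and tallies them by account and client address, so that an account or host authenticating every few seconds stands out from the help-desk mailbox and the print server. The server name, the time window, the threshold and the layout of the event text (client and username as quoted strings) are assumptions; when an event does not match the assumed layout its raw message is kept rather than dropped.

```powershell
# Added example, not from the thread: tally Exchange 2003 event ID 1708
# (successful SMTP authentication) by account and client address.
# Assumes diagnostic logging for MSExchangeTransport on the 2003 server has
# been raised so that 1708 is written to the Application log, and assumes the
# event text names the client and the username as quoted strings (regex below).
param(
    [string]$ComputerName = 'EXCH2003',  # assumed name of the Exchange 2003 server
    [int]$Hours           = 24,          # look-back window
    [int]$Threshold       = 200          # assumed: more than this per account/client in the window is flagged
)

$since = (Get-Date).AddHours(-$Hours)

# Filter on the EventID property rather than -InstanceId: InstanceId carries
# severity/facility bits and is not simply 1708.
$events = Get-EventLog -LogName Application -ComputerName $ComputerName `
              -Source MSExchangeTransport -After $since |
          Where-Object { $_.EventID -eq 1708 }

# Assumed message layout:  ... client "10.0.0.5" ... username was "DOMAIN\user" ...
# (?s) lets .*? cross the line breaks Exchange puts in the message text.
$pattern = '(?s)client\s+"(?<client>[^"]+)".*?username\s+was\s+"(?<user>[^"]+)"'

$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        New-Object PSObject -Property @{
            Time = $e.TimeGenerated; Client = $Matches['client']; User = $Matches['user']
        }
    } else {
        # Unexpected text: keep it visible instead of silently dropping it.
        New-Object PSObject -Property @{
            Time = $e.TimeGenerated; Client = '?'; User = ($e.Message -replace '\s+', ' ')
        }
    }
}

# One row per (account, client) with volume and rate. Service accounts show a
# steady, moderate rate; a compromised account or an infected host shows a far
# higher rate, often from a client address that has no business submitting mail.
$summary = $rows | Group-Object User, Client | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    $first  = $sorted[0].Time
    $last   = $sorted[-1].Time
    $mins   = [math]::Max(($last - $first).TotalMinutes, 1)
    $flag   = ''
    if ($_.Count -gt $Threshold) { $flag = 'CHECK' }
    New-Object PSObject -Property @{
        User      = $sorted[0].User
        Client    = $sorted[0].Client
        Count     = $_.Count
        PerMinute = [math]::Round($_.Count / $mins, 2)
        First     = $first
        Last      = $last
        Flag      = $flag
    }
} | Sort-Object Count -Descending

$summary | Format-Table User, Client, Count, PerMinute, First, Last, Flag -AutoSize
```

Run it from a workstation with PowerShell and read access to the 2003 server's event log (`.\Get-Smtp1708.ps1 -ComputerName EXCH2003 -Hours 48`). Compare the rate column, not only the count: a help-desk mailbox polling every minute looks busy over a day, but a host pushing a spam run authenticates many times per minute.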

Paul Wagner (Friend To Robots and Rocks), author, commented:
I read the article. There is no Authentication under MSExchange Transport.

MSExchange Transport without Authentication option.
0
jerseysamCommented:
What version of exchange are you using?
0

Paul Wagner (Friend To Robots and Rocks), author, commented:
2010
0
Paul Wagner (Friend To Robots and Rocks), author, commented:
Yeah, I read that after your first post, but it described something so different that I didn't want to end up down the rabbit hole. Working on it now.
0
jerseysamCommented:
OK. Once you get logging sorted, if a machine on your network is spamming it should be fairly obvious from the constant 1708 events in the event log on the Exchange server.
0
jerseysamCommented:
http://support.microsoft.com/kb/324958

Good guide for cleaning up once you find the infected machine and remove it from the network.
0
jerseysamCommented:
If you can configure your firewall, then block all traffic to port 25 apart from the Exchange server, and then check the firewall logs to see who keeps requesting port 25 access.
0
Paul Wagner (Friend To Robots and Rocks), author, commented:
The only thing I find (on my exchange 2003 server) is a ton of Information events with 1708. Most of them say the username was "DOMAIN\EXCHANGE 2010$". This is not an account though. That's the server we have coexistence set up on.
0
jerseysamCommented:
Have you cleaned that other server?

First thing is to change passwords.
0
Paul Wagner (Friend To Robots and Rocks), author, commented:
Cleaned as in virus scan? Yes.
Change which passwords?
0
jerseysamCommented:
Change the password on the machine that constantly generates 1708 requests. See if they settle down. Usually the machine that generates 1708 requests every 10 seconds or so is the spam machine, at least for a user PC anyway.
0
Paul Wagner (Friend To Robots and Rocks), author, commented:
There are two accounts I saw with 1708 events. The first, which had a lot of events listed, was for the internal service desk site email account that we have. I changed the password for that, but it still has a bunch of listings. I imagine this is normal, as it is sending/receiving emails/ticket updates from users.

The second account only had a handful of 1708s (in the last 5 days), and it was for our print server, which sends scanned documents from the scanners to email.

In my mind, these both seem normal.
0
ktaczalaCommented:
Make sure that your router/firewall IP is NOT part of the receive connector's allowed IPs.
0
Paul Wagner (Friend To Robots and Rocks), author, commented:
1708 events are not as straightforward as they are described here and in the referenced article. My environment has a scanner on the print server, a virtual fax server and a service desk system, which all use port 25 internally. There is no way to tell from just looking at 1708 events whether their use of port 25 is standard or spam attempts.

I ended up calling Microsoft, and for $230, it was well worth the money. Their engineer walked me through proper anti-spam techniques that utilize best practices according to Microsoft. It gave me the peace of mind I was looking for.

IMPORTANT: My environment has coexistence between 2003 and 2010 Exchange. The immediate difference I saw that cut the message queue from 2,000 messages down to 30 was checking the box for Integrated Windows Authentication in the SMTP Virtual Server on the 2003 box. Also, setting up anti-spam with Spamhaus rules using 127.0.0.x addresses is pretty awesome. Recipient filtering is great to have as well.

This is legit: http://netport.org/?p=1200
0
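The receive-connector check from ktaczala's comment and the queue and anti-spam work described in the final post above, as an added example that is not part of the thread and not Microsoft's or MXLogic's own tooling: an Exchange Management Shell script for the Exchange 2010 side. It lists each receive connector's remote ranges and flags any range that contains the firewall's inside address, lists connectors that grant anonymous relay, groups the current queue by sender and source IP, and configures Spamhaus ZEN connection filtering plus recipient validation. The server name and IP addresses are placeholders; the list of ZEN return codes is taken from Spamhaus' published values at the time of writing and should be checked against current Spamhaus documentation before use.

```powershell
# Added example, not from the thread: audit an Exchange 2010 Hub Transport
# server for the conditions discussed above. Run in the Exchange Management
# Shell. Server name and IP addresses are assumptions to be replaced.
$Server     = 'EXCH2010'      # assumed Hub Transport server
$FirewallIP = '192.0.2.1'     # assumed inside address of the firewall/router

function ConvertTo-IPv4Int ([string]$ip) {
    # Big-endian 32-bit value of a dotted-quad address.
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IPv4InRange ([string]$range, [string]$ip) {
    # Handles the three IPv4 forms a RemoteIPRanges entry prints as:
    # single address, low-high, and CIDR. Anything else (IPv6) returns $false.
    $x = ConvertTo-IPv4Int $ip
    if ($range -match '^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$') {
        return ($x -ge (ConvertTo-IPv4Int $Matches[1]) -and $x -le (ConvertTo-IPv4Int $Matches[2]))
    }
    if ($range -match '^(\d+\.\d+\.\d+\.\d+)/(\d+)$') {
        $bits = [int]$Matches[2]
        $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
        return (($x -band $mask) -eq ((ConvertTo-IPv4Int $Matches[1]) -band $mask))
    }
    if ($range -match '^\d+\.\d+\.\d+\.\d+$') { return ($x -eq (ConvertTo-IPv4Int $range)) }
    return $false
}

# 1. Receive connectors. If the firewall NATs inbound SMTP, every Internet
#    sender arrives from $FirewallIP, so a connector whose RemoteIPRanges
#    admits that address admits the whole Internet with that connector's rights.
Get-ReceiveConnector -Server $Server | ForEach-Object {
    $rc     = $_
    $ranges = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $fw     = @($ranges | Where-Object { Test-IPv4InRange $_ $FirewallIP }).Count -gt 0
    New-Object PSObject -Property @{
        Connector        = $rc.Name
        Bindings         = ($rc.Bindings -join ', ')
        RemoteIPRanges   = ($ranges -join ', ')
        PermissionGroups = $rc.PermissionGroups
        AuthMechanism    = $rc.AuthMechanism
        FirewallInRange  = $fw
    }
} | Format-List Connector, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism, FirewallInRange

# 2. Relay rights. A connector that grants ms-Exch-SMTP-Accept-Any-Recipient
#    to anonymous logon relays for every source its RemoteIPRanges admits.
Get-ReceiveConnector -Server $Server | Get-ADPermission |
    Where-Object { -not $_.Deny -and ($_.ExtendedRights -like '*ms-Exch-SMTP-Accept-Any-Recipient*') } |
    Select-Object Identity, User

# 3. What is queued right now, by sender and source. Outbound spam from one
#    compromised account or one internal host clusters on a single
#    FromAddress/SourceIP pair; legitimate traffic is spread out.
Get-Message -Server $Server -ResultSize Unlimited |
    Group-Object FromAddress, SourceIP | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
# Once a sender is identified and its password changed, drop its queued mail:
#   Get-Message -Server $Server -Filter {FromAddress -eq "user@example.com"} |
#       Remove-Message -WithNDR $false -Confirm:$false

# 4. Connection filtering and recipient validation, as in the final post.
#    Needs the anti-spam agents on the Hub Transport server first
#    (Install-AntispamAgents.ps1 from the Exchange Scripts folder, then a
#    transport service restart). Caveat: the block list is checked against the
#    address that connects to Exchange. With only MXLogic allowed through the
#    firewall that is MXLogic's address, not the original sender's, so this
#    protects only connections that reach Exchange directly.
#    Match explicit return codes rather than -AnyMatch $true: Spamhaus answers
#    query errors with 127.255.255.x codes, and a blanket 127/8 match would
#    reject good mail whenever a lookup fails.
Add-IPBlockListProvider -Name 'Spamhaus ZEN' -LookupDomain 'zen.spamhaus.org' `
    -AnyMatch $false `
    -IPAddressesMatch ('127.0.0.2','127.0.0.3','127.0.0.4','127.0.0.5','127.0.0.6','127.0.0.7','127.0.0.9','127.0.0.10','127.0.0.11') `
    -RejectionResponse 'Connection rejected: source address is listed by Spamhaus ZEN'
Set-IPBlockListProvidersConfig -Enabled $true
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
```

Sections 1 to 3 are read-only and can be run as often as needed while the problem recurs; section 4 changes server configuration and is a one-time setup. The range test is deliberately implemented in the script rather than by eyeballing the connector list, because a wide range such as 0.0.0.0-255.255.255.255 on a connector that also has Anonymous users in its permission groups includes the firewall address without ever showing it literally.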
jerseysamCommented:
OK, great. Happy you got it sorted.
0