Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

How do I find what network entity is sending mail (and spam)?

Posted on 2014-03-14
6
Medium Priority
?
399 Views
Last Modified: 2014-05-12
An exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.

I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.

When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients:  bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local

Open in new window


Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
0
Comment
Question by:DrDamnit
6 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 39930627
Try to enable logging on all SMTP receive connectors and examine the logs.
You did not mentioned the version of the exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
0
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930660
Exchange 2010. How do I enable those logs?
0
 
LVL 27

Expert Comment

by:davorin
ID: 39930672
On receive connector(s) properties on general tab set Protocol logging level to verbose.

(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx

Here you can find location of logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 32

Author Comment

by:DrDamnit
ID: 39930745
I'll apply this and report back.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931694
I would also install a network sniffer

Microsoft Network Monitor
Wireshark

and set it to monitor traffic on port 25 (SMTP) you should be able to identify the culprit workstation by IP address.

DirkMare
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 2000 total points
ID: 39932826
I am worried some are actually getting out and spamming the world

don't be afraid, be sure. what you are looking at is just the consequence of a spam that failed to reach it's destination, probably because of greylisting  or a server that was temporarily down. most of the spamflow probably wnet through in less than a second and never had a chance to clutter your queues
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You finally migrated Public Folders to Office 365, decommissioned the Public Folder mailbox database and since then, when you send an email from on-premise to mail-enabled Public Folders, you get the following error: "Misconfigured public folder mai…
Exchange database can often fail to mount thereby halting the work of all users connected to it. Finding out why database isn’t mounting is crucial and getting the server back online. Stellar Phoenix Mailbox Exchange Recovery is a champion product t…
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question