Solved

How do I find what network entity is sending mail (and spam)?

Posted on 2014-03-14
Last Modified: 2014-05-12
An Exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.

I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.

When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients:  bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local


Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
0
Question by:DrDamnit
6 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 39930627
Try to enable logging on all SMTP receive connectors and examine the logs.
You did not mention the version of the Exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
0
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930660
Exchange 2010. How do I enable those logs?
0
 
LVL 27

Expert Comment

by:davorin
ID: 39930672
In the receive connector(s) properties, on the General tab, set Protocol logging level to Verbose.

(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx

Here you can find the location of the logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
0
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930745
I'll apply this and report back.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931694
I would also install a network sniffer

Microsoft Network Monitor
Wireshark

and set it to monitor traffic on port 25 (SMTP). You should be able to identify the culprit workstation by IP address.

DirkMare
0
 
LVL 26

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 39932826
"I am worried some are actually getting out and spamming the world"

Don't be afraid, be sure. What you are looking at is just the consequence of a spam that failed to reach its destination, probably because of greylisting or a server that was temporarily down. Most of the spam flow probably went through in less than a second and never had a chance to clutter your queues.
0
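
Once verbose protocol logging is enabled as suggested in the thread, the SMTP receive logs can be summarized per client IP to find the LAN host that is submitting the mail. The script below is an added example, not code from any poster in this thread; it reads the column order from the log's own `#Fields:` line, and the sample log lines, addresses and the allowlisted alarm host `192.168.1.20` are constructed for illustration.

```python
import csv
from collections import defaultdict

# Constructed sample; column order is read from the log's own "#Fields:" line.
SAMPLE_LOG = r"""#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-03-13T01:47:20.101Z,EXCH\Default EXCH,08D1A,0,192.168.1.10:25,192.168.1.57:50211,+,,
2014-03-13T01:47:20.105Z,EXCH\Default EXCH,08D1A,1,192.168.1.10:25,192.168.1.57:50211,<,MAIL FROM:<promo@example.com>,
2014-03-13T01:47:20.109Z,EXCH\Default EXCH,08D1A,2,192.168.1.10:25,192.168.1.57:50211,<,RCPT TO:<a@example.net>,
2014-03-13T01:47:20.112Z,EXCH\Default EXCH,08D1A,3,192.168.1.10:25,192.168.1.57:50211,<,RCPT TO:<b@example.org>,
2014-03-13T01:47:21.300Z,EXCH\Default EXCH,08D1B,0,192.168.1.10:25,192.168.1.57:50212,+,,
2014-03-13T01:47:21.304Z,EXCH\Default EXCH,08D1B,1,192.168.1.10:25,192.168.1.57:50212,<,mail from:<deals@example.com>,
2014-03-13T01:47:21.308Z,EXCH\Default EXCH,08D1B,2,192.168.1.10:25,192.168.1.57:50212,<,RCPT TO:<c@example.net>,
2014-03-13T02:00:00.000Z,EXCH\Default EXCH,08D1C,0,192.168.1.10:25,192.168.1.20:40100,+,,
2014-03-13T02:00:00.004Z,EXCH\Default EXCH,08D1C,1,192.168.1.10:25,192.168.1.20:40100,<,MAIL FROM:<alarms@example.com>,
2014-03-13T02:00:00.008Z,EXCH\Default EXCH,08D1C,2,192.168.1.10:25,192.168.1.20:40100,<,RCPT TO:<ops@example.com>,
"""

def summarize(lines, known_senders=()):
    """Count sessions, RCPT TO commands and distinct MAIL FROM values per client IP."""
    fields, stats = None, defaultdict(lambda: {"sessions": set(), "rcpts": 0, "froms": set()})
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        ip = row["remote-endpoint"].rsplit(":", 1)[0].strip("[]")  # drop source port
        host = stats[ip]
        host["sessions"].add(row["session-id"])
        cmd = row.get("data", "")
        if row["event"] == "<":  # "<" = command the server received from the client
            if cmd.upper().startswith("RCPT TO:"):
                host["rcpts"] += 1
            elif cmd.upper().startswith("MAIL FROM:"):
                host["froms"].add(cmd[10:].strip().lower())
    report = [
        {"ip": ip, "sessions": len(h["sessions"]), "rcpts": h["rcpts"],
         "distinct_from": len(h["froms"]), "known": ip in known_senders}
        for ip, h in stats.items()
    ]
    # Unknown hosts first, then by recipient volume: the likely culprit sorts to the top.
    return sorted(report, key=lambda r: (r["known"], -r["rcpts"]))

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG.splitlines(), known_senders={"192.168.1.20"}):
        print(r)
```

A host that is not one of the known alarm senders and shows many sessions, many recipients and several different MAIL FROM addresses is the workstation to inspect first.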
