Avatar of DrDamnit
DrDamnitFlag for United States of America asked on

How do I find what network entity is sending mail (and spam)?

An exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.

I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.

When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients:  bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local

Open in new window


Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
ExchangeEmail ServersWindows Server 2012

Avatar of undefined
Last Comment
skullnobrains

8/22/2022 - Mon
davorin

Try to enable logging on all SMTP receive connectors and examine the logs.
You did not mentioned the version of the exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
ASKER
DrDamnit

Exchange 2010. How do I enable those logs?
davorin

On receive connector(s) properties on general tab set Protocol logging level to verbose.

(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx

Here you can find location of logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER
DrDamnit

I'll apply this and report back.
Dirk Mare

I would also install a network sniffer

Microsoft Network Monitor
Wireshark

and set it to monitor traffic on port 25 (SMTP) you should be able to identify the culprit workstation by IP address.

DirkMare
ASKER CERTIFIED SOLUTION
skullnobrains

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question