Solved

How do I find what network entity is sending mail (and spam)?

Posted on 2014-03-14
6
384 Views
Last Modified: 2014-05-12
An Exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.

I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.

When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients:  bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local



Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
Question by:DrDamnit
6 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 39930627
Try to enable logging on all SMTP receive connectors and examine the logs.
You did not mention the version of the Exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930660
Exchange 2010. How do I enable those logs?
 
LVL 27

Expert Comment

by:davorin
ID: 39930672
In the receive connector(s) properties, on the General tab, set Protocol logging level to Verbose.

(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx

Here you can find the location of the logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930745
I'll apply this and report back.
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931694
I would also install a network sniffer

Microsoft Network Monitor
Wireshark

and set it to monitor traffic on port 25 (SMTP); you should be able to identify the culprit workstation by IP address.

DirkMare
 
LVL 26

Accepted Solution

by: skullnobrains (earned 500 total points)
ID: 39932826
I am worried some are actually getting out and spamming the world

Don't be afraid, be sure. What you are looking at is just the consequence of a spam that failed to reach its destination, probably because of greylisting or a server that was temporarily down. Most of the spam flow probably went through in less than a second and never had a chance to clutter your queues.