How do I find what network entity is sending mail (and spam)?
An exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.
I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.
When I look at a message in the queue, I get this:
Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.
When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients: bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local
Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
Last Comment
ASKER
Exchange 2010. How do I enable those logs?
On receive connector(s) properties on general tab set Protocol logging level to verbose.
(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx
Here you can find location of logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx
Here you can find location of logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
ASKER
I'll apply this and report back.
I would also install a network sniffer
Microsoft Network Monitor
Wireshark
and set it to monitor traffic on port 25 (SMTP) you should be able to identify the culprit workstation by IP address.
DirkMare
Microsoft Network Monitor
Wireshark
and set it to monitor traffic on port 25 (SMTP) you should be able to identify the culprit workstation by IP address.
DirkMare
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Exchange
Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.
213K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
You did not mentioned the version of the exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp