?
Solved

How do I find what network entity is sending mail (and spam)?

Posted on 2014-03-14
6
Medium Priority
?
394 Views
Last Modified: 2014-05-12
An exchange server is full of queues and messages that shouldn't be there. It is not an open relay, but it does (blindly) accept requests from the private LAN because we have multiple automated processes that send email alarms.

I think someone has an infected laptop that is coming in and out of the building or has spyware somewhere.

When I look at a message in the queue, I get this:
Identity: Exchange\111871\357777
Subject: Undeliverable: The Best Treatment for Trigger Points
Internet Message ID: <3539d00d-7fa6-448d-96c7-3945dcd0244e@[ourdomain].com>
From Address: <>
Status: Ready
Size (KB): 10
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 3/13/2014 1:47:28 AM
Expiration Time: 3/15/2014 1:47:28 AM
Last Error: 400 4.4.7 Message delayed
Queue ID: Exchange\111871
Recipients:  bounce@newsletters.imatrix.com;2;2;400 4.4.7 Message delayed;0;CN=Internet,CN=Connections,CN=Exchange Routing Group (DWBGZMFD01QNBJR),CN=Routing Groups,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=[OURDC],DC=local

Open in new window


Is there any way I can track this down? The messages that are in the queue are delayed, but I am worried some are actually getting out and spamming the world.
0
Comment
Question by:DrDamnit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 27

Expert Comment

by:davorin
ID: 39930627
Try to enable logging on all SMTP receive connectors and examine the logs.
You did not mentioned the version of the exchange server.
It could also be an authenticated relay attack.
Some useful info: http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
0
 
LVL 32

Author Comment

by:DrDamnit
ID: 39930660
Exchange 2010. How do I enable those logs?
0
 
LVL 27

Expert Comment

by:davorin
ID: 39930672
On receive connector(s) properties on general tab set Protocol logging level to verbose.

(EMC step 2) http://technet.microsoft.com/en-us/library/bb690954(v=exchg.141).aspx

Here you can find location of logs:
http://technet.microsoft.com/en-us/library/aa997624.aspx
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 32

Author Comment

by:DrDamnit
ID: 39930745
I'll apply this and report back.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931694
I would also install a network sniffer

Microsoft Network Monitor
Wireshark

and set it to monitor traffic on port 25 (SMTP) you should be able to identify the culprit workstation by IP address.

DirkMare
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 2000 total points
ID: 39932826
I am worried some are actually getting out and spamming the world

don't be afraid, be sure. what you are looking at is just the consequence of a spam that failed to reach it's destination, probably because of greylisting  or a server that was temporarily down. most of the spamflow probably wnet through in less than a second and never had a chance to clutter your queues
0

Featured Post

What Is Blockchain Technology?

Blockchain is a technology that underpins the success of Bitcoin and other digital currencies, but it has uses far beyond finance. Learn how blockchain works and why it is proving disruptive to other areas of IT.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question