Solved

Exchange 2003 Distribution Group sends spam

Posted on 2014-11-25
Last Modified: 2014-12-02
I think one of my Exchange 2003 Distribution Groups sends spam. There are 4 persons in this group. I removed all from the list.
But anyway NDR mail from the other side's server comes.
Exchange server waitingtools shows nothing; only the logs say mail was sent. After that, the Mail Delivery System mail comes.

Idea? What can I do?
0
Comment
Question by:apollo-13
13 Comments
 
LVL 35

Accepted Solution

by:
Kimputer earned 313 total points
ID: 40464015
Can you show a bit of that log that says the spam mail was sent from your side?
0
 
LVL 10

Assisted Solution

by:Marshal Hubs
Marshal Hubs earned 63 total points
ID: 40464027
Please go through this resource http://technet.microsoft.com/en-us/library/aa996956(v=exchg.65).aspx to know how to set restrictions on a Distribution Group to avoid spam.
0
 

Author Comment

by:apollo-13
ID: 40464057
Which options do I need to choose here?

-Click From everyone to allow authenticated users to send mail to the selected distribution list.
-Click Only from to specify a select set of authenticated users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
-Click From everyone except to allow all authenticated users but a select set to send to the selected distribution list. Click Add to specify the list of users or groups that you do not want to allow to send messages to this distribution list.
Leave From authenticated users only cleared. If you leave this check box cleared, the following options are implemented as such:

Click From everyone to allow anyone to send messages to the selected distribution list. This includes anonymous users from the Internet.
Click Only from to specify a select set of users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
Click From everyone except to allow everyone but a select set of users or groups to send to the selected distribution list. Click Add to specify the list of users or groups you do not want to allow to send messages to this distribution list. These users or groups can be authenticated users or anonymous users.
0

 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40464303
This solution is for INCOMING spam only. You told us about OUTGOING spam, correct? If so, provide the log file which proves this and give us more info on how to solve it.
0
 

Author Comment

by:apollo-13
ID: 40466316
Yes, OUTGOING spam, I think, because I get NDR mail from another server.
0
 

Author Comment

by:apollo-13
ID: 40466319
But the logs always show other mail addresses, but changehiereverytime@mail.ru
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40466375
Do you have a part of the log you can show us? Or you only have the NDR?
0
 

Author Comment

by:apollo-13
ID: 40468621
NDR:
This is the mail system at host abk.adi-biznes-karta.ru.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<maclub@mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 spam message
    rejected. Please visit
    http://help.mail.ru/notspam-support/id?c=q6j9jqT57VUACSR4hBoWsQXBjCPUMdQhYKKcj1vWS9AIAAAA4JkAAPJdWyQ~
    or  report details to abuse@corp.mail.ru. Error code:
    8EFDA8AB55EDF9A478240900B1161A84238CC10521D431D48F9CA260D04BD65B. ID:
    00000008000099E0245B5DF2. (in reply to end of DATA command)
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40468920
You are confusing an NDR with a log for sending. An NDR doesn't mean you actually sent it. Therefore I asked for a piece of your SMTP log where you contacted this mxs.mail.ru server.
Please note, you can receive thousands or even millions of NDRs, even if you never sent spam.
NDRs are based on the FROM header. As you may know, ANYONE on the Internet can set this FROM header in his email client, and there are usually no checks performed on its validity. So if I set my FROM address to that distribution address, then send out spam to mail.ru, YOU will get the NDR!
To know if you sent out spam or not, you have to check your SMTP logs for outgoing connections to mxs.mail.ru, OR the NDR has to be clear about which two servers were talking. In this case abk.adi-biznes-karta.ru was talking to mxs.mail.ru. If you do not recognise abk.adi-biznes-karta.ru and have no contact with them and you never heard of them, it's clear that mail server received the spam from another user (who has access to their system). You can just ignore this NDR, or you can force the sysadmin of that server to start investigating this matter.
If abk.adi-biznes-karta.ru is YOUR SMTP relay, then you are probably sending out spam somehow, if not through the server, then through some Outlook client or maybe even a spambot in your network.
So now please let us know if you have any knowledge of this abk.adi-biznes-karta.ru server?
0
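The two checks from the answer above, as an added example that is not part of the original thread: read the NDR to see which server wrote it and which MX rejected the message, then search the SMTP log for outbound sessions to that MX. The log lines are constructed, and the column layout, the `OutboundConnection` marker in `cs-username`, and the host name `mail01.example.com` are assumptions about the local setup.

```python
import re

# NDR from the thread, trimmed to the lines that identify the two servers.
NDR = """This is the mail system at host abk.adi-biznes-karta.ru.
<maclub@mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 spam message
"""
# Constructed SMTP log in W3C extended format. Assumption: outbound sessions
# show "OutboundConnection..." in cs-username and the remote server in c-ip.
SMTP_LOG = """#Fields: date time c-ip cs-username s-computername cs-method cs-uri-query sc-status
2014-11-25 08:01:12 192.0.2.25 OutboundConnectionCommand MAIL01 EHLO mail01.example.com 0
2014-11-25 08:01:13 192.0.2.25 OutboundConnectionResponse MAIL01 - 250+OK 0
2014-11-25 08:02:40 10.0.0.17 client.example.com MAIL01 MAIL +FROM:<user@example.com> 250
"""

def parse_ndr(text):
    """Return the host that generated the NDR and the MX that rejected the mail."""
    reporter = re.search(r"mail system at host (\S+?)\.?\s", text)
    remote = re.search(r"host (\S+)\[([0-9.]+)\] said: (\d{3})", text)
    return {
        "reporting_host": reporter.group(1).lower() if reporter else None,
        "remote_host": remote.group(1).lower() if remote else None,
        "remote_ip": remote.group(2) if remote else None,
        "reply_code": remote.group(3) if remote else None,
    }

def outbound_sessions(log_text, remote_ip):
    """Log rows that record an outbound SMTP session from our server to remote_ip."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names can differ per server
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if (row.get("c-ip") == remote_ip
                    and row.get("cs-username", "").startswith("OutboundConnection")):
                hits.append(row)
    return hits

def assess(ndr_text, log_text, our_hosts):
    """Apply both checks: who wrote the NDR, and did we ever contact the rejecting MX."""
    ndr = parse_ndr(ndr_text)
    if ndr["reporting_host"] in our_hosts:
        return "own-relay"      # the bounce came from a relay we send through
    if ndr["remote_ip"] and outbound_sessions(log_text, ndr["remote_ip"]):
        return "sent-from-us"   # our server talked to the rejecting MX directly
    return "backscatter"        # no trace of our servers in the NDR or the log

if __name__ == "__main__":
    print(assess(NDR, SMTP_LOG, {"mail01.example.com"}))  # hypothetical own host
```

A "backscatter" verdict only covers the log that was searched, so run it over the logs of every server and relay that is allowed to send mail for the domain.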
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 124 total points
ID: 40469594
I wonder if this is just an NDR backscatter attack. :)

What are we using for antispam?
0
 

Author Comment

by:apollo-13
ID: 40470070
Yes it is.
Locally we use nothing, we use the ISP spam filter, but I think this is from local.
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40470213
If you think it's local, why didn't you answer this question I posted before??
If abk.adi-biznes-karta.ru is YOUR SMTP relay, then you are probably sending out spam somehow, if not through the server, then through some Outlook client or maybe even a spambot in your network.
So now please let us know if you have any knowledge of this abk.adi-biznes-karta.ru server?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 124 total points
ID: 40470459
we use ISP Spam filter

How are you using your ISP's spam filter? Are your MX records pointing to them? Then your ISP forwards to you?

Is this a paid anti-spam solution or something free your ISP offers?

If free, it's probably not all that good. I would recommend looking at Exchange Online Protection from Microsoft. Runs $1 per user / month and gets the job done. It will prevent NDR backscatter attacks. They also have a free trial.
http://products.office.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam
0

Question has a verified solution.