Solved

exchange 2003 Distribution Group sends spam

Posted on 2014-11-25
Last Modified: 2014-12-02
I think one of my Exchange 2003 Distribution Groups sends spam. There are 4 persons in this group. I removed all from the list.
But anyway, NDR mail from the other side's server comes.
The Exchange server waiting tools show nothing; only the logs say mail was sent. After that, a Mail Delivery System mail comes.

Idea? What can I do?
Question by:apollo-13
13 Comments
 
LVL 35

Accepted Solution

by:
Kimputer earned 313 total points
ID: 40464015
Can you show a bit of that log that says the spam mail was sent from your side?
0
 
LVL 10

Assisted Solution

by:Marshal Hubs
Marshal Hubs earned 63 total points
ID: 40464027
Please go through this resource http://technet.microsoft.com/en-us/library/aa996956(v=exchg.65).aspx to know how to set restrictions on a Distribution Group to avoid spam.
0
 

Author Comment

by:apollo-13
ID: 40464057
Which options do I need to choose here?

- Click From everyone to allow authenticated users to send mail to the selected distribution list.
- Click Only from to specify a select set of authenticated users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
- Click From everyone except to allow all authenticated users but a select set to send to the selected distribution list. Click Add to specify the list of users or groups that you do not want to allow to send messages to this distribution list.

Leave From authenticated users only cleared. If you leave this check box cleared, the following options are implemented as such:

- Click From everyone to allow anyone to send messages to the selected distribution list. This includes anonymous users from the Internet.
- Click Only from to specify a select set of users or groups that can send messages to the selected distribution list. Click Add to specify the users or groups you want to allow to send messages to this distribution list.
- Click From everyone except to allow everyone but a select set of users or groups to send to the selected distribution list. Click Add to specify the list of users or groups you do not want to allow to send messages to this distribution list. These users or groups can be authenticated users or anonymous users.
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40464303
This solution is for INCOMING spam only. You told us about OUTGOING spam, correct? If so, provide the log file which proves this and give us more info on how to solve it.
0
 

Author Comment

by:apollo-13
ID: 40466316
Yes, OUTGOING spam, I think, because I get NDR mail from the other server.
0
 

Author Comment

by:apollo-13
ID: 40466319
But the logs always say other mail addresses, but changehiereverytime@mail.ru
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40466375
Do you have a part of the log you can show us? Or you only have the NDR?
0
 

Author Comment

by:apollo-13
ID: 40468621
NDR:
This is the mail system at host abk.adi-biznes-karta.ru.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<maclub@mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 spam message
    rejected. Please visit
    http://help.mail.ru/notspam-support/id?c=q6j9jqT57VUACSR4hBoWsQXBjCPUMdQhYKKcj1vWS9AIAAAA4JkAAPJdWyQ~
    or  report details to abuse@corp.mail.ru. Error code:
    8EFDA8AB55EDF9A478240900B1161A84238CC10521D431D48F9CA260D04BD65B. ID:
    00000008000099E0245B5DF2. (in reply to end of DATA command)
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40468920
You are confusing an NDR with a log for sending. An NDR doesn't mean you actually sent it. Therefore I asked for a piece of your SMTP log where you contacted this mxs.mail.ru server.
Please note, you can receive thousands or even millions of NDRs, even if you never sent spam.
NDRs are based on the FROM header. As you may know, ANYONE on the Internet can set this FROM header in his email client, and there are usually no checks performed for its validity. So if I set my FROM address to that distribution address, then send out spam to mail.ru, YOU will get the NDR!
To know if you sent out spam or not, you have to check your SMTP logs for outgoing connections to mxs.mail.ru, OR the NDR has to make clear which two servers were talking. In this case abk.adi-biznes-karta.ru was talking to mxs.mail.ru. If you do not recognise abk.adi-biznes-karta.ru and have no contact with them and you never heard of them, it's clear that that mail server received the spam from another user (who has access to their system). You can just ignore this NDR, or you can force the sysadmin of that server to start investigating this matter.
If abk.adi-biznes-karta.ru is YOUR SMTP relay, then you are probably sending out spam somehow, if not through the server, then through some Outlook client or maybe even a spambot in your network.
So now please let us know if you have any knowledge of this abk.adi-biznes-karta.ru server?
0
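
The check described in the answer above, as an added example that is not part of the original thread: it reads the reporting and rejecting hosts out of the NDR and searches SMTP log lines for outbound sessions to the rejecting server. The log lines, their field layout (W3C extended format with `OutboundConnection...` entries), the `own_hosts` set and all function names are constructed assumptions.

```python
import re

# NDR text from the thread above, abbreviated to the lines that matter.
NDR = """This is the mail system at host abk.adi-biznes-karta.ru.

<maclub@mail.ru>: host mxs.mail.ru[217.69.139.150] said: 550 spam message
    rejected. (in reply to end of DATA command)
"""

# Constructed W3C extended SMTP log lines; the field layout is an assumption.
SMTP_LOG = """#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2014-11-27 08:01:12 192.0.2.25 OutboundConnectionCommand SMTPSVC1 EHLO - 0
2014-11-27 08:01:13 192.0.2.25 OutboundConnectionResponse SMTPSVC1 - 250+OK 0
2014-11-27 08:05:40 198.51.100.7 mail.example.net SMTPSVC1 MAIL +FROM:<a@example.net> 250
""".splitlines()

def parse_ndr(text):
    """Return (reporting_host, rejecting_host, rejecting_ip) from a Postfix-style NDR."""
    reporter = re.search(r"mail system at host\s+(\S+)", text)
    remote = re.search(r"host\s+([\w.-]+)\[([0-9a-fA-F.:]+)\]\s+said:", text)
    return (reporter.group(1).rstrip(".").lower() if reporter else None,
            remote.group(1).lower() if remote else None,
            remote.group(2) if remote else None)

def outbound_hits(log_lines, remote_ip):
    """Return log rows that record an outbound SMTP session to remote_ip."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows below
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            if (row.get("c-ip") == remote_ip
                    and row.get("cs-username", "").startswith("OutboundConnection")):
                hits.append(row)
    return hits

def classify(ndr_text, own_hosts, log_lines):
    """Decide whether the NDR points at our own mail flow or at forged-sender backscatter."""
    reporter, remote, remote_ip = parse_ndr(ndr_text)
    hits = outbound_hits(log_lines, remote_ip)
    if reporter in own_hosts or hits:
        return "sent-from-our-side", reporter, remote, len(hits)
    return "backscatter-likely", reporter, remote, 0

if __name__ == "__main__":
    print(classify(NDR, {"mail.example.org"}, SMTP_LOG))
```

`own_hosts` should list every relay and smart host the organisation actually sends through, including the ISP's, otherwise a legitimate relay is misread as a foreign server.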
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 124 total points
ID: 40469594
I wonder if this is just an NDR backscatter attack. :)

What are we using for antispam?
0
 

Author Comment

by:apollo-13
ID: 40470070
Yes, it is.
Locally we use nothing; we use the ISP spam filter, but I think this is from local.
0
 
LVL 35

Assisted Solution

by:Kimputer
Kimputer earned 313 total points
ID: 40470213
If you think it's local, why didn't you answer this question I posted before??
If abk.adi-biznes-karta.ru is YOUR SMTP relay, then you are probably sending out spam somehow, if not through the server, then through some Outlook client or maybe even a spambot in your network.
So now please let us know if you have any knowledge of this abk.adi-biznes-karta.ru server?
0
 
LVL 31

Assisted Solution

by:Gareth Gudger
Gareth Gudger earned 124 total points
ID: 40470459
we use ISP Spam filter

How are you using your ISP's spam filter? Are your MX records pointing to them? Then your ISP forwards to you?

Is this a paid anti-spam solution or something free your ISP offers?

If free, it's probably not all that good. I would recommend looking at Exchange Online Protection from Microsoft. Runs $1 per user / month and gets the job done. It will prevent NDR backscatter attacks. They also have a free trial.
http://products.office.com/en-us/exchange/microsoft-exchange-online-protection-email-filter-and-anti-spam-protection-email-security-email-spam
0
