Solved

Exchange 2013 Sending out SPAM

Posted on 2015-01-12
Last Modified: 2015-01-27
Hi Everyone,
We have an Exchange Server on Server 2012.
Everything has been working great. But I noticed that somehow either the Server or a workstation got infected and was sending out SPAM.
So email goes out (monitored through the Queue Viewer in Toolbox) and gets stuck because most of it cannot be delivered.
When I look at the body of the message there is no sender, or the sender is blank like <>@mycompany.com.
So I'm not sure who is infected.
How can I track down where the email is coming from?

I have:

  • Shut off all the systems connected to it (small network of 8 workstations)
  • Shut off the VPN
  • Scanned all the systems using Malwarebytes (Servers and Workstations)

I admit the Servers were freshly deployed and didn't have their own AV yet. There is a Hyper Host and 2 VMs, one the DC, the other the Exchange Server.

Microsoft's Exchange Connectivity online tool says the server is not an open relay when I tested email to one of my accounts.

Any suggestions?

Thanks!
Question by:2ndFloor
2 Comments
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 250 total points
ID: 40545170
No workstations are acting suspicious? Also, what kind of filter do you have prior to mail hitting your Exchange server? Is this NDR spam from your Exchange server sending out non-delivery requests for non-existing users in the Exchange database? An external mail filter would take care of that by blocking all mail excluding existing users etc. This type of spam is known as backscatter.
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 40545232
That's not spam - that is Backscatter - which means you are not filtering messages for invalid recipients and accept the emails, then when it is determined that the recipient doesn't exist, because your server accepted the message, it HAS to send back a Non-Delivery Report (NDR) message and that is what you are seeing in the queue with the sender as <> which is the administrator.

If you install / configure some Anti-Spam tools and at least enable Recipient Filtering, the problem will go away.

Alternatively, if your Exchange server isn't the 1st server to receive emails for your domain (e.g. you use a 3rd party for spam filtering), then they need to be performing recipient filtering.

Some useful reading:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/security-message-hygiene/anti-spam-and-anti-malware-protection-exchange-2013-part1.html

Alan
0
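One way to trace where the queued mail originates and then apply the recipient filtering recommended in the accepted answer, as an added example that is not part of the original thread. It assumes the Exchange Management Shell on the Exchange 2013 server and a 24-hour look-back window.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2013 server.
# Assumption: a 24-hour look-back window. Adjust $since to cover the incident.
$since = (Get-Date).AddHours(-24)

# 1. Confirm the stuck mail is NDRs: a delivery status notification has the null sender "<>".
Get-Queue | Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' } |
    Select-Object Queue, Subject, DateReceived, LastError

# 2. Find messages that were accepted and then failed recipient resolution.
#    These are the messages that caused the NDRs.
$failed = Get-MessageTrackingLog -EventId FAIL -Start $since -ResultSize Unlimited |
    Where-Object { ($_.RecipientStatus -join ' ') -like '*RecipNotFound*' }

# 3. Join each failure to its SMTP RECEIVE event and count by submitting host.
#    External addresses point to backscatter; an internal workstation address
#    points to a machine on the LAN that is submitting the mail.
$failed | ForEach-Object {
    Get-MessageTrackingLog -MessageId $_.MessageId -EventId RECEIVE -Start $since |
        Where-Object { $_.Source -eq 'SMTP' }
} | Group-Object OriginalClientIp, ClientIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Install the anti-spam agents (not installed by default on a Mailbox server),
#    then reject mail for unknown recipients instead of accepting it and sending an NDR.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 5. Verify. Recipient validation only applies to accepted domains that have
#    AddressBookEnabled set to True (the default for authoritative domains).
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-AcceptedDomain | Format-Table Name, DomainType, AddressBookEnabled
```

Microsoft's recipient filtering documentation cautions that on a Mailbox server without an Edge Transport server, a message with one invalid recipient among valid ones is rejected as a whole, so test with a multi-recipient message before relying on it.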
