
exchange 2013 Sending out SPAM

Posted on 2015-01-12
Last Modified: 2015-01-27
Hi Everyone,
We have an Exchange Server on Server 2012.
Everything has been working great.  But I noticed that somehow either the Server or a workstation got infected and was sending out SPAM.
So email goes out (monitored through the Queue Viewer in Toolbox) and gets stuck because most of it cannot be delivered.
When I look at the body of the message there is no sender, or the sender is blank like <>@mycompany.com
So I'm not sure who is infected.
How can I track down where the email is coming from?

I have:

Shut off all the systems connected to it (small network of 8 workstations)
Shut off the VPN
Scanned all the systems using Malware Bytes (Servers and Workstations)

I admit the Servers were freshly deployed and didn't have their own AV yet. There is a Hyper Host and 2 VMs, one the DC, the other the Exchange Server.

Microsoft's Exchange Connectivity online tool says the server is not an open relay when I tested email to one of my accounts.

Any suggestions?

Thanks!
Question by:2ndFloor
2 Comments
 

Assisted Solution

by:Nick Rhode
Nick Rhode earned 1000 total points
ID: 40545170
No workstations are acting suspicious? Also what kind of filter do you have prior to mail hitting your exchange server? Is this NDR spam from your exchange server sending out non delivery requests for non-existing users in the exchange database? An external mail filter would take care of that by blocking all mail excluding existing users etc. This type of spam is known as backscatter.

Accepted Solution

by:
Alan Hardisty earned 1000 total points
ID: 40545232
That's not spam - that is Backscatter - which means you are not filtering messages for invalid recipients and accept the emails, then when it is determined that the recipient doesn't exist, because your server accepted the message, it HAS to send back a Non-Delivery Report (NDR) message and that is what you are seeing in the queue with the sender as <> which is the administrator.

If you install / configure some Anti-Spam tools and at least enable Recipient Filtering, the problem will go away.

Alternatively, if your Exchange server isn't the 1st server to receive emails for your domain (e.g. you use a 3rd party for spam filtering), then they need to be performing recipient filtering.

Some useful reading:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/security-message-hygiene/anti-spam-and-anti-malware-protection-exchange-2013-part1.html

Alan
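The diagnosis and fix described in the answers above, as an added example for the Exchange Management Shell on the Exchange 2013 server (not part of the original thread). The 24-hour window, the top-20 cut-offs and the variable names are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.

# 1. Confirm what is queued: NDRs carry the null sender "<>".
Get-Message -ResultSize Unlimited |
    Where-Object { $_.FromAddress -eq '<>' } |
    Group-Object Queue |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Find the inbound mail that triggered them. 5.1.1 is the standard
#    enhanced status code for an unknown recipient mailbox.
$since  = (Get-Date).AddHours(-24)   # assumed look-back window
$failed = Get-MessageTrackingLog -EventId FAIL -Start $since -ResultSize Unlimited |
    Where-Object { ($_.RecipientStatus -join ' ') -match '5\.1\.1' }

# Nonexistent addresses being targeted, most frequent first.
$failed | ForEach-Object { $_.Recipients } | Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Hosts that submitted those messages. External addresses point to
# backscatter; an internal address points to a machine on the LAN.
$ids = $failed | Select-Object -ExpandProperty MessageId -Unique
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $ids -contains $_.MessageId } |
    Group-Object OriginalClientIp |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 3. Install the anti-spam agents on the Mailbox server
#    (they are not installed there by default), then restart transport.
& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport

# 4. Enable recipient filtering with lookup of valid recipients.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 5. Verify the agent, the setting, and that accepted domains
#    allow recipient lookup.
Get-TransportAgent 'Recipient Filter Agent' | Format-List Identity, Enabled
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-AcceptedDomain | Format-Table Name, DomainType, AddressBookEnabled -AutoSize
```

With recipient validation enabled, mail for unknown recipients is rejected during the SMTP session, so the server no longer accepts it and generates an NDR afterwards.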
