Solved

exchange 2013 Sending out SPAM

Posted on 2015-01-12
2
882 Views
Last Modified: 2015-01-27
Hi Everyone,
We have an Exchange Server on Server 2012.
Everything has been working great.  But I noticed that somehow either the Server or a workstation got infected and was sending out SPAM.
So email goes out (monitored through the Queue Viewer in Toolbox) and gets stuck because most of it cannot be delivered.
When I look at the body of the message there is no sender, or the sender is blank like <>@mycompany.com
So I'm not sure who is infected.
How can I track down where the email is coming from?

I have:

Shut off all the systems connected to it (small network of 8 workstations)
Shut off the VPN
Scanned all the systems using Malware Bytes (Servers and Workstations)

I admit the Servers were freshly deployed and didn't have their own AV yet.  There is  a Hyper Host and 2 VMs, one the DC the other the Exchange Server.

Microsoft's Exchange Connectivity online tool says the server is not an open relay when I tested email to one of my accounts.

Any suggestions?

Thanks!
0
Comment
Question by:2ndFloor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 22

Assisted Solution

by:Nick Rhode
Nick Rhode earned 250 total points
ID: 40545170
No workstations are acting suspicious?  Also what kind of filter do you have prior to mail hitting your exchange server?  Is this NDR spam from your exchange server sending out non delivery requests for non-existing users in the exchange database?  An external mail filter would take care of that by blocking all mail excluding existing users etc.  This type of spam is known a backscatter
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 40545232
That's not spam - that is Backscatter - which means you are not filtering messages for invalid recipients and accept the emails, then when it is determined that the recipient doesn't exist, because your server accepted the message, it HAS to send back a Non-Delivery Report (NDR) message and that is what you are seeing in the queue with the sender as <> which is the administrator.

If you install / configure some Anti-Spam tools and at least enable Recipient Filtering, the problem will go away.

Alternatively, if your Exchange server isn't the 1st server to receive emails for your domain (e.g. you use a 3rd party for spam filtering), then they need to be performing recipient filtering).

Some useful reading:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/security-message-hygiene/anti-spam-and-anti-malware-protection-exchange-2013-part1.html

Alan
0

Featured Post

Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
This video discusses moving either the default database or any database to a new volume.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question