Solved

Exchange 2013 Sending out SPAM

Posted on 2015-01-12
Last Modified: 2015-01-27
Hi Everyone,
We have an Exchange Server on Server 2012.
Everything has been working great. But I noticed that somehow either the Server or a workstation got infected and was sending out SPAM.
So email goes out (monitored through the Queue Viewer in Toolbox) and gets stuck because most of it cannot be delivered.
When I look at the body of the message there is no sender, or the sender is blank like <>@mycompany.com.
So I'm not sure who is infected.
How can I track down where the email is coming from?

I have:

Shut off all the systems connected to it (small network of 8 workstations)
Shut off the VPN
Scanned all the systems using Malwarebytes (Servers and Workstations)

I admit the Servers were freshly deployed and didn't have their own AV yet. There is a Hyper Host and 2 VMs, one the DC, the other the Exchange Server.

Microsoft's Exchange Connectivity online tool says the server is not an open relay when I tested email to one of my accounts.

Any suggestions?

Thanks!
Question by:2ndFloor

Assisted Solution

by:Nick Rhode
Nick Rhode earned 250 total points
ID: 40545170
No workstations are acting suspicious? Also, what kind of filter do you have prior to mail hitting your Exchange server? Is this NDR spam from your Exchange server sending out non-delivery requests for non-existing users in the Exchange database? An external mail filter would take care of that by blocking all mail excluding existing users etc. This type of spam is known as backscatter.

Accepted Solution

by:
Alan Hardisty earned 250 total points
ID: 40545232
That's not spam - that is Backscatter - which means you are not filtering messages for invalid recipients and accept the emails, then when it is determined that the recipient doesn't exist, because your server accepted the message, it HAS to send back a Non-Delivery Report (NDR) message and that is what you are seeing in the queue with the sender as <> which is the administrator.

If you install / configure some Anti-Spam tools and at least enable Recipient Filtering, the problem will go away.

Alternatively, if your Exchange server isn't the 1st server to receive emails for your domain (e.g. you use a 3rd party for spam filtering), then they need to be performing recipient filtering.

Some useful reading:

http://www.msexchange.org/articles-tutorials/exchange-server-2013/security-message-hygiene/anti-spam-and-anti-malware-protection-exchange-2013-part1.html

Alan
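
The checks discussed in this thread, as an added example that is not part of the original posts: confirm that the queued mail is NDR backscatter, see which hosts submitted the triggering messages, and turn on Recipient Filtering. It assumes the Exchange Management Shell on the Exchange 2013 Mailbox server; the 24-hour window and the top-10/top-20 limits are arbitrary choices.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange server.
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# 1. What is queued, grouped by sender? NDRs carry the null sender "<>".
$queued = Get-Message -ResultSize Unlimited
$queued | Group-Object FromAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 2. Look at the null-sender messages themselves: subject and last error
#    show whether they are bounces stuck on undeliverable return addresses.
$queued | Where-Object { "$($_.FromAddress)" -eq '<>' } |
    Select-Object -First 20 DateReceived, Queue, Subject, LastError

# 3. Which hosts handed this server mail over SMTP? OriginalClientIp is the
#    connecting host when the session was proxied by the Front End service.
Get-MessageTrackingLog -Start $since -EventId RECEIVE -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' } |
    Group-Object OriginalClientIp, ClientIp | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 4. How many NDRs did the server generate in the same window?
(Get-MessageTrackingLog -Start $since -EventId DSN -ResultSize Unlimited |
    Measure-Object).Count

# 5. Install the built-in anti-spam agents if the Recipient Filter Agent
#    is not present, then restart transport so the agents load.
$agent = Get-TransportAgent |
    Where-Object { "$($_.Identity)" -eq 'Recipient Filter Agent' }
if (-not $agent) {
    & $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1
    Restart-Service MSExchangeTransport
}

# 6. Reject mail for recipients that do not exist instead of accepting it
#    and bouncing it later.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true

# 7. Verify the setting, and that the accepted domains are looked up
#    against the address book (needed for recipient validation).
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled
Get-AcceptedDomain | Format-List DomainName, DomainType, AddressBookEnabled
```

External addresses dominating step 3 together with a high count in step 4 is the backscatter pattern described in the accepted answer; an internal workstation address at the top of step 3 would instead point to a machine on the LAN submitting mail.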