Solved

Finding Rogue SPAM sender on Exchange 2010

Posted on 2015-02-24
139 Views
Last Modified: 2015-03-08
There is a system sending spam through our Exchange 2010 server. We know the recipient addresses and the subjects of the bad emails, but the sender is being masked and the IP shows as 255.255.255.255 in the queue. I've enabled verbose logging on the connectors, but I can't figure out how to identify how the SPAM messages are entering our mail server.

How should I attack this?
Question by: Cardlytics

22 Comments
 
Expert Comment by paulmacd (LVL 33)

255.255.255.255 is a broadcast address.

If you run an ARP -a command from a command prompt, you may get a MAC address you can use to track down the system.
 

Author Comment by Cardlytics

We've got over 230 clients, so the results of arp -a wouldn't tell us much, I don't think. It'll be huge, but I'll try that and take a peek.
 

Author Comment by Cardlytics

Here is an example of a DSN we are getting:

Identity: JSEXCH01\253518\7371664
Subject: Undeliverable: Cancun-- On Sale
Internet Message ID: <86bf8185-5fc6-4ade-861c-435d1a8c1b41@mycompany.com>
From Address: <>
Status: Retry
Size (KB): 14
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/24/2015 3:07:33 PM
Expiration Time: 2/26/2015 3:07:33 PM
Last Error: 451 Cannot connect to domain:retioe.eu - psmtp
Queue ID: JSEXCH01\253518
Recipients: SpringBreakTravel@retioe.eu
 
Expert Comment by gheist (LVL 61)

It is a Delivery Status Notification, aka DSN,
generated by your bad malice spammer called Exchange Server.
 

Author Comment by Cardlytics

Thanks for the quick answer.
@gheist... I understand that is what the error indicates. But it doesn't tell me who the spammer is. This is the core of what we are trying to do.
 
Expert Comment by gheist (LVL 61)

YOUR SYSTEM GENERATES THE MESSAGE
YOU ARE THE SPAMMER
 

Author Comment by Cardlytics

@gheist
I understand that we are the spammer. I am trying to find the PC or server in our environment that is sending the bad messages. I'm sorry I wasn't more clear on that. I just need to locate the server on our network that is forwarding mail through our server. I need guidance from you on how to find the source inside of my network.
 
Expert Comment by gheist (LVL 61)

Track the message.
The first line shows the message ID of the message that generated the NDR.
Track that.

You should not accept mail to nonexistent mailboxes anyway.
 

Author Comment by Cardlytics

@gheist

To track a message I believe you have to have the sender's mailbox. The NDR shows the message ID and the recipient, but since the sender is blank I'm not sure how to use the tracking tool. Can you clarify the steps I need to take on that?
 
Expert Comment by gheist (LVL 61)

The first log message tells you which message the NDR was generated for.
 

Author Comment by Cardlytics

I'm googling how to do message tracking with only the ID. The GUI requires you to have a sender's mailbox. Looking into PowerShell commands for the message tracking.
 
Expert Comment by gheist (LVL 61)

It does not require any field.
Especially users on gmail do not have Exchange mailboxes...
 
Expert Comment by paulmacd (LVL 33)

[gheist] you should probably just stop - it's obvious you're just going off half-cocked. Have you read anything the OP has posted?
 

Author Comment by Cardlytics

I'm able to use PowerShell to track a message by message ID.
It still reports blank sender info, so I can't figure out who is sending the spam.

See results below:

[PS] C:\Windows\system32>Get-MessageTrackingLog -messageid "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>" | FL *


PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:17:47 PM
ClientIp                :
ClientHostname          :
ServerIp                :
ServerHostname          : JSEXCH01
SourceContext           : Failure
ConnectorId             :
Source                  : DSN
EventId                 : DSN
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {}
TotalBytes              : 37139
RecipientCount          : 1
RelatedRecipientAddress :
Reference               : {<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>}
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:24:22 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:25:22 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:29:01 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:30:01 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

[PS] C:\Windows\system32>
 
Expert Comment by paulmacd (LVL 33)

Is it possible "jsexch01.mycompany.local" itself has been compromised?
 

Author Comment by Cardlytics

I guess it is conceivable. We suspect it is a laptop because we see spikes early in the morning that go away at lunchtime and sometimes come back later in the day. It is hard to say because it is peaky. It comes and goes in spurts, but that is how bots work. We ran virus scans that found nothing. Past that I am not sure what to check.
I don't see any extra services or processes running that jump out at me as being fishy. ????
 
Expert Comment by gheist (LVL 61)

"Reference" in the first message contains the original MessageID to trace.
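Following gheist's pointer (the DSN event's Reference field carries the MessageID of the message that bounced), here is an added PowerShell example for the Exchange 2010 Management Shell. It is not code from the thread or from Microsoft: it reads the Reference from the DSN event, then pulls the RECEIVE event of that original message, whose ClientIp, ClientHostname and ConnectorId record the host that submitted it and the connector it came in on, which is exactly what the DSN's blank Sender cannot show. A second function counts RECEIVE events per submitting IP over a window, for when there are too many bounces to trace one at a time. The function names, the -Server and -Start defaults and the lookback windows are assumptions; the Message-ID in the usage line is the one from the tracking output above.

```powershell
# Added example, not from the thread: pivot from a DSN's Message-ID to the
# original message's RECEIVE event, which records the submitting host.
# Assumes an Exchange 2010 Management Shell session on a Hub Transport server
# with message tracking enabled. Function names and defaults are assumptions.

function Get-BounceOrigin {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DsnMessageId,                      # Message-ID of the DSN, as shown in the queue or tracking log
        [string]$Server = $env:COMPUTERNAME,        # placeholder default
        [datetime]$Start = (Get-Date).AddDays(-7)   # placeholder lookback window
    )

    # The DSN event's Reference field holds the Message-ID of the message that bounced
    # (in the thread's output it is <750828c4...@m.securefloor.gen.in>).
    $dsn = Get-MessageTrackingLog -Server $Server -Start $Start -MessageId $DsnMessageId -EventId DSN |
           Select-Object -First 1
    if (-not $dsn) { throw "No DSN event for $DsnMessageId on $Server since $Start" }

    $originalIds = @($dsn.Reference | Where-Object { $_ })
    if ($originalIds.Count -eq 0) { throw "DSN event has an empty Reference field; nothing to pivot on" }

    foreach ($id in $originalIds) {
        # RECEIVE is written when the message enters transport. ClientIp/ClientHostname and
        # ConnectorId identify the submitting host and the path it used. Sender on this event
        # is only the MAIL FROM the client supplied, which a spam bot can set to anything, so
        # the IP/connector pair is the evidence to act on, not the address.
        Get-MessageTrackingLog -Server $Server -Start $Start -MessageId $id -EventId RECEIVE |
            Select-Object Timestamp, EventId, Source, ConnectorId, ClientIp, ClientHostname, Sender,
                          @{ n = 'Recipients'; e = { $_.Recipients -join ';' } }, MessageSubject
    }
}

function Get-TopSmtpSubmitters {
    # With hundreds of bounces, count RECEIVE events per submitting IP instead of tracing
    # them one by one; an internal address that is not a known mail client stands out.
    param(
        [string]$Server = $env:COMPUTERNAME,        # placeholder default
        [datetime]$Start = (Get-Date).AddHours(-24), # placeholder window
        [int]$Top = 10
    )
    Get-MessageTrackingLog -Server $Server -Start $Start -EventId RECEIVE -ResultSize Unlimited |
        Where-Object { $_.Source -eq 'SMTP' -and $_.ClientIp } |
        Group-Object -Property ClientIp |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ n = 'ClientIp';   e = { $_.Name } },
            @{ n = 'Connectors'; e = { ($_.Group | ForEach-Object { $_.ConnectorId } | Sort-Object -Unique) -join ',' } }
}

# Usage, with the Message-ID from the tracking output in the thread:
# Get-BounceOrigin -DsnMessageId '<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>' -Server JSEXCH01
# Get-TopSmtpSubmitters -Server JSEXCH01 | Format-Table -AutoSize
```

If the original message's RECEIVE event shows Source as STOREDRIVER rather than SMTP, it was submitted from a mailbox (Outlook or OWA), and the mailbox owner's workstation is the place to look; if it shows SMTP on a receive connector with a ClientIp, that IP is the infected host, or a relay in front of it.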
 

Accepted Solution by Cardlytics (earned 0 total points)

Closing ticket without a solution. We ended up locking down the Exchange servers to only authorized accounts. It was the best thing to do for security reasons anyway. We just didn't want to have to do it in a rush.
 
Expert Comment by gheist (LVL 61)

It should have been like that since the beginning, btw...
 

Author Closing Comment by Cardlytics

No solution found to the actual issue.
 
Expert Comment by gheist (LVL 61)

If you run any of Microsoft's Exchange configuration analyzers, it will tell you yours was misconfigured.
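The lock-down the accepted solution describes (relay limited to authorized accounts and hosts), gheist's earlier point that mail to nonexistent mailboxes should not be accepted, and the "misconfigured" remark all come down to receive-connector and recipient-filter settings. The following is an added PowerShell example, not code from the thread or from Microsoft: it audits every receive connector for the anonymous-relay right, narrows a relay connector to an explicit host list, and enables recipient validation so the server refuses unknown recipients at RCPT TO instead of queuing the message and generating the DSN. The connector identity, the IP addresses and the function names are placeholders/assumptions; the cmdlets, the extended-right name and the anti-spam install script are standard Exchange 2010.

```powershell
# Added example, not from the thread: audit Exchange 2010 receive connectors for
# anonymous relay, pin the relay connector to named hosts, and turn on recipient
# validation. Assumes an Exchange Management Shell session on a Hub Transport
# server; identities and IP addresses below are placeholders.

function Get-ReceiveConnectorRelayAudit {
    # Anonymous relay is the extended right ms-Exch-SMTP-Accept-Any-Recipient granted to
    # NT AUTHORITY\ANONYMOUS LOGON on the connector object. A connector that has it and a
    # RemoteIPRanges of 0.0.0.0-255.255.255.255 lets any host on the LAN send to any domain,
    # which is all a spam bot on a laptop needs.
    foreach ($rc in Get-ReceiveConnector) {
        $anonRelay = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient') }
        New-Object PSObject -Property @{
            Connector        = $rc.Identity.ToString()
            Bindings         = ($rc.Bindings | ForEach-Object { $_.ToString() }) -join ', '
            RemoteIPRanges   = ($rc.RemoteIPRanges | ForEach-Object { $_.ToString() }) -join ', '
            PermissionGroups = $rc.PermissionGroups.ToString()
            AnonymousRelay   = [bool]$anonRelay
        }
    }
}

function Set-RelayConnectorScope {
    # Replace the connector's RemoteIPRanges with an explicit allow-list. The parameter
    # replaces the whole list, so include every host (copiers, monitoring, application
    # servers) that legitimately relays; everything else then has to authenticate.
    param(
        [Parameter(Mandatory = $true)][string]$Identity,       # e.g. 'JSEXCH01\Relay' (placeholder)
        [Parameter(Mandatory = $true)][string[]]$AllowedHosts  # e.g. '10.119.126.50' (placeholder)
    )
    Set-ReceiveConnector -Identity $Identity -RemoteIPRanges $AllowedHosts
    Get-ReceiveConnector -Identity $Identity | Select-Object Identity, RemoteIPRanges, PermissionGroups
}

function Enable-RecipientValidation {
    # Reject RCPT TO for addresses that do not exist in the directory, so the message is
    # never queued and no DSN is produced. Needs the Hub Transport anti-spam agents, which
    # ship as a script in the Exchange Scripts folder and require a transport restart.
    if (-not (Get-TransportAgent | Where-Object { $_.Identity -eq 'Recipient Filter Agent' })) {
        & (Join-Path $env:ExchangeInstallPath 'Scripts\Install-AntispamAgents.ps1')
        Restart-Service MSExchangeTransport
    }
    Set-RecipientFilterConfig -RecipientValidationEnabled $true
    Get-RecipientFilterConfig | Select-Object Enabled, RecipientValidationEnabled
}

# Usage:
# Get-ReceiveConnectorRelayAudit | Format-Table -AutoSize
# Set-RelayConnectorScope -Identity 'JSEXCH01\Relay' -AllowedHosts '10.119.126.50','10.119.126.51'
# Enable-RecipientValidation
```

Run the audit first and compare each connector's AnonymousRelay flag against its RemoteIPRanges: the Default connector may legitimately listen to all addresses for inbound mail to local recipients, but no connector listening to the whole network should carry the relay right. Tightening the scope is also what turns the tracking log into a useful detection source, since every later submission has to come from a listed host or an authenticated account.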
