Solved

Finding Rogue SPAM sender on Exchange 2010

Posted on 2015-02-24
22
195 Views
Last Modified: 2015-03-08
There is a system sending spam through our Exchange 2010 server. We know the recipient addresses and the subjects of the bad emails, but the sender is being masked and the IP shows as 255.255.255.255 in the queue. I've enabled verbose logging on the connectors, but I can't figure out how to identify how the SPAM messages are entering our mail server.

How should I attack this?
0
Comment
Question by:Cardlytics
22 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40629030
255.255.255.255 is a broadcast address.

If you run an ARP -a command from a command prompt, you may get a MAC address you can use to track down the system.
0
 

Author Comment

by:Cardlytics
ID: 40629040
We've got over 230 clients. So the results of the arp -a wouldn't tell us much I don't think. It'll be huge, but I'll try that and take a peek.
0
 

Author Comment

by:Cardlytics
ID: 40629081
Here is an example of a DSN we are getting:

Identity: JSEXCH01\253518\7371664
Subject: Undeliverable: Cancun-- On Sale
Internet Message ID: <86bf8185-5fc6-4ade-861c-435d1a8c1b41@mycompany.com>
From Address: <>
Status: Retry
Size (KB): 14
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/24/2015 3:07:33 PM
Expiration Time: 2/26/2015 3:07:33 PM
Last Error: 451 Cannot connect to domain:retioe.eu - psmtp
Queue ID: JSEXCH01\253518
Recipients:  SpringBreakTravel@retioe.eu
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629195
It is a Delivery Status Notification aka DSN
Generated by your bad, malicious spammer called Exchange Server.
0
 

Author Comment

by:Cardlytics
ID: 40629358
Thanks for the quick answer.
@gheist... I understand that is what the error indicates. But it doesn't tell me who the spammer is. This is the core of what we are trying to do.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629378
YOUR SYSTEM GENERATES THE MESSAGE
YOU ARE THE SPAMMER
0
 

Author Comment

by:Cardlytics
ID: 40629392
@gheist
I understand that we are the spammer. I am trying to find the PC or server in our environment that is sending the bad messages. I'm sorry I wasn't more clear on that. I just need to locate the server on our network that is forwarding mail through our server. I need guidance from you on how to find the source inside of my network.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631144
Track message.
First line shows message ID from a message that generated NDR
Track that.

You should not accept mails to nonexistent mailboxes anyway.
0
 

Author Comment

by:Cardlytics
ID: 40631259
@gheist

To track a message I believe you have to have the sender's mailbox. The NDR shows the message ID and the recipient, but since the sender is blank I'm not sure how to use the tracking tool. Can you clarify the steps I need to take on that?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631287
First log message tells for which message NDR was generated.
0
 

Author Comment

by:Cardlytics
ID: 40631313
I'm googling how to do message tracking with only the ID. The GUI requires you to have a sender's mailbox. Looking into PowerShell commands for the message tracking.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631332
It does not require any field.
Especially users on gmail do not have exchange mailboxes...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631337
[gheist] you should probably just stop - it's obvious you're just going off half-cocked.  Have you read anything the OP has posted?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631349
0
 

Author Comment

by:Cardlytics
ID: 40631447
I'm able to use Powershell to track a message by messageID.
It still reports a blank sender info so I can't figure out who is sending the spam.

See results below:

[PS] C:\Windows\system32>Get-MessageTrackingLog -MessageId "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>" | FL *


PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:17:47 PM
ClientIp                :
ClientHostname          :
ServerIp                :
ServerHostname          : JSEXCH01
SourceContext           : Failure
ConnectorId             :
Source                  : DSN
EventId                 : DSN
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {}
TotalBytes              : 37139
RecipientCount          : 1
RelatedRecipientAddress :
Reference               : {<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>}
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:24:22 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:25:22 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:29:01 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:30:01 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :



[PS] C:\Windows\system32>
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631561
Is it possible "jsexch01.mycompany.local" itself has been compromised?
0
 

Author Comment

by:Cardlytics
ID: 40631634
I guess it is conceivable. We suspect it is a laptop because we see spikes early in the morning that go away at lunch time and sometimes come back later in the day. It is hard to say because it is peaky. It comes and goes in spurts, but that is how bots work. We ran virus scans that found nothing. Past that I am not sure what to check.
I don't see any extra services or processes running that jump out at me as being fishy. ????
0
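An added example (not from the thread or from any of its participants) for hunting by volume when, as here, the DSNs carry no sender: sweep the RECEIVE events in the spike window on every Hub Transport server and rank who handed messages to Exchange. The time window, the internal domain and the `$suspect` address are assumptions. Note that in the tracking output posted above, the outbound DEFER events all show ClientIp 10.119.126.21, which is JSEXCH01 itself, so ClientIp on its own says nothing; only the RECEIVE event records the submitting client.

```powershell
# Added example, not from the original thread. Rank the hosts/accounts that handed messages
# to Exchange during the spike, without needing a Message-ID or a sender.
# The time window and the internal domain are assumptions; adjust them.
$start = (Get-Date).Date.AddHours(7)    # assumed: spike starts early morning
$end   = (Get-Date).Date.AddHours(12)   # assumed: gone by lunch
$internalDomain = "mycompany.com"

# RECEIVE events across all Hub Transport servers in the window.
$received = Get-TransportServer |
    Get-MessageTrackingLog -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited

# A bot relaying through you sends to outside addresses, so keep messages with at least
# one external recipient. Normal inbound mail (external client, internal recipients) drops out.
$outbound = $received | Where-Object {
    @($_.Recipients | Where-Object { $_ -notlike "*@$internalDomain" }).Count -gt 0
}

# Group by where it came from. For Source=SMTP the ClientIp is the submitting host; for
# Source=STOREDRIVER the Sender is the mailbox that submitted it (a compromised account,
# not a rogue host, since a mailbox submission is already authenticated).
$outbound |
    Group-Object Source, ConnectorId, ClientIp, Sender |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name |
    Format-Table -AutoSize -Wrap

# Once a ClientIp or Sender stands out, pull a sample of its subjects to confirm it is the spam.
# $suspect is an assumption: paste the ClientIp (or Sender) from the table above.
$suspect = "10.119.126.99"
$outbound |
    Where-Object { $_.ClientIp -eq $suspect -or $_.Sender -eq $suspect } |
    Select-Object -First 20 Timestamp, ClientHostname, ConnectorId, Sender, MessageSubject |
    Format-Table -AutoSize -Wrap
```

Run it in the Exchange Management Shell while the spike is happening (tracking logs are kept for a limited time, so widen the window to the last spike if the current one has passed). If the top row is an internal ClientIp on a connector that allows anonymous submission, that is the machine to pull off the network; if it is an external ClientIp with external recipients, the server is relaying for the outside world and the connectors need to be fixed first.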
 
LVL 62

Expert Comment

by:gheist
ID: 40631653
The "Reference" field in the first message contains the original MessageID to trace.
0
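The trace gheist is describing, as an added example that is not part of the original thread: take the DSN's Message-ID, read the `Reference` property from its DSN tracking event, then track that referenced Message-ID to find its RECEIVE event, which is the only event that records who handed the message to Exchange. The Message-ID is the one the poster tracked above; everything else is standard Exchange 2010 Management Shell.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell.
# $dsnId is the Message-ID the poster tracked above; substitute the one from your own DSN.
$dsnId = "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>"

# Step 1: the DSN's own tracking entries. Source=DSN with an empty ClientIp is expected:
# the NDR was generated by the transport categorizer, not handed in by a client, which is
# also why the queue viewer shows 255.255.255.255 for it. The Reference property holds the
# Message-ID(s) of the message that triggered the NDR.
$originalIds = Get-MessageTrackingLog -MessageId $dsnId -EventId DSN -ResultSize Unlimited |
    ForEach-Object { $_.Reference } |
    Where-Object { $_ } |
    Select-Object -Unique

if (-not $originalIds) {
    Write-Warning "No DSN event with a Reference found for $dsnId on this server; add -Server or pipe from Get-TransportServer."
}

foreach ($origId in $originalIds) {
    Write-Host "==== original message $origId ===="

    # Step 2: track the original across every Hub Transport server. Its RECEIVE event is the
    # one that says where it entered:
    #   Source SMTP        -> ClientIp/ClientHostname is the host that connected, ConnectorId the
    #                         Receive connector that accepted it, Sender the envelope MAIL FROM.
    #   Source STOREDRIVER -> it was submitted from a mailbox (Outlook/OWA/EWS); Sender is the
    #                         mailbox, i.e. an authenticated account, not an anonymous host.
    Get-TransportServer |
        Get-MessageTrackingLog -MessageId $origId -ResultSize Unlimited |
        Sort-Object Timestamp |
        Select-Object Timestamp, EventId, Source, ConnectorId, ClientIp, ClientHostname,
                      Sender, Recipients, MessageSubject |
        Format-Table -AutoSize -Wrap
}
```

One check worth doing on the result. In the output the poster shows, the Reference is `<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>` and the DSN is addressed to joevitale@securefloor.gen.in: the NDR is going back to the purported sender of a message whose Message-ID sits in that same external domain. If the RECEIVE event for that message turns out to be on the internet-facing connector, from an outside IP, addressed to a mycompany.com recipient that does not exist, then there is no rogue internal host to find: the server is generating backscatter (NDRs to forged senders), and the fix is to reject unknown recipients at SMTP time, which is the point gheist makes above about not accepting mail to nonexistent mailboxes.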
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40642685
Closing ticket without a solution. We ended up locking down the Exchange servers to only authorized accounts. It was the best thing to do for security reasons anyway. We just didn't want to have to do it in a rush.
0
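What the lock-down the poster settled on looks like in the Exchange Management Shell, as an added example that is not the poster's own script: first audit what each Receive connector accepts and from whom, then remove anonymous submission from the internal connector, scope the internet-facing one, give any devices that genuinely need unauthenticated relay their own narrowly scoped connector, and stop accepting mail for recipients that do not exist. The connector names ("Default JSEXCH01", "Internet Inbound", "Relay-Devices") and every IP range are assumptions; read yours from the first command.

```powershell
# Added example, not from the original thread. Audit the Receive connectors, then restrict
# them so only authenticated users and Exchange servers can submit through the internal one.
# Connector names and IP ranges are assumptions; read yours from step 1.

# 1. What does each connector accept, and from whom? AnonymousUsers on a connector whose
#    RemoteIPRanges is 0.0.0.0-255.255.255.255 means any host on the network can submit.
Get-ReceiveConnector |
    Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# 2. Open relay is not in PermissionGroups; it is the ms-Exch-SMTP-Accept-Any-Recipient
#    extended right on the connector object. Anything listed here relays to external
#    recipients for that user (NT AUTHORITY\ANONYMOUS LOGON means anybody who can connect).
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" -and -not $_.Deny } |
    Select-Object Identity, User, ExtendedRights

# 3. Lock down the default (internal) connector: authenticated users and Exchange servers only.
Set-ReceiveConnector -Identity "JSEXCH01\Default JSEXCH01" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# 4. The connector that receives mail from the internet, or from your filtering service, still
#    needs AnonymousUsers, but scope it to that service's addresses instead of the whole world.
#    203.0.113.0/24 is a placeholder; use the provider's published inbound ranges.
Set-ReceiveConnector -Identity "JSEXCH01\Internet Inbound" -RemoteIPRanges 203.0.113.0/24

# 5. Devices that must relay unauthenticated (copiers, monitoring) get their own connector,
#    restricted to their IPs, rather than the default one being opened for everyone.
New-ReceiveConnector -Name "Relay-Devices" -Server JSEXCH01 -Usage Custom `
    -Bindings 0.0.0.0:25 -RemoteIPRanges 10.119.126.50, 10.119.126.51 `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector "JSEXCH01\Relay-Devices" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 6. Stop generating NDRs for recipients that do not exist (gheist's point above). Needs the
#    anti-spam agents on the Hub Transport server (or an Edge server) and the accepted domain
#    to be Authoritative; the install script is run once, then the transport service restarted.
& "$env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1"
Restart-Service MSExchangeTransport
Set-RecipientFilterConfig -RecipientValidationEnabled $true
```

The thread shows outbound mail leaving through outbounds9.obsmtp.com, i.e. a hosted filtering service; if inbound arrives through the same service, its published inbound ranges are what belong in step 4, and anything else connecting anonymously on port 25 is either a device that should be in step 5 or the host you were looking for. Re-run step 1 and step 2 after the change and keep the output as the baseline for the next time the queue fills.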
 
LVL 62

Expert Comment

by:gheist
ID: 40644012
It should have been like that since the beginning, btw...
0
 

Author Closing Comment

by:Cardlytics
ID: 40652306
No solution found to the actual issue.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40652400
If you run any of Microsoft's Exchange configuration analyzers, it will tell you yours was misconfigured.
0
