Finding Rogue SPAM sender on Exchange 2010

There is a system sending spam through our Exchange 2010 server. We know the recipient addresses and the subjects of the bad emails, but the sender is being masked and the IP shows as 255.255.255.255 in the queue. I've enabled verbose logging on the connectors but I can't figure out how to identify how the SPAM messages are entering our mail server.

How should I attack this?
Cardlytics asked:

Cardlytics (Author) commented, accepted solution:
Closing ticket without a solution. We ended up locking down the exchange servers to only authorized accounts. It was the best thing to do for security reasons anyway. We just didn't want to have to do it in a rush.
0
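The "lock the servers down to authorized accounts" fix the author describes is, on Exchange 2010, a receive connector change. The following is an added example, not code from the thread: it audits which connectors accept anonymous SMTP and from where, checks for the anonymous relay permission, and then restricts anonymous submission to a filtering gateway and an explicit list of internal relay hosts. The server name, the gateway range 203.0.113.0/24, the relay host 10.119.126.50 and the new connector names are assumptions; substitute your own.

```powershell
# Added example (not from the thread): audit the receive connectors on a Hub
# Transport server and restrict anonymous submission to known hosts.
# Run in the Exchange Management Shell. $server, the gateway range
# 203.0.113.0/24, the relay host 10.119.126.50 and the connector names are
# assumptions; substitute your own values.

$server = "JSEXCH01"

# 1. Audit: what does each connector accept, and from which remote addresses?
Get-ReceiveConnector -Server $server |
    Format-List Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Relay check. If Anonymous Logon holds ms-Exch-SMTP-Accept-Any-Recipient on a
#    connector, every host in that connector's RemoteIPRanges can relay to external
#    domains. On the Default connector the range is normally
#    0.0.0.0-255.255.255.255, i.e. any internal machine (or bot) qualifies.
Get-ReceiveConnector -Server $server | Get-ADPermission |
    Where-Object { $_.User -like "*Anonymous*" -and
                   $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 3. Tighten. Default connector: authenticated senders and Exchange servers only,
#    no AnonymousUsers permission group.
Set-ReceiveConnector -Identity "$server\Default $server" `
    -PermissionGroups ExchangeUsers, ExchangeServers, ExchangeLegacyServers

# Inbound Internet mail arrives from the filtering gateway (obsmtp.com/Postini in
# the thread), so that range gets its own anonymous connector and nothing else.
New-ReceiveConnector -Name "Inbound from gateway" -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "203.0.113.0/24" `
    -PermissionGroups AnonymousUsers

# Internal devices that must submit unauthenticated (scanners, application
# servers) get an explicit address list. Exchange selects the connector with the
# most specific RemoteIPRanges match, so this wins over the Default connector for
# the listed host and nothing else.
New-ReceiveConnector -Name "Internal relay" -Server $server -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "10.119.126.50" `
    -PermissionGroups AnonymousUsers

# AnonymousUsers alone only allows mail to local recipients. Grant external relay
# on the internal connector only if a listed device genuinely needs it:
# Get-ReceiveConnector "$server\Internal relay" | Add-ADPermission `
#     -User "NT AUTHORITY\ANONYMOUS LOGON" `
#     -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Verify the result.
Get-ReceiveConnector -Server $server |
    Format-Table Name, RemoteIPRanges, PermissionGroups -AutoSize
```

After this change an internal bot can no longer hand mail to the Default connector anonymously; it has to authenticate, which both blocks it and, if it has stolen credentials, names the account to look at in the message tracking log. Keep the Client connector (port 587) as it is, since it already requires authentication.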
 
Paul MacDonald (Director, Information Systems) commented:
255.255.255.255 is a broadcast address.

If you run an ARP -a command from a command prompt, you may get a MAC address you can use to track down the system.
0
 
Cardlytics (Author) commented:
We've got over 230 clients. So the results of the arp -a wouldn't tell us much I don't think. It'll be huge, but I'll try that and take a peek.
0
 
Cardlytics (Author) commented:
Here is an example of a DSN we are getting :

Identity: JSEXCH01\253518\7371664
Subject: Undeliverable: Cancun-- On Sale
Internet Message ID: <86bf8185-5fc6-4ade-861c-435d1a8c1b41@mycompany.com>
From Address: <>
Status: Retry
Size (KB): 14
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/24/2015 3:07:33 PM
Expiration Time: 2/26/2015 3:07:33 PM
Last Error: 451 Cannot connect to domain:retioe.eu - psmtp
Queue ID: JSEXCH01\253518
Recipients:  SpringBreakTravel@retioe.eu
0
 
gheist commented:
It is a Delivery Status Notification aka DSN
Generated by your bad malice spammer called Exchange Server.
0
 
Cardlytics (Author) commented:
Thanks for the quick answer.
@gheist... I understand that is what the error indicates. But it doesn't tell me who the spammer is. This is the core of what we are trying to do.
0
 
gheist commented:
YOUR SYSTEM GENERATES THE MESSAGE
YOU ARE THE SPAMMER
0
 
Cardlytics (Author) commented:
@gheist
I understand that we are the spammer. I am trying to find the PC or server in our environment that is sending the bad messages. I'm sorry I wasn't more clear on that. I just need to locate the server on our network that is forwarding mail through our server. I need guidance from you on how to find the source inside of my network.
0
 
gheist commented:
Track message.
First line shows message ID from a message that generated NDR
Track that.

You should not accept mails to nonexistent mailboxes anyway.
0
 
Cardlytics (Author) commented:
@gheist

To track a message I believe you have to have the sender's mailbox. The NDR shows the message ID and the recipient, but since the sender is blank I'm not sure how to use the tracking tool. Can you clarify the steps I need to take on that?
0
 
gheist commented:
First log message tells for which message NDR was generated.
0
 
Cardlytics (Author) commented:
I'm googling how to do message tracking with only the ID. The GUI requires you to have a sender's mailbox. Looking into PowerShell commands for the message tracking.
0
 
gheist commented:
It does not require any field.
Especially users on gmail do not have exchange mailboxes...
0
 
Paul MacDonald (Director, Information Systems) commented:
[gheist] you should probably just stop - it's obvious you're just going off half-cocked.  Have you read anything the OP has posted?
0
 
Cardlytics (Author) commented:
I'm able to use Powershell to track a message by messageID.
It still reports a blank sender info so I can't figure out who is sending the spam.

See results below :

[PS] C:\Windows\system32>Get-MessageTrackingLog -MessageId "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>" | FL *


PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:17:47 PM
ClientIp                :
ClientHostname          :
ServerIp                :
ServerHostname          : JSEXCH01
SourceContext           : Failure
ConnectorId             :
Source                  : DSN
EventId                 : DSN
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {}
TotalBytes              : 37139
RecipientCount          : 1
RelatedRecipientAddress :
Reference               : {<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>}
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:24:22 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:25:22 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:29:01 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:30:01 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :



[PS] C:\Windows\system32>
0
 
Paul MacDonald (Director, Information Systems) commented:
Is it possible "jsexch01.mycompany.local" itself has been compromised?
0
 
Cardlytics (Author) commented:
I guess it is conceivable. We suspect it is a laptop because we see spikes early in the morning that go away at lunch time and sometimes come back later in the day. It is hard to say because it is peaky. It comes and goes in spurts, but that is how BOTS work. We ran virus scans that found nothing. Past that I am not sure what to check.
I don't see any extra services or processes running that jump out at me as being fishy. ????
0
 
gheist commented:
"Reference" in the first message contains the original MessageID to trace.
0
 
gheist commented:
It should have been like that since the beginning, by the way...
0
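The procedure gheist is pointing at (DSN entry, then its Reference field, then the RECEIVE event of that original message) can be scripted end to end. The following is an added example, not code from the thread or from Microsoft: it runs in the Exchange Management Shell on the Hub Transport server, collects the DSN events, pivots on their Reference values, and groups the originating RECEIVE events by source, connector, client IP and sender so the noisy submitter stands out. The server name, the 24-hour window and the subject string are assumptions taken from the thread; adjust them.

```powershell
# Added example (not from the thread): pivot from DSN tracking entries back to
# the host or account that submitted the bounced messages. Run in the Exchange
# Management Shell on the Hub Transport server. $server, the 24-hour window and
# the subject string are assumptions; change them to match your environment.

$server = "JSEXCH01"
$end    = Get-Date
$start  = $end.AddHours(-24)

# 1. DSN events are generated by the server itself, so their ClientIp is empty
#    (the queue viewer shows it as 255.255.255.255). Their Reference field,
#    however, holds the MessageId of the message that bounced.
$dsnEvents = Get-MessageTrackingLog -Server $server -Start $start -End $end `
    -EventId DSN -ResultSize Unlimited

# Reference is multivalued; emitting it from ForEach-Object unrolls it.
$originalIds = $dsnEvents |
    ForEach-Object { $_.Reference } |
    Where-Object { $_ } |
    Sort-Object -Unique

# 2. Trace each original message to its RECEIVE event. Source says how it
#    entered transport:
#      SMTP        -> submitted over a receive connector; ClientIp/ClientHostname
#                     is the submitting machine, ConnectorId the connector used
#      STOREDRIVER -> submitted from a mailbox; Sender is the account to examine
$origins = foreach ($id in $originalIds) {
    Get-MessageTrackingLog -Server $server -Start $start -End $end `
        -MessageId $id -EventId RECEIVE -ResultSize Unlimited |
        Select-Object Timestamp, MessageId, Source, ConnectorId, ClientIp,
            ClientHostname, Sender, MessageSubject
}

# 3. Summarise so the noisy submitter stands out, then list the detail.
$origins |
    Group-Object Source, ConnectorId, ClientIp, Sender |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$origins | Sort-Object Timestamp -Descending | Format-Table -AutoSize

# Alternative pivot when the DSNs are sparse but the spam subject is known.
# -MessageSubject is a substring match, so a subject from the thread works as-is.
Get-MessageTrackingLog -Server $server -Start $start -End $end -EventId RECEIVE `
    -MessageSubject "Cancun-- On Sale" -ResultSize Unlimited |
    Group-Object Source, ConnectorId, ClientIp, Sender |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Two caveats. A ClientIp that belongs to another internal relay (a print server, an application host, a second Exchange server) only tells you the next hop, so repeat the pivot on that device's own logs. And a RECEIVE event with Source SMTP on the Default connector means the sender did not have to authenticate at all, which is the condition the accepted answer closed off; if the session did authenticate, the verbose receive protocol log the author enabled shows the same ClientIp and timestamp and whether AUTH was used, which is how to tie it back to a compromised account rather than a compromised machine.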
 
Cardlytics (Author) commented:
No solution found to the actual issue.
0
 
gheist commented:
If you run any of Microsoft's Exchange configuration analyzers, it will tell you yours was misconfigured.
0