Solved

Finding Rogue SPAM sender on Exchange 2010

Posted on 2015-02-24
22
183 Views
Last Modified: 2015-03-08
There is a system sending spam through our Exchange 2010 server. We know the recipient addresses and the subjects of the bad emails, but the sender is being masked and the IP shows as 255.255.255.255 in the queue. I've enabled verbose logging on the connectors, but I can't figure out how to identify how the SPAM messages are entering our mail server.

How should I attack this?
0
Question by:Cardlytics
22 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40629030
255.255.255.255 is a broadcast address.

If you run an ARP -a command from a command prompt, you may get a MAC address you can use to track down the system.
0
 

Author Comment

by:Cardlytics
ID: 40629040
We've got over 230 clients. So the results of the arp -a wouldn't tell us much I don't think. It'll be huge, but I'll try that and take a peek.
0
 

Author Comment

by:Cardlytics
ID: 40629081
Here is an example of a DSN we are getting :

Identity: JSEXCH01\253518\7371664
Subject: Undeliverable: Cancun-- On Sale
Internet Message ID: <86bf8185-5fc6-4ade-861c-435d1a8c1b41@mycompany.com>
From Address: <>
Status: Retry
Size (KB): 14
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/24/2015 3:07:33 PM
Expiration Time: 2/26/2015 3:07:33 PM
Last Error: 451 Cannot connect to domain:retioe.eu - psmtp
Queue ID: JSEXCH01\253518
Recipients:  SpringBreakTravel@retioe.eu
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629195
It is a Delivery Status Notification aka DSN
Generated by your bad malice spammer called Exchange Server.
0
 

Author Comment

by:Cardlytics
ID: 40629358
Thanks for the quick answer.
@gheist... I understand that is what the error indicates. But it doesn't tell me who the spammer is. This is the core of what we are trying to do.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629378
YOUR SYSTEM GENERATES THE MESSAGE
YOU ARE THE SPAMMER
0
 

Author Comment

by:Cardlytics
ID: 40629392
@gheist
I understand that we are the spammer. I am trying to find the PC or server in our environment that is sending the bad messages. I'm sorry I wasn't more clear on that. I just need to locate the server on our network that is forwarding mail through our server. I need guidance from you on how to find the source inside of my network.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631144
Track message.
The first line shows the message ID of the message that generated the NDR.
Track that.

You should not accept mails to nonexistent mailboxes anyway.
0
 

Author Comment

by:Cardlytics
ID: 40631259
@gheist

To track a message I believe you have to have the sender's mailbox. The NDR shows the message ID and the recipient, but since the sender is blank I'm not sure how to use the tracking tool. Can you clarify the steps I need to take on that?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631287
First log message tells for which message NDR was generated.
0
 

Author Comment

by:Cardlytics
ID: 40631313
I'm googling how to do message tracking with only the ID. The GUI requires you to have a sender's mailbox. Looking into PowerShell commands for the message tracking.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631332
It does not require any field.
Especially users on gmail do not have exchange mailboxes...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631337
[gheist] you should probably just stop - it's obvious you're just going off half-cocked.  Have you read anything the OP has posted?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631349
0
 

Author Comment

by:Cardlytics
ID: 40631447
I'm able to use Powershell to track a message by messageID.
It still reports a blank sender info so I can't figure out who is sending the spam.

See results below :

[PS] C:\Windows\system32>Get-MessageTrackingLog -MessageId "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>" | FL *


PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:17:47 PM
ClientIp                :
ClientHostname          :
ServerIp                :
ServerHostname          : JSEXCH01
SourceContext           : Failure
ConnectorId             :
Source                  : DSN
EventId                 : DSN
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {}
TotalBytes              : 37139
RecipientCount          : 1
RelatedRecipientAddress :
Reference               : {<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>}
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:24:22 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:25:22 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:29:01 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:30:01 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :



[PS] C:\Windows\system32>
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631561
Is it possible "jsexch01.mycompany.local" itself has been compromised?
0
 

Author Comment

by:Cardlytics
ID: 40631634
I guess it is conceivable. We suspect it is a laptop because we see spikes early in the morning that go away at lunch time and sometimes come back later in the day. It is hard to say because it is peaky. It comes and goes in spurts, but that is how BOTS work. We ran virus scans that found nothing. Past that I am not sure what to check.
I don't see any extra services or processes running that jump out at me as being fishy. ????
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631653
"Reference" in the first message contains the original MessageID to trace.
0
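The DSN-to-submitter trace that the comments above describe, written out as an added example (this is not code from the thread or from Microsoft; the message ID is the one posted above, the server name and the 7-day window are assumptions, and the subject patterns are taken from the two DSNs in the thread). The DSN event's Reference field holds the original message's ID; the RECEIVE event for that ID is the only tracking record that names the host that handed the message to Exchange (ClientIp / ClientHostname / ConnectorId), which is what a DSN or a queue entry with 255.255.255.255 never shows. Run it in the Exchange 2010 Management Shell on the Hub Transport server:

```powershell
# Added example, not from the thread. Trace an Exchange 2010 DSN back to the
# submission that triggered it, using only Get-MessageTrackingLog.
# Assumptions: run in the Exchange Management Shell on the Hub Transport server
# (JSEXCH01 in the thread); tracking logs still cover the period of interest.

param(
    # DSN message ID posted in the thread above.
    [string]$DsnMessageId = "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>",
    [string]$Server       = "JSEXCH01",               # assumption
    [datetime]$Start      = (Get-Date).AddDays(-7),   # assumption: 7-day window
    [string[]]$Subjects   = @("*Law Of Attraction*", "*Cancun*")  # from the two DSNs
)

# 1. The DSN event records, in Reference, the MessageId of the message it was
#    generated for. That is the ID to trace, not the DSN's own ID.
$dsn = Get-MessageTrackingLog -Server $Server -Start $Start `
           -MessageId $DsnMessageId -EventId DSN | Select-Object -First 1
if (-not $dsn -or -not $dsn.Reference) {
    throw "No DSN event with a Reference found for $DsnMessageId"
}
$originalId = [string]$dsn.Reference[0]
Write-Host "DSN was generated for original message $originalId"

# 2. The RECEIVE event of the original message is the record that names the
#    submitter: ClientIp/ClientHostname = host that connected, ConnectorId =
#    receive connector that accepted it, Source = SMTP (relayed in over SMTP)
#    versus STOREDRIVER (submitted from a mailbox via Outlook/OWA).
Get-MessageTrackingLog -Server $Server -Start $Start `
        -MessageId $originalId -EventId RECEIVE |
    Select-Object Timestamp, ClientIp, ClientHostname, ConnectorId, Source,
                  Sender, MessageSubject |
    Format-List

# 3. Widen to the whole campaign: every RECEIVE whose subject matches, grouped
#    by submitting IP and connector. One internal address dominating this
#    table is the host to pull off the network.
$matches = Get-MessageTrackingLog -Server $Server -Start $Start `
               -EventId RECEIVE -ResultSize Unlimited |
    Where-Object {
        $subject = $_.MessageSubject
        ($Subjects | Where-Object { $subject -like $_ }).Count -gt 0
    }

$matches |
    Group-Object ClientIp, ConnectorId |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Two things to read off the step 2 output. If ClientIp is an internal address and ConnectorId is a relay connector, that address is the rogue sender (the thread's "laptop" theory), and the step 3 table confirms it across the campaign. If ClientIp is an external address on the internet-facing connector, the DSNs are backscatter: the server accepted mail for a non-existent local recipient with a forged sender and is now bouncing it to the forged address, which is the case gheist's "you should not accept mails to nonexistent mailboxes" remark describes; the fix there is recipient validation, not a hunt for an internal host.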
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40642685
Closing ticket without a solution. We ended up locking down the exchange servers to only authorized accounts. It was the best thing to do for security reasons anyway. We just didn't want to have to do it in a rush.
0
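The lockdown described in the accepted solution ("only authorized accounts"), as an added example rather than anything the poster ran: an audit of which Exchange 2010 receive connectors accept anonymous relay, followed by restricting relay to named hosts and requiring authentication everywhere else. The connector names and the two relay-host addresses are assumptions; substitute your own from the audit output. The last step also turns on recipient validation, which closes the backscatter case that the same thread raises.

```powershell
# Added example, not from the thread. Audit and lock down Exchange 2010 receive
# connectors so that only authenticated users or explicitly listed hosts can
# relay through the server. Run in the Exchange Management Shell.
# Assumptions: connector names below are placeholders; the anti-spam agents
# must be installed on the Hub Transport for step 4 to have any effect.

# 1. Inventory: who can talk to each connector, from where, and how.
Get-ReceiveConnector |
    Select-Object Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# 2. Open-relay check. A connector is a relay for every address in its
#    RemoteIPRanges when ANONYMOUS LOGON holds ms-Exch-SMTP-Accept-Any-Recipient
#    on it without a Deny. A range like 10.0.0.0/8 here means the whole LAN
#    (any infected laptop included) can send to external domains unauthenticated.
Get-ReceiveConnector | ForEach-Object {
    $relay = Get-ADPermission -Identity $_.Identity `
                 -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
             Where-Object {
                 ($_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient") -and -not $_.Deny
             }
    [pscustomobject]@{
        Connector      = $_.Identity
        AnonymousRelay = [bool]$relay
        RemoteIPRanges = ($_.RemoteIPRanges -join ", ")
    }
} | Format-Table -AutoSize

# 3. Restrict. Keep an anonymous relay connector only for the few hosts that
#    genuinely cannot authenticate (scanners, monitoring), listed individually.
$relayConnector = "JSEXCH01\Internal Relay"          # assumption
$relayHosts     = @("10.119.126.50", "10.119.126.51") # assumption: app servers
Set-ReceiveConnector -Identity $relayConnector `
    -RemoteIPRanges $relayHosts `
    -PermissionGroups "AnonymousUsers"

#    Everything else must authenticate on the default connector: drop
#    AnonymousUsers from PermissionGroups, require TLS for Basic auth.
#    An unauthenticated client then gets 550 5.7.1 Unable to relay for any
#    external recipient instead of a queued message.
$defaultConnector = "JSEXCH01\Default JSEXCH01"      # assumption
Set-ReceiveConnector -Identity $defaultConnector `
    -PermissionGroups "ExchangeUsers", "ExchangeServers", "ExchangeLegacyServers" `
    -AuthMechanism "Tls", "Integrated", "BasicAuth", "BasicAuthRequireTLS", "ExchangeServer"

# 4. Stop generating NDRs for mail to addresses that do not exist, so a forged
#    sender never receives backscatter from this server. Requires the anti-spam
#    agents (Install-AntispamAgents.ps1) on the Hub Transport.
Set-RecipientFilterConfig -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Select-Object RecipientValidationEnabled
```

After the change, re-run the tracking query for the campaign subjects: RECEIVE events from the rogue host should stop, and any still-authenticating sender will now show up with a Sender value tied to a real account, which is the credential to reset.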
 
LVL 62

Expert Comment

by:gheist
ID: 40644012
It should have been like that since beginning btw...
0
 

Author Closing Comment

by:Cardlytics
ID: 40652306
No solution found to the actual issue.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40652400
If you run any of Microsoft's Exchange configuration analyzers it will tell you yours was misconfigured.
0
