Solved

Finding Rogue SPAM sender on Exchange 2010

Posted on 2015-02-24
166 Views
Last Modified: 2015-03-08
There is a system sending spam through our Exchange 2010 server. We know the recipient addresses and the subjects of the bad emails, but the sender is being masked and the IP shows as 255.255.255.255 in the queue. I've enabled verbose logging on the connectors, but I can't figure out how to identify how the SPAM messages are entering our mail server.

How should I attack this?
22 Comments
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40629030
255.255.255.255 is a broadcast address.

If you run an ARP -a command from a command prompt, you may get a MAC address you can use to track down the system.
0
 

Author Comment

by:Cardlytics
ID: 40629040
We've got over 230 clients. So the results of the arp -a wouldn't tell us much I don't think. It'll be huge, but I'll try that and take a peek.
0
 

Author Comment

by:Cardlytics
ID: 40629081
Here is an example of a DSN we are getting:

Identity: JSEXCH01\253518\7371664
Subject: Undeliverable: Cancun-- On Sale
Internet Message ID: <86bf8185-5fc6-4ade-861c-435d1a8c1b41@mycompany.com>
From Address: <>
Status: Retry
Size (KB): 14
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2/24/2015 3:07:33 PM
Expiration Time: 2/26/2015 3:07:33 PM
Last Error: 451 Cannot connect to domain:retioe.eu - psmtp
Queue ID: JSEXCH01\253518
Recipients:  SpringBreakTravel@retioe.eu
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629195
It is a Delivery Status Notification aka DSN
Generated by your bad malice spammer called Exchange Server.
0
 

Author Comment

by:Cardlytics
ID: 40629358
Thanks for the quick answer.
@gheist... I understand that is what the error indicates. But it doesn't tell me who the spammer is. This is the core of what we are trying to do.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40629378
YOUR SYSTEM GENERATES THE MESSAGE
YOU ARE THE SPAMMER
0
 

Author Comment

by:Cardlytics
ID: 40629392
@gheist
I understand that we are the spammer. I am trying to find the PC or server in our environment that is sending the bad messages. I'm sorry I wasn't more clear on that. I just need to locate the server on our network that is forwarding mail through our server. I need guidance from you on how to find the source inside of my network.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631144
Track message.
First line shows message ID from a message that generated NDR
Track that.

You should not accept mails to nonexistent mailboxes anyway.
0
 

Author Comment

by:Cardlytics
ID: 40631259
@gheist

To track a message I believe you have to have the sender's mailbox. The NDR shows the message ID and the recipient, but since the sender is blank I'm not sure how to use the tracking tool. Can you clarify the steps I need to take on that?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631287
First log message tells for which message NDR was generated.
0
 

Author Comment

by:Cardlytics
ID: 40631313
I'm googling how to do message tracking with only the ID. The GUI requires you to have a sender's mailbox. Looking into PowerShell commands for the message tracking.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631332
It does not require any field.
Especially users on gmail do not have exchange mailboxes...
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631337
[gheist] you should probably just stop - it's obvious you're just going off half-cocked.  Have you read anything the OP has posted?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631349
0
 

Author Comment

by:Cardlytics
ID: 40631447
I'm able to use PowerShell to track a message by MessageID.
It still reports blank sender info, so I can't figure out who is sending the spam.

See results below:

[PS] C:\Windows\system32>Get-MessageTrackingLog -messageid "<772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>" | FL *


PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:17:47 PM
ClientIp                :
ClientHostname          :
ServerIp                :
ServerHostname          : JSEXCH01
SourceContext           : Failure
ConnectorId             :
Source                  : DSN
EventId                 : DSN
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {}
TotalBytes              : 37139
RecipientCount          : 1
RelatedRecipientAddress :
Reference               : {<750828c42b29bc76fc919623f2b4d68b@m.securefloor.gen.in>}
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             :
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:24:22 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:25:22 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :

PSComputerName          : jsexch01.mycompany.local
RunspaceId              : a0067080-fdcd-4f07-be64-e2cdbcd4e9dc
Timestamp               : 2/25/2015 2:29:01 PM
ClientIp                : 10.119.126.21
ClientHostname          : JSEXCH01
ServerIp                : 74.125.148.12
ServerHostname          : outbounds9.obsmtp.com
SourceContext           :
ConnectorId             : smtpOutbound
Source                  : SMTP
EventId                 : DEFER
InternalMessageId       : 7388835
MessageId               : <772c7872-b635-424c-8c54-4b68ef2fccd8@mycompany.com>
Recipients              : {joevitale@securefloor.gen.in}
RecipientStatus         : {451 Cannot connect to domain:securefloor.gen.in - psmtp}
TotalBytes              : 37477
RecipientCount          : 1
RelatedRecipientAddress :
Reference               :
MessageSubject          : Undeliverable: The Law Of Attraction Is Broken Without This..
Sender                  : postmaster@mycompany.com
ReturnPath              : <>
MessageInfo             : 2/25/2015 2:30:01 PM
MessageLatency          :
MessageLatencyType      : None
EventData               :



[PS] C:\Windows\system32>
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 40631561
Is it possible "jsexch01.mycompany.local" itself has been compromised?
0
 

Author Comment

by:Cardlytics
ID: 40631634
I guess it is conceivable. We suspect it is a laptop because we see spikes early in the morning that go away at lunch time and sometimes come back later in the day. It is hard to say because it is peaky. It comes and goes in spurts, but that is how BOTS work. We ran virus scans that found nothing. Past that I am not sure what to check.
I don't see any extra services or processes running that jump out at me as being fishy. ????
0
 
LVL 62

Expert Comment

by:gheist
ID: 40631653
"Reference" in the first message contains the original MessageID to trace.
0
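
The approach gheist describes, following each DSN's Reference field back to the original message's RECEIVE event to see which host submitted it, written out for the Exchange 2010 Management Shell. This is an added example, not code from the thread; the function name, parameters and look-back windows are my own assumptions.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell
# on the hub transport server (or pass -Server). For every DSN event in the
# tracking log it takes the DSN's Reference (the MessageId of the message that
# bounced), finds that message's RECEIVE event, and reports where the message
# entered the server: ClientIp/ClientHostname (the submitting host), ConnectorId
# and Source (SMTP = accepted on a receive connector, STOREDRIVER = submitted
# from a mailbox). Function and parameter names are assumptions of this example.
function Find-DsnOriginators {
    param(
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End = (Get-Date),
        [string]$Server = $env:COMPUTERNAME
    )
    # Every DSN this server generated in the window
    $dsns = Get-MessageTrackingLog -Server $Server -EventId DSN `
        -Start $Start -End $End -ResultSize Unlimited
    foreach ($dsn in $dsns) {
        foreach ($origId in @($dsn.Reference)) {
            if ([string]::IsNullOrEmpty($origId)) { continue }
            # The original message may have been accepted well before the DSN
            # was generated, so search further back than the DSN window itself.
            $recv = Get-MessageTrackingLog -Server $Server -MessageId $origId `
                -EventId RECEIVE -Start $Start.AddDays(-2) -End $End -ResultSize 10 |
                Select-Object -First 1
            if ($recv -eq $null) { continue }
            New-Object PSObject -Property @{
                DsnTime    = $dsn.Timestamp
                OriginalId = $origId
                ReceivedAt = $recv.Timestamp
                ClientIp   = $recv.ClientIp
                ClientHost = $recv.ClientHostname
                Connector  = $recv.ConnectorId
                Source     = $recv.Source
                Sender     = $recv.Sender
                Subject    = $recv.MessageSubject
            }
        }
    }
}

# Which submitting host / connector / source produced the most bouncing mail?
# A single internal IP at the top of this list is the machine to go and look at.
Find-DsnOriginators -Start (Get-Date).AddHours(-24) |
    Group-Object ClientIp, Connector, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the RECEIVE events show Source STOREDRIVER rather than SMTP, the mail is being submitted from a mailbox (the Sender column then names the account) rather than by a host speaking SMTP to a receive connector. Since the bad subjects are already known, grouping RECEIVE events for those subjects by ClientIp, without going through the DSNs at all, gives the same answer more directly.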
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40642685
Closing ticket without a solution. We ended up locking down the exchange servers to only authorized accounts. It was the best thing to do for security reasons anyway. We just didn't want to have to do it in a rush.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40644012
It should have been like that since beginning btw...
0
 

Author Closing Comment

by:Cardlytics
ID: 40652306
No solution found to the actual issue.
0
 
LVL 62

Expert Comment

by:gheist
ID: 40652400
If you run any of Microsoft's Exchange configuration analyzers, it will tell you yours was misconfigured.
0
