SPAM in Exchange 2010 outbound queue


I am running an Exchange server 2010, and have a recent problem with SPAM showing up in the outbound queue. I can't seem to locate the source of the SPAM. They are stuck in my outbound queue (smarthost). I have added ACLs to the firewall to only allow IP addresses from my smarthost to connect to the mail server. I have disconnected everything on the network except the mail server, router, and cable modem. I still see mail pop up in my queue. I created a transport rule to send me a copy of all messages that have a SPAM rating of -1 or higher, but the rule seems to have no effect, which makes me believe somehow mail is being injected directly into the queue. I have run scanners (multiple) on all connected devices, including the server. The only thing detected has been tracking cookies. I configured the send / receive connectors to only accept mail from the internal subnet range and smarthost IPs, respectively, and still receive SPAM. All user passwords have been changed.

Verified relay is off. When telnetting into the server I get '421 4.3.2 Service not available'. Doubt it matters, but I have a dyndns with an e-mail gateway from duocircle on alt port 2525.

Any help?
Will Szymkowski, Senior Solution Architect, commented:
Have you checked the blacklists out there to ensure that your IP is not blacklisted? You can use for one of them.

Zorniac (Author) commented:
Oh yeah, I am currently on at least three blacklists. I have been for a while, due to the nature of dyndns and not being able to set up a reverse PTR record. I use an e-mail gateway to set up the mail flow because Comcast blocked port 25; that is the reason for the alt SMTP 2525 port. Right now, the mail isn't accepted by my e-mail gateway due to the high SPAM rate being pushed out through my Exchange 2010 box.

I know I have something generating this SPAM on my network. I ran the typical A/V scanners and malware scanners, rootkit buster, etc., that I would use on a standard computer, but I don't find any trace of virus or malware.

Will Szymkowski, Senior Solution Architect, commented:
It seems that you have a few issues with your Exchange environment. If you do not have Exchange properly secured then it is possible that Spam will get through. Also you are not configuring External DNS correctly for Exchange, as you need to use a Static IP for your Reverse (PTR) Record for Exchange to work properly.

Zorniac (Author) commented:
Yes, you are correct, I should have a PTR record, but Comcast is stupid about static IP addresses and residential accounts. Having said that, I have been running this way for several years, and these issues are "circumvented" by services like dyndns and email gateway (smarthost) services. While my configuration isn't ideal for SPF checking by receiving servers (which can also be mitigated by adding the smarthost to the SPF record), it does work.

The question posed is regarding tools to find what is causing SPAM generation on the server. As I said, none of my traditional malware tools find anything. I have a Cisco ASA in front of my network with strict ACLs and limited allowed IPs.
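An added example, not from anyone in this thread: Exchange 2010 records every submission into transport in the message tracking log, and each queued message carries the name of the connector (or the store driver) that accepted it, so the Exchange Management Shell can tell you whether the queued spam came in over SMTP from an unexpected IP, from an authenticated client connector, or from a mailbox. The smarthost IP is a placeholder you would replace with your own.

```powershell
# Added example (not from this thread). Run in the Exchange Management Shell on the Hub Transport server.
# 203.0.113.10 is a constructed placeholder for the smarthost address(es) that are allowed to connect.
$SmartHostIps = @('203.0.113.10')
$since = (Get-Date).AddDays(-1)

# 1. What is queued, grouped by how it entered transport.
#    MessageSourceName is 'SMTP:<receive connector name>' for connector submissions,
#    'FromLocal' for store-driver (mailbox) submissions and 'Pickup' for the Pickup directory.
Get-Queue | Where-Object { $_.MessageCount -gt 0 } | ForEach-Object {
    Get-Message -Queue $_.Identity -ResultSize Unlimited
} | Group-Object MessageSourceName, SourceIP |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Recent RECEIVE events from the tracking log, grouped by submission path and sender.
#    Source 'SMTP' plus a ClientIp outside the allowed list means a receive connector accepted it;
#    Source 'STOREDRIVER' means a mailbox (Outlook/OWA/EWS, i.e. a user credential) submitted it.
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Group-Object Source, ConnectorId, ClientIp, Sender |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize

# 3. List every SMTP submission that did not come from the smarthost: these are the candidate
#    injection paths (a LAN host talking to a connector, or a connector still allowing anonymous submit).
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and ($SmartHostIps -notcontains $_.ClientIp) } |
    Select-Object Timestamp, ClientIp, ConnectorId, Sender, MessageSubject |
    Format-Table -AutoSize

# 4. While investigating, hold outbound delivery to the smarthost so the spam stops leaving
#    (undo with Resume-Queue using the same filter once the source is fixed).
Suspend-Queue -Filter { DeliveryType -eq 'SmartHostConnectorDelivery' }
```

If step 3 is empty but step 2 shows STOREDRIVER or an authenticated client connector as the source, the spam is being submitted with a valid mailbox credential rather than relayed, which is a compromised account or client on the inside rather than an open relay.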

Zorniac (Author) commented:
I never figured out how the SPAMMER was able to get mail relayed through. I suspect some sort of header manipulation that convinced Exchange the message originated from "inside" allowed the message to be categorized and placed in the outbound queue.

I built a new server, and set rules on the perimeter firewall (ASA 5505), Windows Firewall, and the 'Anonymous' Receive connector to only allow specific IPs (the IPs of my smarthost). So far no problems.