
SPAM in Exchange 2010 outbound queue

DeZo1 asked:
Hello,

I am running an Exchange Server 2010, and have a recent problem with SPAM showing up in the outbound queue.  I can't seem to locate the source of the SPAM.  They are stuck in my outbound queue (smarthost).  I have added ACLs to the firewall to only allow IP addresses from my smarthost to connect to the mail server.  I have disconnected everything on the network except the mail server, router, and cable modem.  I still see mail pop up in my queue.  I created a transport rule to send me a copy of all messages that have a SPAM rating of -1 or higher, but the rule seems to have no effect, which makes me believe somehow mail is being injected directly into the queue.  I have run scanners (multiple) on all connected devices, including the server.  The only thing detected has been tracking cookies.  I configured the send / receive connectors to only accept mail from the internal subnet range and smarthost IPs respectively, and still receive SPAM.  All user passwords have been changed.

Verified relay is off....  When telnetting into the server I get '421 4.3.2 Service not available'.  Doubt it matters, but I have a dyndns, with an e-mail gateway from duocircle on alt port 2525.

Any help?
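Before guessing at how the messages get in, the queue itself will say which entry point submitted each one. The following Exchange Management Shell session is an added example written for this page, not something DeZo1 or the other posters ran; it assumes an Exchange 2010 Hub Transport server and uses only the stock Get-Queue, Get-Message and Get-MessageTrackingLog cmdlets. The key field is MessageSourceName: "SMTP:<connector name>" means a client connected to that Receive connector (SourceIP is the client), "FromLocal" means a mailbox submitted it through the store driver (a compromised account, or a device or application holding its credentials), and "Pickup" or "Replay" means a file was dropped into one of the transport directories on the server itself.

```powershell
# Added example (not from the original thread): find where the messages stuck in the
# smart host queue entered Exchange 2010. Run in the Exchange Management Shell on the
# Hub Transport server.

# 1. List the queues; the smart host queue shows the smart host as NextHopDomain.
Get-Queue | Format-Table Identity, DeliveryType, NextHopDomain, MessageCount, Status -AutoSize

# 2. Every queued message with its entry point and submitting IP.
Get-Message -IncludeRecipientInfo -ResultSize Unlimited |
    Select-Object Identity, FromAddress, MessageSourceName, SourceIP, SCL, Subject,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } } |
    Format-Table -AutoSize

# 3. Summarise by entry point and source IP so an unexpected submitter stands out
#    (e.g. many messages from one internal address, or from Pickup/Replay).
Get-Message -ResultSize Unlimited |
    Group-Object MessageSourceName, SourceIP |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 4. Cross-check against message tracking: RECEIVE events for the last day, grouped by
#    Source (SMTP, STOREDRIVER, PICKUP, AGENT), the connector and the client IP.
Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Group-Object Source, ConnectorId, ClientIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 5. If STOREDRIVER dominates, the spam is being submitted from a mailbox: list the
#    top sending accounts so the credential in use can be identified and reset.
Get-MessageTrackingLog -EventId RECEIVE -Source STOREDRIVER -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

A transport rule copying high-SCL messages only fires for mail that passes through the transport rule agent; mail submitted through Pickup or Replay, or from a mailbox with content filtering bypassed, can reach the queue without triggering it, which is why reading MessageSourceName directly is the faster check.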

Will Szymkowski, Senior Solution Architect (Most Valuable Expert 2015, Top Expert 2015)

Commented:
Have you checked the blacklists out there to ensure that your IP is not blacklisted? You can use mxtoolbox.com for one of them.

Will.
DeZo1, IT Manager (Author)

Commented:
Oh yeah, I am currently on at least three blacklists.  I have been for a while, due to the nature of dyndns and not being able to set up a reverse PTR record.  I use an e-mail gateway to set up the mail flow because Comcast blocked port 25; that is the reason for the alt SMTP 2525 port.  Right now, the mail isn't accepted by my e-mail gateway due to the high SPAM rate being pushed out through my Exchange 2010 box.

I know I have something generating this SPAM on my network.  I ran the typical A/V scanners and malware scanners, rootkit buster, etc., that I would use on a standard computer, but I don't find any trace of virus or malware.
Will Szymkowski, Senior Solution Architect (Most Valuable Expert 2015, Top Expert 2015)

Commented:
It seems that you have a few issues with your Exchange environment. If you do not have Exchange properly secured then it is possible that spam will get through. Also you are not configuring external DNS correctly for Exchange, as you need to use a static IP for your reverse (PTR) record for Exchange to work properly.

Will.
IT Manager

Commented:
Yes, you are correct, I should have a reverse PTR record, but Comcast is stupid about static IP addresses and residential accounts.  Having said that, I have been running this way for several years, and these issues are "circumvented" by services like dyndns and email gateway (smarthost) services.  While my configuration isn't ideal for SPF checking by receiving servers (which can also be mitigated by adding the smarthost to the SPF record), it does work.

The question posed is regarding tools to find what is causing SPAM generation on the server.  As I said, none of my traditional malware tools find anything.  I have a Cisco ASA in front of my network with strict ACLs and limited allowed IPs.
DeZo1, IT Manager (Author)

Commented:
I never figured out how the spammer was able to get mail relayed through.  I suspect some sort of header manipulation that convinced Exchange the message originated from "inside" allowed the message to be categorized and placed in the outbound queue.

I built a new server, and set rules on the perimeter firewall (ASA 5505), Windows Firewall, and the 'Anonymous' Receive connector to only allow specific IPs (the IPs of my smarthost).  So far no problems.
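The fix the author settled on, restricting the anonymous Receive connector to the smart host's addresses, can be verified rather than assumed. The snippet below is an added example, not the author's own commands; it assumes an Exchange 2010 Hub Transport server, and the connector name and the two smart host addresses are placeholders to replace with the real ones. Relay on a Receive connector is not a single "relay on/off" switch: a connector relays for anonymous senders when NT AUTHORITY\ANONYMOUS LOGON holds the extended right ms-Exch-SMTP-Accept-Any-Recipient on it, so the audit checks both the accepted IP ranges and that permission.

```powershell
# Added example (not from the original thread): audit and lock down the Receive
# connectors on the rebuilt Exchange 2010 server. Connector name and addresses are
# placeholders.

# 1. What each connector listens on, who it accepts from, and how they authenticate.
Get-ReceiveConnector |
    Format-List Name, Enabled, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Any connector where anonymous senders hold ms-Exch-SMTP-Accept-Any-Recipient will
#    relay to external recipients for every address in its RemoteIPRanges.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object {
        $_.User -like '*ANONYMOUS LOGON*' -and
        $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' -and
        -not $_.Deny
    } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 3. Restrict the anonymous (Internet-facing) connector to the smart host / gateway
#    addresses only. Other clients that need to submit mail (internal applications,
#    other Exchange servers) should use a separate connector with their own ranges.
$smartHostIPs = '203.0.113.10', '203.0.113.11'   # placeholder addresses
Set-ReceiveConnector -Identity 'SERVER\Default SERVER' -RemoteIPRanges $smartHostIPs

# 4. Confirm the change took effect.
Get-ReceiveConnector -Identity 'SERVER\Default SERVER' |
    Select-Object Name, RemoteIPRanges, PermissionGroups
```

Keep the host firewall rule on port 25 (and the gateway's alternate port, if the server listens on it) aligned with the same address list, so a connector misconfiguration later is still caught at a second layer, which is the arrangement the author describes with the ASA, Windows Firewall and connector all carrying the same allow list.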