how to stop Spam Attack

Is it your IP address or Domain Name that is appearing in the RBL's?

Have you looked at the logs on your server to determine where this email is coming from?  SMTP Send & SMTP Receive logs

Yes our Domain was in the RBL.

What are the method to check the smtp send or receive?

Which version of Exchange?  IIRC  In 2010 the path was along the lines of C:\Program Files\Microsoft\Exchange\V14\ Transport Rules\Logging\SMTPSend & Receive  

So it was your domain name and not your IP?   Could be someone was spoofing your domain name and the bounced emails found their way back via DNS and the Reply to address?

I am sorry I misread your question. It was my IP address got blocked. We have exchange 2007.

Do you have any way of seeing where the SMTP traffic is being generated on your network? (i.e. Egress filtering on the firewall).

I'm thinking that if the traffic is coming from your IP (which is why it is blacklisted)...  you may have a compromised host on your network.

The easiest way to detect that is to filter egress traffic.    The only device on your network that should be generating SMTP traffic leaving your network is your mail server (with a few exceptions).

Find out what is sending email out... and you can at least isolate the compromised host.

what are the method you can use to capture the smtp traffic and be able to determine the compromised host on our network?

What kind of firewall are you using on your network?   Does it include any monitoring or reporting?  Filter on the outgoing SMTP traffic to see what is happening

There are other ways of doing it... but you should work within the realm of abilities and resources you have available.

For instance...  you could setup a Snort IDS, a Proxy server and a Syslog server.  Route all your configurable web traffic thru the proxy...  anything outside of the allowed traffic that then goes thru your firewall would be detected and reported back via syslog and would be worth looking at.    Gets technical.

If you are not technically minded,  you would be better server bringing in an outside party who specializes in this type of thing.

Sniffer is great at broadcast traffic,  not so much with directed traffic and would require a switch in place that allows for port monitoring.

Jeff - We have a Cisco ASA5505 Firewall. not sure if this can give us the ability to export the log that was from yesterday.

Could not tell you how as I am not a Cisco guy... BUT it is possible to send Cisco ASA logs to a SYSLOG device and then Parse that.

Here is something off a Cisco board that may help point you in the right direction

https://supportforums.cisco.com/discussion/11749911/set-syslog-server-asa

I personally use the Kiwi Syslog server... the advantage of which is you can configure rules to notify you when a certain pattern is matched (i.e.  SMTP traffic not from a specified mail server IP)....

Takes a little tinkering, but you probably should be monitoring what is arriving AND leaving your network.

Simon

1. I am not a Cisco guy. Do you have any guide or instruction to set that up?

2. We do have a dedicated ip for our exchange server.

Simon,  thanks for so eloquently phrasing what I was thinking.   The crux of which is to figure out where the email is coming from.

If the email is coming from the server it will hash out...  If it isn't and is coming from another host, it will show itself on the Syslog server.

Hopefully it is easily revealed once he can see what is crossing the threshold of his network.

just downloaded the wireshark, not sure how to interpret this log and can anyone give me some of your expert advice about this log.

NOTES: 192.168.1.2 is our mail server internal ip address. Any 64.235.154.0 - 64.235.154.254 range is the Barracuda cloud based solution ip.

"No.","Time","Source","Destination","Protocol","Length","Info"
"208","2.251661000","50.2.33.153","192.168.1.2","SMTP","72","C: RSET"
"277","3.257089000","192.168.1.2","50.2.33.153","SMTP","87","S: 250 2.0.0 Resetting"
"280","3.277567000","50.2.33.153","192.168.1.2","SMTP","198","C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"288","3.280626000","192.168.1.2","50.2.33.153","SMTP","111","S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"407","3.574958000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"409","3.674384000","50.2.33.153","192.168.1.2","SMTP","198","[TCP Retransmission] C: MAIL FROM:<BestHealthAlerts@healthy.healthycurealertinfo.us> BODY=7BIT RET=HDRS | RCPT TO:<deleted_user@mydomain.com> NOTIFY=FAILURE"
"468","4.175004000","192.168.1.2","50.2.33.153","SMTP","111","[TCP Retransmission] S: 250 2.1.0 Sender OK | 250 2.1.5 Recipient OK"
"469","4.194888000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"470","4.194976000","50.2.33.153","192.168.1.2","SMTP","1434","C: DATA fragment, 1368 bytes"
"473","4.195513000","50.2.33.153","192.168.1.2","SMTP","659","C: DATA fragment, 1961 bytes"
"479","4.398909000","192.168.1.2","50.2.33.153","SMTP","164","S: 250 2.6.0 <ld81318638018131863-17440122gcjdeleted_user@mydomain.com016p> Queued mail for delivery"
"485","4.622006000","50.2.33.153","192.168.1.2","SMTP","72","C: DATA fragment, 6 bytes"
"486","4.622238000","192.168.1.2","50.2.33.153","SMTP","114","S: 221 2.0.0 Service closing transmission channel"
"3629","77.017272000","192.168.1.2","64.235.154.109","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:52 -0700"
"3631","77.036283000","64.235.154.109","192.168.1.2","SMTP","97","C: EHLO mail14.ess.barracuda.com"
"3632","77.036423000","192.168.1.2","64.235.154.109","SMTP","324","S: 250 mail.mydomain.local Hello [64.235.154.109] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3634","77.055769000","64.235.154.109","192.168.1.2","SMTP","76","C: STARTTLS"
"3635","77.055857000","192.168.1.2","64.235.154.109","SMTP","95","S: 220 2.0.0 SMTP server ready"
"3730","79.637125000","192.168.1.2","64.235.153.8","SMTP","170","S: 220 mail.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 16 Jun 2015 15:57:55 -0700"
"3732","79.702001000","64.235.153.8","192.168.1.2","SMTP","96","C: EHLO mail0.ess.barracuda.com"
"3733","79.702283000","192.168.1.2","64.235.153.8","SMTP","322","S: 250 mail.mydomain.local Hello [64.235.153.8] | 250 SIZE | 250 PIPELINING | 250 DSN | 250 ENHANCEDSTATUSCODES | 250 STARTTLS | 250 X-ANONYMOUSTLS | 250 AUTH NTLM | 250 X-EXPS GSSAPI NTLM | 250 8BITMIME | 250 BINARYMIME | 250 CHUNKING | 250 XEXCH50 | 250 XRDST"
"3734","79.766432000","64.235.153.8","192.168.1.2","SMTP","76","C: STARTTLS"
"3735","79.766640000","192.168.1.2","64.235.153.8","SMTP","95","S: 220 2.0.0 SMTP server ready"
"4015","82.530810000","144.160.235.143","192.168.1.2","SMTP","152","S: 220 alph143.prodigy.net ESMTP Sendmail 8.14.4 IN nd2 TLS/8.14.4; Tue, 16 Jun 2015 18:58:27 -0400"

I cannot help with Cisco queries. Dropped Cisco years ago. When I did have it, I had support on them - if I wanted anything changed I got Cisco to do it for me.
If you have a dedicated IP address for Exchange and are still getting blacklisted, then I would be checking the NAT is correct - ie so the traffic is coming out on the correct address.

Simon.

Hi GeNeRaL971,

any input on the Wireshark output?

Thanks for all the inputs. very useful and we were able to indentify where the issue was.