Blacklisted due to outgoing spam SBS2011

IP Address 12.198.184.xxx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2015-06-18 13:00 GMT (+/- 30 minutes), approximately 7 hours, 30 minutes ago.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

I am using Exchange 2010 on SBS2011 and I would like to find out which email address is doing this.  Is there a way for me to do that?
Computer Helper (Windows Server Admin) asked:
BTechAU commented:
It's actually more likely that you have a PC on your network that's infected that's causing this. All traffic from your network is probably going out on the same public IP address so you need to scan all your machines (including the server) for malware first.
0
Computer Helper (Windows Server Admin, author) commented:
I went to Message Tracking on EMC and delivery reports after signing in as Admin. I looked through everyone's mailbox and do not see anything suspicious. Is this the correct way to do this or is there another way? Is it possible that spam could be sent out through someone's email account even though I don't see it in the delivery report?
0
Computer Helper (Windows Server Admin, author) commented:
What type of malware scan do you recommend for the server?
0
BTechAU commented:
I should add for clarification that it's probably not Exchange where the problem lies but you can also check the queue on your Exchange to see if you can see anything, but this is less likely.
0
BTechAU commented:
Just use malwarebytes to start with on all machines. It is very possible (probable even) that it's not the server so you need to check all machines.
0
Simon Butler (Sembee, consultant) commented:
Looking at the Exchange server is a waste of time.
As already pointed out above, this is most likely a compromised workstation, and the workstation is sending email out directly.

If your server was compromised then you would see a lot of garbage in the queue, as the spammer's lists are not very clean.

The best way to find the source is to use your router (if you have a decent one). Block port 25 outbound for all addresses but Exchange and watch the logs. The compromised system will quickly show up in the logs and you can then look at removing the culprit.

Simon.
0
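Simon's port-25 approach above, as an added example that is not part of the thread: a small Python script that reads firewall log lines and lists every internal host, other than the Exchange server, that tried to reach TCP/25 directly. The syslog-style log format, the LAN address 192.168.1.10 for Exchange and the sample lines are all constructed assumptions; adapt the regex to your router's actual format.

```python
"""Rank internal hosts that attempt direct outbound SMTP (tcp/25) from
firewall log lines. Added example, not code from the thread."""
import re
from collections import Counter

EXCHANGE_IP = "192.168.1.10"   # assumption: LAN address of the Exchange server

# Constructed sample lines in a generic firewall syslog style (not real logs)
SAMPLE_LOG = """\
Jun 18 12:41:02 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.25 PROTO=TCP DPT=25
Jun 18 12:41:03 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.10 DST=198.51.100.4 PROTO=TCP DPT=25
Jun 18 12:41:05 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.26 PROTO=TCP DPT=25
Jun 18 12:41:06 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.22 DST=93.184.216.34 PROTO=TCP DPT=443
Jun 18 12:41:07 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.27 PROTO=TCP DPT=25
Jun 18 12:41:09 fw kernel: DROP IN=lan OUT=wan SRC=192.168.1.88 DST=203.0.113.40 PROTO=TCP DPT=25
"""

# Assumed field layout; only the SRC/DST/DPT fields matter for the check
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)"
)


def smtp_senders(log_text, exchange_ip=EXCHANGE_IP):
    """Return {src_ip: (attempt_count, distinct_destination_count)} for every
    internal host, other than the Exchange server, that tried tcp/25 outbound."""
    attempts = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src = m.group("src")
        if src == exchange_ip:
            continue                     # legitimate relay, ignore
        attempts[src] += 1
        dests.setdefault(src, set()).add(m.group("dst"))
    return {ip: (n, len(dests[ip])) for ip, n in attempts.items()}


def rank_suspects(log_text, exchange_ip=EXCHANGE_IP):
    """Most suspicious first: a spam bot fans out to many distinct mail
    hosts, so distinct destinations outrank the raw attempt count."""
    found = smtp_senders(log_text, exchange_ip)
    return sorted(found, key=lambda ip: (found[ip][1], found[ip][0]), reverse=True)


if __name__ == "__main__":
    stats = smtp_senders(SAMPLE_LOG)
    for ip in rank_suspects(SAMPLE_LOG):
        print(f"{ip}: {stats[ip][0]} attempts to {stats[ip][1]} distinct hosts on tcp/25")
```

Once the outbound port-25 block is in place, every host the script lists is either a legitimate mail client that should be relaying through Exchange or the machine to clean.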
Computer Helper (Windows Server Admin, author) commented:
Found this on the server.
0
Computer Helper (Windows Server Admin, author) commented:
Found this on the server
0
Computer Helper (Windows Server Admin, author) commented:
Also I keep getting these pop-ups.  Any suggestions on how to stop these?
0
Computer Helper (Windows Server Admin, author) commented:
By the way, I scanned all workstations for viruses and malware and changed all passwords. I tightened the firewall to only allow outbound email on the server IP.
0
Simon Butler (Sembee, consultant) commented:
The IP address is from the Ukraine. I presume you aren't in the Ukraine?
Go through the IIS logs, but I suspect you have a compromised account.

Were the files found in server locations, or in user shares?

Simon.
0
Computer Helper (Windows Server Admin, author) commented:
The sysadmin account. I suspect this is from an old migration. This account is nowhere to be found in AD.
0
Simon Butler (Sembee, consultant) commented:
I don't understand what you are saying.
Was something found under "sysadmin" ?

Look in the section marked "Builtin" for the user account as well.

Simon.
0
Computer Helper (Windows Server Admin, author) commented:
Location of the malware was inside the sysadmin user folder.
0
Simon Butler (Sembee, consultant) commented:
Just delete the folder then.
Have you looked at the file dates to see if it is recent? The fact that the files are there doesn't mean the malware is actually running on the server.

Simon.
0
Computer Helper (Windows Server Admin, author) commented:
Deleting this folder stopped the attack pop-up from Malwarebytes.
Scanning all workstations and changing all passwords stopped the server's IP from becoming blacklisted again.
0