I have an exchange server that is sending multiple spam messages

captjcret
I have an old Exchange Server 2003 that starts sending out garbage emails at a rate of 3 a minute.  After 10 minutes the SMTP connector stops responding and it cannot be restarted without restarting the entire system.  I have run virus scans using Malwarebytes on all systems and can say that everything on the network is clean.  We own 5 different public IP addresses but only have need for one.  We have been blacklisted because of this activity, so I have changed the MX records to point at a new IP address.  This obviously fixes the blacklisting but we still get the surge of bad messages.  I went and deleted thousands of messages in the queue folder.  I have made many changes to the SMTP connector for relaying, and where things stand right now is all users are at least receiving mail, but all outgoing mail sits in the outgoing queues but will go if I force the connection on a specific address.  In the queue I am seeing the bad messages but I am not forcing them.  The one difference with this site is that they are not forwarding to a smarthost; they are using DNS to route address space.
Any ideas??  This server will be replaced next year.
Scott C, Senior Engineer

Commented:
Well, first of all you cannot be certain that the system is clean.  Both Windows Server 2003 and Exchange 2003 are no longer receiving security updates from Microsoft, so it's entirely possible the system has been compromised.

Just because Malwarebytes says the server is clean doesn't mean it really is.  

I know budgets are a concern, but getting rid of this system next year is a bad idea.  You need to get rid of this system now.  Security issues will only become a bigger problem the longer you wait.

I work for an MSP and some of our clients have been dragging their heels on upgrading and now they are paying the price.

Author

Commented:
The problem is the firm is pretty much disbanding because of attrition.  The main guys are retiring and just want to make it to the end of the year.  Then the company changes owners and the money will be there. I need to figure a way to put a band aid on this one.
Scott C, Senior Engineer

Commented:
How many users are we talking about here?  Would a move to Office 365 be an option?

You can still keep the same domain name and continue on for the rest of the year.

The only reason I'm suggesting this is because we don't know that your system hasn't been compromised, and there might not be a Band-Aid for this.

If it's a small number of users you could get this taken care of in a day.

Example of how easy it is to set this up here:

https://www.youtube.com/watch?v=oxit12z9sd4

Costs would be minimal.

Author

Commented:
I have set up other accounts with Office 365, so I am familiar with setting up the domain.  If there is nothing else I can do about the existing Exchange server it might be my only recourse.
Scott C, Senior Engineer

Commented:
Ok.  Maybe we can narrow this down a bit.  I've been thinking about it.

It's possible that the server is compromised but maybe it's not.  What we can do to narrow it down would be to turn off ALL of the clients and see if the SPAM is still being sent.

If it is, then you know it's the server.  If the Spam stops, then you know it's originating with a client.

Turn them on one by one until the Spam starts again.

If this pans out you can then turn your attention to that client or clients.
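As an added example (not from this thread or either participant), the same server-versus-client question can be answered from the SMTP virtual server's W3C protocol log rather than by powering workstations off: tally MAIL FROM commands per source IP per minute and see which internal address, if any, matches the observed rate. The log sample is constructed, and the column layout is assumed from the `#Fields` header it carries; real logs have more columns, which the parser ignores.

```python
from collections import Counter

# Constructed sample in W3C extended format, as an IIS/Exchange 2003 SMTP
# virtual server writes it (column layout assumed from the #Fields header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2016-10-03 09:00:00
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2016-10-03 09:00:01 192.168.1.57 - 192.168.1.10 HELO +PC-057 250
2016-10-03 09:00:01 192.168.1.57 - 192.168.1.10 MAIL +FROM:<alice@example.com> 250
2016-10-03 09:00:12 192.168.1.88 - 192.168.1.10 MAIL +FROM:<bob@example.com> 250
2016-10-03 09:00:20 192.168.1.88 - 192.168.1.10 MAIL +FROM:<x9@junk.example> 250
2016-10-03 09:00:41 192.168.1.88 - 192.168.1.10 MAIL +FROM:<q2@junk.example> 250
2016-10-03 09:01:05 192.168.1.88 - 192.168.1.10 MAIL +FROM:<zz@junk.example> 250
2016-10-03 09:01:30 192.168.1.88 - 192.168.1.10 MAIL +FROM:<aa@junk.example> 250
2016-10-03 09:01:55 192.168.1.88 - 192.168.1.10 MAIL +FROM:<bb@junk.example> 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))


def mail_from_per_minute(text):
    """Count MAIL FROM commands per (client IP, HH:MM); a spamming workstation shows up here."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "MAIL":
            counts[(rec["c-ip"], rec["time"][:5])] += 1
    return counts


def suspicious_clients(text, per_minute=3):
    """Client IPs that issued MAIL FROM at least `per_minute` times within one minute."""
    return sorted({ip for (ip, _), n in mail_from_per_minute(text).items() if n >= per_minute})


if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # constructed data points at 192.168.1.88
```

If no workstation reaches the rate while the outbound queue keeps filling, the messages are being generated on the server itself (including submissions from 127.0.0.1), which is the same conclusion the power-off test reaches.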

Author

Commented:
I should have added that to my description. I had all workstations powered off at the end of the day.  At night I cleared the queues and rebooted the server and I still had junk mail errors in the application event log afterwards. It seems to have cleared up some when I changed a few things with my SMTP connector settings with regards to relaying.  I can't find a pattern.
Senior Engineer
Commented:
Ok.  Then it does look like the issue is with your server.  I'd do the Office 365 migration.  I suspect you'll spend less time and charge your customers less with this route.  

You could spend days trying things that may or may not work. Moving to Office 365 for the next 3 months seems like the quickest, surest way to go.  And if they need the email for longer you just keep running with it.
