BeGentleWithMe-INeedHelp

asked on

Questions about troubleshooting spam coming from inside network on SBS 2011 standard box

I feel embarrassed to have to admit I know little about Exchange and the issue I am having here.

On an SBS 2011 standard box, years ago they set up a smart host send connector to go through a company that checks for spam filtering.

Worked fine for years.  Now the filtering company is saying there's loads of spam going out from our network through them (coming from different people in the company). They said they disabled the mail@relay.domain.com address till we can clean things up.  They said they felt a machine got infected. Wouldn't that machine typically send out under the user that's logged into that machine, not several different people?

Looking at the message queues in Exchange Management Console, I see a smarthostconnectordelivery entry. There are (only) 27 emails there waiting to go out.  I can view the to / from for each. But the sender isn't available to be able to ask if they sent the emails intentionally.

a) is there a way when logged in as the admin to see the text of the emails to know if they are legit emails?
b) if a machine was sending out spam, wouldn't there be more than 27 emails waiting to go after 4 hours since they disabled that email address?
c) I am envisioning seeing the LAN IP that the emails were sent from to the exchange server, then I can see if these are all coming from 1 machine / check that machine for malware.

For mail that already went out, is there a way to see the contents of those emails?  The spam filtering people sent me a list of headers of emails they say are spam... from different people in the company to people outside.  Can't see the subject in what they sent. I would just like to be able to see that these really are spam (the spam filtering company can be overzealous sometimes I think).
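One way to work through questions (a) and (c) from the Exchange Management Shell on the SBS box, as an added example that is not from the thread or from any of the answers; the server name, the 24-hour window and the export folder are assumptions:

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# SBS 2011 server (Exchange 2010). Server name and export folder are assumptions.
$server = "SBS"
$since  = (Get-Date).AddHours(-24)

# (c) Which client handed each message to Exchange? RECEIVE events record ClientIp.
# Caveat: Outlook/MAPI submissions are logged with Source STOREDRIVER and the server's
# own address, so only SMTP submissions (devices, scripts, or clients authenticating
# over 25/587) reveal an actual workstation IP here.
Get-MessageTrackingLog -Server $server -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Group-Object Source, ClientIp, Sender |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Mail that already left through the smart host: SEND events carry subject and
# recipients, which the filtering company's header list did not show.
# Add -Sender user@domain to check a single user.
Get-MessageTrackingLog -Server $server -EventId SEND -Start $since -ResultSize Unlimited |
    Select-Object Timestamp, Sender, @{n="To";e={$_.Recipients -join ","}}, MessageSubject, ClientIp |
    Format-Table -AutoSize

# (a) Read a message still waiting in the smart host queue. SourceIP/MessageSourceName
# show what submitted it (the server itself for Outlook submissions). A queued message
# must be suspended before it can be exported; the .eml opens in Notepad or Outlook.
$queues = Get-Queue -Server $server | Where-Object { $_.DeliveryType -eq "SmartHostConnectorDelivery" }
$msgs   = $queues | ForEach-Object { Get-Message -Queue $_.Identity -ResultSize Unlimited }
$msgs | Select-Object Identity, FromAddress, SourceIP, MessageSourceName, Subject, Status |
    Format-Table -AutoSize

$out = "C:\Temp\QueueExport"
New-Item -ItemType Directory -Path $out -Force | Out-Null
foreach ($m in $msgs) {
    Suspend-Message -Identity $m.Identity -Confirm:$false
    $file = Join-Path $out ("{0}.eml" -f ("$($m.Identity)" -replace '[\\/:]', '_'))
    Export-Message -Identity $m.Identity | AssembleMessage -Path $file
    Resume-Message -Identity $m.Identity -Confirm:$false
}
```

Resume-Message is run right after the export so the queue keeps draining; leave a message suspended instead if you want to hold it while you check with the sender.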
ASKER CERTIFIED SOLUTION
Alan
timgreen7077

Review the headers in a header analyzer. You can go to mxtoolbox.com and select the Analyze Headers tab, then copy and paste the entire header into the text box and press the analyze header button. This will allow you to see the path the email took along with the subject and so forth.
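What a header analyzer does with the Received: lines can also be reproduced locally, which helps when the filtering company only sends raw headers. This is an added example, not Tim's code or anything from the thread; the sample header is constructed and the host names in it are placeholders.

```powershell
# Added example (not from the thread). Walks the Received: headers of a message to show
# the path it took. Headers are prepended by each hop, so the LAST Received: line is the
# first hop, i.e. the host that submitted the message. PowerShell 2.0 syntax (SBS 2011).
function Get-ReceivedChain {
    param([string]$RawHeaders)
    # Unfold RFC 5322 continuation lines (a line starting with space/tab continues the previous one)
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", " "
    $received = @($unfolded -split "`r?`n" | ForEach-Object {
        if ($_ -match '^Received:\s*(.*)$') { $Matches[1] }
    })
    [array]::Reverse($received)   # oldest hop first
    $hop = 0
    foreach ($r in $received) {
        $hop++
        $from = if ($r -match '^from\s+(\S+)') { $Matches[1] } else { '' }
        # IPv4 or bare IPv6 literal in () or [] following the "from" host name
        $ip   = if ($r -match '[\[\(]((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]*:[0-9a-fA-F:.]+)[\]\)]') { $Matches[1] } else { '' }
        $by   = if ($r -match '\bby\s+(\S+)')   { $Matches[1] } else { '' }
        $with = if ($r -match '\bwith\s+(\S+)') { $Matches[1] -replace ';$', '' } else { '' }
        $when = if ($r -match ';\s*([^;]+)$')   { $Matches[1].Trim() } else { '' }
        New-Object PSObject -Property @{ Hop=$hop; From=$from; IP=$ip; By=$by; With=$with; Date=$when } |
            Select-Object Hop, From, IP, By, With, Date
    }
}

# Constructed sample: a message submitted from Outlook (MAPI) on the SBS box, relayed
# through the filtering company's smart host, and delivered to an outside recipient.
$sample = @"
Received: from filter.relay-example.net (filter.relay-example.net [203.0.113.10])
 by mx.recipient.example (Postfix) with ESMTPS id 4ABCDEF
 for <bob@recipient.example>; Tue, 11 Jun 2019 18:02:11 +0000
Received: from SBS.corp.local (198.51.100.20) by filter.relay-example.net
 with ESMTPS; Tue, 11 Jun 2019 18:02:09 +0000
Received: from SBS.corp.local ([::1]) by SBS.corp.local ([::1]) with mapi;
 Tue, 11 Jun 2019 14:02:05 -0400
From: alice@corp.example
Subject: Q2 invoices
"@
Get-ReceivedChain -RawHeaders $sample | Format-Table -AutoSize
# Hop 1 is the "with mapi" submission: the Outlook workstation's LAN address never
# appears, only the server talking to itself. Only SMTP-submitted mail carries the
# submitting client's IP in hop 1, which is what to look for when hunting one infected PC.
```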
ASKER
Alan - it's the evening and I don't have users phone numbers to ask them.

To see their sent folder I have to give myself rights to their mailbox? then connect in Outlook to their account?  I'm on the server and that doesn't have Outlook on it. I guess OWA is the answer?

can't see text of emails in logs from inside EMC?

And for things in the queue? I guess those would also be in the sent folders of their accounts?

and again, excuse my ignorance:

are you requiring clients to authenticate to the Exchange server in order to send out email?  

This is an SBS box / domain. They log into the domain and get access to exchange in outlook.  Right?  1 time authentication> when they log into the PC?  

Tim: for sent emails and things stuck in the queue, how would I get the headers?

THANKS!
thanks for the help.

There are 3 connectors on that page.  See the attached pics.  Don't see anything like anonymous, which I guess is good : )

Attachments: sbs.JPG, sbs1.JPG, sbs2.JPG
There are only 28 emails now in the outbound queue (vs 27 a couple hours ago). I emailed the spam company for more details.  From what I can see, the emails they were listing as spam look legit to me.  Again, they have been overzealous over the years.  Maybe just chasing a ghost?
Hi,

Please can you also post the 'Permission Groups' tabs from each of the connectors.

Thanks,

Alan.
uh.... never mind?!

I asked the spam filtering company for more info about the spam situation.  They sent me basic info (from / to info) from 1 user on 1 day, saying that person was sending lots of mail (not sure if that's their only rule of thumb for spam / not spam : )

I looked at some of those things in their sent folder... all looked legit.  And I checked with the user: were you sending lots of mail that day? They said yes.

Based on the fact that we're not seeing lots of mail going out anymore, didn't see any big spike in things in the queue when the smtp connector was disabled and now that the smtp connector is restored and the filtering company says things are OK, I am attributing this to the filtering company being overzealous?!

We've had issues with this filtering / email hosting company before and their zealousness, where at 1 remote office that has dynamic IP, this filtering company wasn't accepting outgoing mail because it was coming from a location that has dynamic IP.  WTF?! So when people are traveling / at home / not paying for a static IP address, you won't accept mail from a validated account?  That was a while ago and I forget how that was resolved.  I don't think that location got a static IP address.  The filtering company realized it was a wrong strategy?

THANKS!
Usually, people who travel are supposed to connect back to their home server, authenticate and submit the message.