Questions about troubleshooting spam coming from inside network on SBS 2011 standard box

I feel embarrassed to have to admit I know little about Exchange and the issue I am having here.

On an SBS 2011 standard box, years ago they set up a smart host send connector to go through a company that checks for spam filtering.

Worked fine for years. Now the filtering company is saying there's loads of spam going out from our network through them (coming from different people in the company). They said they disabled the mail@relay.domain.com address till we can clean things up. They said they felt a machine got infected. Wouldn't that machine typically send out under the user that's logged into that machine, not several different people?

Looking at the message queues in Exchange Management Console, I see a smarthostconnectordelivery entry. There are (only) 27 emails there waiting to go out. I can view the to / from for each. But the sender isn't available to be able to ask if they sent the emails intentionally.

a) is there a way when logged in as the admin to see the text of the emails to know if they are legit emails?
b) if a machine was sending out spam, wouldn't there be more than 27 emails waiting to go after 4 hours since they disabled that email address?
c) I am envisioning seeing the LAN IP that the emails were sent from to the Exchange server; then I can see if these are all coming from 1 machine and check that machine for malware.

For mail that already went out, is there a way to see the contents of those emails? The spam filtering people sent me a list of headers of emails they say are spam... from different people in the company to people outside. I can't see the subject in what they sent. I would just like to be able to see that these really are spam (the spam filtering company can be overzealous sometimes, I think).
BeGentleWithMe-INeedHelpAsked:

AlanConsultantCommented:
Hi,

Wouldn't that machine send out typically under the user that's logged into that machine? not several different people?

It could, but it could also be from completely random addresses.

But the sender isn't available to be able to ask if they sent the emails intentionally.

a) is there a way when logged in as the admin to see the text of the emails to know if they are legit emails?

If they were sent within the last four hours, why can't you check with the senders?  If they are in a meeting, it won't last all that long?  I'm not sure what the problem is here?

If you are the admin, you could look in their sent items (if you have authority to do that), and inspect the content of the emails.


On a separate note, are you requiring clients to authenticate to the Exchange server in order to send out email?  If not, then turning that on might stop the flow of spam in the first instance.

Even if that works, it likely still means you have a machine infected, so I would begin a process of doing full malware scans on all machines / devices, as it is also likely that if one machine is infected, so might others be.


Alan.
0

timgreen7077Exchange EngineerCommented:
Review the headers in a header analyzer. You can go to mxtoolbox.com and select the Analyze Headers tab, then copy and paste the entire header into the text box and press the analyze header button. This will allow you to see the path the email took, along with the subject and so forth.
0
BeGentleWithMe-INeedHelpAuthor Commented:
Alan - it's the evening and I don't have users phone numbers to ask them.

To see their sent folder, I have to give myself rights to their mailbox, then connect in Outlook to their account? I'm on the server and that doesn't have Exchange in it. I guess OWA is the answer?

Can't see the text of emails in logs from inside EMC?

And for things in the queue? I guess those would also be in the sent folders of their accounts?

and again, excuse my ignorance:

are you requiring clients to authenticate to the Exchange server in order to send out email?  

This is an SBS box / domain. They log into the domain and get access to Exchange in Outlook. Right? One-time authentication, when they log into the PC?

Tim: for sent emails and things stuck in the queue, how would I get the headers?

THANKS!
0
timgreen7077Exchange EngineerCommented:
You mentioned in your original question that the spam filtering people sent you some headers. Use those headers to see the mail info.
0
arnoldCommented:
The items of interest are the Received: lines.
These will tell you the source of the message: the IP from which your Exchange accepted the message and, depending on your setup, info on who authenticated.


Are users able to submit messages through your server, updating passwords (users change their passwords)?
0
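To illustrate arnold's point about reading the Received: lines, here is an added example (not part of the thread, and not Exchange's own tooling). It walks the Received: chain of constructed sample messages, picks the oldest hop (the one where the message entered the SBS Exchange server), and groups the From: addresses by the submitting LAN IP; several different senders behind one IP is what a single submitting machine looks like. The host names, addresses and IPs are made up for the example.

```python
import re
from collections import defaultdict
from email import message_from_string

# Constructed sample messages (not from the thread). Received: headers are listed
# newest-first, so the LAST one is the hop into the SBS Exchange server. Exchange 2010
# stamps "with mapi" for Outlook submissions and "with Microsoft SMTP Server" plus the
# client IP for SMTP submissions.
FILTER_HOP = ("Received: from relay.example.net (203.0.113.10) by mx.filter.example\n"
              " with ESMTP id a1; Mon, 1 Jan 2018 10:05:02 -0500\n")
MAPI_HOP = ("Received: from SBS.corp.local ([fe80::1]) by SBS.corp.local ([fe80::1])\n"
            " with mapi id 14.01.0438.000; Mon, 1 Jan 2018 10:05:00 -0500\n")
SMTP_HOP = ("Received: from WORKSTATION-17 (192.168.1.50) by SBS.corp.local (192.168.1.5)\n"
            " with Microsoft SMTP Server id 14.1.438.0; Mon, 1 Jan 2018 10:05:00 -0500\n")
SAMPLES = [FILTER_HOP + hop + f"From: {who}\nTo: ext@example.org\nSubject: hi\n\nbody\n"
           for hop, who in [(MAPI_HOP, "alice@corp.example"),
                            (SMTP_HOP, "carol@corp.example"),
                            (SMTP_HOP, "dave@corp.example")]]

HOP_RE = re.compile(r"from\s+(?P<host>\S+)(?:\s*\((?P<paren>[^)]*)\))?.*?"
                    r"\bwith\s+(?P<proto>[^;]*?)(?:\s+id\b|;|$)", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def origin_hop(raw):
    """Submitting host/IP/protocol from the oldest (last-listed) Received: line."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    # Unfold the header and squash whitespace before matching.
    m = HOP_RE.search(" ".join(received[-1].split())) if received else None
    if not m:
        return None
    ip = IPV4_RE.search(m.group("paren") or "")
    return {"host": m.group("host"), "ip": ip.group(0) if ip else None,
            "proto": m.group("proto"), "sender": msg["From"]}

def group_by_origin(raws):
    """Map each originating LAN IP (or 'mapi' for Outlook submissions) to the
    From: addresses seen from it."""
    groups = defaultdict(list)
    for raw in raws:
        hop = origin_hop(raw)
        if hop:
            groups[hop["ip"] or hop["proto"]].append(hop["sender"])
    return dict(groups)

if __name__ == "__main__":
    for origin, senders in group_by_origin(SAMPLES).items():
        print(f"{origin}: {', '.join(senders)}")
```

Paste the real headers supplied by the filtering company into SAMPLES in place of the constructed ones; an IP that keeps appearing under many From: addresses is the machine to scan first.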
AlanConsultantCommented:
Hi,

Alan - it's the evening and I don't have users phone numbers to ask them.

Fair enough :-)

To see their sent folder, I have to give myself rights to their mailbox, then connect in Outlook to their account? I'm on the server and that doesn't have Exchange in it. I guess OWA is the answer?

Can't see the text of emails in logs from inside EMC?

Yes - that would be one easy way to do it. Log in as a domain admin, and give your own user rights to their mailbox, and check their sent items.

As above - technical permissions are one thing, but company policies may be another!


And for things in the queue? I guess those would also be in the sent folders of their accounts?

Yes - same as above would work.


and again, excuse my ignorance:

are you requiring clients to authenticate to the Exchange server in order to send out email?  

This is an SBS box / domain. They log into the domain and get access to Exchange in Outlook. Right? One-time authentication, when they log into the PC?

Okay - So if you are logged on to the SBS2008 box, I think it went (from memory, from some years ago!):

Exchange Management Console
Server Configuration
Hub Transport
Receive Connectors

You may have one receive connector, or more than one.  Start with the default one if more than one.

Right click on the connector, and choose 'Properties'

Post back with what you have under 'Authentication' and / or 'Permission Groups'.

In particular, do you have something like 'Anonymous' turned on?

If so, post back, but don't change it just yet - it might cause other things to stop working if you just turn it off.

Alan.
0
BeGentleWithMe-INeedHelpAuthor Commented:
thanks for the help.

There are 3 connectors on that page. See the attached pics. I don't see anything like anonymous, which I guess is good : )
sbs.JPG
sbs1.JPG
sbs2.JPG
0
BeGentleWithMe-INeedHelpAuthor Commented:
There are only 28 emails now in the outbound queue (vs 27 a couple hours ago). I emailed the spam company for more details. From what I can see, the emails they were listing as spam look legit to me. Again, they have been overzealous over the years. Maybe just chasing a ghost?
0
arnoldCommented:
Can you post the message headers from a sample of the messages?
Look at the Message-Id.

The settings on the Exchange side deal with limiting how many messages, or what size of messages, it will accept.
I.e. limiting the number of recipients.
I.e. while your system might only have 27, the spam-filtering service might actually see 270 or 2700, depending on how many recipients each message is designated to.
To and Cc are visible; Bcc is not disclosed in the header of the message.
Commonly, I think your spam-filtering service will be provided with a message per recipient.

Looking at the outgoing connection log to them, you will see messages from and to, if enabled.

What functions/services do you have on your systems? Identify each, along with tracking the headers to identify from which system and IP each message was accepted by your Exchange server.
0
AlanConsultantCommented:
Hi,

Please can you also post the 'Permission Groups' tabs from each of the connectors.

Thanks,

Alan.
0
BeGentleWithMe-INeedHelpAuthor Commented:
uh.... never mind?!

I asked the spam filtering company for more info about the spam situation. They sent me basic info (from / to info) from 1 user on 1 day, saying that person was sending lots of mail (not sure if that's their only rule of thumb for spam / not spam : )

I looked at some of those things in their sent folder... all looked legit.  And checked with the user - were you sending lots of mail that day. They said yes.

Based on the fact that we're not seeing lots of mail going out anymore, didn't see any big spike in things in the queue when the smtp connector was disabled and now that the smtp connector is restored and the filtering company says things are OK, I am attributing this to the filtering company being overzealous?!

We've had issues with this filtering / email hosting company before and their zealousness, where at 1 remote office that has dynamic IP, this filtering company wasn't accepting outgoing mail because it was coming from a location that has dynamic IP.  WTF?! So when people are traveling / at home / not paying for a static IP address, you won't accept mail from a validated account?  That was a while ago and I forget how that was resolved.  I don't think that location got a static IP address.  The filtering company realized it was a wrong strategy?

THANKS!
0
arnoldCommented:
Usually, people who travel are supposed to connect back to their home server, authenticate and submit the message.
0