Spam Going from my Server

Spam Going from my Server - 12.Apr.2012 6:36:05 AM   
PatrickT

 

Posts: 3
Joined: 11.Apr.2012
Status: offline
Dear All,

I noticed a lot of NDRs and my Exchange SMTP queue is full of emails from senders that are not in my domain. I have checked and confirmed that my system is not an open relay.
I have scanned every computer on my network for viruses, malware and spambots but have not found anything.
I am at a total loss; my IP has been blocked/blacklisted and I am unable to send mail.

Please assist me in sorting this problem out.

Cheers
Patrick
Post #: 1
RE: Spam Going from my Server - 12.Apr.2012 11:35:02 AM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Patrick,

First - welcome to the MS-Exchange forums! I know we had a little side-conversation via Email, but as I mentioned I encourage people to post here. If anything, it may help someone with a similar issue in the future. Some of this will be repeating what I wrote to you, but is here to make it easier for others to follow.

The most common causes of spam going out from your network are:
1. Your system has an open relay
2. You have one or more infected computers inside your network

A relay is a system that forwards mail regardless of its destination.
An open relay is a relay that doesn't restrict the mail forwarded.

You should check your SMTP log to see if you can determine where the messages are coming from.

To check for an Open Relay, open the ESM and expand to your server, Protocols, and SMTP. Open the properties of the Default SMTP Virtual Server, go to the Access tab then click on Relay. (You can also get to this setting by opening the IIS console.)

The radio button "Only the list below" should be selected. If you have specific servers that you want to allow relaying for, they should be in the list. If you don't have any servers needing to relay, the list should be empty. In your Email to me, you mentioned your settings were different than what I'm suggesting. Did you change them since? Do you understand why this is the recommended configuration?

I see you also posted in a different thread, asking how to configure Message Tracking and SMTP logging.

Message Tracking - Open the ESM and expand to your server. Right click and open the Properties. On the General tab, you'll see the configuration settings.

SMTP Logging - In the ESM, expand to your server, expand Protocols and SMTP. Open the Properties of the Default SMTP Virtual Server. On the General tab, you'll see the configuration settings.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to PatrickT)
Post #: 2
RE: Spam Going from my Server - 13.Apr.2012 5:13:17 PM   
isdpcman

 

Posts: 158
Joined: 3.Apr.2006
Status: offline
I have a similar issue. GMail has blocked our server from sending email to the GMail server. We're not sure. I can see mail going from our account under INFO@ (a public folder only).

Two questions here:
1) How can I look at the logs and tell what PC is sending this SPAM email (is infected??)
2) How can I stop outbound email from a mail enabled folder?

(in reply to uemurad)
Post #: 3
RE: Spam Going from my Server - 13.Apr.2012 10:41:25 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
The logs only deal with SMTP traffic. If the workstation is using a client (like Outlook or MAPI), those won't show up in the SMTP logs. Do you see the spam messages in your log trying to go to Gmail?

What do you mean outbound from a folder? Is that an automated process, or are you talking about preventing "Send As" from the public folder?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to isdpcman)
Post #: 4
RE: Spam Going from my Server - 14.Apr.2012 5:11:43 AM   
PatrickT

 

Posts: 3
Joined: 11.Apr.2012
Status: offline
Thanks Uemurad,

I now see the log files and can see that the client-ip is not one of my IPs and is using my mail server. How can I block this IP?

How can I stop other IPs from using my mail server to send email?

Thanks for your support

Cheers
Patrick

(in reply to PatrickT)
Post #: 5
RE: Spam Going from my Server - 14.Apr.2012 12:59:28 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Patrick,

Remember my question about your relay configuration? Normally you explicitly name the IP addresses you allow to relay. The configuration you described does the opposite. Selecting "Except the list below" says that everything not in the list is allowed to send mail through your system.

What you want to do is select "Only the list below". That way only the systems in the list are allowed, all others are denied. If you have an empty list, that means no systems are allowed to use your server as a relay.

Please note that the setting has nothing to do with your Exchange servers sending out mail. It's for non-Exchange servers. Exchange servers use other things in the configuration (SMTP Connectors) to get mail out.

-Dean

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to PatrickT)
Post #: 6
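
One way to do the log check discussed in this thread, as an added example that is not part of any participant's post: the Python below reads an SMTP log in W3C Extended format and counts accepted RCPT commands for non-local domains from clients outside the relay allow list. It assumes the c-ip, cs-method, cs-uri-query and sc-status fields are being logged; the sample lines, domains and addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-04-14 05:00:02 192.168.10.25 app01 RCPT +TO:<partner@example.net> 250
2012-04-14 05:01:10 198.51.100.20 mx.example.net RCPT +TO:<info@example.com> 250
2012-04-14 05:02:11 203.0.113.77 User RCPT +TO:<someone1@example.org> 250
2012-04-14 05:02:12 203.0.113.77 User RCPT +TO:<someone2@example.org> 250
2012-04-14 05:03:30 203.0.113.90 User RCPT +TO:<someone3@example.org> 550
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def external_relay_counts(text, local_domains, relay_allowed):
    """Count accepted non-local recipients per client IP outside the allow list."""
    nets = [ipaddress.ip_network(n) for n in relay_allowed]
    counts = Counter()
    for entry in parse_w3c(text):
        if entry.get("cs-method") != "RCPT" or entry.get("sc-status") != "250":
            continue  # only recipients the server actually accepted
        match = re.search(r"@([^>\s]+)>", entry.get("cs-uri-query", ""))
        if not match or match.group(1).lower() in local_domains:
            continue  # mail for our own domain is normal inbound traffic
        client = ipaddress.ip_address(entry["c-ip"])
        if not any(client in net for net in nets):
            counts[entry["c-ip"]] += 1  # relayed for a host that should be denied
    return counts

if __name__ == "__main__":
    print(external_relay_counts(SAMPLE_LOG, {"example.com"}, ["192.168.10.25/32"]))
```

Any address this reports was allowed to relay to an outside domain, which is what the "Only the list below" setting is meant to prevent.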
RE: Spam Going from my Server - 13.Sep.2012 12:48:32 AM   
miscommon

 

Posts: 1
Joined: 13.Sep.2012
Status: offline
I have a similar issue.

My server is not an open relay. Below is the header of a spam message. I'm just wondering how this external IP address (199.127.56.70) can use my server to send out spam. That IP definitely is not in my Relay allow list. Why does my server accept to send mail from the above IP?


Microsoft Mail Internet Headers Version 2.0
From: postmaster@mydomain.com
To: bnote@americanexpress.com
Date: Thu, 13 Sep 2012 00:20:36 +0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01CD89C1578B72A400002ACCmyserver.mydomain.co"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <TGJ2TUSzb000002be@myserver.mydomain.com>
Subject: Delivery Status Notification (Failure)

--9B095B5ADSN=_01CD89C1578B72A400002ACCmyserver.mydomain.co
Content-Type: text/plain; charset=unicode-1-1-utf-7

--9B095B5ADSN=_01CD89C1578B72A400002ACCmyserver.mydomain.co
Content-Type: message/delivery-status

--9B095B5ADSN=_01CD89C1578B72A400002ACCmyserver.mydomain.co
Content-Type: message/rfc822

Received: from User ([199.127.56.70] RDNS failed) by myserver.mydomain.com with Microsoft SMTPSVC(6.0.3790.3959);
Thu, 13 Sep 2012 00:19:35 +0800
From: "American Express"<bnote@americanexpress.com>
Subject: American Express - Security Warning !
Date: Wed, 12 Sep 2012 09:19:32 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_002E_01C2A9A6.07CAC098"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: bnote@americanexpress.com
Message-ID: <MYSERVERT0apMHi0SYNIP00000733@myserver.mydomain.com>
X-OriginalArrivalTime: 12 Sep 2012 16:19:36.0406 (UTC) FILETIME=[66C98F60:01CD9102]

------=_NextPart_000_002E_01C2A9A6.07CAC098
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_002E_01C2A9A6.07CAC098
Content-Type: application/octet-stream;
name="Protection.Form.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Protection.Form.html"


------=_NextPart_000_002E_01C2A9A6.07CAC098--

--9B095B5ADSN=_01CD89C1578B72A400002ACCmyserver.mydomain.co--

(in reply to uemurad)
Post #: 7
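
The header pasted above is a Delivery Status Notification from postmaster, addressed to the Return-Path of the message it encloses. As an added example (not part of the thread), the Python below extracts those fields so that a queued bounce can be told apart from relayed mail; the sample message, hosts and addresses are constructed, and the Final-Recipient line is an assumption because the pasted delivery-status part is empty.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed NDR with the same shape as the pasted header (placeholder hosts and addresses).
SAMPLE_NDR = """\
From: postmaster@mail.example.com
To: billing@example.org
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="DSN_B"

--DSN_B
Content-Type: message/delivery-status

Reporting-MTA: dns;mail.example.com

Final-Recipient: rfc822;nobody@example.com
Status: 5.1.1

--DSN_B
Content-Type: message/rfc822

Received: from User ([203.0.113.77] RDNS failed) by mail.example.com with Microsoft SMTPSVC;
 Thu, 13 Sep 2012 00:19:35 +0800
From: "Billing" <billing@example.org>
Return-Path: billing@example.org

(body removed)
--DSN_B--
"""

def summarize_ndr(raw):
    """Describe a server-generated bounce: who receives it and where the bounced mail came from."""
    msg = message_from_string(raw)
    if (msg.get_content_type(), msg.get_param("report-type")) != ("multipart/report", "delivery-status"):
        return None  # not a delivery status notification
    inner = next((p.get_payload(0) for p in msg.walk()
                  if p.get_content_type() == "message/rfc822" and p.is_multipart()), None)
    if inner is None:
        return None
    hops = inner.get_all("Received") or [""]
    # The topmost Received header is the one our own server stamped on acceptance.
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[0])
    failed = [p["Final-Recipient"] for p in msg.walk() if p["Final-Recipient"]]
    return {
        "bounce_to": parseaddr(msg["To"])[1],
        "claimed_sender": parseaddr(inner.get("Return-Path", ""))[1],
        "client_ip": ip.group(1) if ip else None,
        "failed_recipient": failed[0].split(";", 1)[1].strip() if failed else None,
    }
```

When `bounce_to` equals `claimed_sender`, the queued item is the server's own non-delivery report going to the address the original message claimed as its sender.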
