Exchange Server Forums

Spam problems

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [Exchange Server Misc] >> Tips & Tricks >> Spam problems

Page: [1]

Message

<< Older Topic Newer Topic >>

Limited time MSExchange.org offer! -- 1.Sep.2008 1:00:00 PM

TechGenix and SolarWinds have partnered to provide free copies of SolarWinds Exchange Monitor to all visitors who join the MSExchange.org Forums. SolarWinds Exchange Monitor is a handy desktop dashboard that continuously monitors Microsoft Exchange to deliver real-time insight into Exchange services, mail queue sizes, and host server health. Learn more about Exchange Monitor and the free offer!

Spam problems - 29.Jun.2006 4:13:51 PM

The_Librarian

Posts: 3
Joined: 29.May2006
Status: offline

Hi there

Supposedly you're administrator for a stock-standard Win2k3 server running Exchange 2003, with 25 clients. Recently you've discovered that one of your workstations are sending out spam via the mail server (or gateway) and you need to find out which machine is doing so. Your public IP havent been blacklisted yet (lucky you) or you've discovered that your IP've been blacklisted and you've been grilled by the boss... (unlucky you).

Can anybody give any hints on how to pick up which machine(s) is sending out spammy mails?

Keep in mind that the latest and newest spam trojans and viruses tend to hide themselves from detection tools, so all you have is the Exchange server as a tool to tell you which machine is doing the spam routine.

Regards

Libs

Post #: 1

Featured Links*

RE: Spam problems - 8.Feb.2008 11:43:23 AM

s10blazed

Posts: 5
Joined: 30.Mar.2006
From: Pittsburgh, PA
Status: offline

I am also in this situation and am looking for some tips.

All of my suspicious mail going out is addressed from postmaster or admin. The server PC does not appear to be infected from multiple scans and the fact that it is never used as a workstation to open/check email or internet browsing.

Where can check logs of who is sending these messages?

(in reply to The_Librarian)

Post #: 2

RE: Spam problems - 8.Mar.2008 1:34:13 PM

a.grogan

Posts: 1887
Joined: 12.Apr.2005
From: London
Status: offline

Hiya I did a series on this - however I covered such a question here http://telnetport25.wordpress.com/2007/12/09/exchange-2003-spam-attack-internal-external-part-2-open-relay%e2%80%a6/

I hope that this helps.

Cheers

A

_____________________________

Andy Grogan
MSExchange.org Forums Moderator
For my general ramblings about Exchange please visit my blog:
W: http://telnetport25.wordpress.com/
M: manifoldmaster@gmail.com

(in reply to s10blazed)

Post #: 3

RE: Spam problems - 30.Mar.2008 5:18:48 PM

ik8sqi

Posts: 6
Joined: 13.Jan.2008
Status: offline

It may be too late, but I'll reply anyways...
Please note that many many viruses/trojans will *not* use your Exchange server when clients get infected. The malware will instead send the emails directly to the internet from the infected client. The only way to detect this traffic then is by monitoring the firewall and/or the main switches all the client's traffic goes thru on the way out to the internet. You will need to monitor outgoing TCP traffic on port 25. You should not see any traffic at all except originating from your Exchange server's IP address. If some of your clients are using their workstations to send out their personal emails, you may see a handful of outgoing connections to various ISP providers.
You will *easily* figure out what is legitimate traffic and what is caused by viruses, as in the latter case you will often see numbers in the 10,000+ emails/hours being sent.

_____________________________

Roberto Franceschetti
www.logsat.com

(in reply to s10blazed)

Post #: 4