Spam problems (Full Version)


The_Librarian -> Spam problems (29.Jun.2006 4:13:51 PM)

Hi there

Suppose you're the administrator of a stock-standard Win2k3 server running Exchange 2003, with 25 clients. Recently you've discovered that one of your workstations is sending out spam via the mail server (or gateway) and you need to find out which machine is doing so. Your public IP hasn't been blacklisted yet (lucky you), or you've discovered that your IP has been blacklisted and you've been grilled by the boss... (unlucky you).

Can anybody give any hints on how to pick up which machine(s) are sending out spammy mails?

Keep in mind that the latest and newest spam trojans and viruses tend to hide themselves from detection tools, so all you have is the Exchange server as a tool to tell you which machine is doing the spam routine.

Regards

Libs
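Working from the Exchange side, as the question asks, the SMTP protocol log of the SMTP virtual server records every MAIL FROM and RCPT TO with the client IP that issued it. The script below is an added example, not code from this thread: it reads that log in IIS W3C extended format, tallies per client IP the MAIL FROM commands, the RCPT TO commands and the sender addresses each client claims, and lists the clients that submit unusually many messages or pose as a system account. The column order, the sample log lines and the thresholds are constructed for the demo; a real log carries its own #Fields header, which the parser uses as-is.

```python
"""Find which client is submitting mail through an Exchange 2003 SMTP virtual server.

Added example, not code from the thread. It reads the SMTP protocol log that
Exchange 2003 writes in IIS W3C extended format when logging is enabled on the
SMTP virtual server, and counts per client IP the MAIL FROM commands, the
distinct sender addresses and the RCPT TO commands. The field list and the log
lines below are constructed to match that layout; real logs carry their own
#Fields header, which the parser honours.
"""
import re
from collections import defaultdict

# Constructed W3C header in the column order an Exchange 2003 SMTP log uses.
_HEADER = ("#Fields: date time c-ip cs-username s-sitename s-computername s-ip "
           "s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
           "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
           "cs(Cookie) cs(Referer)")


def _entry(ip, host, verb, arg, status="250"):
    """Build one constructed log line with 21 columns matching _HEADER.
    W3C format separates columns with spaces and replaces spaces inside a
    value with '+', so the MAIL argument appears as +FROM:<addr>."""
    return (f"2008-02-08 11:02:31 {ip} {host} SMTPSVC1 EXCH01 10.0.0.5 25 "
            f"{verb} - {arg} {status} 0 51 33 0 SMTP - - - -")


def _build_sample():
    """Constructed sample: one user, one scanner and one workstation that
    submits 60 messages as postmaster@example.com, three recipients each."""
    lines = ["#Software: Microsoft Internet Information Services 6.0", _HEADER]
    lines.append(_entry("192.168.1.31", "PC-ALICE", "MAIL", "+FROM:<alice@example.com>"))
    lines.append(_entry("192.168.1.31", "PC-ALICE", "RCPT", "+TO:<bob@example.com>"))
    for _ in range(2):
        lines.append(_entry("192.168.1.20", "MFP-LOBBY", "MAIL", "+FROM:<scanner@example.com>"))
        lines.append(_entry("192.168.1.20", "MFP-LOBBY", "RCPT", "+TO:<alice@example.com>"))
    for i in range(60):
        lines.append(_entry("192.168.1.77", "PC-SALES04", "MAIL", "+FROM:<postmaster@example.com>"))
        for j in range(3):
            lines.append(_entry("192.168.1.77", "PC-SALES04", "RCPT",
                                f"+TO:<victim{i}-{j}@example.net>"))
    return lines


SAMPLE_LOG = _build_sample()


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or foreign line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def summarise(lines):
    """Per client IP: MAIL FROM count, RCPT TO count, set of claimed senders."""
    stats = defaultdict(lambda: {"mail": 0, "rcpt": 0, "senders": set()})
    for rec in parse_w3c(lines):
        ip, verb = rec["c-ip"], rec["cs-method"].upper()
        if verb == "MAIL":
            stats[ip]["mail"] += 1
            m = re.search(r"<([^>]*)>", rec.get("cs-uri-query", ""))
            if m:
                stats[ip]["senders"].add(m.group(1).lower())
        elif verb == "RCPT":
            stats[ip]["rcpt"] += 1
    return dict(stats)


def suspects(stats, mail_threshold=50, forged_locals=("postmaster", "admin")):
    """Clients that submit unusually many messages or claim a system sender.
    Returned as (ip, [reasons]) sorted by MAIL count, busiest first."""
    out = []
    for ip, s in stats.items():
        reasons = []
        if s["mail"] >= mail_threshold:
            reasons.append(f"{s['mail']} MAIL FROM / {s['rcpt']} RCPT TO")
        forged = sorted(a for a in s["senders"] if a.split("@")[0] in forged_locals)
        if forged:
            reasons.append("claims to be " + ", ".join(forged))
        if reasons:
            out.append((ip, reasons))
    return sorted(out, key=lambda item: -stats[item[0]]["mail"])


if __name__ == "__main__":
    for ip, reasons in suspects(summarise(SAMPLE_LOG)):
        print(ip, "->", "; ".join(reasons))
```

Point the script at the real log files (one per day, under the SMTP virtual server's logging directory) instead of SAMPLE_LOG, and pick a MAIL threshold that fits your traffic; the hostname column (cs-username in the header above) is what the client sent in HELO/EHLO, so treat the c-ip column as the reliable identifier.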




s10blazed -> RE: Spam problems (8.Feb.2008 11:43:23 AM)

I am also in this situation and am looking for some tips.

All of my suspicious mail going out is addressed from postmaster or admin. The server PC does not appear to be infected, based on multiple scans and the fact that it is never used as a workstation to open/check email or for internet browsing.

Where can I check logs of who is sending these messages?




a.grogan -> RE: Spam problems (8.Mar.2008 1:34:13 PM)

Hiya, I did a series on this; however, I covered such a question here: http://telnetport25.wordpress.com/2007/12/09/exchange-2003-spam-attack-internal-external-part-2-open-relay%e2%80%a6/

I hope that this helps.

Cheers

A




ik8sqi -> RE: Spam problems (30.Mar.2008 5:18:48 PM)

It may be too late, but I'll reply anyway...
Please note that many, many viruses/trojans will *not* use your Exchange server when clients get infected. The malware will instead send the emails directly to the internet from the infected client. The only way to detect this traffic then is by monitoring the firewall and/or the main switches all the clients' traffic goes through on the way out to the internet. You will need to monitor outgoing TCP traffic on port 25. You should not see any traffic at all except originating from your Exchange server's IP address. If some of your clients are using their workstations to send out their personal emails, you may see a handful of outgoing connections to various ISP providers.
You will *easily* figure out what is legitimate traffic and what is caused by viruses, as in the latter case you will often see numbers in the 10,000+ emails per hour being sent.
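The firewall-side check described above, as an added example that is not part of the original post: count new outbound TCP connections to port 25 per source host and hour, ignore the Exchange server, and flag everything else. The log format parsed here is a constructed netfilter-style "kernel:" line; adapt LOG_RE to whatever your firewall or switch exports. Only packets carrying the SYN flag are counted, so a flow logged packet by packet is still one connection. The per-hour threshold is a parameter and is set low so the demo stays small; a real bot, as the post says, can reach tens of thousands per hour.

```python
"""Spot workstations talking SMTP straight to the Internet, from firewall logs.

Added example, not code from the thread. The malware case described in the
post bypasses Exchange entirely, so the evidence lives in the firewall or core
switch, not on the mail server. This reads netfilter-style "kernel:" log lines
(a constructed format; adapt LOG_RE to your firewall), keeps only new outbound
TCP connections to the SMTP port (the SYN), buckets them per source host and
hour, and flags any source that is not an approved mail server.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+)\s+SPT=\d+\s+DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)

# Assumed address of the Exchange server: the only host allowed to use TCP/25 outbound.
MAIL_SERVERS = frozenset({"10.0.0.5"})


def _fw(ts, src, dst, dpt, flags="SYN"):
    """Constructed netfilter LOG line for one outbound packet."""
    return (f"{ts} fw kernel: FORWARD IN=eth1 OUT=eth0 SRC={src} DST={dst} "
            f"LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=3456 "
            f"DPT={dpt} WINDOW=65535 RES=0x00 {flags} URGP=0")


def _build_sample():
    """Constructed hour of traffic: the mail server, one personal mail client,
    one infected workstation, plus noise that must be ignored."""
    lines = []
    for i in range(40):  # Exchange server sending legitimate mail
        lines.append(_fw(f"Jun 29 16:{i % 60:02d}:10", "10.0.0.5",
                         f"203.0.113.{i % 50 + 1}", 25))
    for k, dst in enumerate(("198.51.100.10", "198.51.100.11", "198.51.100.12")):
        lines.append(_fw(f"Jun 29 16:05:{k:02d}", "192.168.1.31", dst, 25))
    for i in range(120):  # infected workstation: 120 new SMTP connections in one hour
        lines.append(_fw(f"Jun 29 16:{i % 60:02d}:{(i * 7) % 60:02d}", "192.168.1.77",
                         f"203.0.113.{i % 50 + 1}", 25))
    # Follow-up packets of an existing flow: logged, but not new connections.
    lines.append(_fw("Jun 29 16:30:00", "192.168.1.77", "203.0.113.3", 25, flags="ACK"))
    lines.append(_fw("Jun 29 16:30:01", "192.168.1.77", "203.0.113.3", 25, flags="ACK PSH"))
    # Noise: web traffic and a UDP line.
    lines.append(_fw("Jun 29 16:31:00", "192.168.1.20", "203.0.113.80", 80))
    lines.append("Jun 29 16:31:05 fw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.1.20 "
                 "DST=203.0.113.53 LEN=60 PROTO=UDP SPT=5353 DPT=53 LEN=40")
    return lines


SAMPLE_LOG = _build_sample()


def new_smtp_connections(lines, port=25):
    """Yield (timestamp, src, dst) for each outbound TCP SYN to `port`."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != port:
            continue
        if "SYN" not in m["rest"].split():
            continue  # not a new connection; every packet of a flow may be logged
        yield m["ts"], m["src"], m["dst"]


def report(lines, mail_servers=MAIL_SERVERS, port=25, per_hour_threshold=100):
    """Per source that is not an approved mail server:
    [(hour, new connections, distinct destinations, verdict)], hours in order."""
    per_hour = Counter()
    dsts = defaultdict(set)
    for ts, src, dst in new_smtp_connections(lines, port):
        hour = ts[:-6]  # "Jun 29 16:13:51" -> "Jun 29 16"
        per_hour[(src, hour)] += 1
        dsts[(src, hour)].add(dst)
    out = defaultdict(list)
    for (src, hour), n in sorted(per_hour.items()):
        if src in mail_servers:
            continue
        verdict = "likely spam bot" if n >= per_hour_threshold else "review: user mail client?"
        out[src].append((hour, n, len(dsts[(src, hour)]), verdict))
    return dict(out)


if __name__ == "__main__":
    for src, rows in report(SAMPLE_LOG).items():
        for hour, n, ndst, verdict in rows:
            print(f"{src}: {n} new SMTP connections to {ndst} hosts in hour '{hour}' -> {verdict}")
```

Once the offending host is known, the same firewall rule that produced these logs can be flipped from LOG to DROP for everything except the mail server, which also stops the next infected machine before it gets the public IP blacklisted.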



