
Exchange Server Forums


Stopping spambots

Stopping spambots - 28.Mar.2012 12:46:00 PM   
isdpcman

 

Posts: 158
Joined: 3.Apr.2006
Status: offline
One of the PCs on the LAN apparently has a SPAMBOT that's sending out thousands of SPAM emails and we need to stop this as our IP has been blocked by blacklist companies and pretty much shut down the ability to send email.

How can I determine where this junk email is coming from? Is there a way to prevent this crap in the future? The user accounts are locked down already.

Any help is appreciated.
Post #: 1
RE: Stopping spambots - 28.Mar.2012 12:54:41 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
How were you able to determine the Spam is coming from a PC?
Do you allow TCP 25 traffic to Exchange from your PCs?
Do you have any way to "sniff" traffic for either SMTP or MAPI communications between your PCs and Exchange?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to isdpcman)
Post #: 2
RE: Stopping spambots - 28.Mar.2012 12:56:49 PM   
isdpcman

 

Posts: 158
Joined: 3.Apr.2006
Status: offline
It's not on the server as no one has access to it so I'm assuming it's on a PC.

We don't have firewalls running on the PC side. All mail goes through Outlook to the Exchange server.

(in reply to uemurad)
Post #: 3
RE: Stopping spambots - 28.Mar.2012 2:20:14 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Have you observed the unwanted outbound traffic? If so, was it in the form of analyzing your SMTP logs, a report from your ISP, from your networking/firewall team?

I ask because the origination of the messages can dictate the strategy of stopping them.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to isdpcman)
Post #: 4
RE: Stopping spambots - 29.Mar.2012 12:59:32 PM   
isdpcman

 

Posts: 158
Joined: 3.Apr.2006
Status: offline
We noticed tons of NDRs in the logs and a huge amount of activity on the server. We then got a notification from a spam blacklist site with an attachment, the email going out (it was one of those SPAM letters from S. Africa about inheriting money, etc.).

I'm not an Exchange guru so I don't know where to look for more info.

(in reply to uemurad)
Post #: 5
RE: Stopping spambots - 29.Mar.2012 1:57:53 PM   
uemurad

 

Posts: 8232
Joined: 7.Jan.2004
From: California, USA
Status: offline
Was the attachment sent to you by the blacklist company intact? In other words, can you get the Header information from it? It may have clues as to where the spam originated.

Also, if you have SMTP logging enabled, and the attack was carried out via SMTP, you should be able to find that in the logs.

If the attack came from an infected workstation in your environment, there are two main methods of spamming. If the attack uses an SMTP engine, once again you'll see evidence in the SMTP logs (provided they were enabled during the attack). If the attack uses a MAPI connection (how Outlook connects to Exchange), it can be difficult to track from the server-side, but hopefully you had AntiVirus software on the workstations that should have noticed something.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange (2007-2011)
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to isdpcman)
Post #: 6
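
The SMTP-log check suggested in post #6, as an added example that is not part of any post in this thread: it ranks internal clients by the number of RCPT commands they issued. It assumes the log is in W3C extended format with the `c-ip` and `cs-method` fields enabled; the subnet, threshold and sample records are constructed. Mail submitted over MAPI does not pass through this log.

```python
from collections import Counter
import ipaddress

# Constructed sample (addresses and mailboxes are made up). Real logs contain
# whichever fields were enabled in the SMTP virtual server's logging settings.
SAMPLE_LOG = """\
#Date: 2012-03-28 10:00:00
#Fields: date time c-ip cs-method cs-uri-query sc-status
2012-03-28 10:00:01 10.0.0.23 HELO +pc23 250
2012-03-28 10:00:01 10.0.0.23 MAIL +FROM:<a@example.com> 250
2012-03-28 10:00:02 10.0.0.23 RCPT +TO:<v1@example.net> 250
2012-03-28 10:00:02 10.0.0.23 RCPT +TO:<v2@example.net> 250
2012-03-28 10:00:02 10.0.0.23 RCPT +TO:<v3@example.org> 250
2012-03-28 10:00:03 10.0.0.23 RCPT +TO:<v4@example.org> 250
2012-03-28 10:00:05 10.0.0.40 RCPT +TO:<boss@example.com> 250
2012-03-28 10:00:07 192.0.2.10 RCPT +TO:<u1@example.com> 250
2012-03-28 10:00:07 192.0.2.10 RCPT +TO:<u2@example.com> 250
2012-03-28 10:00:07 192.0.2.10 RCPT +TO:<u3@example.com> 250
2012-03-28 10:00:09 10.0.0.23 RCPT
"""

def parse_w3c(lines):
    """Yield one dict per record, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def rcpt_counts(lines):
    """Count RCPT commands (one per recipient) for each client IP."""
    counts = Counter()
    for rec in parse_w3c(lines):
        ip = rec.get("c-ip", "-")
        if rec.get("cs-method", "").upper() == "RCPT" and ip != "-":
            counts[ip] += 1
    return counts

def suspects(lines, internal_net="10.0.0.0/24", threshold=3):
    """Internal clients at or above the threshold, busiest first."""
    net = ipaddress.ip_network(internal_net)  # assumed LAN range
    return [(ip, n) for ip, n in rcpt_counts(lines).most_common()
            if n >= threshold and ipaddress.ip_address(ip) in net]

if __name__ == "__main__":
    print(suspects(SAMPLE_LOG.splitlines()))
```

A workstation that normally sends only through Outlook should not appear here at all, so any internal address in the result is worth a closer look.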
RE: Stopping spambots - 25.Jul.2012 4:00:50 AM   
Hansy123

 

Posts: 10
Joined: 23.Jul.2012
Status: offline
Have you scanned your PC? What is the result shown by it? If you had an antivirus, it might have popped up an error or a virus happening in your PC!
Post #: 7
