Exchange 2003 - tracking spam

    Question

  • I inherited a Windows 2003 server with Exchange built in. I have installed all the updates and run a virus scan on it and the other servers on the system. Also, from reading the board, I determined that it is not an open Exchange, so in concept only valid users are able to send e-mail.

    From looking at the System Manager -> Servers -> <server> -> Queues I can see there are e-mails that should not be there.

    So the basic question is: how do I determine where they are coming from, and how do I stop them?

    As a side note, I did get one of the e-mails from a spam company and blocked the IP address it came from, which stopped it for a while, but I can't figure out where to get that information from Exchange, and it seems like the hard way of doing this.


    John J. Hughes II
    www.functioninternational.com
    Wednesday, January 18, 2012 9:16 PM

Answers

  • I would advise that you get AV installed on your clients and manage it. If account details have been compromised then you can't do much but change all accounts; however, this really doesn't prevent it from happening again, and there isn't much you can do on the Exchange side apart from what has already been mentioned.
    Sukh
    • Marked as answer by jjhii Wednesday, January 25, 2012 6:58 PM
    Wednesday, January 25, 2012 4:38 PM

All replies

  • 1. Check the message headers and see what they say
    2. Are you sure they're not NDRs?
    3. Also, to reduce this, I suggest that you deploy AV/AS on your Exchange server


    Sukh
    Wednesday, January 18, 2012 10:50 PM
  • Not sure about anything at this point, but would guess they are messages. We have AV/AS but it only deals with incoming spam, not sending. Can you recommend a product for handling both, or at least outgoing?

    I have verified everything based on the below link...

    http://technet.microsoft.com/en-us/magazine/2006.01.stopspam.aspx

    How would I go about seeing the message headers? I look in the queues and can see the message properties, but other than subject/from/to/size/status I don't see anything about headers.

    Also, is it possible to see who the user is in the current session?


    John J. Hughes II
    www.functioninternational.com
    Thursday, January 19, 2012 12:59 AM
  • The most common reason for the problem you are seeing is as follows:

    1. Spammers from outside are sending you spam to invalid recipients.
    2. Your Exchange is generating NDRs for these recipients.

    The solution to this is to reject emails to invalid recipients immediately without generating NDRs. This is done by enabling:
    'Filter emails who are not in the Directory'

    ...under Global Settings | Message Delivery <properties> | Recipient Filtering

    You should also enable tar pitting with that. Check full details from here:
    http://www.exchangeinbox.com/article.aspx?i=49


    IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
    Thursday, January 19, 2012 7:54 AM
  • Ok, the 'filter recipients who are not in the directory' and 'tar pitting' were both already enabled.

    I did find a bunch of users from 1 IP address, so I blocked it and also blocked another IP address and ran the 'aqadmcli.exe' program to purge my queue. I currently have no spam going through, again.

    I assume an account has been compromised, so I am going through the logs in an attempt to figure out who it is and change their password. Not sure how much luck I will have with that one.


    John J. Hughes II
    www.functioninternational.com
    Thursday, January 19, 2012 2:11 PM
  • Ok, first of all thanks for the help so far...

    Ok, between setting a blacklist for both the IP address and the sender's address I have stopped the flow. I am assuming this will not last long without a better fix, so could someone help me understand some settings.

    SMTP Virtual Server Properties -> Access (tab) -> Authentication

    There are a few check boxes and a Users button. I have set the Users button to Windows users, but I also have the other three main check boxes set. I would think that setting the "Anonymous access" option would be bad, but if I uncheck it a lot of people can't see e-mail in our company. It seems they have set up e-mail addresses that don't have Windows user names related to them. Is there a way to uncheck "Anonymous access" and still allow non-users to send e-mail?


    John J. Hughes II
    www.functioninternational.com
    Thursday, January 19, 2012 10:05 PM
  • Hi John,

    Is there a way to uncheck "Anonymous access" and still allow non-users to send e-mail?

    No. If you disable anonymous access on your server, unauthorized users cannot access it.

    Note: Do not disable anonymous access on your Internet bridgehead SMTP virtual servers. SMTP virtual servers that accept mail from the Internet must allow anonymous access.

    You can find details in this document:

    Securing Your Exchange Server
    http://technet.microsoft.com/en-us/library/bb123843(EXCHG.65).aspx

    Thanks,

    Evan


    Evan Liu
    TechNet Community Support


    Friday, January 20, 2012 3:53 AM
    Moderator
  • Thanks, seems there is no way to stop the spam :(
    John J. Hughes II
    www.functioninternational.com
    Friday, January 20, 2012 4:24 PM
  • Have you got an AS product?

    Have you setup SPF records?


    Sukh
    Friday, January 20, 2012 8:24 PM
  • We have an incoming AS product (MailWatch), but it does not handle outgoing from what I can tell.

    Did not know what SPF is, but from a quick search ("Sender Policy Framework") it sounds like a whitelist of sorts; that would be very helpful, I think.

    Any suggestion on configuration?  I will start searching now... 


    John J. Hughes II
    www.functioninternational.com
    Friday, January 20, 2012 8:45 PM
  • If spam is generated from inside, then

    1. Make sure your clients have AV

    2. Put AS on your exchange server.

    3. SPF - Specify which servers are allowed to send e-mail for your SMTP domain.


    Sukh
    Friday, January 20, 2012 9:35 PM
  • Well, the AV on clients is hard to control :(

    Can you recommend an AS for outgoing?

    I have added SPF to the DNS using the MS wizard. The wizard now shows spf.domain.com as having an SPF; is that how it must be looked up? The wizard does not show one for domain.com without the spf.

    So far I am blocking the spam by blocking IP addresses. I look in "SMTP / Current Users" and all of a sudden there are dozens of users with external IP addresses. I terminate all and then block the address. I use the aqadmcli.exe tool to purge the spam. I also blacklist the domain of the e-mail; the list is growing. Then everything is OK for a while (but I am losing).

    So in my opinion the spam is from outside, but I am not sure how to block the spammers and not block my own users. If it is one of our users I will change their password and block them until they have fixed their computer, but I am still trying to determine what user name is connecting to the server; is there a way of determining this?


    John J. Hughes II
    www.functioninternational.com
    Friday, January 20, 2012 9:50 PM
  • The SPF records need to be created on the public DNS. They need to be created properly.

    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

    I still don't understand what messages you are seeing; can you paste the headers of one message here?


    Sukh
    Friday, January 20, 2012 10:50 PM
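Added example (not code from the thread or from Microsoft's Sender ID wizard) to make the SPF advice above concrete: the record is a TXT entry on the mail domain's own name in the public zone, and a receiving server evaluates it against the IP address that connected to it. The evaluator below takes a lookup function so it runs offline against a constructed zone; the names and addresses in SAMPLE_ZONE are invented, and only the ip4, ip6, a, mx, include and all mechanisms are implemented (no macros, exists or ptr, no CIDR suffix on a/mx, and redirect= is ignored). One caveat worth stating: SPF is checked by other sites on mail claiming to come from your domain, so publishing a record does not stop a spammer who authenticates to your own server with a stolen password; it only lets receivers reject forgeries of your domain sent from elsewhere.

```python
"""Minimal SPF (RFC 7208) evaluator with an injected DNS lookup.

Added example, not from the thread. SAMPLE_ZONE is constructed: every
name and address in it is invented for illustration. Replace
sample_lookup with a real resolver to use it against live DNS.
"""
import ipaddress

# Constructed zone. The SPF TXT record sits on the apex name
# "example.com" (the domain in MAIL FROM), not on "spf.example.com":
# receivers never consult a subdomain when checking example.com.
SAMPLE_ZONE = {
    ("example.com", "TXT"): [
        "v=spf1 mx a:exchange.example.com include:_spf.hoster.example -all"
    ],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("exchange.example.com", "A"): ["203.0.113.25"],
    ("_spf.hoster.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    # Mis-placed record, as in the wizard question above: only the
    # subdomain has one, so a check for misconfigured.example finds nothing.
    ("spf.misconfigured.example", "TXT"): ["v=spf1 ip4:203.0.113.10 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def sample_lookup(name, rtype):
    """Offline stand-in for DNS: returns a list of record strings."""
    return SAMPLE_ZONE.get((name.lower(), rtype), [])


def get_spf_record(domain, lookup):
    """Exactly one v=spf1 TXT record is required; zero or several yields None."""
    records = [r for r in lookup(domain, "TXT")
               if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_spf(ip, domain, lookup, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                       # RFC 7208 bounds include recursion
        return "permerror"
    record = get_spf_record(domain, lookup)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version token
        if "=" in term:                  # redirect=/exp= modifiers: not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # a network of the other address family never contains addr
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, lookup, depth + 1) == "pass"
        else:                            # exists, ptr, macros: unsupported here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for probe in ("203.0.113.10", "203.0.113.25", "198.51.100.77", "115.241.183.197"):
        print(probe, "as example.com:", check_spf(probe, "example.com", sample_lookup))
    print("203.0.113.10 as misconfigured.example:",
          check_spf("203.0.113.10", "misconfigured.example", sample_lookup))
```

Running the module prints one verdict per probe address; the misconfigured.example entry shows why a record published only at spf.<domain> does nothing for <domain>: the query for the apex finds no record and the result is none, so receivers fall back to treating the mail as unverified.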
  • I used the wizard from your link to create the SPF records. The wizard is able to put in the records.

    Our server hosts the public DNS.

    I don't have any spam on the system at the moment; will try to send more data when I do...

    But I don't know how to get the headers, could you explain?

    Exchange -> Servers -> <name> -> queues -> find messages -> properties. (gives me the properties, no headers)

    Exchange -> Servers -> <name> -> SMTP -> virtual server -> current users. (gives me IP of logged on users)

    *****************

    I did find in directory "C:\Program Files\Exchsrvr\Mailroot\vsi 1\Filter" a bunch of TMP files which seem to contain messages. Below is one:

    Received: from User ([115.241.183.197]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
      Fri, 20 Jan 2012 22:01:05 -0500
    Reply-To: <microawrdclaim@9.cn>
    From: "Msn/ Yahoo Lottery Board UK."<microawrdclaims@hotmail.com>
    Subject: Congratulations You Email Have Won 500,000GBP
    Date: Sat, 21 Jan 2012 08:30:52 +0530
    MIME-Version: 1.0
    Content-Type: multipart/related;
     boundary="----=_NextPart_000_0011_01C2A9A6.319518AC"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    Return-Path: microawrdclaims@hotmail.com
    Message-ID: <DLBSBSnLOyDc41W2ufy00000559@exchange.deliberant.net>
    X-OriginalArrivalTime: 21 Jan 2012 03:01:05.0769 (UTC) FILETIME=[EABF4590:01CCD7E8]

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0011_01C2A9A6.319518AC
    Content-Type: text/html;
     charset="Windows-1251"
    Content-Transfer-Encoding: 7bit

    <HTML><HEAD><TITLE></TITLE>
    </HEAD>
    <BODY bgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5>
    <FONT size=2 color=#000000 face="Arial">


    John J. Hughes II
    www.functioninternational.com
    Saturday, January 21, 2012 1:59 PM
  • Whose domain is @9.cn?
    Sukh
    Saturday, January 21, 2012 5:03 PM
  • Your guess is as good as mine, it has nothing to do with our company.

    http://www.whois.net/whois/9.cn

    [Querying whois.cnnic.net.cn]
    [whois.cnnic.net.cn]
    Domain Name: 9.cn
    ROID: 20030311s10001s00033412-cn
    Domain Status: clientDeleteProhibited
    Domain Status: clientUpdateProhibited
    Domain Status: clientTransferProhibited
    Registrant ID: ename_f9oofhze93
    Registrant Organization: 厦门易名网络科技有限公司
    Registrant Name: 孔德菁
    Registrant Email: www@ename.cn
    Sponsoring Registrar: 厦门易名网络科技有限公司
    Name Server:ns1.ename.net
    Name Server:ns2.ename.net
    Name Server:ns3.ename.net
    Name Server:ns4.ename.net
    Name Server:ns5.ename.net
    Name Server:ns6.ename.net
    Registration Date: 2003-03-17 12:20:05
    Expiration Date: 2021-03-17 12:48:36
    Dnssec Deployment: N

    (Bing translation: Xiamen ename network technology Corporation / Kong Dejing)


    John J. Hughes II
    www.functioninternational.com
    Saturday, January 21, 2012 9:54 PM
  • This is another header... again, none of the data in the mail is for our company.

    Received: from User ([65.49.88.241]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
      Sat, 21 Jan 2012 15:27:48 -0500
    Reply-To: <davemehma@blumail.org>
    From: "David Mehma"<mehmamehma@mail.mn>
    To: mehmamehma@mail.mn
    Subject: We need your guidance
    Date: Sat, 21 Jan 2012 12:27:54 -0800
    MIME-Version: 1.0
    Content-Type: text/plain;
     charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Return-Path: mehmamehma@mail.mn
    Message-ID: <DLBSBSAs0AokvJOJmlc00000ee4@exchange.deliberant.net>
    X-OriginalArrivalTime: 21 Jan 2012 20:27:49.0055 (UTC) FILETIME=[246C34F0:01CCD87B]

    Compliments of the season,


    John J. Hughes II
    www.functioninternational.com
    Saturday, January 21, 2012 9:55 PM
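To read the headers posted above, the line that matters is the topmost Received header: exchange.deliberant.net wrote it when a client at 65.49.88.241 connected and announced itself as "User" in HELO, and the Message-ID carries the server's own name, which means the message was handed to this server directly rather than relayed in by another MTA. The parser below is an added example, not code from the thread: SAMPLE_SPAM is the header block posted above with the body omitted, SAMPLE_LEGIT is constructed to show a two-hop message from a real mail server, and OUR_HOSTS and INTERNAL_NETS are assumptions for the example.

```python
"""Extract the entry hop from Received headers and triage it.

Added example, not from the thread. SAMPLE_SPAM is the header block
posted above (body omitted); SAMPLE_LEGIT is constructed. OUR_HOSTS and
INTERNAL_NETS are assumptions for this example.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_SPAM = """Received: from User ([65.49.88.241]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
  Sat, 21 Jan 2012 15:27:48 -0500
Reply-To: <davemehma@blumail.org>
From: "David Mehma"<mehmamehma@mail.mn>
To: mehmamehma@mail.mn
Subject: We need your guidance
Return-Path: mehmamehma@mail.mn
Message-ID: <DLBSBSAs0AokvJOJmlc00000ee4@exchange.deliberant.net>
"""

# Constructed: mail from another site's MTA, then passed to an internal
# server. Received headers are prepended, so the top one is the newest hop.
SAMPLE_LEGIT = """Received: from exchange.deliberant.net ([10.0.5.11]) by DLBSBS with Microsoft SMTPSVC(6.0.3790.4675);
  Sun, 22 Jan 2012 09:00:00 -0500
Received: from mail.partner.example (mail.partner.example [192.0.2.8]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
  Sun, 22 Jan 2012 08:59:58 -0500
From: "Alice" <alice@partner.example>
To: bob@deliberant.net
Subject: Meeting notes
Message-ID: <20120122135958.ABC123@mail.partner.example>
"""

OUR_HOSTS = {"exchange.deliberant.net", "dlbsbs"}          # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # assumption

# "from <helo> (<optional rdns> [<ip>]) by <host>" covers the IIS/Exchange
# form "from User ([1.2.3.4])" and the sendmail/postfix form "from helo (rdns [1.2.3.4])".
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s()\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)", re.IGNORECASE)


def parse_received(headers_text):
    """Return hops, newest first, as dicts with helo, rdns, ip and by."""
    msg = message_from_string(headers_text)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value)       # unfold continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append(m.groupdict())
    return hops


def entry_hop(hops):
    """The hop where mail first reached one of our servers from a
    non-internal address, or None if every hop is internal."""
    for hop in reversed(hops):                  # walk from the oldest hop
        ip = ipaddress.ip_address(hop["ip"])
        if hop["by"].lower() in OUR_HOSTS and not any(ip in n for n in INTERNAL_NETS):
            return hop
    return None


def triage(headers_text):
    """The facts needed to decide between blocking an IP and resetting a
    password: the connecting IP, what the client called itself, whether our
    server minted the Message-ID (direct submission, not a relay from another
    MTA) and the claimed sender domain."""
    msg = message_from_string(headers_text)
    hop = entry_hop(parse_received(headers_text))
    msgid = (msg.get("Message-ID") or "").strip("<> ")
    return {
        "client_ip": hop["ip"] if hop else None,
        "helo": hop["helo"] if hop else None,
        # A bare word such as "User" is not a host name; real MTAs send a
        # fully qualified name in HELO/EHLO.
        "helo_is_fqdn": bool(hop and "." in hop["helo"]),
        "submitted_here": msgid.rpartition("@")[2].lower() in OUR_HOSTS,
        "sender_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower(),
    }


if __name__ == "__main__":
    for label, text in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        print(label, triage(text))
```

For the posted header the triage reports the IP to block, a HELO string that is not a host name, a Message-ID minted by the local server, and a sender domain that is not the company's; taken together those say "someone submitted this to us directly", which is the authenticated-client pattern rather than an open relay.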
  • Go to MX Toolbox, put in your MX info and see what the results are for an SMTP relay test.

    http://www.mxtoolbox.com/


    Sukh
    Saturday, January 21, 2012 10:32 PM
  • It says relay access denied.

    Session Transcript:

    HELO please-read-policy.mxtoolbox.com
    250 spam.deliberant.com [31 ms]
    MAIL FROM: <supertool@mxtoolbox.com>
    250 2.1.0 Ok [31 ms]
    RCPT TO: <test@example.com>
    554 5.7.1 <test@example.com>: Relay access denied [47 ms]
    QUIT
    221 2.0.0 Bye [31 ms]

    John J. Hughes II
    www.functioninternational.com
    Saturday, January 21, 2012 11:20 PM
  • Use message tracking and see if you can find any message info for one of the messages above in there.

    Also, check your SMTP logs and see what they say.


    Sukh
    Saturday, January 21, 2012 11:48 PM
  • Ok, after looking at them, then what?

    Message tracking - Message history

    left shows

    • <server name>
    • ---- boogeyman.armory.com
    • ---- phurmey.dirac.net
    • ---- mx.fakemx.net

    right shows

    • SMTP: Message submitted to advanced queuing
    • SMTP: Started message submission to advanced queue
    • SMTP: Message submitted to categorizer
    • SMTP: Message categorized and queued for routing
    • SMTP: Message routed and queued for remote delivery
    • SMTP: Started outbound transfer of message
    • .... (lots more; basically it fails and generates an NDR)

    The log file, a few lines at least. From what I can tell "User" sent them... any way to get a better description?

    # Date	Time	client-ip	Client-hostname	Partner-Name	Server-hostname	server-IP	Recipient-Address	Event-ID	MSGID	Priority	Recipient-Report-Status	total-bytes	Number-Recipients	Origination-Time	Encryption	service-Version	Linked-MSGID	Message-Subject	Sender-Address
    2012-1-9	0:0:4 GMT	75.147.74.82	User	-	DLBSBS	10.0.5.11	tatyana.heredia@turner.com	1020	DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net	3	0	91347	50	2012-1-8 14:24:10 GMT	0	Version: 6.0.3790.4675	-	 MisteryShopper	mistery.shopper@mistery.com	-
    2012-1-9	0:0:4 GMT	75.147.74.82	User	-	DLBSBS	10.0.5.11	tatyanak@ukr.net	1020	DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net	3	0	91347	50	2012-1-8 14:24:10 GMT	0	Version: 6.0.3790.4675	-	 MisteryShopper	mistery.shopper@mistery.com	-
    2012-1-9	0:0:4 GMT	75.147.74.82	User	-	DLBSBS	10.0.5.11	tatsugrl@telus.net	1020	DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net	3	0	91347	50	2012-1-8 14:24:10 GMT	0	Version: 6.0.3790.4675	-	 MisteryShopper	mistery.shopper@mistery.com	-
    


    John J. Hughes II
    www.functioninternational.com
    Sunday, January 22, 2012 2:44 AM
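The tracking-log rows above already carry what is needed to locate the source: client-ip is the connecting address, Client-hostname is the string the client gave in HELO (the same "User" that the Received headers show), one row is written per recipient of a MSGID, and Number-Recipients gives the total. What the tracking log does not carry is the account used to authenticate; for that, the SMTP virtual server's own protocol log (W3C extended format, switched on under the virtual server's General tab and written under %SystemRoot%\System32\LogFiles\SMTPSVC1) records the authenticated account in its cs-username column once the client has issued AUTH, which is the column a compromised-password hunt needs. The analyzer below is an added example, not code from the thread: the "MisteryShopper" rows are the ones posted above rebuilt with explicit tabs, the final row is constructed to show a submission that is not flagged, and INTERNAL_NETS, OUR_DOMAINS and the bulk threshold are assumptions.

```python
"""Group Exchange 2003 message-tracking rows by message and flag bulk
submissions that came from outside the LAN.

Added example, not from the thread. The three "MisteryShopper" rows are
the ones posted above, rebuilt with explicit tabs; the last row is
constructed. INTERNAL_NETS, OUR_DOMAINS and the threshold are assumptions.
"""
import ipaddress

HEADER = ("# Date\tTime\tclient-ip\tClient-hostname\tPartner-Name\tServer-hostname\t"
          "server-IP\tRecipient-Address\tEvent-ID\tMSGID\tPriority\t"
          "Recipient-Report-Status\ttotal-bytes\tNumber-Recipients\tOrigination-Time\t"
          "Encryption\tservice-Version\tLinked-MSGID\tMessage-Subject\tSender-Address")


def _row(client_ip, client_host, recipient, msgid, nrcpt, subject, sender):
    """One tab-separated tracking row in the column order of HEADER."""
    return "\t".join(["2012-1-9", "0:0:4 GMT", client_ip, client_host, "-", "DLBSBS",
                      "10.0.5.11", recipient, "1020", msgid, "3", "0", "91347", str(nrcpt),
                      "2012-1-8 14:24:10 GMT", "0", "Version: 6.0.3790.4675", "-",
                      subject, sender, "-"])


SPAM_ID = "DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net"
SAMPLE_LOG = "\n".join([
    HEADER,
    _row("75.147.74.82", "User", "tatyana.heredia@turner.com", SPAM_ID, 50,
         " MisteryShopper", "mistery.shopper@mistery.com"),
    _row("75.147.74.82", "User", "tatyanak@ukr.net", SPAM_ID, 50,
         " MisteryShopper", "mistery.shopper@mistery.com"),
    _row("75.147.74.82", "User", "tatsugrl@telus.net", SPAM_ID, 50,
         " MisteryShopper", "mistery.shopper@mistery.com"),
    # Constructed: an internal workstation sending one message to one recipient.
    _row("10.0.5.42", "WS-FRONTDESK", "bob@partner.example",
         "DLBSBSconstructed0001@exchange.deliberant.net", 1, " Invoice", "john@deliberant.net"),
])

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
OUR_DOMAINS = {"deliberant.net"}                        # assumption


def parse_tracking_log(text):
    """Yield one dict per data row, keyed by the names in the '#' header line."""
    columns = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            columns = line.lstrip("# ").split("\t")
            continue
        if columns is None:
            raise ValueError("data row before header line")
        yield dict(zip(columns, line.split("\t")))     # trailing extras are dropped


def summarise(text):
    """Collapse the per-recipient rows into one record per MSGID."""
    by_msg = {}
    for r in parse_tracking_log(text):
        m = by_msg.setdefault(r["MSGID"], {
            "client_ip": r["client-ip"], "client_host": r["Client-hostname"],
            "sender": r["Sender-Address"], "subject": r["Message-Subject"].strip(),
            "declared_recipients": int(r["Number-Recipients"]), "recipients": set()})
        m["recipients"].add(r["Recipient-Address"])
    return by_msg


def suspicious(text, bulk_threshold=20):
    """Messages submitted from outside the LAN that are either bulk, or carry
    a non-company sender together with a bare (non-FQDN) HELO name."""
    findings = []
    for msgid, m in summarise(text).items():
        ip = ipaddress.ip_address(m["client_ip"])
        external = not any(ip in n for n in INTERNAL_NETS)
        foreign_sender = m["sender"].rpartition("@")[2].lower() not in OUR_DOMAINS
        bare_helo = "." not in m["client_host"]
        bulk = m["declared_recipients"] >= bulk_threshold
        if external and (bulk or (foreign_sender and bare_helo)):
            findings.append({"msgid": msgid, "block_ip": m["client_ip"],
                             "sender": m["sender"], "subject": m["subject"],
                             "recipients_seen": len(m["recipients"]),
                             "declared_recipients": m["declared_recipients"]})
    return findings


if __name__ == "__main__":
    for finding in suspicious(SAMPLE_LOG):
        print(finding)
```

Pointed at a real day's log the output is a short list of (IP, sender, subject, recipient count) tuples, which is the list of addresses to block and of messages to purge with aqadmcli; the internal row is not flagged even though its HELO is a bare workstation name, because the external-address test comes first.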
  • It seems like it may be getting sent internally from a client. Does it say "User" in the log or did you replace this? If this is the case, this PC/user needs to be tracked down. You can try using ExMerge and searching the databases for this subject. Or, if you know it's happening every x minutes, use ExMon and see who is connected to Exchange at the time to narrow it down.
    Sukh
    Sunday, January 22, 2012 3:37 AM
  • Yes, it says "User" in the log; I did not change it. I don't have a "User" account, so I am not sure what the deal with that is. Normally when users log in the name is correct, but the spam is not.

    I have ExMon running and will just leave it running for a while, but it looks like it only shows currently logged-on users, not a history?

    Still looking for a way to read the "ETL" file in the ExMon directory. (I found tracerpt.)

    I don't see how ExMerge is going to help?

    And so far I have not figured out how to determine which user is sending the spam but I agree it is most likely a user on our system.


    John J. Hughes II
    www.functioninternational.com
    • Edited by jjhii Sunday, January 22, 2012 3:11 PM found trace rpt
    Sunday, January 22, 2012 2:59 PM
  • ExMon will only show active users.

    I was thinking along the lines of using ExMon to see the active users, then keeping an eye on the spam or checking the queues, then looking at the active users in ExMon and using ExMerge to try and search their mailboxes for that subject, if it's sent from that mailbox.

    Or it may be the case that the password has been compromised and the infected PC is using those authenticated credentials. If you can monitor ExMon and see the spam at the same time, see who is connected at that time, scan those PCs and ask those users to change their password.


    Sukh
    Sunday, January 22, 2012 6:18 PM
  • Again, thanks for the help.

    Ok, I will continue to monitor; there has been no mass attack lately, but I am sure it will start again shortly.


    John J. Hughes II
    www.functioninternational.com
    Monday, January 23, 2012 2:59 PM
  • Ok, as far as I can tell the last time I was hit nobody was logged into the server; ExMon does not report anyone, at least.

    I noticed that ExMon does not report POP/SMTP and a couple of others, so it is no help.

    Now what?


    John J. Hughes II
    www.functioninternational.com
    Tuesday, January 24, 2012 2:07 AM
  • I would advise that you get AV installed on your clients and manage it. If account details have been compromised then you can't do much but change all accounts; however, this really doesn't prevent it from happening again, and there isn't much you can do on the Exchange side apart from what has already been mentioned.
    Sukh
    • Marked as answer by jjhii Wednesday, January 25, 2012 6:58 PM
    Wednesday, January 25, 2012 4:38 PM
  • Thanks again for the help... I am talking to management about either a spam solution, GFI or Vircom... Maybe going to a hosted Exchange... See what they say.
    John J. Hughes II
    www.functioninternational.com
    Wednesday, January 25, 2012 6:43 PM
  • Looks like management is going to go with Google Business Solutions; seems Exchange is just too much trouble unless you have a complete IT staff to fight with it.
    John J. Hughes II
    www.functioninternational.com
    Friday, January 27, 2012 1:00 AM
  • You can maybe compare with O365 or Exchange FOPE
    Sukh
    Friday, January 27, 2012 1:05 AM
  • Did you ever get to the bottom of this? Were account credentials compromised? Looking at the accepted answer it seems to be either AV installed (but that just helps; it doesn't actually solve it) or compromised credentials.

    Running into the same issue and it's driving me nuts. Every relay test I've tried fails. Yet the queue is filled with 50.000+ messages with headers like these:

    Received: from User ([78.100.87.123]) by somesite.com with Microsoft SMTPSVC(6.0.3790.4675);
    Sat, 1 Mar 2014 10:00:42 +0100
    Reply-To: <u_nation12@aol.com>
    From: "UN"<test@test.com>
    Subject: ATTENTION BENEFICIARY
    Date: Sat, 1 Mar 2014 12:00:20 +0300
    MIME-Version: 1.0
    Content-Type: text/plain;
    charset="Windows-1251"
    Content-Transfer-Encoding: 7bit
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    Return-Path: test@test.com
    Message-ID: <SOMESERVERRmhKuTqtA00004daa@somesite.com>
    X-OriginalArrivalTime: 01 Mar 2014 09:00:42.0420 (UTC) FILETIME=[B9826F40:01CF352C]

    TIA

    Monday, March 03, 2014 9:55 AM
  • FreakyNL,

    For a while I just blocked the IP address and deleted the spam manually. This became very time consuming, and after changing the passwords for, as far as I can tell, everyone, I gave up. We have since moved to a hosted provider. It seems Exchange is only a valid choice for full-time IT professionals, and I am not one.


    John J. Hughes II

    Monday, March 03, 2014 12:47 PM
  • Thanks for the re'.

    Never cared much for the way exchange logs. Personally I find the logging of *nix alternatives much better, but there's more than just logging I suppose.

    We found the issue. Some user deemed it wise to change the password of the 'sales' account to 'sales'. Not sure what rock they lived under for the past decade, but apparently he's quite deaf to all the news about this in the last decade from banks, governments, etc. It's been in the news plenty of times...

    I guess he got his wish. Now he'll have to admit to a password policy with some rather strong settings.

    Tuesday, March 04, 2014 10:30 AM