Spam in our Exchange Server

    Question

  • Dear All,

    Currently, there are some spam e-mails being sent out by our Exchange Server. I found that there are many spam messages in the queue.
    Any idea how to block the spam e-mail from using our Exchange Server? Thank you very much.

    Monday, November 29, 2010 6:58 AM

Answers

  • Hi,

    I would like to know why the log is showing the Exchange 2003 Computer Name instead of the SMTP User Name?

    The mails are submitted from Exchange 2003 to the Exchange 2010 server. When Exchange 2003 submits the emails to the Exchange 2010 server, it uses the Computer Name instead of an SMTP User Name for authentication (this is an authentication method between two mail servers).

    The spammer may submit the mails to your Exchange 2003 server (192.168.0.245), and your Exchange 2003 server was configured to reroute the mail through the Exchange 2010 server.

    Please check if this Exchange 2003 server is open for relaying:

    1. Open the properties of the SMTP virtual server.
    2. In the Access tab, click the Relay button.

    You can also use a relay test tool to verify if this Exchange 2003 server is open for relaying:

    Please download it from my SkyDrive:

    http://cid-2d68430fc8d84837.office.live.com/self.aspx/Tools/Relay.exe

    In the Exchange server section, type in the NetBIOS name (Computer name) of the Exchange 2003 server.

    In the Recipient section, please type in your external mail address, such as Hotmail. If you can receive the mail, your Exchange server is open for relaying.


    Also check the SMTP log at c:\windows\system32\logFiles on this exchange 2003 server.

     

    Wednesday, December 01, 2010 6:02 AM
    Moderator
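As an added example (not part of the thread or any Microsoft tool), a small Python triage script for the pattern the answer describes: a session authenticated with a computer account (the trailing `$`, as in `Domain\ServerName$`) that submits mail for a sender domain the organization does not own, which is what an upstream server relaying someone else's mail looks like from the Exchange 2010 side. The sample transcript is constructed and modelled on the SMTPReceive excerpt pasted in the thread; real Exchange protocol logs are CSV, so the parsing would need adapting to those columns.

```python
import re

# Constructed sample modelled on the SMTPReceive excerpt pasted in the thread; not the real log.
SAMPLE_LOG = """\
220 Exchange2010.Server Microsoft ESMTP MAIL Service ready at Tue, 30 Nov 2010 09:36:17 +0800
EHLO Exchange2003.Server
Domain\\ServerName$
235 2.7.0 Authentication successful
MAIL FROM:Spam@SpamerDomain.com AUTH=<>
RCPT TO:<aab@abc.com>
RCPT TO:<aaa@abc.com>
RCPT TO:<aac@abc.com>
220 Exchange2010.Server Microsoft ESMTP MAIL Service ready at Tue, 30 Nov 2010 09:40:02 +0800
EHLO Exchange2003.Server
Domain\\ServerName$
235 2.7.0 Authentication successful
MAIL FROM:<alice@abc.com>
RCPT TO:<bob@abc.com>
"""

IDENTITY_RE = re.compile(r"^[^\s\\]+\\[^\s]+$")             # DOMAIN\user or DOMAIN\host$
MAIL_FROM_RE = re.compile(r"^MAIL FROM:<?([^\s>]+)>?", re.I)

def split_sessions(log_text):
    """Each 220 banner starts a new SMTP session; return the lines of each session."""
    sessions = []
    for line in log_text.splitlines():
        if line.startswith("220 "):
            sessions.append([])
        if sessions:
            sessions[-1].append(line)
    return sessions

def triage(log_text, accepted_domains):
    """Flag sessions where a machine account (trailing '$', i.e. server-to-server auth as
    described in the thread) submits mail for a sender domain the organization does not own."""
    flagged = []
    for lines in split_sessions(log_text):
        identity, sender, rcpts = None, None, 0
        for line in lines:
            if IDENTITY_RE.match(line):
                identity = line
            elif m := MAIL_FROM_RE.match(line):
                sender = m.group(1)
            elif line.upper().startswith("RCPT TO:"):
                rcpts += 1
        domain = sender.rsplit("@", 1)[-1].lower() if sender else ""
        if identity and identity.endswith("$") and domain not in accepted_domains:
            flagged.append({"identity": identity, "sender": sender, "rcpt_count": rcpts})
    return flagged
```

Flagged sessions point at the authenticating server (here the Exchange 2003 box) rather than at a user account, which is why the 2003 server's own SMTP log and relay restrictions are the next thing to check.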

All replies

  • Hi,

    Are you sure that the mails are not just NDRs in response to spam messages?

    You need to make sure that your server is not configured to allow anonymous relay on the receive connector that receives mails from the internet.

    Leif

    Monday, November 29, 2010 8:28 AM
  • Hi Leif,

    Sorry, I have no idea on how to check this out....

    Monday, November 29, 2010 8:43 AM
  • Hi,

    You need to see if the -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient" is set on the receive connector

    (I assume that we are talking exchange 2007 or exchange 2010)

    Leif

    Monday, November 29, 2010 9:07 AM
  • I have logged the Exchange 2010 SMTPReceive log. Please kindly help to investigate how to block the spammer. Thank you very much~~

    SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders
    220 Exchange2010.Server Microsoft ESMTP MAIL Service ready at Tue, 30 Nov 2010 09:36:17 +0800
    EHLO Exchange2003.Server
    250-Exchange2010.Server Hello [192.168.0.200]
    250-SIZE
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH NTLM LOGIN
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250-XRDST
    250 XSHADOW
    X-EXPS GSSAPI
    334 <authentication response>
    334 <authentication response>
    SMTPSubmit SMTPSubmitForMLS SMTPAcceptAnyRecipient SMTPAcceptAuthenticationFlag SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit SMTPSendEXCH50 SMTPAcceptEXCH50 AcceptRoutingHeaders AcceptForestHeaders AcceptOrganizationHeaders SendRoutingHeaders SendForestHeaders SendOrganizationHeaders SendAs SMTPSendXShadow SMTPAcceptXShadow
    Domain\ServerName$
    235 2.7.0 Authentication successful
    MAIL FROM:Spam@SpamerDomain.com AUTH=<>
    08CD586979E8F437;2010-11-30T01:36:17.955Z;1
    250 2.1.0 Sender OK
    RCPT TO:<aab@abc.com>
    RCPT TO:<aaa@abc.com>
    RCPT TO:<aac@abc.com>
    RCPT TO:<aad@abc.com>

    Tuesday, November 30, 2010 1:49 AM
  • any ideas please?
    Tuesday, November 30, 2010 5:00 AM
  • Hi,

    Please check if your exchange server is open for relaying.

    If it is open for relaying, unauthorized users can use your server to send spam. Please follow these steps to check if this is the cause:

    1. Open EMC, expand to Server Configuration->Hub Transport->Receive Connectors.

    2. Open the properties of each receive connector; in the Authentication tab, make sure that the "Externally Secured" option is unchecked. If you have an application/server that needs to relay off the Exchange server, please create a new receive connector for relay and only add the IP address of this application/server to the authorized remote IP list.

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Thanks Gen Lin-MSFT
    Tuesday, November 30, 2010 6:21 AM
    Moderator
  • Hi Gen,

    I have checked all the Receive Connectors; all of them already have the "Externally Secured" option unchecked. I suspect that some user account's password has been cracked by the spammer, but I don't know how to check it.

    Do you have any ideas on checking the user accounts that are accessing the Exchange 2010 Server? Thanks a lot!

    Tuesday, November 30, 2010 8:21 AM
  • Hi,

    Please upload your 2010 SMTPReceive Log to skydrive for further research. Then please post the link here.


    Tuesday, November 30, 2010 8:28 AM
    Moderator
  • Hi,

    Please upload your 2010 SMTPReceive Log to skydrive for further research. Then please post the link here.



    Yes, I have captured a part of SMTPReceive in the above message. Please check.
    Tuesday, November 30, 2010 8:39 AM
  • Hi,

    Do you also have exchange 2003 in your organization ?

    If it's possible, please send the whole SMTPReceive log to me at v-genli#microsoft.com. Please zip the files before sending.

    Tuesday, November 30, 2010 9:24 AM
    Moderator
  • Hi,

    Do you also have exchange 2003 in your organization ?

    If it's possible, please send the whole SMTPReceive log to me at v-genli#microsoft.com. Please zip the files before sending.


    Yes, we have (2 x Exchange 2003) in our Organization. We are planning to migrate to Exchange 2010.
    However, we receive a lot of spam during the migration.

    Tuesday, November 30, 2010 9:51 AM
  • The related SMTPReceive log has been sent to you. Thank you~
    Wednesday, December 01, 2010 1:11 AM
  • Hi,

    Thanks for sending me the log file.

    From the log, I found that the spam mails are submitted from the IP 192.168.0.245. It is your local IP address. I infer that there could be a spam program running on the server which is hosting the IP 192.168.0.245. Please check it.

    Wednesday, December 01, 2010 1:58 AM
    Moderator
  • Hi Gen,

    Thanks for checking. I am thinking that the spam is coming from 192.168.0.245, which is a 2003 Exchange Server. Therefore, I have enabled the following log.

    "Diagnostic Logging" -> "SMTP Protocol" -> "Authentication"

    However, I found the log as follows.

    Event id = 1708
    SMTP Authentication was performed successfully with client "ABC.AAA".  The authentication method was "GSSAPI" and the username was "AAA\ABC$".

    AAA = Domain Name
    ABC = Exchange 2003 Computer Name

    I would like to know why the log is showing the Exchange 2003 Computer Name instead of the SMTP User Name? I want to use this log to check out which account is having the problems.

    Wednesday, December 01, 2010 3:15 AM