Exchange 2003 - tracking spam
Wednesday, January 18, 2012 9:16 PM
I inherited a Windows 2003 server with Exchange built in. I have installed all the updates and run virus scans on it and the other servers on the system. Also, from reading the board, I determined that it is not an open exchange, so in concept only valid users are able to send e-mail.
From looking at the System Manager -> Servers -> <server> -> Queues, I can see there are e-mails that should not be there.
So the basic question is: how do I determine where they are coming from, and how do I stop them?
As a side note, I did get one of the e-mails from a spam company and blocked the IP address it came from, which stopped it for a while, but I can't figure out where to get that information from Exchange and it seems like the hard way of doing this.
John J. Hughes II
www.functioninternational.com
Wednesday, January 18, 2012 10:50 PM
- Check the message headers and see what they say.
- Are you sure they're not NDRs?
- Also, to reduce this, I suggest that you deploy AV/AS on your Exchange server.
Sukh
Thursday, January 19, 2012 12:59 AM
Not sure about anything at this point, but I would guess they are messages. We have AV/AS, but it only deals with incoming spam, not sending. Can you recommend a product for handling both, or at least outgoing?
I have verified everything based on the below link...
http://technet.microsoft.com/en-us/magazine/2006.01.stopspam.aspx
How would I go about seeing the message headers? I look in the queues and can see the message properties, but other than subject/from/to/size/status I don't see anything about headers.
Also, is it possible to see who the user is in the current session?
John J. Hughes II
www.functioninternational.com
Thursday, January 19, 2012 7:54 AM
The most common reason for the problem you are seeing is as follows:
1. Spammers from outside are sending you spam to invalid recipients.
2. Your Exchange is generating NDRs for these recipients.
The solution to this is to reject emails to invalid recipients immediately without generating NDRs. This is done by enabling:
'Filter emails who are not in the Directory'...under Global Settings | Message Delivery <properties> | Recipient Filtering
You should also enable tar pitting with that. Check full details from here:
http://www.exchangeinbox.com/article.aspx?i=49
IMF Tune - Anti-spam extending the Exchange 2003, 2007, 2010 IMF/Content Filter - http://www.windeveloper.com/imftune/
Thursday, January 19, 2012 2:11 PM
Ok, the 'filter recipients who are not in the directory' and 'tar pitting' were both already enabled.
I did find a bunch of users from one IP address, so I blocked it and also blocked another IP address and ran the 'aqadmcli.exe' program to purge my queue. I currently have no spam going through, again.
I assume an account has been compromised, so I am going through the logs in an attempt to figure out who it is and change their password. Not sure how much luck I will have with that one.
John J. Hughes II
www.functioninternational.com
Thursday, January 19, 2012 10:05 PM
Ok first of all thanks for the help so far...
Ok, between setting a black list for both the IP address and the sender's address, I have stopped the flow. I am assuming this will not last long without a better fix, so it would help if someone could explain some settings.
SMTP Virtual Server Properties -> Access (tab) -> Authentication
There are a few check boxes and a Users button. I have set the Users button to Windows users, but I also have the other three main check boxes set. I would think that setting the "Anonymous access" option would be bad, but if I uncheck it a lot of people can't see e-mail in our company. It seems they have set up e-mail addresses that don't have Windows user names related to them. Is there a way to uncheck "Anonymous access" and still allow non-users to send e-mail?
John J. Hughes II
www.functioninternational.com
Friday, January 20, 2012 3:53 AM (Moderator)
Hi John,
"Is there a way to uncheck "Anonymous access" and still allow non-user to send e-mail?"
No. If you disable anonymous access on your server, unauthorized users cannot access it.
Note: Do not disable anonymous access on your Internet bridgehead SMTP virtual servers. SMTP virtual servers that accept mail from the Internet must allow anonymous access.
You can find details in this document:
Securing Your Exchange Server
http://technet.microsoft.com/en-us/library/bb123843(EXCHG.65).aspx
Thanks,
Evan
Evan Liu
TechNet Community Support
Friday, January 20, 2012 8:24 PM
Have you got an AS product?
Have you set up SPF records?
Sukh
Friday, January 20, 2012 8:45 PM
We have an incoming AS product (MailWatch), but it does not handle outgoing from what I can tell.
Did not know what SPF is, but from a quick search ("Sender Policy Framework") it sounds like a white list of sorts; that would be very helpful I think.
Any suggestion on configuration? I will start searching now...
John J. Hughes II
www.functioninternational.com
Friday, January 20, 2012 9:35 PM
If spam is generated from inside, then:
1. Make sure your clients have AV.
2. Put AS on your Exchange server.
3. SPF: specify what servers are allowed to send email for your SMTP domain.
Sukh
Friday, January 20, 2012 9:50 PM
Well the AV on clients is hard to control :(
Can you recommend an AS for outgoing?
I have added SPF to the DNS using the MS wizard. The wizard now shows spf.domain.com as having an SPF record; is that how it must look it up? The wizard does not show one for domain.com without the spf.
So far I am blocking the spam by blocking IP addresses. I look in the "SMTP / Current Users" and all of a sudden there are dozens of users with external IP addresses. I terminate them all and then block the address. I use the aqadmcli.exe tool to purge the spam. I also black list the domain of the email; the list is growing. Then everything is ok for a while (but I am losing).
So in my opinion the spam is from outside, but I am not sure how to block the spammers and not block my own users. If it is one of our users I will change their password and block them until they have fixed their computer, but I am still trying to determine what user name is connecting to the server. Is there a way of determining this?
John J. Hughes II
www.functioninternational.com
Friday, January 20, 2012 10:50 PM
The SPF records need to be created on the public DNS, and they need to be created properly.
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
I still don't understand what messages you are seeing; can you paste the headers of one message here?
Sukh
Saturday, January 21, 2012 1:59 PM
I used the wizard from your link to create the SPF records. The wizard is able to put in the records.
Our server hosts the public DNS.
I don't have any spam on the system at the moment; I will try to send more data when I do...
But I don't know how to get the headers, could you explain?
Exchange -> Servers -> <name> -> queues -> find messages -> properties. (gives me the properties, no headers)
Exchange -> Servers -> <name> -> SMTP -> virtual server -> current users. (gives me the IP of logged-on users)
*****************
I did find in the directory "C:\Program Files\Exchsrvr\Mailroot\vsi 1\Filter" a bunch of TMP files which seem to contain messages. Below is one:
Received: from User ([115.241.183.197]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
Fri, 20 Jan 2012 22:01:05 -0500
Reply-To: <microawrdclaim@9.cn>
From: "Msn/ Yahoo Lottery Board UK."<microawrdclaims@hotmail.com>
Subject: Congratulations You Email Have Won 500,000GBP
Date: Sat, 21 Jan 2012 08:30:52 +0530
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="----=_NextPart_000_0011_01C2A9A6.319518AC"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: microawrdclaims@hotmail.com
Message-ID: <DLBSBSnLOyDc41W2ufy00000559@exchange.deliberant.net>
X-OriginalArrivalTime: 21 Jan 2012 03:01:05.0769 (UTC) FILETIME=[EABF4590:01CCD7E8]
This is a multi-part message in MIME format.
------=_NextPart_000_0011_01C2A9A6.319518AC
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY bgcolor=#FFFFFF leftmargin=5 topmargin=5 rightmargin=5 bottommargin=5>
<FONT size=2 color=#000000 face="Arial">
John J. Hughes II
www.functioninternational.com
Saturday, January 21, 2012 5:03 PM
Whose domain is @9.cn?
Sukh
Saturday, January 21, 2012 9:54 PM
Your guess is as good as mine, it has nothing to do with our company.
http://www.whois.net/whois/9.cn
[Querying whois.cnnic.net.cn]
[whois.cnnic.net.cn]
Domain Name: 9.cn
ROID: 20030311s10001s00033412-cn
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientTransferProhibited
Registrant ID: ename_f9oofhze93
Registrant Organization: 厦门易名网络科技有限公司
Registrant Name: 孔德菁
Registrant Email: www@ename.cn
Sponsoring Registrar: 厦门易名网络科技有限公司
Name Server:ns1.ename.net
Name Server:ns2.ename.net
Name Server:ns3.ename.net
Name Server:ns4.ename.net
Name Server:ns5.ename.net
Name Server:ns6.ename.net
Registration Date: 2003-03-17 12:20:05
Expiration Date: 2021-03-17 12:48:36
Dnssec Deployment: N
(Bing translation: Xiamen ename network technology Corporation / Kong Dejing)
John J. Hughes II
www.functioninternational.com
Saturday, January 21, 2012 9:55 PM
This is another header... again none of the data in the mail is for our company.
Received: from User ([65.49.88.241]) by exchange.deliberant.net with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 21 Jan 2012 15:27:48 -0500
Reply-To: <davemehma@blumail.org>
From: "David Mehma"<mehmamehma@mail.mn>
To: mehmamehma@mail.mn
Subject: We need your guidance
Date: Sat, 21 Jan 2012 12:27:54 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: mehmamehma@mail.mn
Message-ID: <DLBSBSAs0AokvJOJmlc00000ee4@exchange.deliberant.net>
X-OriginalArrivalTime: 21 Jan 2012 20:27:49.0055 (UTC) FILETIME=[246C34F0:01CCD87B]
Compliments of the season,
John J. Hughes II
www.functioninternational.com
Saturday, January 21, 2012 10:32 PM
Go to MX toolbox and put in your MX info and see what the results are for an SMTP relay test.
Sukh
Saturday, January 21, 2012 11:20 PM
It says relay access denied.
Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 spam.deliberant.com [31 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Ok [31 ms]
RCPT TO: <test@example.com>
554 5.7.1 <test@example.com>: Relay access denied [47 ms]
QUIT
221 2.0.0 Bye [31 ms]
John J. Hughes II
www.functioninternational.com
Saturday, January 21, 2012 11:48 PM
Use message tracking and see if you can find any message info for one of the messages above in there.
Also, check your SMTP logs and see what they say.
Sukh
Sunday, January 22, 2012 2:44 AM
Ok, after looking at them, then what?
Message tracking - Message history
left shows
- <server name>
- ---- boogeyman.armory.com
- ---- phurmey.dirac.net
- ---- mx.fakemx.net
right shows
- SMTP: Message submitted to advanced queuing
- SMTP: started message submission to advanced queue
- SMTP: Message submitted to categorizer
- SMTP: Message categorized and queued for routing
- SMTP: Message routed and queued for remote delivery
- SMTP: Started outbound transfer of message
- .... (lots more; basically it fails and generates an NDR)
The log file, a few lines at least. From what I can tell "User" sent them... any way to get a better description?
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
2012-1-9 0:0:4 GMT 75.147.74.82 User - DLBSBS 10.0.5.11 tatyana.heredia@turner.com 1020 DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net 3 0 91347 50 2012-1-8 14:24:10 GMT 0 Version: 6.0.3790.4675 - MisteryShopper mistery.shopper@mistery.com -
2012-1-9 0:0:4 GMT 75.147.74.82 User - DLBSBS 10.0.5.11 tatyanak@ukr.net 1020 DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net 3 0 91347 50 2012-1-8 14:24:10 GMT 0 Version: 6.0.3790.4675 - MisteryShopper mistery.shopper@mistery.com -
2012-1-9 0:0:4 GMT 75.147.74.82 User - DLBSBS 10.0.5.11 tatsugrl@telus.net 1020 DLBSBSN33HFnwpGR88100003ccd@exchange.deliberant.net 3 0 91347 50 2012-1-8 14:24:10 GMT 0 Version: 6.0.3790.4675 - MisteryShopper mistery.shopper@mistery.com -
John J. Hughes II
www.functioninternational.com
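The tracking-log excerpt above answers the "which user is sending" question better than the queue view does once it is grouped by connecting IP and sender. The script below is an added example, not code from the thread or from Exchange; it assumes the log is tab-delimited with the header line shown above, that the LAN is 10.0.0.0/8, and uses constructed placeholder records rather than the thread's real addresses.

```python
import ipaddress
from collections import defaultdict

# Field names from the tracking-log header shown in the thread.
FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP "
          "Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes "
          "Number-Recipients Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed LAN range; adjust to the site

def _rec(ip, host, rcpt, msgid, subj, sender, event="1020"):
    """One constructed tab-delimited record in the layout above."""
    return "\t".join(["2012-1-9", "0:0:4 GMT", ip, host, "-", "EXCH01", "10.0.5.11", rcpt,
                      event, msgid, "3", "0", "91347", "50", "2012-1-8 14:24:10 GMT", "0",
                      "Version: 6.0.3790.4675", "-", subj, sender])

# Constructed sample log: placeholder IPs (RFC 5737) and example.* addresses.
SAMPLE_LOG = "\n".join([
    "# " + "\t".join(FIELDS),
    _rec("203.0.113.5", "User", "a@example.net", "m1@exch.example", "Shopper", "shop@example.org"),
    _rec("203.0.113.5", "User", "b@example.net", "m1@exch.example", "Shopper", "shop@example.org"),
    _rec("203.0.113.5", "User", "c@example.net", "m1@exch.example", "Shopper", "shop@example.org"),
    _rec("10.0.5.40", "WS-ALICE", "d@example.net", "m2@exch.example", "Q3 report", "alice@example.com"),
    _rec("10.0.5.40", "WS-ALICE", "d@example.net", "m2@exch.example", "Q3 report", "alice@example.com", "1025"),
])

def parse_tracking_log(text):
    """Yield one dict per record, keyed by the names in the '# ' header line."""
    names = None
    for line in text.splitlines():
        if line.startswith("#"):
            names = line.lstrip("# ").split("\t")
        elif names and line.strip():
            yield dict(zip(names, line.split("\t")))

def suspicious_submissions(text):
    """Group Event-ID 1020 (SMTP submission, as in the thread's log) records by (client-ip,
    sender); flag groups from outside INTERNAL or connecting as the generic host 'User'."""
    groups = defaultdict(lambda: {"rcpts": set(), "hosts": set(), "msgids": set()})
    for r in (x for x in parse_tracking_log(text) if x["Event-ID"] == "1020"):
        g = groups[(r["client-ip"], r["Sender-Address"])]
        g["rcpts"].add(r["Recipient-Address"])
        g["hosts"].add(r["Client-hostname"])
        g["msgids"].add(r["MSGID"])
    flagged = []  # (client-ip, sender, distinct recipients, distinct MSGIDs, external?)
    for (ip, sender), g in groups.items():
        external = not any(ipaddress.ip_address(ip) in net for net in INTERNAL)
        if external or "User" in g["hosts"]:
            flagged.append((ip, sender, len(g["rcpts"]), len(g["msgids"]), external))
    return sorted(flagged)
```

Run it over a real day's log file and each flagged tuple is one connecting IP plus the authenticated sender address it used, which is the pair to block at the SMTP virtual server and the account whose password to reset.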
Sunday, January 22, 2012 3:37 AM
It seems like it may be getting sent internally from a client. Does it say "user" in the log or did you replace this? If this is the case, this PC/user needs to be tracked down. You can try using exmerge and searching the databases for this subject. Or, if you know it's happening every x minutes, use ExMon and see who is connected to Exch at the time to narrow it down.
Sukh
Sunday, January 22, 2012 2:59 PM
Yes, it says "User" in the log, I did not change it. I don't have a "User" account so I am not sure what the deal with that is. Normally when users log in the name is correct, but the spam is not.
I have exmon running and will just leave it running for a while, but it looks like it only shows currently logged on users, not a history?
Still looking for a way to read the "ETL" file in the exmon directory. (I found tracerpt)
I don't see how exmerge is going to help?
And so far I have not figured out how to determine which user is sending the spam, but I agree it is most likely a user on our system.
John J. Hughes II
www.functioninternational.com
Sunday, January 22, 2012 6:18 PM
exmon will only show active users.
I was thinking along the idea to use exmon to see the active users, then keep an eye on the spam or check queues, then look at the active users in Exmon and use exmerge to try and search their mailboxes for that subject if it's sent from that mailbox.
Or the case may be, the password has been compromised and the infected PC is using those authenticated credentials. If you can monitor exmon and see the spam at the same time, see who is connected at that time and scan those PCs and ask those users to change their password.
Sukh
Monday, January 23, 2012 2:59 PM
Again thanks for the help,
Ok, I will continue to monitor; there has been no mass attack lately, but I am sure it will start again shortly.
John J. Hughes II
www.functioninternational.com
Tuesday, January 24, 2012 2:07 AM
Ok, as far as I can tell the last time I was hit nobody was logged into the server; exmon does not report anyone at least.
I noticed that exmon does not report pop/smtp and a couple of others, so it is no help.
Now what?
John J. Hughes II
www.functioninternational.com
Wednesday, January 25, 2012 4:38 PM
I would advise that you get AV installed on your clients and manage it. If account details have been compromised then you can't do much but change all accounts; however, this really doesn't prevent it from happening again, and there isn't much you can do on the Exch side apart from what has already been mentioned.
Sukh
Wednesday, January 25, 2012 6:43 PM
Thanks again for the help... I am talking to management about either a spam solution, GFI or Vircom... Maybe going to a hosted Exchange... See what they say.
John J. Hughes II
www.functioninternational.com
Friday, January 27, 2012 1:00 AM
Looks like management is going to go with Google Business Solutions; seems Exchange is just too much trouble unless you have a complete IT staff to fight with it.
John J. Hughes II
www.functioninternational.com
Friday, January 27, 2012 1:05 AM
You can maybe compare with O365 or Exchange FOPE.
Sukh