Exchange Server Sending Spam.... Need assistance

  • Question

  • Have an exchange server running on SBS 2003. We have had an issue with spam being sent from this server. It is always from different IP Addresses. I have contacted the admins of some of these offending IPs and they are infected machines. I have blocked their connections on a one-by-one basis but this is a recurring problem.

    What can I do to stop this from happening. We are getting gray and blacklisted because of this problem.

    Really stuck here.....

    Monday, January 9, 2012 4:21 PM

All replies

    1. Deploy AV on the client machines.
    2. Deploy AV/AS product on your exch server (SBS).

    Sukh
    Monday, January 9, 2012 6:14 PM
  • Sukh provided you some excellent information, and for the client machines Microsoft Security Essentials works great and it's free!

    You may also want to:

    1. Change the passwords for all users since they may be compromised

    2. Check to ensure your exchange server is not set as an open relay http://support.microsoft.com/kb/324958


    Troy Werelius
    www.Lucid8.com
    Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline EDB's and Live Exchange Servers with Lucid8's DigiScope
    Monday, January 9, 2012 7:16 PM
  • On Mon, 9 Jan 2012 16:21:44 +0000, HankVatJr wrote:
     
    >Have an exchange server running on SBS 2003. We have had an issue with spam being sent from this server. It is always from different IP Addresses. I have contacted the admins of some of these offending IPs and they are infected machines. I have blocked their connections on a one-by-one basis but this is a recurring problem.
     
    Are those IP addresses in YOUR network?
     
    The way that you describe the problem makes it sound as if you're
    accepting e-mail sent to addresses that don't exist in your directory.
    You should be able to fix that pretty easily by enabling recipient
    filtering and refusing to accept e-mail you can't deliver to local
    mailboxes. Of course, this being SBS, there's probably some sort of
    wizard that you'll have to use rather than the Exchange System Manager
    -- so you should move your question to the SBS forum where you should
    get a suitable answer for your environment.
     
    >What can I do to stop this from happening. We are getting gray and blacklisted because of this problem.
     
    If you're not already using any DNSBLs (I'm not a big fan of them),
    consider using one or two. Again, asking how to do this in the SBS
    forum would get you a more accurate answer.
     
    If you're not using the Exchange Intelligent Mail Filter, enable it.
    Again, ask in the SBS forum for instructions rather than using the
    ESM and risking problems that a "wizard" would know how to avoid.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Monday, January 9, 2012 10:50 PM
  • Thanks,

    The offending IPs are not within our small network. I have changed all users passwords, swept the entire network for virus infection and ran several tests to determine if we are an open relay (no).

    I would like to set it up so only our users can send mail through the server. I don't know quite how to do this, but is it a good idea?

     

    Tuesday, January 10, 2012 12:07 AM
  • I have done both of these recently and it has not made a difference. (Not an open relay.)
    Tuesday, January 10, 2012 12:07 AM
  • This deployment has been done and all is infection free
    Tuesday, January 10, 2012 12:08 AM
  • What are DNSBLs?
    Tuesday, January 10, 2012 12:16 AM
  • DNS Black list, i.e. organizations that list your server as being bad, and therefore others that pull information from those black lists will not allow your email to be sent to their systems. Here is some additional info: http://en.wikipedia.org/wiki/DNSBL

    You mentioned early on that "you contacted the admins of some of these offending IPs and they are infected machines" and that you disconnected them.  Where were these machines located?

    If you have stopped the problem machines from spamming on your network, then you can see what lists you are on using this site http://www.mxtoolbox.com/blacklists.aspx and then, depending upon whose list you're on, you can write an email to the appropriate party to tell them what you did to overcome the problem and then beg forgiveness.  Be prepared to be chastised by them since that seems to be par for the course; just be sincere with your apology and usually sometime within 24-72 hours they will de-list you.

     

    NOTE:  if you have not taken care of all the offending machines, do so before you contact the list holders, else they will not have mercy upon you and instead will rip you up one side and down the other...


    Troy Werelius
    www.Lucid8.com
    Search, Recover, & Extract Mailboxes, Folders, & Email Items from Offline EDB's and Live Exchange Servers with Lucid8's DigiScope
    • Marked as answer by Sophia Xu Friday, January 27, 2012 1:42 AM
    Tuesday, January 10, 2012 12:43 AM
  • On Tue, 10 Jan 2012 00:07:15 +0000, HankVatJr wrote:
     
    >The offending IPs are not within our small network.
     
    Okay, so now tell us how your machine is sending the spam. Is it
    because you don't do recipient filtering and your server is accepting
    e-mail it can't deliver and then sending an NDR to the (forged) e-mail
    address of the sender? If that's the case, enable recipient filtering
    and stop accepting e-mail you can't deliver.
     
    >I have changed all users passwords,
     
    What about passwords that don't belong to "users"? Postmaster,
    webmaster, hostmaster, admin, administrator, IWAM_<server>,
    IUSR_<server>, ASPNET, etc.
     
    Is the guest account enabled?
     
    If you think the spammers are using AUTH then jack up the diagnostics
    logging level on the MSExchangeTransport object's "SMTP protocol" and
    "Authentication" categories. That'll log authentication in the
    application log (the SMTP protocol log should also be logging those
    AUTH commands *and* the base64-encoded user and password they're
    using).
     
    >swept the entire network for virus infection
     
    Well, if the stuff is coming from outside your organization that's not
    a bad thing to do, but it's not going to help.
     
    >and ran several tests to determine if we are an open relay (no).
     
    Did those tests try AUTH with common attack vectors?
     
    >I would like to set it up so only our users can send mail through the server. I dont know quite how to do this but is it a good idea?
     
    No, it's not -- if by "send mail" you mean "user POP/IMAP clients".
    Use RPC-over-HTTPS from Outlook or OWA. Drop the ability for anyone
    outside your own LAN to use your server as a SMTP relay.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    • Marked as answer by Sophia Xu Friday, January 27, 2012 1:42 AM
    Tuesday, January 10, 2012 4:42 AM
  • Can you give an example of a message which is sent out?

    Can you show the from and to headers?


    Sukh
    Tuesday, January 10, 2012 9:30 AM
  • Hi,

     

    You can post this thread to the SBS forum to get more help:

    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads

     

    Hope it helps.

     

    Thanks


    Sophia Xu

    TechNet Community Support

    • Marked as answer by Sophia Xu Friday, January 27, 2012 1:42 AM
    Monday, January 16, 2012 8:32 AM
  • Have an exchange server running on SBS 2003. We have had an issue with spam being sent from this server. It is always from different IP Addresses. I have contacted the admins of some of these offending IPs and they are infected machines. I have blocked their connections on a one-by-one basis but this is a recurring problem.

    What can I do to stop this from happening. We are getting gray and blacklisted because of this problem.

    Really stuck here.....


    Late to the party, yet hope to be of some help:

    1. Start by ensuring that your server only allows relay to authenticated connections.

    2. Force a password reset for ALL your user accounts (enforce the password complexity rules to avoid short or too simple passwords).

    3. Check that your server isn't an open relay by using this online tool (just enter your server IP or name and click the "test" button) and, in case the checks fail, fix the configuration.

    4. Read here and here (including the links found at both URLs) and configure the Exchange spam filter to reject junk messages.

    5. Check whether the problem is solved; if not, enable full SMTP logging and look at the generated log files to see "how" those external IPs are able to relay through your server (in case of doubt, feel free to post log snippets here, using the "insert code block" button, please).

    6. If all is OK, open this site, enter your IP address and check if your IP is blacklisted; if so, remove it from the relevant blacklists (notice that, as already suggested, this should be the LAST step and you must ensure that you solved the issue BEFORE attempting to remove your IP from blacklists).

    • Edited by ObiWan Wednesday, January 18, 2012 10:46 AM
    • Marked as answer by Sophia Xu Friday, January 27, 2012 1:42 AM
    Tuesday, January 17, 2012 3:32 PM
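An added example (not from this thread, and not a Microsoft tool) of the log review Rich and ObiWan suggest: it reads a constructed W3C-style SMTP protocol log, reconstructs the AUTH LOGIN exchanges to report which usernames external IPs successfully authenticated as, and flags RCPT commands the server accepted for local addresses that do not exist (the backscatter case Rich describes). The LAN range, the local mailbox list and every log line are constructed here.

```python
import base64
import ipaddress
from collections import defaultdict

# Constructed sample, modelled on the W3C extended layout the IIS/Exchange 2003 SMTP
# service logs; the parser reads the column order from the #Fields header instead of
# hard-coding it. Bare base64 tokens are the AUTH LOGIN username/password a client sent.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-01-10 00:05:11 203.0.113.45 - AUTH LOGIN 334
2012-01-10 00:05:12 203.0.113.45 - cG9zdG1hc3Rlcg== - 334
2012-01-10 00:05:12 203.0.113.45 - UEBzc3cwcmQ= - 235
2012-01-10 00:06:02 198.51.100.7 - AUTH LOGIN 334
2012-01-10 00:06:02 198.51.100.7 - YWRtaW4= - 334
2012-01-10 00:06:03 198.51.100.7 - d3Jvbmc= - 535
2012-01-10 00:07:40 192.168.1.20 - AUTH LOGIN 334
2012-01-10 00:07:40 192.168.1.20 - amRvZQ== - 334
2012-01-10 00:07:41 192.168.1.20 - c2VjcmV0 - 235
2012-01-10 00:08:15 203.0.113.99 - RCPT TO:<nosuchuser@corp.example> 250
"""
LAN = ipaddress.ip_network("192.168.1.0/24")                         # assumed internal range
LOCAL_MAILBOXES = {"jdoe@corp.example", "postmaster@corp.example"}  # assumed directory

def parse_w3c(text):
    # Yield one dict per record, keyed by the column names in the #Fields header.
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def analyse(text):
    # Returns ({user: [external IPs authenticated as user]}, [(ip, unknown local rcpt)]).
    pending, auth_hits, backscatter = {}, defaultdict(list), []
    for rec in parse_w3c(text):
        ip, cmd, arg, status = (rec[k] for k in ("c-ip", "cs-method", "cs-uri-query", "sc-status"))
        if cmd == "AUTH" and arg == "LOGIN":
            pending[ip] = []                        # start collecting this client's tokens
        elif ip in pending and arg == "-":
            pending[ip].append(cmd)
            if status in ("235", "535"):            # 235 = accepted, 535 = rejected
                tokens = pending.pop(ip)
                user = base64.b64decode(tokens[0]).decode("utf-8", "replace")
                if status == "235" and ipaddress.ip_address(ip) not in LAN:
                    auth_hits[user].append(ip)      # the password token is never decoded
        elif cmd == "RCPT" and status == "250":
            rcpt = arg[len("TO:<"):-1].lower()
            if rcpt.endswith("@corp.example") and rcpt not in LOCAL_MAILBOXES:
                backscatter.append((ip, rcpt))      # recipient filtering would have answered 550
    return dict(auth_hits), backscatter
```

A non-user account such as postmaster authenticating from an outside address is exactly the case Rich raises about passwords that don't belong to "users"; an accepted RCPT for a mailbox that does not exist is the sign that recipient filtering is off and NDRs are going back to forged senders.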