Massive SPAM and Virus Sending

    Question

  • Dear NC,
    I have lots of SPAM which is relayed through one of my Exchange 2013 servers. Sending mails via SMTP is allowed for Exchange users to let them send with clients like Thunderbird. I have already enabled verbose logging but I am not able to identify from which IP, or even better which user account, the SPAM is sent. For me it looks like (not for sure of course) that someone uses one of the AD accounts to send SPAM because of a weak username/password combination directly via SMTP through the Exchange server.

    How can I identify the sending user account? I cannot find anything about that in the Frontend SMTP Receive logs or Event Logs. The OriginalClientIp is always empty.
    Does anybody have a good how-to for me? This would be very kind.

    Thanks a lot, Bernd

    Thursday, February 25, 2016 1:36 PM

All replies

  • If you're allowing unauthenticated SMTP then you can't, because the user is likely unauthenticated. That's why you shouldn't allow that and instead configure clients to use SSL port 587 and authenticate.

    If you have protocol logging enabled on your receive connector where the SMTP is being submitted, you can look in the protocol log.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, February 26, 2016 2:50 AM
    Moderator
  • Create an ANTI-RELAY transport rule.

    Check if the issue is resolved, as this rule will not let any kind of SMTP relay thing work. 

    And if you happen to have printers and scanners for SMTP relay, you can put them in exception.  

    Secondly, you can use message tracking for further investigation 


    MCSA, MCP, Microsoft Specialist - Microsoft Azure

    Friday, February 26, 2016 6:19 AM
  • How would that be better than restricting the hosts that can relay to those that must relay?

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, February 26, 2016 7:31 AM
    Moderator
  • All users have to authenticate to send SMTP mail. The log level is verbose, but in the SMTP log no username is logged - this is really ugly!
    Friday, February 26, 2016 7:34 AM
  • Message tracking and SMTP logging do not really help because nowhere is the username of an authenticated SMTP sender logged.
    Friday, February 26, 2016 7:36 AM
  • Not possible because of mobile clients with mail clients like Firebird etc. in use :(
    Friday, February 26, 2016 7:38 AM
  • Hi,

    Message tracking logs and SMTP logs record all message deliveries; please use them to double-check.

    Also, please run the command below to determine which receive connectors are external relay connectors:

    Get-ReceiveConnector | Get-ADPermission | Where {$_.User -Like '*anon*' -And $_.ExtendedRights -Like 'ms-Exch-SMTP-Accept-Any-Recipient'} | ft Identity, User, ExtendedRights

    If it is configured as an open relay, it might be causing the spam. Then try to remove it for testing.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Allen Wang
    TechNet Community Support

    Friday, February 26, 2016 10:01 AM
    Moderator
  • It is not an OPEN RELAY! Every user has to authenticate.
    No username is logged in the SMTP log when sending mail via an SMTP client with an authenticated user.
    Friday, February 26, 2016 10:08 AM
  • Have you tried configuring those clients to authenticate? Most modern ones support that.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, February 26, 2016 5:22 PM
    Moderator
  • SMTP protocol logging should show the logon transaction.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, February 26, 2016 5:23 PM
    Moderator
  • "SMTP protocol logging should show the logon transaction."
    Unfortunately not, no username is logged.
    Monday, February 29, 2016 7:54 AM
  • They do. The challenge is to locate the user/client whose password has been cracked without having all users change their password.
    Monday, February 29, 2016 7:55 AM
  • It should show the source IP address, though, unless your Exchange servers are behind a hardware load balancer that doesn't preserve the source IP address.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Monday, February 29, 2016 8:02 AM
    Moderator
  • IPs are logged, but that does not really help because there are hundreds and thousands, and without the username it cannot be associated with the correct user account. The MS Exchange SMTP logging is really crap!
    Monday, February 29, 2016 10:29 AM
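The two posts above agree on the constraint: the receive protocol log records the client IP and the SMTP dialogue, but not the authenticated username. What a defender can still do with that log is fold the per-line records back into sessions and rank source IPs by how many messages they submitted after a successful AUTH, and how many logins they failed. The script below is an added example, not code from this thread or from Microsoft. It assumes the standard `#Fields` header layout of an Exchange SMTP Receive protocol log (date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context) and the usual `235`/`535` reply codes for authentication success and failure; the embedded log lines are constructed sample data using documentation IP ranges.

```python
import csv
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the layout of an Exchange 2013 SMTP Receive protocol log
# (not a real capture). Session 08D33CA0 authenticates and submits three messages,
# 08D33CA1 is a normal user, 08D33CA2 fails to authenticate twice.
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Receive Protocol Log
#Date: 2016-02-25T13:00:00.000Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2016-02-25T13:00:01.000Z,EX01\Client Frontend EX01,08D33CA0,0,10.0.0.5:587,203.0.113.7:51234,+,,
2016-02-25T13:00:01.010Z,EX01\Client Frontend EX01,08D33CA0,1,10.0.0.5:587,203.0.113.7:51234,<,AUTH LOGIN,
2016-02-25T13:00:01.020Z,EX01\Client Frontend EX01,08D33CA0,2,10.0.0.5:587,203.0.113.7:51234,>,334 <authentication response>,
2016-02-25T13:00:01.030Z,EX01\Client Frontend EX01,08D33CA0,3,10.0.0.5:587,203.0.113.7:51234,>,235 2.7.0 Authentication successful,
2016-02-25T13:00:01.040Z,EX01\Client Frontend EX01,08D33CA0,4,10.0.0.5:587,203.0.113.7:51234,<,MAIL FROM:<promo@example.net>,
2016-02-25T13:00:01.050Z,EX01\Client Frontend EX01,08D33CA0,5,10.0.0.5:587,203.0.113.7:51234,<,MAIL FROM:<promo@example.net>,
2016-02-25T13:00:01.060Z,EX01\Client Frontend EX01,08D33CA0,6,10.0.0.5:587,203.0.113.7:51234,<,MAIL FROM:<deals@example.net>,
2016-02-25T13:00:01.070Z,EX01\Client Frontend EX01,08D33CA0,7,10.0.0.5:587,203.0.113.7:51234,-,,Local
2016-02-25T13:00:05.000Z,EX01\Client Frontend EX01,08D33CA1,0,10.0.0.5:587,198.51.100.20:40001,+,,
2016-02-25T13:00:05.010Z,EX01\Client Frontend EX01,08D33CA1,1,10.0.0.5:587,198.51.100.20:40001,<,AUTH LOGIN,
2016-02-25T13:00:05.020Z,EX01\Client Frontend EX01,08D33CA1,2,10.0.0.5:587,198.51.100.20:40001,>,235 2.7.0 Authentication successful,
2016-02-25T13:00:05.030Z,EX01\Client Frontend EX01,08D33CA1,3,10.0.0.5:587,198.51.100.20:40001,<,MAIL FROM:<alice@contoso.example>,
2016-02-25T13:00:05.040Z,EX01\Client Frontend EX01,08D33CA1,4,10.0.0.5:587,198.51.100.20:40001,-,,Local
2016-02-25T13:00:09.000Z,EX01\Client Frontend EX01,08D33CA2,0,10.0.0.5:587,192.0.2.9:33333,+,,
2016-02-25T13:00:09.010Z,EX01\Client Frontend EX01,08D33CA2,1,10.0.0.5:587,192.0.2.9:33333,<,AUTH LOGIN,
2016-02-25T13:00:09.020Z,EX01\Client Frontend EX01,08D33CA2,2,10.0.0.5:587,192.0.2.9:33333,>,535 5.7.3 Authentication unsuccessful,
2016-02-25T13:00:09.030Z,EX01\Client Frontend EX01,08D33CA2,3,10.0.0.5:587,192.0.2.9:33333,<,AUTH LOGIN,
2016-02-25T13:00:09.040Z,EX01\Client Frontend EX01,08D33CA2,4,10.0.0.5:587,192.0.2.9:33333,>,535 5.7.3 Authentication unsuccessful,
2016-02-25T13:00:09.050Z,EX01\Client Frontend EX01,08D33CA2,5,10.0.0.5:587,192.0.2.9:33333,-,,Remote
"""


@dataclass
class Session:
    """One SMTP session as reconstructed from its protocol log lines."""
    session_id: str
    connector: str = ""
    remote_ip: str = ""
    authenticated: bool = False      # server replied 235 at some point
    auth_failures: int = 0           # number of 535 replies
    mail_from: list = field(default_factory=list)  # envelope senders submitted


def parse_protocol_log(text):
    """Fold the per-line receive protocol log into one Session per session-id.

    The column order comes from the '#Fields:' header rather than being
    hard-coded, so logs with a different column order still parse.
    """
    fields = None
    sessions = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        row = next(csv.reader([line]))   # csv handles quoted data fields with commas
        if fields is None or len(row) < len(fields):
            continue                     # header missing or truncated row: skip, don't guess
        rec = dict(zip(fields, row))
        remote_ip = rec["remote-endpoint"].rsplit(":", 1)[0]   # drop the client port
        s = sessions.setdefault(
            rec["session-id"], Session(rec["session-id"], rec["connector-id"], remote_ip))
        event, data = rec["event"], rec["data"]
        if event == ">" and data.startswith("235"):
            s.authenticated = True
        elif event == ">" and data.startswith("535"):
            s.auth_failures += 1
        elif event == "<" and data.upper().startswith("MAIL FROM:"):
            s.mail_from.append(data[len("MAIL FROM:"):].strip().strip("<>"))
    return sessions


def summarize_by_ip(sessions):
    """Rank client IPs by messages submitted in authenticated sessions, then by
    failed logins, and collect the envelope senders each IP used."""
    per_ip = defaultdict(lambda: {"sessions": 0, "messages": 0, "auth_failures": 0, "senders": set()})
    for s in sessions.values():
        agg = per_ip[s.remote_ip]
        agg["sessions"] += 1
        agg["auth_failures"] += s.auth_failures
        if s.authenticated:              # only count submissions that passed AUTH
            agg["messages"] += len(s.mail_from)
            agg["senders"].update(s.mail_from)
    return sorted(per_ip.items(), key=lambda kv: (-kv[1]["messages"], -kv[1]["auth_failures"]))


if __name__ == "__main__":
    for ip, agg in summarize_by_ip(parse_protocol_log(SAMPLE_LOG)):
        print(f"{ip:16} sessions={agg['sessions']} messages={agg['messages']} "
              f"auth_failures={agg['auth_failures']} senders={sorted(agg['senders'])}")
```

Run it over the concatenated RECV*.log files from the Client Frontend connector instead of `SAMPLE_LOG`; the IP at the top of the list, together with the session timestamps, is what you then match against the domain controllers' logon auditing to get from "which client" to "which account". The `auth_failures` column is a separate signal worth watching: a source that repeatedly hits `535` before finally succeeding is the pattern of the weak-password guessing the original poster suspects.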
  • Exact same problem!

    Unable to determine which user accounts are used to send phishing through our Default authenticated only connector.

    SMTP logs only show external IPs and unmanaged FROM addresses...

    Friday, March 11, 2016 8:54 AM
  • Absolutely right!

    Maybe someone can ask Microsoft about this?!
    In my personal opinion SMTP logging should definitely be more detailed!

    Friday, March 11, 2016 8:58 AM
  • Exchange Online Protection is the best solution for the organization.
    Friday, March 11, 2016 6:36 PM
  • While that might be a fine service, it won't do much for his question, which is to find out which internal system is sending mail.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Friday, March 11, 2016 6:41 PM
    Moderator