0

Our Exchange server is sending out spam, as it has been listed on various spam blacklists, and I'm not too sure how to stop it.

I've started by verifying SMTP with a site like http://www.pagasa.net/test-smtp-server/, so relay has been ruled out.

I started to suspect that it comes from an internal user's PC which has been infected by a spam trojan or zombie and, piggybacking on the logged-on user's AD authentication, performs a broadcast (from the log the source IP is 255.255.255.255), doing trial and error and hoping to land on an SMTP server within the LAN... Is my assumption correct?

Any help would be very greatly appreciated.

Thanks

Mick

Mofoster

4 Answers

1

Possible. Try running logs, identify the user, look at some spam and see where it originated from ;) Voila.

But the scenario makes sense.

TomTom
0

A more likely scenario is that you have a PC which is infected and sending out spam itself. A computer does not need to go through your server in order to send out spam. There are a few ways to prevent this from occurring or affecting your ability to send out email:

  1. Block outbound access to port 25 from all computers on your network. Allow an exception only for your Exchange server
  2. Give your Exchange server its own external IP address. This can be accomplished with most business grade routers and firewalls provided your ISP has given you more than a single address.
  3. Use an email sanitization service like Postini or Exchange Defender to process all outgoing email for your Exchange server.
  4. Use a good anti-virus on your workstations...ESPECIALLY if you give your users administrative rights
Jason Berg
  • Thanks, only the Exchange server's port 25 is open, so it has to be sent out from the Exchange server. Is there any possible way to limit the Exchange server to only sending out mail that comes from Outlook clients? – Mofoster Jul 25 '10 at 14:22
  • I think it's possible that you're still not totally understanding it. Have you checked your logs to ensure that this is the case? If you'd like to limit the ability for clients on your internal network to send out mail through your server, edit the receive connectors in Exchange to remove the IP address range of your network. – Jason Berg Jul 25 '10 at 14:46
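A concrete version of the receive-connector change Jason describes in the comment above, as an added example in the Exchange Management Shell (Exchange 2010 cmdlets; this is not code from the thread). The server name EXCH01, the LAN 192.168.1.0/24 and the one internal device at 192.168.1.20 that genuinely needs to send through the server are assumed placeholders.

```powershell
# Added example, not from the thread. Assumes Exchange 2010 Management Shell, Hub Transport server
# EXCH01, LAN 192.168.1.0/24, and one device (192.168.1.20, say a scanner) that must relay via SMTP.

# 1. See which connectors exist and which source addresses they accept. A default connector that
#    covers 0.0.0.0-255.255.255.255 accepts SMTP from every workstation on the LAN.
Get-ReceiveConnector -Server EXCH01 | Format-List Name, Bindings, RemoteIPRanges, PermissionGroups

# 2. Carve the LAN out of the internet-facing connector. Outlook talks to Exchange over MAPI, not
#    SMTP, so mailbox users are unaffected; only SMTP submissions from inside the LAN stop working.
Set-ReceiveConnector "EXCH01\Default EXCH01" `
    -RemoteIPRanges 0.0.0.0-192.168.0.255,192.168.2.0-255.255.255.255

# 3. Give the few internal devices that must send via SMTP their own connector, scoped to their
#    addresses only. With the LAN removed in step 2 the ranges no longer overlap, which Exchange
#    requires for two connectors on the same binding; it then picks the most specific match.
New-ReceiveConnector -Name "Internal relay" -Server EXCH01 -Usage Custom -Bindings 0.0.0.0:25 `
    -RemoteIPRanges 192.168.1.20 -PermissionGroups AnonymousUsers

# 4. Relaying to external recipients additionally needs this extended right; without it the device
#    can only deliver to internal mailboxes, which is the safer default for most devices.
Get-ReceiveConnector "EXCH01\Internal relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient

# 5. Re-check the result: the LAN address should now appear only on the "Internal relay" connector.
Get-ReceiveConnector -Server EXCH01 | Format-Table Name, RemoteIPRanges -AutoSize
```

After step 2 a telnet to port 25 from any other LAN address is refused, which is the quickest way to confirm the change from a workstation; anything that legitimately breaks (a printer, a monitoring box) gets added to the "Internal relay" connector's RemoteIPRanges rather than by reopening the default one.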
0

I agree with Tom. The best course of action here is to review the logs and trace back where the spam is coming from. Once you have more information, you can implement a solution that will resolve the issue once and for all.

Also, keep in mind that some blocklists will provide additional information (including email headers and specific reasons for block).

-M

Mike B
0

As a preventative measure, I'd set up quotas, with admin alerts whenever a user tries to exceed them. Set them high, like: 100 emails/hour, 15/minute. This will help you find those pesky infected machines before you get on every blocklist under the sun.

Ryan Gooler
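The log review TomTom and Mike B recommend and the quota-with-alert Ryan suggests both come from the same source, the message tracking log, so here is one added example (not code from any of the answers) that does both: it lists who submitted the most mail in the last hour and where it came from, then alerts when Ryan's thresholds are exceeded. It assumes Exchange 2010 (whose shell is PowerShell 2.0, hence no [pscustomobject]), that the script runs on the Hub Transport server, and placeholder addresses admin@example.com, exchange-alerts@example.com and exch01.example.local.

```powershell
# Check-OutboundRate.ps1 -- added example, not from the thread. Assumes Exchange 2010 on the Hub
# Transport server and the placeholder addresses below. Thresholds are Ryan's: 100/hour, 15/minute.
param(
    [int]$HourLimit     = 100,
    [int]$MinuteLimit   = 15,
    [string]$AlertTo    = "admin@example.com",
    [string]$AlertFrom  = "exchange-alerts@example.com",
    [string]$SmtpServer = "exch01.example.local"
)
# Needed when run from Task Scheduler rather than an already-open Exchange Management Shell.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

$end   = Get-Date
$start = $end.AddHours(-1)

# RECEIVE events are every message the transport service accepted in the window. Source says how it
# got in: STOREDRIVER = submitted from a mailbox (Outlook/OWA), SMTP = arrived over a receive
# connector, which is where a bot on a workstation shows up, together with its ClientIp.
$received = Get-MessageTrackingLog -EventId RECEIVE -Start $start -End $end -ResultSize Unlimited

# Log review: who is handing the server the most mail, and from where.
$bySender = $received | Group-Object Sender, Source, ClientIp | Sort-Object Count -Descending
"Top submitters, last hour:"
$bySender | Select-Object Count, Name -First 15 | Format-Table -AutoSize

# Quota check: flag any sender over the hourly limit, or over the per-minute limit in any single
# minute of the window (a bot bursts; a human rarely sends 15 messages in one minute).
$offenders = foreach ($g in $bySender) {
    $busiestMinute = $g.Group |
        Group-Object { $_.Timestamp.ToString("yyyy-MM-dd HH:mm") } |
        Sort-Object Count -Descending | Select-Object -First 1
    if ($g.Count -gt $HourLimit -or $busiestMinute.Count -gt $MinuteLimit) {
        New-Object PSObject -Property @{
            Sender        = $g.Group[0].Sender
            Source        = $g.Group[0].Source
            ClientIp      = $g.Group[0].ClientIp
            LastHour      = $g.Count
            PeakPerMinute = $busiestMinute.Count
            SampleSubject = $g.Group[0].MessageSubject
        }
    }
}

if ($offenders) {
    $body = $offenders |
        Format-Table Sender, Source, ClientIp, LastHour, PeakPerMinute, SampleSubject -AutoSize |
        Out-String
    Send-MailMessage -To $AlertTo -From $AlertFrom -SmtpServer $SmtpServer `
        -Subject "Outbound mail rate exceeded on $env:COMPUTERNAME" -Body $body
    $offenders
}
```

Run it hourly from Task Scheduler (`powershell.exe -File Check-OutboundRate.ps1`) so the window and the schedule match. The Source column is the distinction the comment thread above turns on: a compromised Outlook profile shows up as STOREDRIVER with the user's mailbox as Sender, while a bot speaking SMTP directly shows up as SMTP with the workstation's ClientIp. Send-MailMessage only works if a receive connector still accepts mail from the server's own address.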