
We have an exchange server 2003 and our IP address was blacklisted.

When I check the Queue folder in the exchange server root directory, there are tons of Delivery Status Notification (Delay/Failure) emails to be sent out. The email has from: postmaster@ourdomain.com and sent out to different email addresses.

When this happened before, I saw an IP address (outside our network) in the current sessions that looked like the culprit. So I added it to the blacklist using the connection filter in Exchange Server. This time, when I checked Current Sessions, there were no active connections. But there are still a lot of emails to be sent out from the Queue folder. I have disabled SMTP for now.

I've read in a link that if I disable Allow Anonymous Access then I won't be able to receive incoming email from the internet. In the Relay Restrictions dialog, only the localhost computer is in the list. And I have "Allow all computers which successfully authenticate" checked.

How can I find out who is sending out the spam?

Sample email content:

This is an automatically generated Delivery Status Notification.

Delivery to the following recipients failed.

       twhitley@caramail.com

Header:

From: postmaster@ourdomain.com
To: info@dhs.gov
Date: Mon, 27 Jan 2014 22:34:47 -0800
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
    boundary="xxxxourdomain.com"
X-DSNContext: 7ce717b1 - 1194 - 00000002 - 00000000
Message-ID: <xxxxxxxx@ourdomain.com>
Subject: Delivery Status Notification (Failure)
  • `How can I find out who is sending out the spam?` Ask your employees if they're a piece of malware. When one of them says "yes," that's your spammer. – HopelessN00b Jan 28 '14 at 22:25
  • @HopelessN00b I believe this would be from outside our network and not within the local office network. – John Ng Jan 28 '14 at 22:26
  • Well, that's even worse, then. Stop running an open email relay. – HopelessN00b Jan 28 '14 at 22:28
  • @HopelessN00b I have checked for open relay already and our server is not. I'm not really an expert on server admin. But what else could it possibly be? – John Ng Jan 28 '14 at 22:30
  • Look at the bounces, and look at the auth log. If you allow auth, it is quite possible one of your users has had their auth credentials stolen, and they are being abused. Or it could be that you are getting tons of incoming mail to invalid recipients, and Exchange is accepting it and then bouncing to the envelope sender, so you are a blowback source. Looking at the DSN might help. – Doon Jan 28 '14 at 22:45
  • @Doon Thanks, logging was disabled. I just enabled it and will wait to see what happens again. – John Ng Jan 28 '14 at 22:55
  • If you don't have a competent mail administrator, why are you running your own mail server? Please don't take this the wrong way, but, you *should* be blacklisted. – David Schwartz Jan 28 '14 at 23:15
  • @Doon After enabling the auth logs, I found one user that has been logging in at weird hours, and that user is not even using that email account any more. Thanks for your help! – John Ng Jan 29 '14 at 17:11
  • This might be an atrocity, but really the question shouldn't be closed. Helping people who don't know what they're doing fix this stuff reduces the amount of spam on the internet. – Falcon Momot Feb 01 '14 at 23:44
  • @FalconMomot I was actually surprised that I got a lot of criticism instead of help from this post. I guess most experts would prefer to hire an experienced administrator instead of having to teach new ones. – John Ng Feb 03 '14 at 05:24

2 Answers


"When this happened before, I saw what the IP address (outside our network) in the current sessions that looks like the culprit. So I added it in the blacklist using connection filter in exchange server."

So what you are saying is that anyone on the internet who can find your mail server will be allowed to send mail through it, except for this one IP address that you've specifically blocked. This is horrible and the wrong way to run a mail server. You MUST disallow relaying by default, and selectively allow relaying only for your internal network and/or trusted addresses.

If (big IF) as your comment says above, you are not an open relay, then how was that address sending through you previously? One of your authenticated sender accounts may be compromised, but you ought to see that in the logs.

  • I used mxtoolbox.com to check if our server is an open relay and it says that it's not. I'm not really sure what the proper setup for Exchange Server is. I will update my post with a further description of our setup. – John Ng Jan 28 '14 at 22:38
  • @JohnNg **"I'm not really sure what the proper setup for exchange server is."** With respect, the correct solution to the problem, then, is to hire someone who is and ask them to ensure the system is properly configured. – Rob Moir Jan 28 '14 at 22:45
  • Sure, but this is more of a secondary email domain and we have the primary mail server hosted by a third-party provider. I'm trying to maintain this mail server just so I can learn more about server admin. – John Ng Jan 28 '14 at 22:51
  • @JohnNg If all this is to you is a learning opportunity then this server absolutely and positively should not be connected to the internet. You're currently maintaining the IT equivalent of a public nuisance (http://en.wikipedia.org/wiki/Public_nuisance) for your own entertainment and you'll get a well-deserved email blacklisting for your trouble. – Rob Moir Jan 28 '14 at 22:56
  • @RobM It is a secondary email server, but it is functioning and is still being used from time to time. If it were not connected to the internet, then I probably wouldn't even have this problem to begin with. – John Ng Jan 28 '14 at 23:00
  • @JohnNg In addition to what RobM said, "learning" on an Exchange 2003 server is a waste of time. It's so old, out-of-date and incredibly different from the newer versions of Exchange that everything you learn on it is going to be worthless. May as well be riding a tricycle to learn how to drive. – HopelessN00b Jan 28 '14 at 23:07
  • What @HopelessN00b said about Exchange 2003 being out of date. I almost answered with some PowerShell snippets to help you parse out the Message Tracking Logs faster until I realized, d'oh, 2k3. Seriously. It's ten years old. Download an eval of 2013 and learn on that, just don't connect it to the Internet. http://technet.microsoft.com/en-us/evalcenter/hh973395.aspx – Katherine Villyard Jan 29 '14 at 01:25

It turned out to be a compromised account. One of the users (no longer actively using this email account) has been hacked, and that account is being used to authenticate to the SMTP server. I found this out after enabling the authentication logs in the Event Viewer for MSExchangeTransport. Thanks a lot to @Doon for the tip.

  • This is the trend lately in sending spam; it's a great way to send legit-looking mail and ride on your hard work establishing a reputation. – Falcon Momot Feb 03 '14 at 06:38
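The check that exposed the compromised account above, as an added example that is not code from the question or either answer: it parses constructed SMTP protocol log lines in the W3C extended format that the IIS SMTP service behind Exchange 2003 writes (the field list is assumed and trimmed to the columns needed) and flags every account whose AUTH attempts come from outside the LAN or outside business hours. The LAN ranges, business hours and account names are assumptions.

```python
"""Flag accounts with suspicious SMTP AUTH activity in W3C-style SMTP logs."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log; real IIS SMTP logs carry more columns, but the
# parser keys on the #Fields header so the order here is only an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2014-01-27 09:12:01 192.168.1.25 alice@ourdomain.com 192.168.1.5 AUTH LOGIN 334
2014-01-27 22:31:47 203.0.113.77 oldaccount@ourdomain.com 192.168.1.5 AUTH LOGIN 334
2014-01-27 22:34:47 203.0.113.77 oldaccount@ourdomain.com 192.168.1.5 MAIL +FROM:<postmaster@ourdomain.com> 250
2014-01-28 03:02:13 198.51.100.9 oldaccount@ourdomain.com 192.168.1.5 AUTH LOGIN 334
2014-01-28 03:02:14 198.51.100.9 oldaccount@ourdomain.com 192.168.1.5 MAIL +FROM:<x@ourdomain.com> 250
2014-01-28 10:15:00 192.168.1.40 bob@ourdomain.com 192.168.1.5 AUTH LOGIN 334
"""

INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]  # assumed LAN
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 server local time, assumed


def parse_w3c(text):
    """Yield one dict per data row, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def is_external(ip):
    """True when the client address is outside every internal network."""
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def suspicious_auth(text):
    """Per account: count external and after-hours AUTHs and collect source IPs."""
    stats = defaultdict(lambda: {"external": 0, "after_hours": 0, "ips": set()})
    for row in parse_w3c(text):
        if row["cs-method"] != "AUTH":
            continue  # only authentication attempts matter here, not MAIL/RCPT
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        acct = stats[row["cs-username"]]
        acct["ips"].add(row["c-ip"])
        acct["external"] += is_external(row["c-ip"])
        acct["after_hours"] += stamp.hour not in BUSINESS_HOURS
    # Any external or after-hours AUTH is worth a look; a dormant account with
    # several such logins from unrelated addresses is the pattern to disable first.
    return {user: s for user, s in stats.items() if s["external"] or s["after_hours"]}
```

Run `suspicious_auth(SAMPLE_LOG)` against the constructed sample and only the dormant account comes back, with two external, after-hours logins from two different addresses.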