
I've got a Windows Exchange Server 2007 that appears to be sending mail when I've confirmed nobody is on the network. I'm trying to determine if the Exchange server is compromised or if a client on the network is spewing out spam that is eventually being sent out through the Exchange server.

I'm using Wireshark, configured with smtp and ip.src==mail.server.ip in the filter, and can see SMTP sending to outside IPs from the Exchange Server when nobody is at the office.

It appears the Outlook 2010 email program installed on the clients uses a different protocol to transmit the email from the client to the Exchange Server (DCERPC).

This is making it difficult to pinpoint where the spam is occurring. Can anyone shed some light on additional filters or a process to find where the spam is originating?

  • Exchange could very well be retrying to send emails that it has been unable to deliver due to issues on the recipient end. Expecting that Exchange only sends outgoing email when users are in the office is a bit of a misunderstanding of how SMTP works. That being said, there are better ways to do this. Use the Message Tracking tool to track outgoing messages. – joeqwerty Nov 09 '18 at 15:10
  • Yes, I did notice that and we removed those stuck in queue. I'll research the tracking too, thanks. – Rocco The Taco Nov 09 '18 at 15:14
  • To further my comment, what makes you think this email is spam? What evidence do you have that it's spam? I'm also assuming that users have access to their mailboxes from outside of the office, such as with their phones or via OWA. These are all things to consider. It may be that you're on a wild goose chase. – joeqwerty Nov 09 '18 at 17:24
  • We apparently have a low sender score due to sender-rejected emails. I've implemented SPF and _DMARC but the low sender score persists. They are reporting our external firewall IP for Exchange as the culprit, with tons of traffic above normal. We've changed all the passwords and blocked ALL outgoing traffic on that firewall unless it's coming from the email server. Using the tracking tool you suggested, we are not seeing any spam coming from clients. I'm suspicious that somebody is using an exploit to send email from the server but not using Exchange? Really kind of lost. – Rocco The Taco Nov 09 '18 at 21:35
  • Make sure relaying is disabled on Exchange, make sure there is a rule in the firewall/router blocking outgoing emails except those originating from the Exchange server's IP, and make sure SPF is correctly configured to only allow sending from that IP. To answer the posted question: Outlook uses MAPI over HTTP (newer, 2010+), or RPC (older), or Outlook Anywhere (Macs and cellular Outlook) https://docs.microsoft.com/es-es/Exchange/clients/mapi-over-http/mapi-over-http?view=exchserver-2019 – Rostol Jan 26 '19 at 06:59
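The message-tracking check joeqwerty suggests and the relay check Rostol mentions, written out for the Exchange 2007 Management Shell as an added example (this is not code from the question or the comments; the overnight window, the CSV path and the assumption that the Hub Transport role is on the server you run it from are mine):

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 Hub Transport server. Window and output path are assumptions;
# set them to the period in which Wireshark showed outbound SMTP with nobody present.
$start = (Get-Date).Date.AddDays(-1).AddHours(20)   # yesterday 20:00
$end   = (Get-Date).Date.AddHours(6)                # today 06:00

# 1) Everything that entered transport overnight, grouped by how it got in.
#    Source STOREDRIVER = submitted from a mailbox (Outlook, OWA, ActiveSync, any location).
#    Source SMTP        = handed to a receive connector by some host; ClientIp is that host,
#                         which is what exposes an internal machine or an anonymous relay.
$received = Get-MessageTrackingLog -Start $start -End $end -EventId RECEIVE -ResultSize Unlimited
$received | Group-Object Source, ClientIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2) Outbound deliveries in the same window, by sender. A spam run shows a handful of
#    senders far above their normal volume, or sender addresses that are not real mailboxes.
$sent = Get-MessageTrackingLog -Start $start -End $end -EventId SEND -ResultSize Unlimited
$sent | Group-Object Sender | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 3) Separate "compromised mailbox" from "something relaying through us": SEND events whose
#    message never had a STOREDRIVER RECEIVE arrived over SMTP from a client, not a mailbox.
$fromStore = $received | Where-Object { $_.Source -eq 'STOREDRIVER' } |
    ForEach-Object { $_.MessageId }
$sent | Where-Object { $fromStore -notcontains $_.MessageId } |
    Select-Object Timestamp, Sender, Recipients, ServerHostname, MessageSubject |
    Export-Csv -Path 'C:\temp\overnight-smtp-relayed.csv' -NoTypeInformation

# 4) "Relaying disabled" in Exchange 2007 terms: no receive connector may grant the
#    ms-Exch-SMTP-Accept-Any-Recipient right to anonymous users. Anything listed here
#    is an open relay for whatever can reach that connector.
Get-ReceiveConnector | Get-ADPermission |
    Where-Object { ($_.ExtendedRights -join ',') -match 'Accept-Any-Recipient' -and
                   "$($_.User)" -match 'ANONYMOUS' } |
    Select-Object Identity, User, ExtendedRights
```

Retries of previously deferred mail (joeqwerty's point) show up in the same window as DEFER and FAIL events for the same MessageId, so check Get-MessageTrackingLog -EventId DEFER before treating overnight SEND volume as new submissions.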

0 Answers