
Internal Spam


  • Internal Spam

    Hi all,

    How do I find who is trying to send spam?

    My mail server has lots of queues to unknown domains, and they are building up so quickly.

    Please help.
    AusNetIT Solutions

    Web Design | Web Hosting | SEO | IT Support

  • #2
    Re: Internal Spam

    In the Queue Manager in the ESM, double-click the queue and you should see the list of emails in the queue, with the sender's address.

    Regards



    • #3
      Re: Internal Spam

      Sending spam internally can cause that user to be fired in many places; you'd better get him and bring a big stick.

      Also note that it's possible that it's not someone who's deliberately sending the spam; it's more likely a compromised machine, perhaps even the server itself (or one of the servers). Make sure you use a good AV on the Exchange servers, and on all the client machines.
      Cheers,

      Daniel Petri
      Microsoft Most Valuable Professional - Active Directory Directory Services
      MCSA/E, MCTS, MCITP, MCT



      • #4
        Re: Internal Spam

        Sniff the traffic leaving the building as well... If the internal clients are allowed to use 25 outbound, then they can send spam independent of the Exchange server. It will also give you an IP of the infected station... The only 25 traffic I should be seeing is from my Exchange servers.
        It's easier to beg forgiveness than ask permission.
        Give karma where karma is due...
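
The check described in post #4, as an added example that is not part of the original thread: it scans flow records for internal hosts other than the Exchange servers that open outbound TCP/25 connections. The CSV log layout, the LAN range, all addresses and the function name `rogue_smtp_senders` are assumptions made for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp,src,sport,dst,dport,proto.
# The CSV layout and every address here are assumptions for this example.
SAMPLE_LOG = """\
2008-03-01T09:00:01,192.168.1.10,3456,203.0.113.25,25,tcp
2008-03-01T09:00:02,192.168.1.57,1044,198.51.100.7,25,tcp
2008-03-01T09:00:02,192.168.1.57,1045,203.0.113.80,25,tcp
2008-03-01T09:00:03,192.168.1.57,1046,198.51.100.7,25,tcp
2008-03-01T09:00:04,192.168.1.23,2210,198.51.100.9,80,tcp
2008-03-01T09:00:05,192.168.1.23,2211,192.168.1.10,25,tcp
2008-03-01T09:00:06,192.168.1.88,5000,203.0.113.25,25,udp
malformed line
"""
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
EXCHANGE_SERVERS = {"192.168.1.10"}  # assumed: only host allowed out on 25


def rogue_smtp_senders(log_text, mail_servers, internal_net=INTERNAL_NET):
    """Map each internal non-mail-server host to its outbound TCP/25 activity."""
    allowed = {ipaddress.ip_address(ip) for ip in mail_servers}
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed records
        _, src, _, dst, dport, proto = row
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if proto.lower() != "tcp" or dport != "25":
            continue
        # Outbound only: source inside the LAN, destination outside it.
        if src_ip not in internal_net or dst_ip in internal_net:
            continue
        if src_ip in allowed:
            continue  # the Exchange servers are expected to speak SMTP
        hits[src]["connections"] += 1
        hits[src]["destinations"].add(dst)
    return dict(hits)


if __name__ == "__main__":
    for host, info in rogue_smtp_senders(SAMPLE_LOG, EXCHANGE_SERVERS).items():
        print(host, info["connections"], sorted(info["destinations"]))
```

A workstation that shows up here with many connections to many distinct destinations is the station to isolate and scan first.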



        • #5
          Re: Internal Spam

          I would be very surprised if this was an internal attack. That would be a very stupid thing to do as it would be easily spotted.

          It could be a user who has sent something to all of his buddies. Have you looked at the queues to see who sent them?

          If the messages are "from" [email protected] then it is probably from outside. Could be an NDR attack.

          If the messages are not from an internal user at all then you could have a compromised account. The administrator account is often attacked as Exchange servers have authenticated relaying turned on by default.
          Changing the administrator account password then restarting the server can stop email from coming in, then you need to clean up the queues.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: Internal Spam

            I strongly recommend you turn on recipient filtering and filter all messages that are not intended for recipients that are in your Active Directory. I suspect what you are seeing is NDRs for invalid users.

            This is done on the SMTP Virtual Server and on the Message Delivery properties under Global Settings.

            Jim McBee



            • #7
              Re: Internal Spam

              Originally posted by jmcbee
              I strongly recommend you turn on recipient filtering and filter all messages that are not intended for recipients that are in your Active Directory. I suspect what you are seeing is NDRs for invalid users.

              This is done on the SMTP Virtual Server and on the Message Delivery properties under Global Settings.

              Jim McBee
              And after you do so, don't forget to configure Tar Pitting (see my site for a link), otherwise you'll be a target for directory harvesting attacks.
              Cheers,

              Daniel Petri
              Microsoft Most Valuable Professional - Active Directory Directory Services
              MCSA/E, MCTS, MCITP, MCT



              • #8
                Re: Internal Spam

                Hi,

                Thanks for all your replies.

                What is the best free sniffer to use for this?
                AusNetIT Solutions

                Web Design | Web Hosting | SEO | IT Support



                • #9
                  Re: Internal Spam

                  Google will help. I use Ethereal, others exist too.
                  Cheers,

                  Daniel Petri
                  Microsoft Most Valuable Professional - Active Directory Directory Services
                  MCSA/E, MCTS, MCITP, MCT
