Please Read: Significant Update Planned, Migrating Forum Software This Month

See more
See less

Exchange 2003, user spamming

  • Filter
  • Time
  • Show
Clear All
new posts

  • Exchange 2003, user spamming

    I need serious help, thank you
    I have a user on my exchange who is spamming one particular email to a GAL at the rate of 100 emails per hour. I have deleted the user and her mailbox form the AD thus the exchange, but the user apparently is still spamming. The users mailbox though still shows in the exchange manager. I tried purging the user but there is no option to purge mailbox. I have stopped the exchange agent but still cannot purge the mailbox.
    Is the computer involved the one spamming or its from the exchange?

    Please someone help.

  • #2

    1. Check the user computer for virus, worm etc.
    2. Run mailbox Agent on the mail store - on low perfomance server it may take a while to the mailbox to appear delete/purge.


    Best Regards,

    Yuval Sinay

    LinkedIn:, Blog:


    • #3
      Spam source

      I had a user who was sending spam from his laptop - he got a virus from a kid's program he installed. The virus itself was sending the spam, but from the outside it looked like it was coming from our exchange server. We got blocked for 2 days.

      The first thing to do is restrict access to port 25 traffic going from inside to outside through your router. ONLY your mail server should be allowed to send port 25 traffic through the router. If SPAM is still going out, then you can suspect Exchange is sending it.

      If your user is not sending SPAM intentionally, then it might be a virus - run a thorough scan for both spyware and viruses on all workstations.

      If it isn't the workstation, and you can't delete the account, try disabling it.
      Rex Derby


      • #4
        i think that exacly what going on in my place,

        but the problem is i dont know which computer may have the virus,
        did u check each and each client ?

        norton AV tells me my server is clear...

        how did u find out which computer is infected.




        • #5
          You will need to run an AV scan on each PC till you find the culprit.


          • #6
            You need a centrally managed AV solution like Sophos Enterprise or ePolicy Orchestrator. This way you can tell which PC is upto date with AV definitions and which have detected viruses.
            Server 2000 MCP
            Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog

            ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **


            • #7
              is it possible that one of my client got infected by some virus, and it send throw the excange all the spam ?
              isnt there any way that i can find which computer it is without going one by one and look who send the spam ?

              in the eventviewer all i see is an exchange service sending the mail.

              anyway i can found in exchange who gave him the order or the virus discuise himself as exchange server?


              • #8
                If it is a virus then i dont think it will be using Outlook to send the mail. it will be using port 25. In exchange manager stop exchange accepting mail from any internal host while you find out the pc with the problem.
                Server 2000 MCP
                Development: ASP, ASP.Net, PHP, VB, VB.Net, MySQL, MSSQL - Check out my blog

                ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **


                • #9
                  Re: Exchange 2003, user spamming

                  Here's the deal -

                  It IS possible to identify the PC sending spam if you are willing to let it keep sending while you track it down. You can get a sniffer program like Net-X-Ray and install it on your PC. Then you can let it sniff for ALL port 25 traffic on your LAN except for the IP address of your server and router. Those 2 IP addresses will naturally be passing port 25 traffic all day long. Any other PC that sends port 25 traffic is likely the culprit.

                  I didn't do this on my network. I didn't want my outgoing mail to be blocked by those using SPAMHAUS.ORG to filter spam from their servers before it is even received. I needed to get my mail back up quickly.

                  I scanned each and every PC immediately and finally found a laptop with a virus because the user installed a kid's game. He also had the virus scanner disabled. Smart guy. The virus identified was a spam-sending virus. Problem found and solved.

                  To prevent getting shut down again (if another PC ever gets infected in the future), I closed the outgoing port 25 traffic through my router for every IP address except the mail server.

                  If a virus is sending spam, you WILL NOT see it in the event log, the exchange server, or even in the Sent Mail folder in Outlook on the offending machine. The virus most likely has it's own little SMTP engine and is sending all on it's own.

                  If you have your Exchange Server configured to accept SMTP traffic from any PC on your network, this is not necessary. Your PCs shouold be communicating with your Exchange Server using MAPI, so they don't need to send via SMTP. You should have already insured your Server is not an Open Relay to PCs that are NOT on your network. The only exception might be, for instance, if you Backup Server needs to send mail to the administrator via SMTP. You could allow your Exchange Server to accept that kind of traffic from specific IP addresses.

                  That last part boils down to - SMTP traffic only between your router and your Server, and no open-relay on the server.

                  You can try to filter viruses and spam either with Enterprise solutions like Symantec or others, or you can try to block them from getting in with a firewall like the ones available from SonicWall, but there is still the possibility that some idiot will turn off his virus scanner, install a kid's game at home, then bring his laptop in and connect it to the LAN, thus bypassing all your best efforts. The best defense is one that has many layers. The more layers, the better.
                  Rex Derby