[email protected] send spam mail


  • [email protected] send spam mail

    Hello People

    My Exchange 2003 SP2 [email protected] is sending spam mail, creating trouble by getting me added to blacklists, etc.

    We have NOD32 AV, Brightmail 6.3, Fortinet FW - none of them caught this spam file. TARPIT didn't help at all - the spam file is, it seems to me, in the Exchange itself.

    It seems to me that the first priority will be blocking that "postmaster" from sending any outbound mail to any external mail addresses and sites.

    Can someone help me with advice?

    Thanks in advance

  • #2
    Re: [email protected] send spam mail

    You will need to find out why "postmaster" is sending spam.
    Is your server infected?
    Is anything else on the network infected?
    Are you an open relay?
    Is the mail really coming from you, or is it from elsewhere but spoofing your address?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: [email protected] send spam mail

      Thanks, Ossian, for the quick answer:

      1. I have checked the Exchange Server - and all other DCs and workstations - with all the tools I have: NOD32 deep scanning, Malwarebytes, etc. - these found very few trojans, which were deleted. Maybe the Server is still infected, but I have no other tools to discover it.

      2. I am not an open relay - I have made several tests to check it - no mail relay at all

      3. I think the mail is coming from me - opening ESM\TOOLS\MESSAGE TRACKING shows that mail is coming from the Server. Maybe someone is spoofing me - but the Server is beyond the firewall, no https or other way of external access. What tool shall I use to discover if it is by spoofing or from within?

      I think that the main effort should now be to prevent '[email protected]' from sending any outbound mail, whether it is being sent 'right' from the Server or by spoofing

      Thanks



      • #4
        Re: [email protected] send spam mail

        [email protected] is usually caused by not having recipient filtering turned on.
        This means that your Exchange server is sending back NDRs when email is sent to non-valid recipients. Quite common.

        If the messages are coming from your server you can usually tell, because there will be lots of messages in the queues, because spammers' lists are not very clean. If you are using a smart host then the messages will be queuing there.

        Start by enabling recipient validation to begin with.
        http://www.amset.info/exchange/filter-unknown.asp
        Tarpit on its own doesn't stop this, unless you have also enabled recipient validation.

        If the server is being abused in this way then the messages will not show in message tracking because the messages are not passing through Exchange itself.

        Simon.
        --
        Simon Butler
        Exchange MVP

        Blog: http://blog.sembee.co.uk/
        More Exchange Content: http://exchange.sembee.info/
        Exchange Resources List: http://exbpa.com/
        In the UK? Hire me: http://www.sembee.co.uk/

        Sembee is a registered trademark, used here with permission.



        • #5
          Re: [email protected] send spam mail

          Thanks Sembee for your reply

          I had already turned on 'FILTER NON-EXISTENT USERS', together with a 5-second tarpit.

          It didn't 'suppress' that spammer - as the [email protected] sends spam mail from time to time to external addresses, from within the Server, I believe that filtering non-existent users, tarpit etc. will not help in such a case.

          Is there any configuration, tool or procedure that will prevent [email protected] from sending outbound mail - whether it is NDR mail or not?



          • #6
            Re: [email protected] send spam mail

            [email protected] are system delivery messages, and blocking them is not a good idea and doesn't actually deal with the problem, just the symptoms.

            Recipient filtering only works if you are using SMTP for delivery, not the POP3 connector.
            It also only works if Exchange is the primary entry point for email. If you have something in front of Exchange, such as an appliance, or a service like Postini then it is not effective.

            You need to verify whether the email is actually coming from your server. If your server is being abused, as I have already said, there will be email messages stuck in the queues.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.
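
The check described in replies #4 and #6 (are the queued postmaster messages NDRs for non-existent recipients?), as an added example that is not part of the original thread or of any Exchange tooling. It assumes the queued messages have been exported as RFC 822 text and that the NDRs are standard RFC 3464 delivery status notifications; `example.com` and the sample messages are constructed placeholders.

```python
import email.utils
from collections import Counter

LOCAL_DOMAIN = "example.com"  # assumption: placeholder for your own mail domain
# Constructed RFC 3464 sample, human-readable part omitted (not from a real server).
NDR = """From: postmaster@example.com
To: {to}
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; {bad}
Action: failed
Status: 5.1.1
--b1--
"""
PLAIN = "From: user@example.com\nTo: a@example.org\nSubject: hi\n\nhello\n"

def unknown_user_ndr(raw):
    """Return (ndr_target, [unknown local recipients]) for a 5.1.1 NDR, else None."""
    msg = email.message_from_string(raw)
    if msg.get_content_type() != "multipart/report":
        return None
    bad = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # one sub-message per DSN header block
            rcpt = (block.get("Final-Recipient") or "").split(";")[-1].strip().lower()
            if block.get("Status", "").strip() == "5.1.1" and rcpt.endswith("@" + LOCAL_DOMAIN):
                bad.append(rcpt)
    return (email.utils.parseaddr(msg["To"])[1], bad) if bad else None

def summarize(queue):
    """Tally NDR targets and the non-existent local addresses that triggered them."""
    targets, unknown, other = Counter(), Counter(), 0
    for raw in queue:
        hit = unknown_user_ndr(raw)
        if hit is None:
            other += 1
        else:
            targets[hit[0]] += 1
            unknown.update(hit[1])
    return targets, unknown, other
```

A queue dominated by 5.1.1 NDRs addressed to outside senders points to bounce generation for invalid recipients rather than mail composed on the server; a high `other` count means the queued mail needs a different explanation.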



            • #7
              Re: [email protected] send spam mail

              Sembee, thanks again for the kind help

              The problem has not been solved - and now there are several "new" troubles - 8213, 8231 event IDs etc.

              Maybe the problem is related to hardware malfunctions; if I do not succeed in solving those event errors, I will migrate ASAP to Exchange 2010 (new hardware)



              • #8
                Re: [email protected] send spam mail

                Hardware problems would not cause [email protected] email messages.
                And posting event IDs on their own is a waste of time. Most event IDs have numerous meanings.

                Simon.
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.
