Exchange server is being spammed :s


  • Exchange server is being spammed :s

    Hi,

    I'm in a bit of an issue at the minute. I have a SBS2003 standard server installed, been purring away nicely for the last 2 years.

    Noticed a lot of disk activity recently and had a look around. Checked in puremessage and it said it had scanned 56000 messages just today!!! Our server normally scans around 500 messages a day at max.

    I had a look in SMTP sessions and noticed an IP that kept trying to connect. I googled it (82.128.7.251) and some of the results make it look like a spam IP.

    I next had a look in the Exchange queue and noticed 1520 messages waiting, all look like spam. I've paused this queue and paused all SMTP sessions.

    It looks like this server wasn't secure enough and our IP may have been blacklisted in some places already.

    Any ideas where to start cleaning up this mess?

    Many thanks

  • #2
    Re: Exchange server is being spammed :s

    Sorry, are you being targeted with spam or are you sending (or relaying) it?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Exchange server is being spammed :s

      Sorry for not being clear, English was never my strongest subject!!

      The server is being used to send out spam emails. I've just been looking around and I think it's an NDR attack. Would you recommend I follow this link?

      http://www.amset.info/exchange/spam-cleanup.asp

      Thanks for your help



      • #4
        Re: Exchange server is being spammed :s

        Looks a good starting point
        Tom Jones


        • #5
          Re: Exchange server is being spammed :s

          Hey,

          I've checked the server wasn't an open relay. It isn't, and the settings for the server are already set up to stop NDR attacks.

          Currently I've had to block all SMTP in the router. As soon as I enable it, that IP starts connecting a session; it had 4 going at one point. The queue starts to fill up again.

          About 99% of the emails that are in the queue are [email protected]. My router doesn't have the facility to block all communications from that IP address.

          Any pointers would be a great help, thanks.



          • #6
            Re: Exchange server is being spammed :s

            Just an update to the previous reply. I have in fact blocked that IP address at the router level, but things still are not good.

            I've paused the SMTP virtual server, yet the queue keeps getting longer. Is it possible this is being caused by a nasty installed on the server?



            • #7
              Re: Exchange server is being spammed :s

              If it is [email protected] then it is NDR spam.

              The queues will appear to continue to grow because Exchange is still processing them. A spammer will dump a lot of messages on to a server because they can and then Exchange has to process them in to the queues. It makes a mess and takes some time to clean up. I would suggest leaving the port closed until you have finished cleaning it up.

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.
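
The pattern discussed in this thread (a queue made up almost entirely of messages from one system sender) can be checked with a short script. This is an added example, not part of any poster's reply: the CSV layout, the addresses, the `triage_queue` name and the 0.8 alert threshold are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample of a queue listing. The CSV layout is hypothetical,
# not a format Exchange produces; transcribe the queue view to match it.
SAMPLE_QUEUE = """sender,recipient
postmaster@mail.example,k.ito@alpha.example
postmaster@mail.example,sales@bravo.example
postmaster@mail.example,info@charlie.example
postmaster@mail.example,x9921@delta.example
<>,webmaster@echo.example
postmaster@mail.example,jobs@foxtrot.example
postmaster@mail.example,admin@golf.example
postmaster@mail.example,news@hotel.example
postmaster@mail.example,hr@india.example
alice@mail.example,supplier@juliet.example
"""

def triage_queue(csv_text, system_senders, local_domains, share_alert=0.8):
    """Summarise a queue listing and flag an NDR flood (backscatter) pattern."""
    # The null reverse-path "<>" is what bounces normally carry, so it always
    # counts as a system sender alongside the addresses passed in.
    system = {s.lower() for s in system_senders} | {"<>", ""}
    local = {d.lower() for d in local_domains}
    total = bounces = 0
    targets = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        total += 1
        sender = row["sender"].strip().lower()
        rcpt_domain = row["recipient"].strip().lower().rpartition("@")[2]
        # Server-generated mail addressed to an outside domain: a bounce going
        # back to whatever (probably forged) sender the inbound message claimed.
        if sender in system and rcpt_domain not in local:
            bounces += 1
            targets[rcpt_domain] += 1
    share = bounces / total if total else 0.0
    return {
        "total": total,
        "bounces": bounces,
        "bounce_share": round(share, 2),
        "target_domains": len(targets),
        "top_targets": targets.most_common(3),
        "ndr_flood": total > 0 and share >= share_alert,
    }

if __name__ == "__main__":
    print(triage_queue(SAMPLE_QUEUE, ["postmaster@mail.example"], ["mail.example"]))
```

A high bounce share spread across many unrelated target domains points to the server generating NDRs for junk it accepted, rather than to mail originating from local users.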



              • #8
                Re: Exchange server is being spammed :s

                Originally posted by Sembee
                If it is [email protected] then it is NDR spam.

                The queues will appear to continue to grow because Exchange is still processing them. A spammer will dump a lot of messages on to a server because they can and then Exchange has to process them in to the queues. It makes a mess and takes some time to clean up. I would suggest leaving the port closed until you have finished cleaning it up.

                Simon.
                Hi Simon,

                Thanks for the reply,

                The port is blocked, but when I go into ESM, admin groups, servers, <servername>, Queues, the queues are getting longer. Is this Exchange trying to resend things, hence the queue getting longer? Or is it something else creating them?

                Many thanks



                • #9
                  Re: Exchange server is being spammed :s

                  This blog posting of mine explains what has probably happened.
                  http://blog.sembee.co.uk/post/One-mo...isted-etc.aspx

                  Unlikely to be something inside. It is simply Exchange processing the messages.

                  Simon.


                  • #10
                    Re: Exchange server is being spammed :s



                    Any idea on how to delete each queue quickly, or will it be a case of going into each one to delete the messages? There are over 1000.

                    Many thanks



                    • #11
                      Re: Exchange server is being spammed :s

                      The article that was provided above on my web site at amset.info provides a technique to remove the content.

                      Simon.