Are we spamming? How do I check?


  • Are we spamming? How do I check?

    Hi all,

    We have an exchange 2003 server (server 2003, exchange version 6.5.7638.1) and it has been giving a lot of issues. Let me start from what I imagine is the beginning.

    I noticed about a month back that searching for emails in the message tracking centre takes a ridiculously long time. Example, it can take half an hour, even if you provide it with the id of the message in question. Then a further half hour to get into the details of that message.

    Shortly after that, our messages started being bounced back from some domains as containing "Abusive content". After a lot of faffing about, I turned off the disclaimer that gets added to our outgoing emails at firewall level and they started going out again.

    A day or so later, our ISP (who I had been talking to in the beginning when the blocking started) contacted me to say that spam emails had been issuing from our domain. Sure enough, our queue showed 1300 emails which couldn't go out. I don't know if this has been going on long term and they just started queuing up because of a change I made, or if a change I made opened us up to be abused like that. I removed any possibility of being used as a relay and deleted all the messages in question. The queuing of messages stopped, this was just in time for the weekend. I contacted our ISP again on Tuesday and Wednesday to check if we were still issuing spam, they have yet to issue a response.

    At the beginning of this week, however, users started receiving delayed delivery notifications for 10 or so domains. I am currently pushing them out over our ISP's smtp server to work around the issue, but it's not solved. Also, I cleared down our application log yesterday, but today it is filled with almost 50000 of the attached messages.

    Any idea where I could be missing something huge here? Apologies for the lack of detail, I don't know exchange very well, but if you tell me what you would like to see, I'll do my best to get it for you.


  • #2
    Re: Are we spamming? How do I check?

    Perhaps this article can be of some assistance.

    http://blog.sembee.co.uk/post/One-mo...isted-etc.aspx

    Also, check to see if you're blacklisted

    http://www.mxtoolbox.com/blacklists.aspx

    I hope those links help.

    Best of luck!



    • #3
      Re: Are we spamming? How do I check?

      Also

      http://www.amset.info/exchange/spam-cleanup.asp

      All credit for the 2 articles goes to Simon Butler...his contributions to the world of MS Exchange should not go unnoticed



      • #4
        Re: Are we spamming? How do I check?

        Originally posted by DKNUCKLES:
        Also

        http://www.amset.info/exchange/spam-cleanup.asp

        All credit for the 2 articles goes to Simon Butler...his contributions to the world of MS Exchange should not go unnoticed
        Thanks for the help - this link is the very one I followed to clear the issue in the first place. It looked to be successful, but those errors are still coming through in the application log. The second link, I will take a look at.

        MXtoolbox shows our IP to be clean. Reverse lookup goes back to ourselves, too. I did try adding an SPF record yesterday but it doesn't appear to be showing up yet.



        • #5
          Re: Are we spamming? How do I check?

          Originally posted by DKNUCKLES:
          Also

          http://www.amset.info/exchange/spam-cleanup.asp

          All credit for the 2 articles goes to Simon Butler...his contributions to the world of MS Exchange should not go unnoticed
          LOL don't worry, they don't go un-noticed... he's one of the staff members here
          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Are we spamming? How do I check?

            Your ISP said that spam was coming from your domain or your IP address? It might be worth checking firewall logs for outbound SMTP transmissions. Personally, I would block all outbound SMTP transmissions except ones coming from your email server, just to be safe.

            Check your client PCs for malware as well as the Exchange server itself. Sounds like one of your PCs is compromised and using the Exchange server as its own personal spam catapult.
            Wesley David
            LinkedIn | Careers 2.0
            -------------------------------
            Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
            Vendor Neutral Certifications: CWNA
            Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
            Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



            • #7
              Re: Are we spamming? How do I check?

              Unlikely to be a workstation using Exchange to send email. I have outlined why in one of the links above.

              If you have recently cleaned up the server, then there is a chance there is still some bad email going through the system or being logged. A major infestation can take a considerable time to clear.

              Do you route email out through your ISP as smart host on an SMTP connector, or direct?
              If smart host, then the issue is hard to spot because it is throwing the email straight out.
              Did you actually find how the server was being abused? Open relay, authenticated relay or NDR spam?

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.



              • #8
                Re: Are we spamming? How do I check?

                Originally posted by Wired:
                LOL don't worry, they don't go un-noticed... he's one of the staff members here
                Staff? Does that mean I get paid then?

                Or is this like the old saying - Dogs have owners, cats have staff?

                S
                --
                Simon Butler
                Exchange MVP

                Blog: http://blog.sembee.co.uk/
                More Exchange Content: http://exchange.sembee.info/
                Exchange Resources List: http://exbpa.com/
                In the UK? Hire me: http://www.sembee.co.uk/

                Sembee is a registered trademark, used here with permission.



                • #9
                  Re: Are we spamming? How do I check?

                  Originally posted by Sembee:
                  Unlikely to be a workstation using Exchange to send email. I have outlined why in one of the links above.

                  If you have recently cleaned up the server, then there is a chance there is still some bad email going through the system or being logged. A major infestation can take a considerable time to clear.

                  Do you route email out through your ISP as smart host on an SMTP connector, or direct?
                  If smart host, then the issue is hard to spot because it is throwing the email straight out.
                  Did you actually find how the server was being abused? Open relay, authenticated relay or NDR spam?

                  Simon.
                  We mainly push the email out directly. I have an SMTP connection using the ISP as host in place for 'problematic' domains. The ones who are delaying now appear to send if I push them through the problem domain route.

                  When I was following your guide (thanks, by the way), I did make some changes - I thought that we'd had relaying blocked down to all but authenticated users (we wanted it this way due to smartphones and travelling staff), but the application logs showed emails originating outside our domain. I've now shut off relaying altogether (I think!! - well, I can't get it to work on the phones, so that's a good sign!!).

                  Sorry if my answers appear vague, it's because I find the whole thing very confusing

                  I had also ruled out a local machine being infested. There are only two machines on our domain which have smtp ports open on the firewall and both are clean (we do all go out over the one IP, so that would have been a realistic answer to the issue), plus your link posted earlier seemed to indicate that it was very unlikely they were doing it through the server.

                  It is only last week I cleaned it down, so maybe it's a throwback from that. Here's hoping, because I'm out of ideas



                  • #10
                    Re: Are we spamming? How do I check?

                    Originally posted by Nonapeptide:
                    Your ISP said that spam was coming from your domain or your IP address? It might be worth checking firewall logs for outbound SMTP transmissions. Personally, I would block all outbound SMTP transmissions except ones coming from your email server, just to be safe.

                    Check your client PCs for malware as well as the Exchange server itself. Sounds like one of your PCs is compromised and using the Exchange server as its own personal spam catapult.
                    ISP said it was coming from our IP address. They sent me the following:

                    20100701 14:23:15.334 messages id=cdNs1e00811Ed6W01dNvq0 action=REJECT wf=smtp:6:4 smtp=DATA:552 ip=XX.XX.XX.XX from="[email protected]" to="[email protected]" size=1705 filters="RBL ZEN: 0.00, pb4s[NOMATCH], cmae_smtp_6[100], cmae_smtp_6[100]"

                    I will make the change you suggested and block SMTP traffic at firewall level - it's already blocked for all bar 2, though, and those machines are clean.



                    • #11
                      Re: Are we spamming? How do I check?

                      it's already blocked for all bar 2, though, and those machines are clean.
                      Hello Quackles and everyone else.
                      I would humbly suggest that you review your SMTP server log on the exchange server. It will give you an idea about whether it is the machine spreading spam or not.
                      Regarding the two machine exceptions and SMTP relay:
                      It is generally wise to permit only the exchange server out on port 25. Make the other two go through the exchange as relay. BLOCK all SMTP relay on the SMTP virtual server by selecting "only the list below" and deselecting the "Allow all computers which successfully authenticate to relay, regardless of the list above" tick box. Add your two computer exceptions to the list.
                      Most of all, be suspicious of "all access" computers, like those that are opened in the FW by "allow all to any" rule. Go to your firewall logs and filter by SMTP protocol, exclude the exchange from the list and check who else is sending SMTP traffic.
                      Last but not least - make sure that beside your last "drop" rule in the FW, all other rules are LOGGED. You can't find any data in the FW logs if it's not writing them, can you?
                      Attached Files
                      Last edited by venom83; 9th July 2010, 14:01.
                      Regards,
                      Leonid

                      MCSE 2003, MCITP EA, VCP4.
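The firewall-log check Leonid describes (filter by SMTP, exclude the Exchange server, see who else is talking on port 25) as an added example; this is not code from the thread or from any of its participants. It assumes a plain space-separated firewall log export (the sample lines are constructed), a LAN of 192.168.1.0/24 and the Exchange server at 192.168.1.247, the server address that appears in the SMTP log quoted in this thread. Real firewall exports differ, so `parse_line()` is the part to adapt.

```python
"""Who on the LAN is talking to TCP/25 besides the mail server?

Added example, not code from the thread. Assumes a simple space-separated
firewall log export (the sample lines below are constructed); real
firewall exports differ, so adapt parse_line() to yours. Assumed site
layout: LAN 192.168.1.0/24, Exchange server at 192.168.1.247.
"""
import ipaddress
from collections import Counter, defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
EXCHANGE_IP = "192.168.1.247"                  # assumed: the only host allowed out on 25
SMTP_PORTS = {25, 465, 587}                    # submission ports count too

# Constructed sample: date time action proto src_ip:port dst_ip:port rule
SAMPLE_FW_LOG = """\
2010-07-09 15:10:01 ACCEPT TCP 192.168.1.247:51234 203.0.113.25:25 mail-out
2010-07-09 15:10:03 ACCEPT TCP 192.168.1.247:51235 198.51.100.32:25 mail-out
2010-07-09 15:10:05 ACCEPT TCP 192.168.1.58:1044 203.0.113.9:25 allow-any
2010-07-09 15:10:06 ACCEPT TCP 192.168.1.58:1045 198.51.100.77:25 allow-any
2010-07-09 15:10:07 ACCEPT TCP 192.168.1.58:1046 192.0.2.200:25 allow-any
2010-07-09 15:10:09 ACCEPT TCP 192.168.1.12:3201 192.0.2.80:443 allow-any
2010-07-09 15:10:11 DROP   TCP 192.168.1.31:2222 198.51.100.5:25 default-drop
2010-07-09 15:10:12 ACCEPT TCP 192.168.1.247:51236 198.51.100.5:25 mail-out
"""


def parse_line(line):
    """Split one sample-format line into a dict; returns None for junk."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, action, proto, src, dst, rule = parts[:7]
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"when": f"{date} {time}", "action": action.upper(), "proto": proto.upper(),
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port), "rule": rule}


def is_outbound_smtp(rec):
    """LAN host -> non-LAN host on an SMTP port."""
    return (rec["proto"] == "TCP" and rec["dst_port"] in SMTP_PORTS
            and ipaddress.ip_address(rec["src_ip"]) in LAN
            and ipaddress.ip_address(rec["dst_ip"]) not in LAN)


def find_rogue_smtp_senders(log_text, exchange_ip=EXCHANGE_IP):
    """Return {'accepted': {host: distinct_destinations}, 'dropped': {host: count}}
    for every LAN host other than the mail server that reached (or tried to
    reach) an outside SMTP port. Many distinct destinations from one desktop
    is the shape a spam bot leaves behind."""
    accepted = defaultdict(set)
    dropped = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_outbound_smtp(rec) or rec["src_ip"] == exchange_ip:
            continue
        if rec["action"] == "ACCEPT":
            accepted[rec["src_ip"]].add(rec["dst_ip"])
        else:
            dropped[rec["src_ip"]] += 1
    return {"accepted": {h: len(d) for h, d in accepted.items()},
            "dropped": dict(dropped)}


if __name__ == "__main__":
    result = find_rogue_smtp_senders(SAMPLE_FW_LOG)
    for host, n in result["accepted"].items():
        print(f"{host}: reached {n} outside SMTP host(s) - not the mail server, investigate")
    for host, n in result["dropped"].items():
        print(f"{host}: {n} blocked SMTP attempt(s) - rule works, but why is it trying?")
```

Dropped connections are worth listing too: a host that keeps hitting a deny rule on port 25 is still trying to send, which is exactly the "it's blocked but why" question Leonid's last point (log every rule, not just the final drop) lets you answer.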



                      • #12
                        Re: Are we spamming? How do I check?

                        Ah, and best of luck - I've been there and it's not a good feeling.
                        Hope you'll find your solution quickly.
                        Last edited by venom83; 9th July 2010, 16:04.
                        Regards,
                        Leonid

                        MCSE 2003, MCITP EA, VCP4.



                        • #13
                          Re: Are we spamming? How do I check?

                          Originally posted by Sembee:
                          Does that mean I get paid then?
                          We get paid in have one on me
                          Andrew

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **



                          • #14
                            Re: Are we spamming? How do I check?

                            Originally posted by venom83:
                            Hello Quackles and everyone else.
                            I would humbly suggest that you review your SMTP server log on the exchange server. It will give you an idea about whether it is the machine spreading spam or not.
                            Regarding the two machine exceptions and SMTP relay:
                            It is generally wise to permit only the exchange server out on port 25. Make the other two go through the exchange as relay. BLOCK all SMTP relay on the SMTP virtual server by selecting "only the list below" and deselecting the "Allow all computers which successfully authenticate to relay, regardless of the list above" tick box. Add your two computer exceptions to the list.
                            Most of all, be suspicious of "all access" computers, like those that are opened in the FW by "allow all to any" rule. Go to your firewall logs and filter by SMTP protocol, exclude the exchange from the list and check who else is sending SMTP traffic.
                            Last but not least - make sure that beside your last "drop" rule in the FW, all other rules are LOGGED. You can't find any data in the FW logs if it's not writing them, can you?
                            Ok, I double checked the settings as shown in your screenshot, they equal mine. I turned on SMTP logging and I am seeing some entries like these:

                            2010-07-09 15:15:02 82.44.155.111 virginmedia.com SMTPSVC1 EMAILSRV 192.168.1.247 0 EHLO - +virginmedia.com 250 0 312 20 0 SMTP - - - -
                            2010-07-09 15:15:02 82.44.155.111 virginmedia.com SMTPSVC1 EMAILSRV 192.168.1.247 0 MAIL - +FROM:<[email protected]> 250 0 53 50 0 SMTP - - - -
                            2010-07-09 15:15:02 82.44.155.111 virginmedia.com SMTPSVC1 EMAILSRV 192.168.1.247 0 QUIT - virginmedia.com 240 281 53 50 78 SMTP - - - -
                            2010-07-09 15:15:44 124.11.137.105 tfn.net.tw SMTPSVC1 EMAILSRV 192.168.1.247 0 EHLO - +tfn.net.tw 250 0 313 15 0 SMTP - - - -
                            2010-07-09 15:15:44 124.11.137.105 tfn.net.tw SMTPSVC1 EMAILSRV 192.168.1.247 0 MAIL - +FROM:<[email protected]> 250 0 48 45 0 SMTP - - - -
                            2010-07-09 15:15:44 124.11.137.105 tfn.net.tw SMTPSVC1 EMAILSRV 192.168.1.247 0 QUIT - tfn.net.tw 240 1250 48 45 359 SMTP - - - -

                            I don't like the looks of the email addresses in question. Can I tell where the problem originates from this?

                            As for logging on the firewall... I'm afraid it wouldn't be great...
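A way to read entries like those, as an added example (not code from the thread, from Exchange, or from any participant): in the W3C log layout the c-ip column is the remote host, and the argument after EHLO is the identity that host claimed for itself when it connected (RFC 5321), so a group of lines from one c-ip is one remote client's session with the server. The script parses that layout, groups lines into sessions and labels each one: sender announced but no recipient ever named, recipient outside your domains refused or (much worse) accepted, or an ordinary inbound delivery. It assumes a LAN of 192.168.1.0/24, that the server accepts mail for example.co.uk, and the IIS default field order when a log carries no `#Fields:` header; the sample lines are constructed in the thread's format with example.* names.

```python
"""Sessionise an Exchange 2003 / IIS SMTP virtual server log (W3C format).

Added example, not code from the thread. Groups lines like the ones quoted
above into per-client sessions and labels the shapes that matter when you
suspect abuse. Sample lines are constructed (example.* names) in the
thread's log layout. LAN, LOCAL_DOMAINS and DEFAULT_FIELDS are assumptions;
a real log declares its layout in a '#Fields:' header, which parse_log() honours.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal network
LOCAL_DOMAINS = {"example.co.uk"}              # assumed: domains this server accepts mail for
DEFAULT_FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
                  "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
                  "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
                  "cs(Cookie) cs(Referer)").split()
ADDR_RE = re.compile(r"<([^>]*)>")

SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2010-07-09 15:15:02 203.0.113.45 mail.example.net SMTPSVC1 EMAILSRV 192.168.1.247 0 EHLO - +mail.example.net 250 0 312 20 0 SMTP - - - -
2010-07-09 15:15:02 203.0.113.45 mail.example.net SMTPSVC1 EMAILSRV 192.168.1.247 0 MAIL - +FROM:<bulk@example.net> 250 0 53 50 0 SMTP - - - -
2010-07-09 15:15:02 203.0.113.45 mail.example.net SMTPSVC1 EMAILSRV 192.168.1.247 0 QUIT - mail.example.net 240 281 53 50 78 SMTP - - - -
2010-07-09 15:15:44 198.51.100.9 relay.example.org SMTPSVC1 EMAILSRV 192.168.1.247 0 EHLO - +relay.example.org 250 0 313 15 0 SMTP - - - -
2010-07-09 15:15:44 198.51.100.9 relay.example.org SMTPSVC1 EMAILSRV 192.168.1.247 0 MAIL - +FROM:<offers@example.org> 250 0 48 45 0 SMTP - - - -
2010-07-09 15:15:44 198.51.100.9 relay.example.org SMTPSVC1 EMAILSRV 192.168.1.247 0 RCPT - +TO:<victim@example.com> 550 0 49 45 0 SMTP - - - -
2010-07-09 15:15:45 198.51.100.9 relay.example.org SMTPSVC1 EMAILSRV 192.168.1.247 0 QUIT - relay.example.org 240 900 49 45 120 SMTP - - - -
2010-07-09 15:16:10 192.0.2.77 mx.example.com SMTPSVC1 EMAILSRV 192.168.1.247 0 EHLO - +mx.example.com 250 0 312 18 0 SMTP - - - -
2010-07-09 15:16:10 192.0.2.77 mx.example.com SMTPSVC1 EMAILSRV 192.168.1.247 0 MAIL - +FROM:<alice@example.com> 250 0 53 40 0 SMTP - - - -
2010-07-09 15:16:10 192.0.2.77 mx.example.com SMTPSVC1 EMAILSRV 192.168.1.247 0 RCPT - +TO:<bob@example.co.uk> 250 0 50 42 0 SMTP - - - -
2010-07-09 15:16:11 192.0.2.77 mx.example.com SMTPSVC1 EMAILSRV 192.168.1.247 0 DATA - - 250 0 120 2048 200 SMTP - - - -
2010-07-09 15:16:11 192.0.2.77 mx.example.com SMTPSVC1 EMAILSRV 192.168.1.247 0 QUIT - mx.example.com 240 1200 120 2048 250 SMTP - - - -
"""


def parse_log(text):
    """Yield one dict per data line, keyed by the log's declared field names."""
    fields = DEFAULT_FIELDS
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#"):
            parts = raw.split()
            if len(parts) == len(fields):       # skip lines that don't fit the layout
                yield dict(zip(fields, parts))


def sessionise(records):
    """Group records into sessions per client IP; EHLO/HELO opens one, QUIT closes it."""
    open_sessions, finished = {}, []
    for rec in records:
        ip, verb = rec["c-ip"], rec["cs-method"].upper()
        arg = rec["cs-uri-query"].lstrip("+")
        sess = open_sessions.get(ip)
        if sess is None or verb in ("EHLO", "HELO"):
            if sess is not None:
                finished.append(sess)
            sess = open_sessions[ip] = {"client": ip, "start": f"{rec['date']} {rec['time']}",
                                        "helo": None, "mail_from": None, "rcpt": [], "verbs": []}
        sess["verbs"].append(verb)
        addr = ADDR_RE.search(arg)
        if verb in ("EHLO", "HELO"):
            sess["helo"] = arg                  # the client's own claimed identity
        elif verb == "MAIL":
            sess["mail_from"] = addr.group(1) if addr else arg
        elif verb == "RCPT":                    # keep the server's reply: 250 accepted, 550 refused
            sess["rcpt"].append((addr.group(1) if addr else arg, rec["sc-status"]))
        elif verb == "QUIT":
            finished.append(open_sessions.pop(ip))
    return finished + list(open_sessions.values())


def classify(sess):
    """Label a session. 'relay-accepted' from an outside client means you are an open relay."""
    external = ipaddress.ip_address(sess["client"]) not in LAN
    if sess["mail_from"] is not None and not sess["rcpt"]:
        return "probe"                          # named a sender, never a recipient, then quit
    foreign = [(a, st) for a, st in sess["rcpt"]
               if a.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
    if external and foreign:
        return "relay-accepted" if any(st == "250" for _, st in foreign) else "relay-rejected"
    if sess["rcpt"]:
        return "inbound-delivery" if external else "local-submission"
    return "no-mail"


def analyse(text):
    """Parse, sessionise and label; returns session dicts with a 'label' key."""
    return [dict(s, label=classify(s)) for s in sessionise(parse_log(text))]


if __name__ == "__main__":
    for s in analyse(SAMPLE_LOG):
        print(f"{s['start']} {s['client']:<15} helo={str(s['helo']):<20} "
              f"from={s['mail_from']} rcpt={len(s['rcpt'])} -> {s['label']}")
```

Sessions that stop at MAIL FROM, like the two quoted in the post, are connections made to the server that never named a recipient; on their own they show remote hosts knocking, not the server sending. The label to hunt for is `relay-accepted`: an outside client handing the server a recipient in a domain it does not host and getting 250 back.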



                            • #15
                              Re: Are we spamming? How do I check?

                              Look, you really should first confirm that you approach this from the right angle and analyze the FW logs first to confirm that the spam is actually coming from the Exchange server. If you can't for technical abilities of the FW (or lack of them), let's focus on what we do know:
                              You are certain that there is no relay possible on the exchange server; it means that the spam originates from one of the mailboxes, being sent via MAPI. In this case the spam must (I think) come from one of your legitimate mailboxes; so you can look in the mail flow and try to locate the malicious sender.
                              I am not a specialist on this matter, however I've never seen spam agent using a MAPI; most often, it's an SMTP engine. It's either an Exchange relay or a computer able to connect outside via direct SMTP connection. Give your FW log a try or maybe even your router. What kind of equipment do you have over there?

                              Regards,
                              Leonid

                              MCSE 2003, MCITP EA, VCP4.
