SPAM Troubleshooting
  • SPAM Troubleshooting

    I am at a loss - maybe this group has something that will help.

    Exchange 2003 SP2 on SBS 2003 server. Running latest GFI MailEssentials.

    Since reconfiguring the GFI, the client seems pretty happy with the SPAM control.

    However, I have been getting a HUGE build-up of SMTP SmallBusiness Connectors. (This morning, there were 4650 of them!)

    Yes, there are a huge number of emails in the ...vs1\queues folder, and almost all of them were SPAM. I found a keyword and searched the folder, and deleted them (after stopping the SMTP service) and when I restarted the SMTP service afterward, the number of connectors was down to about 15 or 20.

    I am asking the group: how do I troubleshoot this? Where are the emails coming from, and why am I trying to SEND them out? I assume that the vs1\queue folder holds outgoing mail waiting to be sent, is that right? And the SMTP Connectors are just connections made recently to servers I am sending to - they either disappear on their own after a period of non-use, or stay there if there are messages waiting to use them in the queue.

    Do I understand that correctly?

    Don't even suggest an examination of the header information: there is no real indication of where the messages are really coming from. The headers must have been doctored to make them untraceable, a common SPAMmer's practice.

    I've been fighting this problem, for this client only, for months and every time I think it's cleared up, another blast hits them, gumming up their server, causing delays in delivery of real messages, and generally undermining my credibility with the client.

    Can anyone suggest what they'd do? I can't figure out how to use Wireshark to trace unusual amounts of Outlook/Exchange traffic within the LAN, otherwise it would be a simple matter to trace which workstation it's coming from.

    I have double-checked the Exchange settings, and am convinced it's not allowing relaying.

    If anyone knows of any decent documentation on how to get to the bottom of this, or any suggestions on any of it, I'd appreciate your input. There's lots of information out there on Exchange, but I can't find anything that helps with this. What am I missing?

    Thanks!

  • #2
    Re: SPAM Troubleshooting

    Either you are an open relay or authenticated relay. Have a look at the articles below from Simon Butler. They should help determine the root cause of your issue and the methods you need to use to troubleshoot.

    http://www.amset.info/exchange/smtp-openrelay.asp

    http://www.amset.info/exchange/smtp-relaysecure.asp



    • #3
      Re: SPAM Troubleshooting

      Sorry I didn't reply sooner - thanks for your reply.

      I will take a look at these.


      (Forum Moderator - I didn't receive the email notification when this posting received a reply.)



      • #4
        Re: SPAM Troubleshooting

        There's also the possibility of an internal problem - namely, one of your computers could be infected with something, so if scurlarunting's suggestions don't help, consider that...



        • #5
          Re: SPAM Troubleshooting

          Originally posted by rpelletier:

          (Forum Moderator - I didn't receive the email notification when this posting received a reply.)
          Notifications were broken for a few weeks of September. That has now been fixed.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: SPAM Troubleshooting

            I have the exact same problem with a SBS2003/Exchange2003 server. Seems that someone/something is happily using the server to send out SPAM. This results in being blacklisted.

            The server is not an open relay (tested that several times) and I have just tightened the authenticated relay (we have mobile users so can not totally disable that). I also disabled sending out NDRs.

            It would be nice if we were able to trace such a SPAM message back to its origin. But neither Exchange nor Windows is giving that information, I guess.

            If anyone has suggestions on how tracing could be possible please don't hesitate to add to this post.



            • #7
              Re: SPAM Troubleshooting

              These days, there is very little reason to have authenticated relaying turned on.
              For mobile users, deploy them with devices that support ActiveSync, or for laptops using RPC over HTTPS. No reason to use SMTP at all.

              As for tracing, what would be the point? A spammer doesn't use a system that can be traced back to them. All it will do is point you at the innocent party who has got some nasty on their machine, which they probably don't even know about.

              Disabling NDRs - that is not something I would recommend, and it simply deals with the symptoms, rather than the cause.

              It doesn't have to be an open relay, it could also be NDR spam. Recipient Filtering blocks those.

              Simon.
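The replies above name three distinct ways a server ends up pumping out spam (an open relay, abused authenticated relay credentials, and an infected workstation on the LAN submitting directly), and the original poster asked how to see where the mail is actually coming from. The quickest source of that answer on Exchange 2003 is the SMTP virtual server's own protocol log (enable logging on the SMTP virtual server in W3C Extended format; the files land under %SystemRoot%\System32\LogFiles\SMTPSVC1), not the doctored message headers. The script below is an added example, not code from the thread or from any of the posters: it reads such a log, keeps only RCPT TO commands the server accepted (status 250) for recipients outside the local domain (i.e. mail the server agreed to relay), and buckets them by client IP and authenticated user. The column layout, the LOCAL_DOMAINS and INTERNAL_NETS values and the sample log lines are all constructed assumptions; the parser reads the column names from the log's own #Fields: header, so a different layout only needs the #Fields: line to be correct.

```python
"""
Added example: bucket relayed mail seen in an IIS/Exchange 2003 SMTP virtual
server W3C log by how the relay was obtained. Assumptions: the log carries a
'#Fields:' header, anonymous sessions log cs-username as '-', and SMTP commands
appear as cs-method with their argument in cs-uri-query (spaces encoded as '+').
"""
import ipaddress
import re
from collections import Counter

# Assumed values for this illustration; set these to the client's own domains and LAN.
LOCAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample log (not from the poster's server): one internal host sending
# unauthenticated, one external host using a user's credentials, one external host
# delivering legitimate inbound mail plus a rejected relay attempt, and one external
# host whose relay attempt was accepted (what an open relay looks like in the log).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-10-01 08:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-10-01 08:00:01 192.168.1.57 - SMTPSVC1 SBS 192.168.1.2 25 MAIL - +FROM:<bob@example.com> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:01 192.168.1.57 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<x1@example.net> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:01 192.168.1.57 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<x2@example.org> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:02 192.168.1.57 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<x3@example.net> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:06 203.0.113.9 jsmith SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<y1@example.net> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:06 203.0.113.9 jsmith SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<y2@example.org> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:09 198.51.100.4 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<alice@example.com> 250 0 0 0 0 SMTP - - - -
2008-10-01 08:00:10 198.51.100.4 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<z@example.net> 550 0 0 0 0 SMTP - - - -
2008-10-01 08:00:12 198.51.100.77 - SMTPSVC1 SBS 192.168.1.2 25 RCPT - +TO:<w@example.net> 250 0 0 0 0 SMTP - - - -
"""


def parse_w3c(text):
    """Yield one dict per record, naming columns from the log's #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # truncated or malformed record: skip it rather than misalign columns
        yield dict(zip(fields, tokens))


def is_internal(ip_text):
    """True if the client address falls inside one of the assumed LAN ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def classify_relays(text):
    """Count accepted RCPT TO commands for non-local recipients per (client IP, user)
    and bucket them: credentials in use, unauthenticated LAN host, or open relay."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") != "RCPT" or rec.get("sc-status") != "250":
            continue  # only commands the server actually accepted count as relayed mail
        m = ADDR_RE.search(rec.get("cs-uri-query", ""))
        if not m or "@" not in m.group(1):
            continue
        domain = m.group(1).rsplit("@", 1)[1].lower()
        if domain in LOCAL_DOMAINS:
            continue  # inbound mail for our own domain is delivery, not relaying
        counts[(rec["c-ip"], rec["cs-username"])] += 1

    report = {"open_relay": [], "authenticated_relay": [], "internal_unauthenticated": []}
    for (ip, user), n in counts.most_common():
        if user != "-":
            bucket = "authenticated_relay"       # a mailbox password is being abused
        elif is_internal(ip):
            bucket = "internal_unauthenticated"  # a LAN host submitting directly: infected workstation?
        else:
            bucket = "open_relay"                # an outside host relayed without credentials
        report[bucket].append((ip, user, n))
    return report


if __name__ == "__main__":
    for bucket, rows in classify_relays(SAMPLE_LOG).items():
        for ip, user, n in rows:
            print(f"{bucket:25} {ip:15} {user:10} {n} accepted external recipients")
```

Run it against a real day's log instead of SAMPLE_LOG and the top row in each bucket is the machine or account to act on: an "authenticated_relay" entry means resetting that user's password, an "internal_unauthenticated" entry gives the workstation IP the poster wanted from Wireshark (confirm with the DHCP lease or a port scan for a mass-mailer listening locally), and any "open_relay" entry contradicts the belief that relaying is locked down and should be re-tested. A 550 on a RCPT from an outside host, as in the sample, is the relay restriction working and is deliberately left out of the counts.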
