Possible authenticated relay or spam


  • Possible authenticated relay or spam

    I have an SBS 2003 server with Exchange. In August we migrated the email from being hosted externally and popping from the Exchange server to hosting email internally. (small office, 8 users)

    A couple weeks ago users reported occasional NDR issues (relay access denied) but if they immediately resent the message it went through. Looking at the transactions in ESM I noticed a very high volume of incoming spam messages to one user. Also noticed a very high volume of outgoing "postmaster@" emails going out of the administrator mailbox.

    Also, my backup server found a virus in the "badmail" folder of the Exchange server (oddly enough, Trend did not find the virus when scanning from the Exchange server, only when the backup server scans the folder as a mapped drive). The virus is the "UPS Invoice". (this is cleared up after filters applied for Reverse DNS attacks).

    I checked, double and triple checked to make sure the exchange server was not setup as an open relay. It is not.

    I setup filters so that we aren't getting Reverse NDR attack.

    I setup logging to check for an authenticated Relay attack.

    Filtering for reverse NDR eliminated the "Postmaster@" emails, which reduced my outbound volume.

    I still have this one user who is receiving an extraordinarily high volume of incoming spam email. But this is where it gets weird. Of the 700+ emails delivered through the Exchange server (every one shows as delivered to the local store in the MTC), only about 30 actually show up in the inbox of the user. I checked her junk mail folders, deleted folders, etc. and I cannot find those messages. I do not know where they are going.

    I also ran virus/spyware/malware scans on her computer yesterday, found some items that have all been cleared and repeated scans are showing clean.

    I am at a loss on this high volume of incoming emails that show being delivered to the local inbox but are not showing in the inbox and how to stop the spam.

    Any input would greatly be appreciated.
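The two symptoms described in the post (one mailbox flooded with inbound mail, and outbound "postmaster@" NDRs to addresses that never wrote to the server, i.e. backscatter from a reverse NDR attack) can be pulled out of a message tracking export with a short script. This is an added example, not code from the thread; the log layout, domain and addresses below are constructed, and real Exchange 2003 tracking logs have more columns than the five assumed here.

```python
"""Flag backscatter (reverse NDR) and per-recipient spam floods in
Exchange-style message tracking records (added example, not from the thread).
The log layout is a constructed, simplified tab-separated format:
date, time, sender, recipient, direction. Real Exchange 2003 tracking logs
carry more columns, so adjust the field indexes for a real file.
"""
from collections import Counter

# Constructed sample: a flood of inbound mail to one mailbox, plus NDRs
# leaving from postmaster@ to addresses that never sent us anything.
SAMPLE_LOG = """\
2009-10-05\t08:01:02\tjunk1@example.net\tuser1@corp.example\tinbound
2009-10-05\t08:01:03\tjunk2@example.net\tuser1@corp.example\tinbound
2009-10-05\t08:01:04\tjunk3@example.net\tuser1@corp.example\tinbound
2009-10-05\t08:01:05\tjunk4@example.net\tuser1@corp.example\tinbound
2009-10-05\t08:02:00\tpartner@example.org\tuser2@corp.example\tinbound
2009-10-05\t08:02:10\tpostmaster@corp.example\tforged1@example.net\toutbound
2009-10-05\t08:02:11\tpostmaster@corp.example\tforged2@example.net\toutbound
2009-10-05\t08:02:12\tpostmaster@corp.example\tforged3@example.net\toutbound
2009-10-05\t08:03:00\tuser2@corp.example\tpartner@example.org\toutbound
"""

def parse_records(text):
    """Yield (sender, recipient, direction), skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _date, _time, sender, recipient, direction = line.split("\t")
        yield sender.lower(), recipient.lower(), direction

def analyze(text, flood_threshold=3, local_domain="corp.example"):
    """Return (flooded recipients, outbound postmaster count, backscatter targets)."""
    inbound = Counter()
    postmaster_out = 0
    ndr_targets = set()
    known_senders = set()
    for sender, recipient, direction in parse_records(text):
        if direction == "inbound" and recipient.endswith("@" + local_domain):
            inbound[recipient] += 1
            known_senders.add(sender)
        elif direction == "outbound" and sender.startswith("postmaster@"):
            postmaster_out += 1
            ndr_targets.add(recipient)
    flooded = {r: n for r, n in inbound.items() if n >= flood_threshold}
    # NDRs to addresses that never sent us mail are backscatter candidates.
    backscatter = sorted(ndr_targets - known_senders)
    return flooded, postmaster_out, backscatter

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A non-empty backscatter list is the signal that the server is bouncing mail for forged senders rather than rejecting it at SMTP time, which is what the recipient/sender filtering the post mentions is meant to stop.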

  • #2
    Re: Possible authenticated relay or spam

    Update. User has been out of the office all day. I tapped into her account and every email that was logged in the transaction logs is currently sitting in her inbox. She either has a rule or is manually permanently deleting emails and has been lying to me and her supervisor about it.

    For the record - user was asked to leave her computer powered on the other night so I could run virus scans on the system after hours. She powered it off. Next morning her supervisor asked her to leave it on during the day while she was out of the office so that I could perform the scans while she was offsite - instead, she took the laptop with her. We suspected the user was hiding something.

    Resolution - I am deleting the user's email account and recreating a new one. (I could just create a new alias and delete the old primary, but given the junk in the inbox, I'm forcing a cleanup by deleting the entire mailbox.)