Spam From Internal Email Addresses

  • Spam From Internal Email Addresses

    We have started receiving some spam emails from valid email addresses within our Exchange environment which are obviously SPAM. This has never happened before and I've received reports from 3 users already. Does anyone know what may have happened? We use Exchange 2000 Server and Microsoft Outlook as the email client. Our Exchange server is also a domain controller.

  • #2
    Re: Spam From Internal Email Addresses

    I am receiving similar reports on one of my servers and have been blacklisted by spamcop.net as a result.

    Relaying authentication is set to only computers that authenticate to the server and I have now implemented stronger password policies.

    I have also done scans available at http://www.grc.com which my server passes, run Microsoft Exchange best practices, and Microsoft base security analyser but can't pinpoint the culprit. Email in the queues often shows the spam is coming from [email protected]

    Any ideas? I will continue to work on this and update this post.

    Thanks,

    LG



    • #3
      Re: Spam From Internal Email Addresses

      I'm more than slightly worried that our exchange server has been compromised in some way and I haven't done checks as much as you've done but one thing I know is that Relaying authentication is set to only computers that authenticate to the server. I did go to the website link posted by LG and I can't figure out which utility I'm supposed to use to perform the scan.



      • #4
        Re: Spam From Internal Email Addresses

        It may not be your exchange server that is causing the problem.

        Have you virus scanned your clients to ensure that none of these are sending mails??



        • #5
          Re: Spam From Internal Email Addresses

          I haven't done this and I promise that that will be my next move. Also, I've noticed that some of the FROM: email addresses have the first part spoofed, i.e. [email protected]; the 'something' is a name that doesn't exist in our organisation but the email is received anyway. And in other cases, like previously explained, it is a valid name.



          • #6
            Re: Spam From Internal Email Addresses

            Originally posted by pdania
            I haven't done this and I promise that that will be my next move. Also, I've noticed that some of the FROM: email addresses have the first part spoofed, i.e. [email protected]; the 'something' is a name that doesn't exist in our organisation but the email is received anyway. And in other cases, like previously explained, it is a valid name.

            You would probably be best stopping all traffic to port 25 on your firewall until you can resolve this.

            I would definitely start a virus scan before you do anything else to your mail server. Also run a scan on it. Please don't do it on the M:\ though.



            • #7
              Re: Spam From Internal Email Addresses

              Hi pdania,

              The utilities you should try are ShieldsUP! and the spam me utility found at https://www.grc.com/x/ne.dll?rh1dkyd2

              This should let you know if spam is getting through to your server.

              Thanks,

              Liam



              • #8
                Re: Spam From Internal Email Addresses

                This has gone up a notch now and I hope we can do something before it becomes drastic. Our sister organisation is no longer accepting emails from us but they can send to us, but even if we do a reply to their email, we get NDRs from MessageLabs saying the message could not be delivered. Please someone help!



                • #9
                  Re: Spam From Internal Email Addresses

                  Originally posted by pdania
                  This has gone up a notch now and I hope we can do something before it becomes drastic. Our sister organisation is no longer accepting emails from us but they can send to us, but even if we do a reply to their email, we get NDRs from MessageLabs saying the message could not be delivered. Please someone help!

                  Have you disconnected your Exchange box from the internet?

                  This may help to stem the flood of spam.

                  Have you virus scanned the clients yet?

                  What diagnostics have you done since the last time you posted?



                  • #10
                    Re: Spam From Internal Email Addresses

                    Hello,
                    Use Message Tracking Center from System Manager combined with SMTP virtual server logging to identify the sending host.
                    I don't think that your Exchange server is infected.
                    It is just accepting emails sent to your SMTP domain by an infected source.
                    Find out the IP of the sender and isolate it ASAP.
                    Last edited by netxt; 26th May 2006, 09:43.
                    Regards,
                    Csaba Papp
                    MCSA+messaging, MCSE, CCNA



                    • #11
                      Re: Spam From Internal Email Addresses

                      Thanks guys!! Sorry about the late update, I'm still trying to work out why certain MessageLabs customers are blocking our emails. Anyway, the short story is that I found that our Exchange server was an open relay and closed it. This was at about 2200 last night, but we'd already started getting this:

                      SMTP error from remote mailer after end of data:
                      host cluster2.eu.messagelabs.com [193.109.255.147]:
                      553-Message filtered. Please see the FAQs section on spam
                      553-at http://www.messagelabs.com/support/ for more
                      553 information. (#5.7.1)

                      from all MessageLabs customers. At present I'm trying to resolve this issue because some of these domains we can't send emails to are people who our users need to work with. Thankfully, this morning, after I'd closed the relay last night, none of our users received any SPAM in their Exchange mailboxes apart from some mailboxes that are advertised on our public website.

                      At the moment, MessageLabs have asked me to speak to their client, who are our sister organisation. I've done this and they're chasing. I hope the lack of SPAM has something to do with the relay being closed. I did a scan using Sophos AV on our EX Srv and there was nothing.



                      • #12
                        Re: Spam From Internal Email Addresses

                        "You would probably be best stopping all traffic to port 25 on your firewall until you can resolve this.

                        I would definitely start a virus scan before you do anything else to your mail server. Also run a scan on it. Please don't do it on the M:\ though."

                        I found out that our Exchange server was doing "bad relaying": I could send from my hotmail account to my wanadoo account using telnet. This setting is under the connector properties under address space. This box should never be ticked according to Microsoft, so I unticked it. Since then, I've checked with users and the usual suspects have not received any SPAM today. The problem we are still having is that we cannot send to domains that use MessageLabs as their email filter. Even this is a bit intermittent; for example, when I send an email to my wife, whose company uses MessageLabs, I get an NDR, but if I do a reply to her email she receives it.

                        The setting under the address space tab under the properties of the SMTP Connector in Exchange 2000 Server which says "Allow messages to be relayed to these domains": is this box ticked by default? It will be interesting to know.

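Added example, not part of the thread or any poster's code: the SMTP virtual server log check suggested in #10, applied to the open-relay finding in #11 and #12. It assumes W3C extended logging with the columns named in the `#Fields:` line; the hosted domain, trusted network and log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for this example: the hosted domain and the trusted client range.
LOCAL_DOMAINS = {"corp.example"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-query sc-status
2006-05-25 21:03:10 203.0.113.7 MAIL +FROM:<promo@hotmail.example> 250
2006-05-25 21:03:11 203.0.113.7 RCPT +TO:<a@wanadoo.example> 250
2006-05-25 21:03:11 203.0.113.7 RCPT +TO:<b@wanadoo.example> 250
2006-05-25 21:04:02 198.51.100.20 MAIL +FROM:<partner@sister.example> 250
2006-05-25 21:04:03 198.51.100.20 RCPT +TO:<alice@corp.example> 250
2006-05-25 21:05:40 10.0.0.15 MAIL +FROM:<bob@corp.example> 250
2006-05-25 21:05:41 10.0.0.15 RCPT +TO:<friend@wanadoo.example> 250
2006-05-25 21:07:19 192.0.2.44 MAIL +FROM:<something@corp.example> 250
2006-05-25 21:07:20 192.0.2.44 RCPT +TO:<c@wanadoo.example> 250
2006-05-25 22:10:05 203.0.113.7 MAIL +FROM:<promo@hotmail.example> 250
2006-05-25 22:10:06 203.0.113.7 RCPT +TO:<d@wanadoo.example> 550
"""

ADDR = re.compile(r"<[^<>@\s]*@([^<>\s]+)>")

def domain_of(arg):
    # Lower-cased domain of the <address> in a MAIL/RCPT argument, or None for <>.
    m = ADDR.search(arg)
    return m.group(1).lower() if m else None

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def relayed_by_client(log_text):
    """Map each untrusted client IP to its accepted relay recipients and sender domains."""
    fields, last_sender = [], {}
    report = defaultdict(lambda: {"relayed": 0, "senders": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            ip, verb = rec["c-ip"], rec["cs-method"].upper()
            if verb == "MAIL":
                last_sender[ip] = domain_of(rec["cs-uri-query"])
            elif verb == "RCPT" and rec["sc-status"] == "250":
                rcpt = domain_of(rec["cs-uri-query"])
                # Relay: outside client, recipient we do not host, server answered 250.
                if rcpt and rcpt not in LOCAL_DOMAINS and not is_trusted(ip):
                    report[ip]["relayed"] += 1
                    report[ip]["senders"].add(last_sender.get(ip))
    return dict(report)
```

A sender domain equal to the hosted domain coming from an outside address, as with 192.0.2.44 in the sample, matches the spoofed-sender pattern described in #5; after the relay is closed the same clients should only show 550 replies.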
