Possible spam in Exchange queue

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Possible spam in Exchange queue

    My customer runs SBS 2003 and has an Exchange server set up. They did something stupid several weeks back and started sending out hundreds of unsolicited e-mails from their Act database - they had 2000 e-mail addresses.

    I would get SMTP events and backed-up mail queue warnings e-mailed to me. Many of the e-mails sent out were returned. The ISP had detection software and thought they were infected. The server was being probed by blacklist servers to see if it was an open relay.

    I thought I had everything under control by telling the customer YOU CAN'T DO THIS. Now I notice the queue fills up with retries from postmaster@mydomain.com sending to organizations like 1-800-eatshit.com and a variety of other fictitious domains.

    Only the local IP address of the server is allowed to relay. Even authenticated users are not allowed to relay. I have sender filtering and recipient filtering enabled for [email protected].

    I scanned the server and the badmail folder had a virus, which I deleted after the scan. Any ideas what is happening here? Is this a result of a spammer trying to use the SMTP server as a gateway?

    TIA
    Network Engineers do IT under the desk

  • #2
    Re: Possible spam in Exchange queue

    First, check and see if your customer is on a block list. There is a good tool to do this at http://www.dnsstuff.com

    Second, have you looked at their outbound queues much prior to this. It is possible that you just have a lot of garbage backed up as a result of spam NDR's. Spammers sometimes use "dictionary" spamming; they go through a dictionary of common names and send to every name @yourdomain.com. Very evil of them.

    What ends up happening is that your outbound queues end up with a lot of garbage. You could enable recipient filtering, though, and this might help to stop all the outbound junk because the Exchange server will reject anything that is not addressed explicitly to a user in Active Directory. If you do this, it is on the Message Delivery properties under Global Settings and also on the settings for the IP addresses on the SMTP Virtual Server.

    Jim McBee
    Blog - http://mostlyexchange.blogspot.com



    • #3
      Re: Possible spam in Exchange queue

      Hi Jim, did all this. They are not on a blocked list and I enabled recipient and sender filtering in Global. I turned on full logging for SMTP and the errors in the Application viewer are from outside IP addresses failing an authentication or a recipient not found.

      The queue seems to indicate failures on retries to non-existent recipients or domains. The sender is always the postmaster at my customer's domain, so this is the e-mail address I set the filtering up on.

      The queue says "unable to bind to the destination server in DNS" for the bogus e-mails trying to go out.

      I tried to recreate the problem by setting up my Outlook Express using my customer's outgoing mail server. It won't replicate the problem unless I authenticate to the outgoing mail server. If I do this, then I get a similar error on my customer's server except that the relay fails.

      Thanks
      Network Engineers do IT under the desk



      • #4
        Re: Possible spam in Exchange queue

        Is it possible that they set themselves up for this? People are trying to relay through them, and of course the relay fails but it still makes it to the queue?

        Could this e-mail be generated from an infected computer on the network? I checked the Exchange logs though and it is outside IP addresses contacting the mail server. Pardon the length of the example below, but look what I am up against. The SMTP logs are huge! Look at all the IP addresses involved, and this is the weekend:

        21:49:50 204.13.249.92 EHLO - 250
        21:49:50 204.13.249.92 MAIL - 250
        21:49:50 204.13.249.92 RCPT - 250
        21:49:50 204.13.249.92 DATA - 250
        21:49:50 204.13.249.92 QUIT - 240
        21:49:53 204.13.249.92 EHLO - 250
        21:49:53 204.13.249.92 MAIL - 250
        21:49:53 204.13.249.92 RCPT - 250
        21:49:53 204.13.249.92 DATA - 250
        21:49:53 204.13.249.92 QUIT - 240
        21:49:56 204.13.249.92 EHLO - 250
        21:49:56 204.13.249.92 MAIL - 250
        21:49:56 204.13.249.92 RCPT - 250
        21:49:56 204.13.249.92 DATA - 250
        21:49:56 204.13.249.92 QUIT - 240
        21:49:58 204.13.249.92 EHLO - 250
        21:49:58 204.13.249.92 MAIL - 250
        21:49:58 204.13.249.92 RCPT - 250
        21:49:58 204.13.249.92 DATA - 250
        21:49:58 204.13.249.92 QUIT - 240
        21:49:58 204.13.249.92 HELO - 250
        21:49:58 204.13.249.92 MAIL - 250
        21:49:58 204.13.249.92 RCPT - 250
        21:49:58 204.13.249.92 QUIT - 240
        21:50:01 204.13.249.92 EHLO - 250
        21:50:01 204.13.249.92 MAIL - 250
        21:50:01 204.13.249.92 RCPT - 250
        21:50:01 204.13.249.92 DATA - 250
        21:50:01 204.13.249.92 QUIT - 240
        21:50:03 204.13.249.92 EHLO - 250
        21:50:03 204.13.249.92 MAIL - 250
        21:50:03 204.13.249.92 RCPT - 250
        21:50:03 204.13.249.92 DATA - 250
        21:50:03 204.13.249.92 QUIT - 240
        21:50:05 204.13.249.92 EHLO - 250
        21:50:05 204.13.249.92 MAIL - 250
        21:50:05 204.13.249.92 RCPT - 250
        21:50:05 204.13.249.92 DATA - 250
        21:50:05 204.13.249.92 QUIT - 240
        21:50:05 204.13.249.92 HELO - 250
        21:50:05 204.13.249.92 MAIL - 250
        21:50:06 204.13.249.92 RCPT - 250
        21:50:06 204.13.249.92 QUIT - 240
        21:50:07 204.13.249.92 EHLO - 250
        21:50:07 204.13.249.92 MAIL - 250
        21:50:07 204.13.249.92 RCPT - 250
        21:50:07 204.13.249.92 DATA - 250
        21:50:07 204.13.249.92 QUIT - 240
        21:50:09 204.13.249.92 HELO - 250
        21:50:09 204.13.249.92 MAIL - 250
        21:50:09 204.13.249.92 RCPT - 250
        21:50:09 204.13.249.92 QUIT - 240
        21:50:10 204.13.249.92 EHLO - 250
        21:50:10 204.13.249.92 MAIL - 250
        21:50:10 204.13.249.92 RCPT - 250
        21:50:10 204.13.249.92 DATA - 250
        21:50:10 204.13.249.92 QUIT - 240
        21:50:10 204.13.249.92 HELO - 250
        21:50:10 204.13.249.92 MAIL - 250
        21:50:11 204.13.249.92 RCPT - 250
        21:50:11 204.13.249.92 QUIT - 240
        21:50:13 204.13.249.92 EHLO - 250
        21:50:13 204.13.249.92 MAIL - 250
        21:50:13 204.13.249.92 RCPT - 250
        21:50:13 204.13.249.92 DATA - 250
        21:50:13 204.13.249.92 QUIT - 240
        21:50:13 204.13.249.92 HELO - 250
        21:50:13 204.13.249.92 MAIL - 250
        21:50:13 204.13.249.92 RCPT - 250
        21:50:13 204.13.249.92 QUIT - 240
        21:50:17 204.13.249.92 HELO - 250
        21:50:17 204.13.249.92 MAIL - 250
        21:50:17 204.13.249.92 RCPT - 250
        21:50:17 204.13.249.92 QUIT - 240
        21:50:19 204.13.249.92 HELO - 250
        21:50:19 204.13.249.92 MAIL - 250
        21:50:19 204.13.249.92 RCPT - 250
        21:50:19 204.13.249.92 QUIT - 240
        21:50:22 204.13.249.92 HELO - 250
        21:50:22 204.13.249.92 MAIL - 250
        21:50:22 204.13.249.92 RCPT - 250
        21:50:22 204.13.249.92 QUIT - 240
        21:50:25 204.13.249.92 HELO - 250
        21:50:25 204.13.249.92 MAIL - 250
        21:50:25 204.13.249.92 RCPT - 250
        21:50:25 204.13.249.92 QUIT - 240
        21:50:31 204.13.249.92 HELO - 250
        21:50:31 204.13.249.92 MAIL - 250
        21:50:31 204.13.249.92 RCPT - 250
        21:50:31 204.13.249.92 QUIT - 240
        21:50:40 204.13.249.92 HELO - 250
        21:50:40 204.13.249.92 MAIL - 250
        21:50:40 204.13.249.92 RCPT - 250
        21:50:40 204.13.249.92 QUIT - 240
        21:50:49 204.13.249.92 HELO - 250
        21:50:49 204.13.249.92 MAIL - 250
        21:50:49 204.13.249.92 RCPT - 250
        21:50:49 204.13.249.92 QUIT - 240
        21:50:50 205.158.62.177 - - 0
        21:50:50 205.158.62.177 EHLO - 0
        21:50:50 205.158.62.177 - - 0
        21:50:50 205.158.62.177 MAIL - 0
        21:50:59 204.13.249.92 HELO - 250
        21:50:59 204.13.249.92 MAIL - 250
        21:50:59 204.13.249.92 RCPT - 250
        21:50:59 204.13.249.92 QUIT - 240
        21:51:01 205.158.62.177 - - 0
        21:51:01 205.158.62.177 RCPT - 0
        21:51:02 205.158.62.177 - - 0
        21:51:02 205.158.62.177 RSET - 0
        21:51:02 205.158.62.177 - - 0
        21:51:02 205.158.62.177 QUIT - 0
        21:51:02 205.158.62.177 - - 0
        21:51:25 217.218.172.241 xxxx - 500
        21:51:31 217.218.172.241 HELO - 250
        21:51:33 217.218.172.241 MAIL - 250
        21:51:38 217.218.172.241 RCPT - 250
        21:51:44 217.218.172.241 DATA - 250
        21:51:47 217.218.172.241 QUIT - 240
        21:52:57 216.9.146.117 EHLO - 250
        21:52:57 216.9.146.117 MAIL - 250
        21:52:57 216.9.146.117 RCPT - 0
        21:52:57 216.9.146.117 QUIT - 240
        21:53:12 204.13.249.92 EHLO - 250
        21:53:14 204.13.249.92 MAIL - 250
        21:53:14 204.13.249.92 RCPT - 250
        21:53:14 204.13.249.92 DATA - 250
        21:53:16 204.13.249.92 QUIT - 240
        21:53:17 194.25.134.8 - - 0
        21:53:17 194.25.134.8 EHLO - 0
        21:53:17 194.25.134.8 - - 0
        21:53:17 194.25.134.8 MAIL - 0
        21:53:17 194.25.134.8 - - 0
        21:53:17 194.25.134.8 RCPT - 0
        21:53:17 194.25.134.8 - - 0
        21:53:17 194.25.134.8 RSET - 0
        21:53:17 194.25.134.8 - - 0
        21:53:17 194.25.134.8 QUIT - 0
        21:53:17 194.25.134.8 - - 0
        21:53:38 204.13.250.92 EHLO - 250
        21:53:38 204.13.250.92 MAIL - 250
        21:53:38 204.13.250.92 RCPT - 250
        21:53:38 204.13.250.92 DATA - 250
        21:53:38 204.13.250.92 QUIT - 240
        21:54:07 204.13.249.91 EHLO - 250
        21:54:07 204.13.249.91 MAIL - 250
        21:54:07 204.13.249.91 RCPT - 250
        21:54:07 204.13.249.91 DATA - 250
        21:54:07 204.13.249.91 QUIT - 240
        21:55:21 85.99.97.122 EHLO - 250
        21:55:21 85.99.97.122 MAIL - 250
        21:55:24 85.99.97.122 RCPT - 250
        21:55:28 85.99.97.122 DATA - 250
        21:55:28 85.99.97.122 QUIT - 240
        Network Engineers do IT under the desk



        • #5
          Re: Possible spam in Exchange queue

          That's quite a log you have there.

          In your SMTP protocol log, can you include the URI Stem and URI Query (I forget exactly which one includes the SMTP option).

          It does not look like the messages are being rejected, because in the MAIL command, the protocol status would be 550 (that is for relay denied or message not accepted).

          Jim McBee
          Blog: http://mostlyexchange.blogspot.com
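An added example, not from the thread, that applies Jim's reading of the protocol log: it parses lines in the same time/IP/verb/status shape as the log posted above into per-client SMTP sessions and reports, for each source IP, how many RCPT commands were accepted (250) or rejected (5xx), and how many sessions got an accepted RCPT but never sent DATA (the HELO/MAIL/RCPT/QUIT shape that repeats in the posted log). The sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the four-column shape of the thread's log
# (time, client IP, SMTP verb, status); not the poster's real data.
SAMPLE_LOG = """\
21:49:50 198.51.100.7 EHLO - 250
21:49:50 198.51.100.7 MAIL - 250
21:49:50 198.51.100.7 RCPT - 250
21:49:50 198.51.100.7 DATA - 250
21:49:50 198.51.100.7 QUIT - 240
21:49:58 198.51.100.7 HELO - 250
21:49:58 198.51.100.7 MAIL - 250
21:49:58 198.51.100.7 RCPT - 250
21:49:58 198.51.100.7 QUIT - 240
21:52:57 203.0.113.5 EHLO - 250
21:52:57 203.0.113.5 MAIL - 250
21:52:57 203.0.113.5 RCPT - 550
21:52:57 203.0.113.5 QUIT - 240
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) - (\d+)$")

def parse_sessions(text):
    """Group log lines into SMTP sessions per client IP: a session runs from
    HELO/EHLO to QUIT as a list of (verb, status); '-' verb lines are skipped."""
    sessions, current = defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) == "-":
            continue
        _, ip, verb, status = m.groups()
        if verb in ("HELO", "EHLO"):
            current[ip] = []          # a new greeting starts a new session
        current.setdefault(ip, []).append((verb, int(status)))
        if verb == "QUIT":
            sessions[ip].append(current.pop(ip))
    return sessions

def summarize(text):
    """Per client IP: session count, RCPT accepted (250) vs rejected (5xx), and
    sessions where RCPT was accepted but DATA never followed (address probing)."""
    report = {}
    for ip, sess in parse_sessions(text).items():
        rcpt = [st for s in sess for v, st in s if v == "RCPT"]
        probes = sum(1 for s in sess
                     if any(v == "RCPT" and st == 250 for v, st in s)
                     and all(v != "DATA" for v, _ in s))
        report[ip] = {"sessions": len(sess), "rcpt_ok": sum(st == 250 for st in rcpt),
                      "rcpt_rejected": sum(st >= 500 for st in rcpt), "rcpt_no_data": probes}
    return report
```

A source IP with many accepted RCPTs and no DATA is a sign that recipient filtering is not rejecting at RCPT time on that virtual server, which is the setting Jim points to above.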



          • #6
            Re: Possible spam in Exchange queue

            I signed this customer up with dyndns.org, who offer a secondary mail service for $29 a year. The primary MX record for my customer is mail.thistlewoodtimberframe.com and the secondary MX record is mx2.mailhop.org
            The dyndns.org company will spool our SMTP traffic if the server were to ever go down.

            This morning I looked in the mail queue and there is a message destined for tde.net that is stuck in there. I then searched the SMTP logs for tde.net and this is what I found:

            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 HELO - +mx2-iad1.mailhop.org SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 MAIL - +FROM:<[email protected]> SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 RCPT - +TO:<[email protected]> SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 QUIT - mx2-iad1.mailhop.org SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 EHLO - +mx2-iad1.mailhop.org SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 MAIL - +FROM:<[email protected]> SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 RCPT - +TO:<[email protected]> SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 DATA - +<[email protected]> SMTP - - -
            63.170.10.91 mx2-iad1.mailhop.org SMTPSVC1 TWOODSBS 192.168.1.10 0 QUIT - mx2-iad1.mailhop.org SMTP - - -

            It looks as if mail is originating from our backup SMTP server mx.mailhop.org. This morning I contacted the company that hosts the DNS and had them remove the secondary MX record as an experiment.

            My SMTP logs have many, many entries from mx2-iad1.mailhop.org and it seems the only time I should be getting e-mail from that SMTP server is if our server goes down.

            What's your take on this?
            Network Engineers do IT under the desk
