Spam Issues on LAN

  • Spam Issues on LAN

    Hello All,

    We have an Exchange 2010 server setup. Recently we have been having queues to so many domains and have always been on the Spam Block List, which is causing bad reputation on the IP address. I checked if open relay is enabled, and it proved to be blocked on the server. What could be throwing spam out from my network even with the firewall and anti-spam modules installed?

    My Receive Connectors (Client & Default) are configured as follows: Checked (TLS, Basic Authentication: Offer Basic authentication only after starting TLS, Exchange Server Authentication, Integrated Windows authentication).

    How can I pin down the system/systems sending spam mails out on the internet? Thanks.
    Last edited by nukunu; 10th January 2012, 18:45. Reason: typing error

  • #2
    Re: Spam Issues on LAN

    Do some traffic sniffing and see which LAN IP it is coming from
    Also look at message logs on the Exchange server and confirm it is not coming from there
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd



    • #3
      Re: Spam Issues on LAN

      I would be really surprised if it was a local system doing this. I don't think I have ever seen a local system send spam through Exchange.
      A spammer has to
      a. Compromise a system inside your network.
      b. Find Exchange
      c. Send the email.

      All of the above leaves traces behind and can be easily stopped. The last thing a spammer wants to do is leave a trace behind.

      Or they could just use their own SMTP engine and send the email directly.

      I expect it will be the usual: a user account has been guessed and you are allowing authenticated relaying on one of the connectors, and the spam is being sent that way.

      Simon Butler
      Exchange MVP



      • #4
        Re: Spam Issues on LAN

        Hello Simon,

        How can I counter this impersonation issue? How can I further restrict the receive connectors, since this is a real issue in my environment?


        • #5
          Re: Spam Issues on LAN

          You have to find out which machine is sending SPAM.
          I am 100% sure that Exchange is NOT sending SPAM.
          But you have Exchange on the same network as the other LAN machines and also on the same public IP address. That is why you made it onto a blacklist.

          You have 2 options:

          1. Infected machine(s) in LAN sending out SPAM
          Solution: block outgoing SMTP on the firewall EXCEPT for the Exchange server, find the infected machine and clean it. I've seen a number of Rustock-infected machines sending out spam.

          2. Compromised account on your domain.
          Solution: Check the Exchange log files as others suggested and find out who it is.

          I have had 1 case like this in my honeypot environment.
          User Administrator, password 12345. 1,5 months later, the account was abused and tons and tons of spam have been blocked by my firewall :=) Of course I haven't allowed spam to be sent to recipients.

          My suggestion would be to BLOCK and LOG port 25 on the firewall if it allows it. This way you will find out who tries to connect out via SMTP and you can investigate this machine on your LAN...
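
Editor's added example, not code from any poster in this thread: a Python sketch of the "check the Exchange log files" step from posts #2, #3 and #5, totalling externally addressed recipients per client IP and sender across message tracking log rows. The log sample is constructed and cut down to a few columns, the column names are assumed to match the `#Fields:` header of your own tracking logs, and `LAN`, `LOCAL_DOMAIN`, `read_events` and `outbound_submitters` are hypothetical names and values.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample: tracking-log rows cut down to the columns used below; all values are made up.
SAMPLE_LOG = """\
#Fields: date-time,client-ip,source,event-id,recipient-address,recipient-count,sender-address
2012-01-10T09:00:01Z,198.51.100.9,SMTP,RECEIVE,alice@corp.example,1,news@vendor.example
2012-01-10T09:00:05Z,203.0.113.50,SMTP,RECEIVE,a@x.example;b@y.example;c@z.example,3,jsmith@corp.example
2012-01-10T09:00:06Z,203.0.113.50,SMTP,RECEIVE,d@x.example;e@y.example;f@z.example;g@w.example,4,jsmith@corp.example
2012-01-10T09:00:07Z,203.0.113.50,SMTP,SEND,d@x.example,1,jsmith@corp.example
2012-01-10T09:01:00Z,192.168.1.77,SMTP,RECEIVE,h@x.example;bob@corp.example,2,scanner@corp.example
"""
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range
LOCAL_DOMAIN = "corp.example"                 # assumed accepted domain


def read_events(text):
    """Parse log text into dicts, taking column names from the '#Fields:' line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        elif line and not line.startswith("#"):
            rows.append(line)
    return list(csv.DictReader(rows, fieldnames=fields))


def outbound_submitters(events, min_external=1):
    """Total external recipients per (client IP, sender) for mail accepted over SMTP."""
    totals = defaultdict(lambda: [0, 0])  # [messages, external recipients]
    for ev in events:
        if ev["event-id"] == "RECEIVE" and ev["source"] == "SMTP":  # once per message
            rcpts = [r for r in ev["recipient-address"].lower().split(";") if r]
            external = sum(not r.endswith("@" + LOCAL_DOMAIN) for r in rcpts)
            if external:  # skip mail addressed only to local mailboxes
                key = (ev["client-ip"], ev["sender-address"].lower())
                totals[key][0] += 1
                totals[key][1] += external
    report = []
    for (ip, sender), (msgs, ext) in totals.items():
        try:
            origin = "LAN" if ipaddress.ip_address(ip) in LAN else "outside LAN"
        except ValueError:  # empty or malformed client-ip column
            origin = "unknown"
        report.append((ip, sender, msgs, ext, origin))
    return sorted((r for r in report if r[3] >= min_external), key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    print(*outbound_submitters(read_events(SAMPLE_LOG)), sep="\n")
```

A local sender submitting from an address outside the LAN matches the guessed-account relay case in post #3, while a LAN address points at a machine to investigate as in post #5. Hosts that send straight to the internet without touching Exchange never appear in these logs, which is why the firewall block-and-log on port 25 is still needed.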