Re: Is my server hijacked or is it spammed



Bharat, thanks for the quick reply.

About the memory: what bothers me is that I sometimes get error
messages from Windows telling me I'm running out of memory...
About the Queued mail, the sender is the fake user I mentioned:
fakeName@MyPublicIP.
It doesn't seem to be an internal user because the fake name is
completely random and it's using my public ip instead of my domain
name.
Also, in the SMTP log file I clearly see entries referring to that fake
name, and the IP address for the sender is not part of my subnet.
I'm pretty sure I disabled relay except for specific computers in my
subnet as well as any authenticated user. So I don't understand why I
see these lines in the log file.
Here is a copy of these lines:
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "MAIL
-?+FROM:<U840B159@[My Public IP]> SMTP" 250 48
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<yangtao_621@xxxxxxxxx> SMTP" 250 34
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<linst@xxxxxxxxx> SMTP" 250 28
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<abpa@xxxxxxxx> SMTP" 250 26
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<szgdcpt@xxxxxxxxx> SMTP" 250 30
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<bgowi@xxxxxxxxxxxx> SMTP" 250 31
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<wounding@xxxxxxxx> SMTP" 250 30
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<aslik@xxxxxxxxxxxx> SMTP" 250 31
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<chenmj@xxxxxxxxxxxxxxxxxx> SMTP" 250 38
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT
-?+TO:<axuvi@xxxxxxxxxxxx> SMTP" 250 31
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:08 -0500] "DATA
-?<EXCHANGE1eCfy5BHndN0000000f@[www.myPublicDomainName> SMTP" 250 131

Any clue?
Tony.

Bharat Suneja [MVP] wrote:
Memory: Exchange will use all it has available, but can dynamically release
memory for other processes should these be running.
Queued mail: Open these messages and figure out where they're coming from.
Do they look like NDRs? If yes, enable Recipient Filtering - drop messages
for recipients not found in Directory (AD) from Global Settings - Message
Delivery properties | Recipient Filtering, and enable Recipient Filtering on
SMTP virtual server properties | General tab | Advanced | select IP address
| Edit.
If these appear to be originating from some internal host, check the host
for possible infection.

--
Bharat Suneja
MVP - Exchange
www.zenprise.com
NEW blog location:
www.exchangepedia.com/blog
----------------------------------------------


<tony.newsgrps@xxxxxxxxx> wrote in message
news:1153779975.250800.157220@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi there,

I have some strange emails queued on my Exchange server and I can't
figure out if someone is using my server to send spam or if he/she is
doing some sort of spam attack.

I believed my SMTP server is configured properly (i.e. users from the
internet must first authenticate before they can send email through
my server).
Yet, when I look at the SMTP queue, I see a lot of emails pending.

All emails originate from the same fake user:
fakeName@MyPublicIPAddress and are sent to what appear to be unlikely
recipients: vv ss@xxxxxxx, jqy@xxxxxxxxxxxxxxx ... (note that I
slightly changed the domain names in case these are real addresses).

Where do you think these emails are coming from? Is someone using my
Exchange server to send spam or is it some sort of
postmaster@xxxxxxxxxx variation to be able to send me spam?

Any feedback greatly appreciated.

Bonus question (might be related): My Exchange server seems to be
leaking memory.... It grows to 1.1GB of memory usage quickly yet we're
a very small organization (20 people). Is that what I should be expecting?

Thank you,
Tony.
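As an added defender's example (not part of this thread), here is the check that settles Tony's question from his own SMTP log: a Python script that parses lines in the format he pasted and reports any session from outside the LAN in which an RCPT TO for a foreign domain was answered 250, which is what an open relay looks like in a protocol log. The LAN range, local domains, stand-in public IP and recipient addresses are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of Tony's paste, one SMTP command per line.
# 211.151.92.9 and its HELO name are from the paste; 203.0.113.10 stands in for
# "[My Public IP]" and every recipient domain is a documentation domain.
SAMPLE_LOG = """\
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "MAIL FROM:<U840B159@[203.0.113.10]> SMTP" 250 48
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT TO:<yangtao_621@example.net> SMTP" 250 34
211.151.92.9 - ameillpu-7jat6i [24/Jul/2006:06:37:06 -0500] "RCPT TO:<linst@example.org> SMTP" 250 28
192.168.1.25 - workstation7 [24/Jul/2006:06:40:01 -0500] "MAIL FROM:<tony@example.com> SMTP" 250 40
192.168.1.25 - workstation7 [24/Jul/2006:06:40:01 -0500] "RCPT TO:<partner@example.net> SMTP" 250 33
198.51.100.7 - relaytest [24/Jul/2006:06:41:10 -0500] "MAIL FROM:<nobody@example.net> SMTP" 250 39
198.51.100.7 - relaytest [24/Jul/2006:06:41:10 -0500] "RCPT TO:<victim@example.org> SMTP" 550 31
"""
# Assumed site facts: the LAN allowed to relay, and the domains this server is
# authoritative for (the bracketed public IP included, as the forged sender uses it).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"example.com", "[203.0.113.10]"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<helo>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>MAIL|RCPT|DATA)(?: (?P<arg>.*?))? SMTP" (?P<status>\d{3}) \d+$'
)
def _addr(arg):
    m = re.search(r"<([^>]*)>", arg or "")  # FROM:<x> / TO:<x>
    return m.group(1) if m else ""
def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
def find_relayed_sessions(log_text, local_nets=LOCAL_NETS, local_domains=LOCAL_DOMAINS):
    # A relay is a session from outside local_nets where a RCPT TO for a
    # non-local domain was answered 250 (Exchange refuses relay at RCPT with 550).
    sessions = defaultdict(lambda: {"sender": "", "relayed": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or any(ipaddress.ip_address(m["ip"]) in n for n in local_nets):
            continue
        s = sessions[(m["ip"], m["helo"])]
        if m["verb"] == "MAIL":
            s["sender"] = _addr(m["arg"])
        elif m["verb"] == "RCPT" and m["status"] == "250":
            rcpt = _addr(m["arg"])
            if _domain(rcpt) not in local_domains:
                s["relayed"].append(rcpt)
    return [{"client_ip": ip, "helo": helo, "sender": s["sender"],
             "relayed_recipients": s["relayed"],
             "forged_local_sender": _domain(s["sender"]) in local_domains}
            for (ip, helo), s in sessions.items() if s["relayed"]]
```

A session that only ever receives 550 on RCPT TO (the third client above) is a relay probe the server correctly refused, so it is not reported; one that collects 250s for foreign recipients is the case to act on.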

