RE: OMA and Outgoing Spam



Chace,
Thanks so much for the response! The outgoing SPAM was discovered using the
message tracking tool and noting a great deal of activity after-hours. I
really have no way of seeing the actual email message as the SPAM appears to
be spoofing the user in question, i.e., the "from" and "to" fields are the
same yet the message is being sent via SMTP to njbrwigsp2-13 (can be any
server with this name from 2 to 13). I've got recipient filtering established
and I also have the relay option turned off. Additionally I'm running the IMF
on all inbound mail...

Thanks again!
Doc

"chace zhang" wrote:

Hi,

Thank you for posting here.

According to your description, I understand one user sends SPAM email to an
external user. If I'm off base, please feel free to let me know.

In order to get a clear picture of this issue, please help me answer the
following questions for further analysis:

1. What is the detailed SPAM content? Can you forward the message to me as
*.msg?
2. Are there any obvious symptoms on your Exchange Server? Do you find that a
lot of NDRs are sent to the destination domain?
3. What is the version of your SBS Server, Standard or Premium?

In general, to identify the sender of the spam emails, I would suggest you
follow the action plan below.

Action Plan
=========
Step 1
=====
It seems that you have found the spam emails in the queue viewer
(ESM/Servers/<Server>/Protocols/SMTP/SMTP virtual servers/<SMTP virtual
server>/Queues/<Queue>). You can open the message in the problematic queue
and find the spam sender in the Properties/General tab/Sent from.

Step 2
=====
When you find the sender of the spam emails, please scan for viruses and
Trojans on the problematic workstation. Also, since the viruses are always
propagating themselves throughout the whole network, I would suggest you
scan all computers for viruses.


Actually, Exchange 2003 server has a capability to block the emails that
are sent to non-existent user accounts in your domain (Filter recipients
who are not in the Directory check box). For more information, please refer
to the following article.

886208 Exchange queues fill with many non-delivery reports from the
postmaster
http://support.microsoft.com/?id=886208


For all the Exchange 2003 anti-spam capabilities, please see:

Antispam Capabilities in Exchange Server 2003
http://www.microsoft.com/exchange/evaluation/features/antispam.mspx

I would like to suggest checking this setting via the following KB article.

324958 HOW TO: Block Open SMTP Relaying and Clean Up Exchange Server SMTP
http://support.microsoft.com/?id=324958

Furthermore, the following article may help you to secure your Exchange network.


Exchange Server 2003 Security Hardening Guide
http://www.microsoft.com/downloads/details.aspx?FamilyID=6A80711F-E5C9-4AEF-9A44-504DB09B9065&displaylang=en


If you have any questions or concerns related to this issue, please let me
know.

I appreciate your time and look forward to hearing from you.

Best Regards,


Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support


--------------------
| From: =?Utf-8?B?RG9j?= <Doc@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: OMA and Outgoing Spam
| Date: Mon, 18 Sep 2006 15:13:03 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Greetings,
| I was able to track down the source of some persistent outgoing SPAM. It's
| originating from OMA. Basically it looks like another server is spoofing the
| one account I have enabled for OMA and sending outbound email. If I disable
| this Exchange feature the SPAM goes away. I have left this feature turned off
| for well over a week and no SPAM. Within a few hours of turning the feature
| back on I'm sending SPAM again and it's always to the same SMTP server...
| Any suggestions as to what I can do to stop it?
| Thanks,
| Doc
|
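
The triage described at the top of this thread (message tracking, activity after hours, identical "from" and "to", handoff to an outside SMTP host), written out as an added example that is not part of the original posts. The CSV layout, column names, addresses, host names and business-hours window are constructed assumptions, not Exchange's own tracking-log format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows: a simplified CSV export of message-tracking data.
# Every column name, address and host name here is hypothetical.
SAMPLE = """time,sender,recipient,next_hop
2006-09-18 10:15:00,alice@example.test,bob@partner.test,mail.partner.test
2006-09-18 23:41:07,oma.user@example.test,oma.user@example.test,relay-07.external.test
2006-09-19 02:03:55,oma.user@example.test,OMA.User@example.test,relay-07.external.test
2006-09-19 02:10:00,oma.user@example.test,oma.user@example.test,relay-11.external.test
2006-09-19 14:00:00,carol@example.test,carol@example.test,mailstore.example.test
2006-09-16 11:30:00,dave@example.test,vendor@partner.test,mail.partner.test
2006-09-19 22:00:00,carol@example.test,carol@example.test,mailstore.example.test
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time, Mon-Fri
LOCAL_DOMAIN = "example.test"   # assumption: the organisation's own domain


def suspicious_rows(text):
    """Rows sent after hours where sender == recipient yet the next hop is external."""
    hits = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        after_hours = when.hour not in BUSINESS_HOURS or when.weekday() >= 5
        # Mail addresses are compared case-insensitively for this check.
        self_addressed = (row["sender"].strip().lower()
                          == row["recipient"].strip().lower())
        # A self-addressed message handed to an outside host is the anomaly.
        external_hop = not row["next_hop"].lower().endswith("." + LOCAL_DOMAIN)
        if after_hours and self_addressed and external_hop:
            hits.append(row)
    return hits


def summarize(hits):
    """Count hits per (sender, next hop) to show which account and host recur."""
    return Counter((h["sender"].lower(), h["next_hop"].lower()) for h in hits)


if __name__ == "__main__":
    for (sender, hop), n in summarize(suspicious_rows(SAMPLE)).most_common():
        print(f"{n:3d}  {sender} -> {hop}")
```
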

