Re: Spam Problem



On Sun, 3 Feb 2008 10:58:25 +1100, "JohnG" <john@xxxxxxxxxxx> wrote:

> SBS 2003, Exchange SP2, ISA 2004
>
> Our IP has been blocked on and off for a few days because of reports of
> spam. I have checked the queues and I can see a handful of bogus emails -
> coming from bogus users not in the domain and going out.
>
> I have checked the relay settings, only the internal IP is listed in the
> relay and "Allow users who authenticate" is checked on - previously checked
> off, but after doing some reading it was suggested (by Microsoft) to check it
> on. Either setting didn't make a difference.
>
> I don't think we are relaying from external because it only happens during
> business hours (whilst users are logged in). I have done a virus scan on
> desktops/servers several times and the site appears to be clean of viruses
> anyway. I have switched on SMTP logging to try and fault find; nothing yet.
>
> Any suggestions where to start? How can I tell which internal IP address is
> submitting these emails to the queue - SMTP doesn't appear to show this?
> It's not consistent enough to work out exactly which PC.
>
> Initially all the emails were going to a domain striker.ottawa.on.ca - so I
> blocked it and this temporarily resolved it. However the emails are now
> going to other addresses.
>
> Help please!

I do not have the authorized users checked. If you have lame passwords
then that is an easy way to relay off your server. Even if you have
good passwords I see no reason to allow authorized users to relay. My
authorized users are supposed to be using Outlook.

I look at the network switch for excessive activity. Often an infected
machine will blink a lot more than a safe machine.

I like the centrally located anti-virus solution which gives me a
report of all workstations. I can also scan all workstations from
that one AV server. End users sometimes complain about workstation speed
when this is happening. Counterspy is a nice tool in addition to
antivirus software.

End users might complain that their machines are working slowly.

Attach a laptop to a hub which is between the external router and the
internal network. Run Wireshark to watch traffic. You may see the
infected machine. Only your Exchange server should be generating SMTP
traffic if all the workstations are supposed to be using
Outlook/Exchange.
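
The capture check suggested above can be automated. The following is an added example, not part of the original post: it reads connection attempts exported from a capture and lists every LAN host other than the mail server that opens a connection to TCP port 25. The mail server address, LAN range and sample records are assumptions constructed for illustration, and it assumes the capture point sees the workstations' own addresses (before any NAT).

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration; not taken from the post.
MAIL_SERVER = "192.168.16.2"
LAN = ipaddress.ip_network("192.168.16.0/24")

# Constructed sample: epoch, source, destination, TCP destination port,
# tab-separated, the shape produced by:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
SAMPLE = (
    "1202000000.10\t192.168.16.2\t203.0.113.25\t25\n"    # mail server: expected
    "1202000003.50\t192.168.16.41\t198.51.100.7\t25\n"   # workstation, direct out
    "1202000004.00\t192.168.16.41\t203.0.113.80\t25\n"
    "1202000009.20\t192.168.16.57\t192.168.16.2\t25\n"   # workstation, via server
    "1202000010.00\t192.168.16.30\t198.51.100.9\t443\n"  # not SMTP
    "truncated line\n"                                   # malformed record
)

def smtp_originators(lines, mail_server=MAIL_SERVER, lan=LAN):
    """Map each LAN host (except the mail server) that opened SMTP connections
    to its attempt count, destinations, and first/last timestamps."""
    found = defaultdict(lambda: {"syns": 0, "dests": set(), "first": None, "last": None})
    for line in lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 4 or fields[3] != "25":
            continue
        try:
            ts = float(fields[0])
            src = ipaddress.ip_address(fields[1])
            ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # skip records with unparsable time or address
        if str(src) == mail_server or src not in lan:
            continue
        rec = found[str(src)]
        rec["syns"] += 1
        rec["dests"].add(fields[2])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(found)

def report(found, mail_server=MAIL_SERVER):
    """Rows of (host, attempts, distinct destinations, path), busiest first."""
    rows = []
    for ip, rec in sorted(found.items(), key=lambda kv: -kv[1]["syns"]):
        path = "via server" if rec["dests"] == {mail_server} else "direct"
        rows.append((ip, rec["syns"], len(rec["dests"]), path))
    return rows
```

A host reported as "via server" is handing mail to the Exchange server over SMTP, which is what fills the outbound queue; a "direct" host is bypassing the server altogether.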