Exchange Server Sending Spam.... Need assistance
DNS Black list, i.e. organizations that list your server as being bad, and therefore others that pull information from those black lists will not allow your email to be sent to their systems. Here is some additional info:
http://en.wikipedia.org/wiki/DNSBL
You mentioned early on that "you contacted the admins of some of these offending IPs and they are infected machines" and that you disconnected them. Where were these machines located?
If you have stopped the problem machines from spamming on your network then you can see what list you are on using this site
http://www.mxtoolbox.com/blacklists.aspx
and then depending upon whose list you're on you can write an email to the appropriate party to tell them what you did to overcome the problem and then beg forgiveness. Be prepared to be chastised by them since that seems to be par for the course; just be sincere with your apology and usually sometime within 24-72 hours they will de-list you.
NOTE: if you have not taken care of all the offending machines do so before you contact the list holders, else they will not have mercy upon you and instead will rip you up one side and down the other...
Troy Werelius
www.Lucid8.com
January 10th, 2012 3:43am
On Tue, 10 Jan 2012 00:07:15 +0000, HankVatJr wrote:
>The offending IPs are not within our small network.
Okay, so now tell us how your machine is sending the spam. Is it
because you don't do recipient filtering and your server is accepting
e-mail it can't deliver and then sending a NDR to the (forged) e-mail
address of the sender? If that's the case, enable recipient filtering
and stop accepting e-mail you can't deliver.
>I have changed all users passwords,
What about passwords that don't belong to "users"? Postmaster,
webmaster, hostmaster, admin, administrator, IWAM_<server>,
IUSR_<server>, ASPNET, etc.
Is the guest account enabled?
If you think the spammers are using AUTH then jack up the diagnostics
logging level on the MSExchangeTransport object's "SMTP protocol" and
"Authentication" categories. That'll log authentication in the
application log (the SMTP protocol log should also be logging those
AUTH command *and* the base64-encoded user and password they're
using).
>swept the entire network for virus infection
Well, if the stuff is coming from outside your organization that's not
a bad thing to do, but it's not going to help.
>and ran several tests to determine if we are an open relay (no).
Did those tests try AUTH with common attack vectors?
>I would like to set it up so only our users can send mail through the server. I don't know quite how to do this but is it a good idea?
No, it's not -- if by "send mail" you mean "user POP/IMAP clients".
Use RPC-over-HTTPS from Outlook or OWA. Drop the ability for anyone
outside your own LAN to use your server as an SMTP relay.
---
Rich Matheisen
MCSE+I, Exchange MVP
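As an added example (not code from the thread or from Exchange), a small Python script that sweeps the kind of SMTP protocol log Rich describes for AUTH LOGIN exchanges, decodes only the username token and reports accounts that authenticated successfully from more than one outside address. The log field layout, the sample lines and the internal address prefixes are constructed assumptions for this example.

```python
import base64
from collections import defaultdict

# Constructed sample lines, loosely modelled on the W3C extended format of the
# Exchange 2003 SMTP protocol log. The field layout is an assumption for this example:
# date time c-ip cs-method cs-uri-query sc-status  (334 = challenge, 235 = success, 535 = failure)
SAMPLE_LOG = """\
2012-01-10 00:01:03 203.0.113.10 AUTH LOGIN 334
2012-01-10 00:01:03 203.0.113.10 AUTH d2VibWFzdGVy 334
2012-01-10 00:01:03 203.0.113.10 AUTH UEBzc3cwcmQ= 235
2012-01-10 00:02:10 198.51.100.7 AUTH LOGIN 334
2012-01-10 00:02:10 198.51.100.7 AUTH d2VibWFzdGVy 334
2012-01-10 00:02:11 198.51.100.7 AUTH UEBzc3cwcmQ= 235
2012-01-10 00:03:00 192.168.1.25 AUTH LOGIN 334
2012-01-10 00:03:00 192.168.1.25 AUTH aGFua3Y= 334
2012-01-10 00:03:01 192.168.1.25 AUTH bm90LWxvZ2dlZA== 235
"""

def _decode_username(token):
    """Decode the base64 username token; mark anything that is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return "<undecodable>"

def parse_auth_sessions(log_text):
    """One (client_ip, username, succeeded) tuple per completed AUTH LOGIN exchange."""
    pending = {}     # client_ip -> base64 tokens seen since its AUTH LOGIN
    sessions = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[3] != "AUTH":
            continue
        ip, arg, status = parts[2], parts[4], parts[5]
        if arg.upper() == "LOGIN":
            pending[ip] = []
        elif ip in pending:
            pending[ip].append(arg)
            if len(pending[ip]) == 2:   # username token, then password token (never decoded)
                sessions.append((ip, _decode_username(pending.pop(ip)[0]), status == "235"))
    return sessions

def suspicious_accounts(sessions, internal_prefixes=("192.168.", "10.")):
    """Accounts that logged in successfully from more than one outside address: the
    pattern Rich describes, a stolen password replayed by infected machines elsewhere."""
    by_user = defaultdict(set)
    for ip, user, ok in sessions:
        if ok and not ip.startswith(internal_prefixes):
            by_user[user].add(ip)
    return {user: ips for user, ips in by_user.items() if len(ips) > 1}
```

Any account this reports is one whose password needs resetting and whose sessions should be traced back in the same log, which covers exactly the non-"user" accounts (postmaster, webmaster, admin and so on) Rich lists.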
January 10th, 2012 7:42am
Hi,
You can post this thread to SBS forum to get more:
http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/threads
Hope it helps.
Thanks,
Sophia Xu
TechNet Community Support
January 16th, 2012 11:32am
Have an exchange server running on SBS 2003. We have had an issue with spam being sent from this server. It is always from different IP Addresses. I have contacted the admins of some of these offending IPs and they are infected machines. I have blocked their connections on a one-by-one basis but this is a recurring problem.
What can I do to stop this from happening? We are getting gray and blacklisted because of this problem.
Really stuck here.....
Late to the party, yet hope to be of some help; start by ensuring that your server is only allowing relay to authenticated connections, proceed by forcing a password reset for ALL your user accounts (enforce the password complexity rules to avoid short or too simple passwords); done that, check that your server isn't an open relay by using this online tool (just enter your server IP or name and click the "test" button) and, in case the checks fail, proceed to fix the configuration; done that, go on reading here and here (including the links found at both URLs) and configure the Exchange spam filter to reject junk messages; once completed, check if the problem is solved; if not, enable the SMTP full logging and look at the generated logfiles to see "how" those external IPs are able to relay through your server (in case of doubt, feel free to post log snippets here - use the "insert code block" button to do so, please); if all ok, open this site, enter your IP address and check if your IP is blacklisted and, if so, proceed to remove it from the relevant blacklists (notice that, as already suggested, this should be the LAST step and you must ensure that you solved the issue BEFORE attempting to remove your IP from blacklists).
January 28th, 2012 10:43am
January 28th, 2012 11:34am
Deploy AV on the client machines. Deploy AV/AS product on your exch server (SBS).
Sukh
January 28th, 2012 1:27pm
Sukh provided you some excellent information, and for the client machines Microsoft Security Essentials works great and it's free!
You may also want to;
1. Change the passwords for all users since they may be compromised
2. Check to ensure your exchange server is not set as an open relay
http://support.microsoft.com/kb/324958
Troy Werelius
www.Lucid8.com
January 28th, 2012 2:29pm
On Mon, 9 Jan 2012 16:21:44 +0000, HankVatJr wrote:
>Have an exchange server running on SBS 2003. We have had an issue with spam being sent from this server. It is always from different IP Addresses. I have contacted the admins of some of these offending IPs and they are infected machines. I have blocked their connections on a one-by-one basis but this is a recurring problem.
Are those IP addresses in YOUR network?
The way that you describe the problem makes it sound as if you're
accepting e-mail sent to addresses that don't exist in your directory.
You should be able to fix that pretty easily by enabling recipient
filtering and refusing to accept e-mail you can't deliver to local
mailboxes. Of course, this being SBS, there's probably some sort of
wizard that you'll have to use rather than the Exchange System Manager
-- so you should move your question to the SBS forum where you should
get a suitable answer for your environment.
>What can I do to stop this from happening. We are getting gray and blacklisted because of this problem.
If you're not already using any DNSBLs (I'm not a big fan of them),
consider using one or two. Again, asking how to do this in the SBS
forum would get you a more accurate answer.
If you're not using the Exchange Intelligent Mail Filter, enable it.
Again, asking in the SBS forum for instruction rather than using the
ESM and risking causing problems that a "wizard" would know how to
avoid.
---
Rich Matheisen
MCSE+I, Exchange MVP
January 28th, 2012 6:03pm
Thanks,
The offending IPs are not within our small network. I have changed all users' passwords, swept the entire network for virus infection and ran several tests to determine if we are an open relay (no).
I would like to set it up so only our users can send mail through the server. I don't know quite how to do this but is it a good idea?
January 28th, 2012 7:20pm
I have done both of these recently and it has not made a difference. (not an open relay)
January 28th, 2012 7:20pm
This deployment has been done and all is infection free
January 28th, 2012 7:21pm
What are DNSBLs?
January 28th, 2012 7:29pm
Can you give an example of a message which is sent out?
Can you show the from and to headers?
Sukh
January 29th, 2012 4:43am