Internal Spam Source?
Hello,
Our Exchange 2003 (running on SBS 2003) server has been blacklisted. It started last week. There are no open relays; port 25 is blocked on our firewall for all computers except for our SBS server. We scanned our workstations/laptops with System Essentials and Malwarebytes, which found some trojans. They have been cleaned and rescanned, but we are still somehow sending out spam. We have been listed on CBL. I have checked the SMTP log and found some entries that have an outside source address as well as an outside/external recipient address, but I do not know how to locate or determine if this is sent by a client on our network or even our SBS server.
Any ideas on how to identify the source of our spam?
Thank you
April 25th, 2011 4:19pm
Highly unlikely to be coming from inside.
Spam doesn't work like that. They usually have their own internal SMTP engine and will try and send email directly via port 25, which you have blocked. Any other way means the trojan has to
a. Find the server
b. Know what server it is
c. Then try and send the email.
That isn't going to happen because in a corporate environment it is very easy to get blocked.
The most likely cause is going to be authenticated relay. This is enabled by default on Exchange 2003. A user account, probably the administrator account, has been compromised and the spam is being sent with it directly from outside.
If you have messages building up in the queues, then you can look in \exchsrvr\mailroot\vs 1\queue . Drop one of the messages into Notepad and then look at the raw headers. That should show you the external IP address the message originated from.
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp
Simon. Simon Butler, Exchange MVP
April 25th, 2011 4:37pm
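Walking the Received: chain of a queued message to find who handed it to the server, as an added example (not Simon's code and not from the thread). The two message samples are constructed, with invented hostnames and RFC 5737 test addresses; the script assumes the queued file still carries the Received: header stamped by our own server (here "sbs.example.local"), and it treats only RFC 1918 ranges as LAN so that a public submitter is reported as external.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample 1: an outside host authenticated to our server and
# relayed through it (hostnames and addresses invented).
SAMPLE_EXTERNAL = (
    "Received: from sbs.example.local ([127.0.0.1]) by sbs.example.local "
    "with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "\t Mon, 25 Apr 2011 16:02:11 -0400\n"
    "Received: from User ([203.0.113.77]) by sbs.example.local "
    "with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "\t Mon, 25 Apr 2011 16:02:10 -0400\n"
    "From: \"Sales\" <sales@example.com>\n"
    "To: someone@gmail.com\n"
    "Subject: cheap watches\n"
    "\n"
    "body\n"
)

# Constructed sample 2: an internal application server handed us a message
# that it had itself accepted from a laptop on the LAN.
SAMPLE_FROM_LAN = (
    "Received: from app01.example.local ([192.168.1.57]) by sbs.example.local "
    "with Microsoft SMTPSVC(6.0.3790.4675);\n"
    "\t Mon, 25 Apr 2011 16:10:02 -0400\n"
    "Received: from laptop22 ([192.168.1.80]) by app01.example.local with smtp;\n"
    "\t Mon, 25 Apr 2011 16:10:01 -0400\n"
    "From: jane@example.com\n"
    "To: bob@example.com\n"
    "Subject: report\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def received_hops(raw_message):
    """Return (from_ip, by_host) for each Received: header, newest first.

    Received: headers are prepended by each hop, so the top one is the most
    recent; folded continuation lines are handled by the email parser.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        ip_match = IP_RE.search(value)
        by_match = BY_RE.search(value)
        if ip_match and by_match:
            hops.append((ip_match.group(1), by_match.group(1).lower()))
    return hops


def classify_ip(ip_text):
    """loopback / lan (RFC 1918 only, an assumption) / external."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "external"


def find_submitter(raw_message, our_host):
    """Identify the host that delivered the message to our_host.

    Walking newest-first, the last hop stamped 'by our_host' is the original
    submission to us; any earlier ones are internal re-injections.
    """
    ours = [ip for ip, by in received_hops(raw_message)
            if by == our_host.lower()]
    if not ours:
        return None
    ip = ours[-1]
    return {"ip": ip, "kind": classify_ip(ip)}


if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_FROM_LAN):
        print(find_submitter(sample, "sbs.example.local"))
```

An "external" result for a message sitting in the outbound queue is the authenticated-relay case Simon describes: the sender never touched the LAN, so scanning workstations will not find it, and the account used to authenticate is what needs the password reset.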
Thanks Simon,
So far there is only one message in the queue. Since everyone has left for the day I have blocked outgoing SMTP on our firewall and the only message that appears to be spam is in a SmallBusiness SMTP Connector for gmail.com. This message is from an external
IP and the recipient is for a contact that has a gmail account. I've been searching all over trying to find out what is causing our server to get blocked and am stumped.
Any idea on how or if we could find out what account has been compromised?
Thanks again.
John
April 25th, 2011 9:23pm
Servers do not get blacklisted, IP addresses do.
If your server was being abused you would know about it, as the queues would be full of junk - spammers lists are not that clean. If the queues are clear then it is a workstation directly sending the messages, and your firewall blocking isn't as you expected.
A decent firewall that can block and report on the traffic will identify the source of the traffic.
Simon. Simon Butler, Exchange MVP
April 26th, 2011 5:56am
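Using the firewall's own deny logging to find a workstation talking on port 25, as an added example that is not part of the thread. It assumes the egress rule for TCP/25 was created with the ASA `log` keyword, which makes the ASA emit %ASA-4-106100 messages with a hit count per interval; the syslog excerpt below is constructed with invented addresses and an assumed ACL name "inside_out".

```python
import re
from collections import Counter

# Constructed ASA syslog excerpt (invented addresses and ACL name, not from
# the thread). 106100 is the message an ACE with the "log" keyword emits.
SAMPLE_ASA_SYSLOG = """Apr 25 2011 21:30:01 asa5510 %ASA-4-106100: access-list inside_out permitted tcp inside/192.168.1.2(3421) -> outside/198.51.100.25(25) hit-cnt 12 300-second interval [0x4f1a2b3c, 0x0]
Apr 25 2011 21:30:05 asa5510 %ASA-4-106100: access-list inside_out denied tcp inside/192.168.1.57(49213) -> outside/198.51.100.25(25) hit-cnt 1 first hit [0x8c9b1a2e, 0x0]
Apr 25 2011 21:35:05 asa5510 %ASA-4-106100: access-list inside_out denied tcp inside/192.168.1.57(49217) -> outside/203.0.113.80(25) hit-cnt 347 300-second interval [0x8c9b1a2e, 0x0]
Apr 25 2011 21:35:09 asa5510 %ASA-4-106100: access-list inside_out denied tcp inside/192.168.1.21(51002) -> outside/198.51.100.40(25) hit-cnt 2 300-second interval [0x8c9b1a2e, 0x0]
Apr 25 2011 21:36:00 asa5510 %ASA-4-106100: access-list inside_out permitted tcp inside/192.168.1.57(49300) -> outside/198.51.100.7(443) hit-cnt 5 300-second interval [0x11223344, 0x0]
"""

# Fields of the 106100 message: ACL name, action, protocol, then
# interface/ip(port) for source and destination, then the hit count.
ACE_LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[^/ ]+)/(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/ ]+)/(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def smtp_hits_by_source(syslog_text, action="denied", port=25):
    """Sum hit-cnt per internal source address for entries matching action/port."""
    totals = Counter()
    for line in syslog_text.splitlines():
        m = ACE_LOG_RE.search(line)
        if not m:
            continue
        if m.group("action") != action or int(m.group("dport")) != port:
            continue
        totals[m.group("src")] += int(m.group("hits"))
    return totals


def top_talkers(syslog_text, action="denied", port=25, n=3):
    """Sources with the most blocked port-25 attempts, highest first."""
    return smtp_hits_by_source(syslog_text, action, port).most_common(n)


if __name__ == "__main__":
    for src, hits in top_talkers(SAMPLE_ASA_SYSLOG):
        print(f"{src}: {hits} blocked SMTP connection attempts")
```

When only the mail server is permitted out on 25, a LAN host that keeps hitting the deny rule hundreds of times per interval is the spam engine Simon describes; the permitted entries for the server's own address are the baseline to compare against.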
Hi John,
For how to understand the SMTP log, please refer to the article below:
http://support.microsoft.com/kb/155455
If spam emails are being sent out, the log will show the detailed information.
If there is no information in the Exchange log, we may need to use another tool, such as Netmon, to capture the sessions on the port to confirm the issue.
Regards!
Gavin
April 27th, 2011 4:39am
I had a similar issue with a customer not long ago. Whilst the Exchange server was clean, spam email was being sent out directly from a client machine to the outside world. Check your firewall for any very active users, I guess.
April 27th, 2011 3:40pm
What if you enable logging in the IIS logs to include the IP address? When you relay, it should log the source IP/computer name.
Sukh
April 27th, 2011 5:49pm
Thanks for the responses, ended up resetting account passwords and monitoring the logs. We also had 2 users on leave who had an Out of Office set up on their mailboxes; they received spam and I thought that the Out of Office reply could generate spam.
So I delisted our server and all was fine for 4 days, then I came in this morning to find that we have once again been listed at CBL (no others have us listed - at least not yet). I have disabled inbound and outbound SMTP on the firewall (Cisco ASA 5510) as well as disabled outbound mail on our Exchange server (which is a 2003 SBS server). I have Wireshark running on the network adapter of our server and have not seen any SMTP traffic since disabling it on the firewall. The mail queues in Exchange do not have any spam in them. I am completely at a loss as to what is causing this. I have emailed CBL twice (from my gmail account) hoping that they could give me some information as to why/what caused our IP to be blocked, but I have not heard back from them yet.
I have tested trying to telnet via 25 to an outside server from my workstation and the connection was refused, so it appears that the firewall is set up correctly, but since I have very limited experience with the ASA I could be mistaken.
The only other thing I can think of is that the SBS Server is infected with something. I have scanned this server with GFI Vipre, Malwarebytes and MS Malicious Software Removal Tool; so far nothing. I will take a look at the article that Gavin has referenced and go from there. Besides that - any other suggestions?
Thanks again.
May 2nd, 2011 8:32pm
Hi jaf3528,
I would suggest that you wait for the information from CBL; sometimes there may be a mistake about old spam that they retrieved.
Or, you could enable the email system and then retrieve some information on the outbound port of your network through the network monitor tool.
Regards!
Gavin
May 2nd, 2011 10:29pm
Well, I did find some unusual traffic in Wireshark that was coming from a server on TCP. And after reading the article from Simon I did find quite a few SMTP logons in the Event log from the server with the unusual traffic for a service account. That server
has been turned off and will be removed since it is no longer being used. I also reset the password for that account and in Exchange removed the option for "Allow all computers that successfully authenticate to relay.." and created a security group
to use for relay authentication.
So hopefully this is the last of it, although I have thought that before. Thanks for all of the help.
May 3rd, 2011 2:55pm