Outbound mail queue keeps building with spoofed senders
SBS2003 server, Exchange v6.5 SP2
We have noticed that on two or three occasions in the last year thousands of SMTP connectors are appearing that are trying to send spam email from spoofed senders.
We have performed full virus scans on all PCs on the network and performed an open relay test on the server. Both have passed as OK.
Last Friday we cleared out all the spam in the outgoing connectors and mail began to flow properly again. Over the weekend all the client PCs in the office were turned off and no VPN connections were made in from the outside world.
Come Monday morning there were once again approximately 6000 emails waiting to send to a Gmail address from the postmaster account; the connection with the remote server had timed out.
We have performed full scans for viruses and malware and nothing has been found.
We used Wireshark to scan the network to try to find the source of the emails but nothing was found.
The queue has not grown again since yesterday, but what worries me is that I have not found out what caused the issue either. I don't want to request de-listings from the spam blacklists we have found ourselves on until I have got to the root of the problem, otherwise we may find ourselves back there again.
Any suggestions or similar experiences?
Apologies if this is in the wrong place, but I am new to this forum and wasn't quite sure where it should go.
March 29th, 2011 6:57am
Are you sure that this is spam mail and not NDR responses to messages with forged headers?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
March 29th, 2011 11:47am
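The question above can be answered from the queue contents themselves. As an added example (not part of the original thread), this Python code separates NDRs from other mail and tallies who the NDRs are addressed to; it assumes the queued messages are available as RFC 822 text and that NDRs use the RFC 3464 `multipart/report` layout, and every address in the samples is constructed.

```python
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not from the thread): one NDR in RFC 3464 layout
# and one ordinary message. All hostnames and addresses are placeholders.
SAMPLE_NDR = """\
From: postmaster@mail.example.test
To: forged.sender@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1

Delivery failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.test

Final-Recipient: rfc822; nobody@example.test
Status: 5.1.1
--b1--
"""
SAMPLE_MAIL = "From: a@example.test\nTo: b@example.com\nSubject: hi\n\nhello\n"

def inspect_message(raw):
    """Return (is_ndr, recipient, dsn_status) for one RFC 822 message."""
    msg = message_from_string(raw)
    is_ndr = (msg.get_content_type() == "multipart/report" and
              str(msg.get_param("report-type", "")).lower() == "delivery-status")
    status = None
    for part in msg.walk() if is_ndr else []:
        if part.get_content_type() == "message/delivery-status":
            # Parsed as a list of header blocks: per-message, then per-recipient.
            for block in part.get_payload():
                status = block.get("Status", status)
    return is_ndr, parseaddr(msg.get("To", ""))[1].lower(), status

def summarise_queue(raw_messages):
    """Count NDRs vs other mail, and who the NDRs are being sent to."""
    targets, statuses = Counter(), Counter()
    for raw in raw_messages:
        is_ndr, rcpt, status = inspect_message(raw)
        if is_ndr:
            targets[rcpt] += 1
            statuses[status] += 1
    return {"ndr": sum(targets.values()), "statuses": dict(statuses),
            "other": len(raw_messages) - sum(targets.values()),
            "top_ndr_targets": targets.most_common(3)}
```

A queue made up mostly of NDRs addressed to one outside address points to bounces for forged-sender mail rather than mail originating inside the network.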
Thank you, Ed. To be honest, I don't. Now I have cleared out the queue; I'm sure the clue would have been there. If it builds again I will look to see if there are any codes to go on.
What I can tell you however is that Recipient filtering is on and the tarpit value is set to 5 seconds.
The server IS set to send NDRs. I'm not sure if I want to turn this off though, as then genuinely mis-addressed emails will have no knowledge that their mail has not got through.
The server is also running Pure Message.
I know that in Exchange 2007 it can be set to not send NDRs to spoofed senders, but alas no such luxury here as far as I can tell!
March 29th, 2011 12:24pm
You might want to invest in an antispam solution.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
March 29th, 2011 12:58pm
Hi,
Besides Recipient filtering, you can also use Sender ID, Intelligent Message Filter and Connection Filtering to protect the server, which are included in Exchange 2003 SP2. For more information, please refer to the link below:
http://technet.microsoft.com/en-us/library/aa995992(EXCHG.65).aspx
If the spam still cannot be blocked, I’m afraid that you have to use some other software anti-spam solution. You may refer to the following article about the software for server.
http://www.msexchange.org/software/Anti-Spam/
Thanks.
Novak
March 31st, 2011 4:12am