Exchange - Spam sending internally


tekgrl (IS-IT--Management), Apr 29, 2003
Hello,

I am currently having a problem with Exchange on a 2000 server. Mail is being generated and is trying to be sent externally. I have scanned all the computers on the network for viruses and nothing has come up. Relay is not available, and this has been tested. Can anyone help?
 
Check the email headers to find out which IP address is sending the email; this should identify the culprit system.

<marc> i wonder what will happen if i press this...
 
I have Exchange 5.5, same problem.
Headers are totally blank.
Messages are about Viagra, though; almost all of them, some 7000 of them.

DougP, MCP
 
Are you guys still having this problem? This weekend our 5.5 Exchange server was used for a 6000+ message Viagra spam run. Aside from those 6000 Viagra spams, I also had about 14,000 inbound failure attempts from administrator, I guess from failed relay attempts. Here are the sources in some of the spam headers:

Received: from smtp0147.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by rpsserver.factorycat.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
Received: from smtp0281.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by
Received: from smtp0422.mail.yahoo.com (ip69-189.cbn.net.id [202.158.69.189])
Received: from smtp0562.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by
Received: from assam (211.158.85.163 [211.158.85.163]) by r
Received: from smtp0311.mail.yahoo.com (ip69-189.cbn.net.id [202.158.69.189])
Received: from smtp0147.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by
Received: from smtp0632.mail.yahoo.com (ip69-189.cbn.net.id [202.158.69.189])
Received: from bonus (211.158.45.122 [211.158.45.122]) by
Received: from tad (218.70.146.217 [218.70.146.217]) by
Received: from hunters (211.158.80.78 [211.158.80.78]) by
Received: from exchequer (211.158.81.52 [211.158.81.52]) by
Received: from crankcase (211.158.82.171 [211.158.82.171]) by
Received: from merest (211.158.84.41 [211.158.84.41]) by
Received: from adrift (218.70.147.76 [218.70.147.76]) by

I have inbound relaying allowed because mail is relayed from our ISP to our internal mail server. On routing restrictions I have "authenticated users only" and "from these IP addresses" checked.

If I telnet to port 25 on the mail server I can't relay; I get a 550. I have also gone to a few websites that have comprehensive relay tests and I was protected against them all. I'm not sure what else to try; the spam is originating from outside the network.
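As an added example (not from any poster in this thread), the header check marc suggested, done over the kind of Received lines zugdud quoted: parse each line into HELO name, reverse DNS and connecting IP, flag lines whose HELO name is a bare word or claims a domain that disagrees with what the receiving server resolved, and count the flagged connections per leading-octet prefix. The sample lines are constructed here with the IPs from the thread and a placeholder receiving host.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the thread quotes: Exchange 5.5 IMS writes
# "from <HELO name> (<reverse DNS> [<IP>]) by <our host>". The receiving host is a placeholder.
SAMPLE_RECEIVED = [
    "Received: from smtp0147.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by mail.example.com with SMTP",
    "Received: from smtp0281.mail.yahoo.com (200.90.107.233 [200.90.107.233]) by mail.example.com with SMTP",
    "Received: from smtp0422.mail.yahoo.com (ip69-189.cbn.net.id [202.158.69.189]) by mail.example.com with SMTP",
    "Received: from assam (211.158.85.163 [211.158.85.163]) by mail.example.com with SMTP",
    "Received: from tad (218.70.146.217 [218.70.146.217]) by mail.example.com with SMTP",
    "Received: from mx1.partner-example.net (mx1.partner-example.net [203.0.113.7]) by mail.example.com with SMTP",
]

RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\) by (?P<by>\S+)"
)

def parse_received(line):
    """Return HELO name, reverse-DNS name, connecting IP and receiving host, or None."""
    m = RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None

def registered_domain(name):
    """Crude last-two-labels domain: 'smtp0147.mail.yahoo.com' -> 'yahoo.com'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def is_suspicious_helo(rec):
    """True when the HELO name is a bare word, or its domain disagrees with the
    name our own server resolved for the connecting IP (the forged-yahoo pattern)."""
    if "." not in rec["helo"]:
        return True
    return registered_domain(rec["rdns"]) != registered_domain(rec["helo"])

def triage(lines):
    """Parse every Received line and attach a 'suspicious' verdict to each record."""
    out = []
    for line in lines:
        rec = parse_received(line)
        if rec:
            rec["suspicious"] = is_suspicious_helo(rec)
            out.append(rec)
    return out

def sources_by_network(records, octets=2):
    """Count suspicious connections per leading-octet prefix such as '211.158',
    the granularity at which the firewall deny rules later in the thread were written."""
    return Counter(".".join(r["ip"].split(".")[:octets]) for r in records if r["suspicious"])
```

A HELO mismatch alone is a triage signal, not grounds for rejection; the point is to group the flagged connections so the source networks stand out.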
 
As per my problem dated 7th August, we have fixed the problem. We were using Nortons for Exchange and desktop scanners as well. We found that there were settings in the Exchange scanning tool which were set to scan the same things as the desktop scan. Because of this they were crossing each other out and scanning nothing at all. We then had to install the latest upgrades of the virus software, halt the Exchange queues and scan each network PC separately. Hope this helps.
 
Zugdud,

Did you find a solution for yours too ??

I'm in the same boat, but using Symantec AV Corp Edition, I tried the add-on for Mail which scanned the mailboxes on the network, but I still have sh*tloads of stuff appearing in the outbound SMTP queues....

Hope you can help !!! I'm stuffed for a fix at the mo :-(

cheers
Roddy

Life's too short
 
Last week I had about 3,000 inbound failure attempts to find the password for these accounts: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc.
This is a log example:
***********************************************************
1/09/2003 17:39:29 Security Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM MLSRV "Logon Failure:
Reason: Unknown user name or bad password
User Name: master
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: MLSRV "
**********************************************************
At least the password for 'backup' was found and used to send about 7,000 spam mail.
I have disabled the backup account and the problem was solved but now we are in some IP blacklist!
The attack is coming from 218.70.xxx.xxx and 211.158.xxx.xxx, and I have set these addresses to deny in my firewall.

Luca
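As an added example (not from any poster in this thread), a small Python triage of a security log saved as text in the layout of Luca's excerpt: it counts the 529 failures per user name and flags any account that was guessed at and then logged on successfully (event 528), which is how 'backup' ended up sending the spam. The log text is constructed here from templates in the shape of the excerpt, and the code assumes the export is in time order.

```python
import re
from collections import Counter

# Constructed sample in the layout of the thread's log excerpt (Windows 2000 security
# log saved as text): a header line with date, event ID and host, then a quoted body.
FAIL_529 = ('{t} Security Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM MLSRV "Logon Failure:\n'
            'Reason: Unknown user name or bad password\nUser Name: {u}\nDomain:\nLogon Type: 3\n'
            'Logon Process: Advapi\nAuthentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n'
            'Workstation Name: MLSRV "\n')
OK_528 = ('{t} Security Success Audit Logon/Logoff 528 NT AUTHORITY\\SYSTEM MLSRV "Successful Logon:\n'
          'User Name: {u}\nDomain: MLSRV\nLogon Type: 3\nLogon Process: Advapi\n'
          'Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\nWorkstation Name: MLSRV "\n')
EVENTS = [("1/09/2003 17:39:29", FAIL_529, "webmaster"), ("1/09/2003 17:39:30", FAIL_529, "admin"),
          ("1/09/2003 17:39:31", FAIL_529, "root"), ("1/09/2003 17:39:32", FAIL_529, "backup"),
          ("1/09/2003 17:39:33", FAIL_529, "backup"), ("1/09/2003 17:39:34", OK_528, "backup"),
          ("1/09/2003 17:41:10", OK_528, "alice")]
SAMPLE_LOG = "".join(tpl.format(t=t, u=u) for t, tpl, u in EVENTS)

# One record: header up to the opening quote, then the body up to a quote that ends a line.
RECORD_RE = re.compile(
    r'^(?P<time>\d{1,2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Security (?:Failure|Success) Audit '
    r'Logon/Logoff (?P<id>\d+) .*? "(?P<body>.*?)"$', re.M | re.S)
FIELD_RE = re.compile(r'^([A-Za-z ]+): ?(.*)$', re.M)

def parse_events(text):
    """Turn the saved log text into dicts with time, event id, user, logon type and process."""
    events = []
    for m in RECORD_RE.finditer(text):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
        events.append({"time": m.group("time"), "id": int(m.group("id")),
                       "user": fields.get("User Name", ""),
                       "logon_type": fields.get("Logon Type", ""),
                       "process": fields.get("Logon Process", "")})
    return events

def guessing_summary(events):
    """Failed network logons (529, type 3) per user name: the account-guessing pattern in the thread."""
    return Counter(e["user"] for e in events if e["id"] == 529 and e["logon_type"] == "3")

def compromised_after_guessing(events):
    """Accounts that drew 529 failures and then logged on successfully (528), the 'backup'
    case; assumes time order. Successes with no prior failures are not flagged."""
    failed, hits = set(), []
    for e in events:
        if e["id"] == 529:
            failed.add(e["user"])
        elif e["id"] == 528 and e["user"] in failed and e["user"] not in hits:
            hits.append(e["user"])
    return hits
```

Logon Type 3 with Logon Process Advapi is the shape the excerpt shows for these SMTP-side attempts; the summary makes the many-usernames-from-one-source pattern obvious before any single account succeeds.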
 
I think that's what was dodgy at my end too, I found a "test" account with no password.... doh, I must have forgotten to delete it.

I also unchecked the "allow authenticated users to relay..." option in the access tab of SMTP properties, which should remove that possibility even if an account was guessed. I've put in a strong password policy across the domain now too, which should keep the hackers at bay for a bit.

BOMPA...
I was going to look at examining logs for security access; how do you turn them on?

cheers
Roddy

Life's too short
 