Exchange Sending Spam!

[The Donut]

Hey,

Today at work we got a call from our spam filter provider and was informed that in the past hour 100,000 emails had gone out about call girls from our Exchange server.

I've checked the longs and sure enough, it's true however I can't trace this thing at all - no virus scan picks anything up, adware, malware, etc...

Any ideas?

 

[`danny]

Is it NDR spam ie are the spam messages contained within bounce messages? If so turn off your bounce messages for the time being.

 

[Keiichi]

It's an open relay, tighten up who it accepts emails from.

 

[The Donut]

It's a phishing spam mail that it's sending out.. below is a line from our exchange log.. there are 102,000 of these..

10/28/2008 11:16:1 GMT OURIPNUMBER User - OURSERVERNAME 192.168.1.5 [email protected] 1019 [email protected] 1 0 6117 20 2008-10-28 11:15:48 GMT 0 Version: 6.0.3790.3959 - Receipt for Your Payment to Live Strip Chat Camera Sexy Girls [email protected] -

 

[ND40oz]

http://support.microsoft.com/kb/324958

Here's how to block relaying in SBS, it's pretty much the same in standard and enterprise 2003.

 

[`danny]

Sorry to thread-jack but is open relaying enabled by default on exchange 2003?

 

[ND40oz]

Sorry to thread-jack but is open relaying enabled by default on exchange 2003?

It only allows authenticated users by default.

 

[YeOldeStonecat]

I go another step further...SMTP virtual server properties, access tab, relay button, and uncheck "allow any host which authenticates to relay". This way, no weak password attempt to crack it can be made.

Is this Exchange box receiving mail directly from the internet? Or..via an SMTP smart host? I try to avoid having Exchange receive directly like the plague....I always try to flip clients to an SMTP smart host...and have ACLs on the Exchange box only allowing incoming mail from the smart hosts IP range(s)...period!