Clear outgoing spam problems on your Exchange 2003 server / network

Today I had to sort out a client’s mail server after BT disconnected them from all broadband access. Their server had sent out 108 000 spam e-mails, and the mail queues were full, trying to send more.

They had to contact BT, and ask them to re-connect their broadband service, so that I could remotely login and take a look into the issue.

The first thing I did once I had access was disable their SMTP service. To do this, right-click My Computer, go to "Manage", expand "Services and Applications", double-click Services, and scroll down to the Simple Mail Transfer Protocol (SMTP) service. Right-click it and select Stop. This halts all outgoing mail.

From there I logged into the router (which happened to be a Netgear DG834) and checked the firewall logs. I could see a huge number of SMTP connections from external IP addresses. My first thought was to secure the firewall, which had not yet been done on this particular router.

I went to the Firewall settings and created the following rules:
Outbound traffic:
Allow SMTP (25) from a single IP address on the internal LAN (192.168.16.2), the IP of the mail server.
Disallow SMTP (25) from all other IP addresses on the internal LAN. (The server rule above overrides this one.)

Before enabling these rules, I tested outgoing SMTP connections from a few client PCs on the network using telnet.

From a command prompt, type: telnet anymailserver.com 25 (replace anymailserver.com with a mail server address such as mail.google.com). I could make a connection with this before the rule was in place; after the rule was enabled I could not, so the firewall rule was successfully blocking SMTP traffic from any PC on the network that we did not want to be able to send mail. This was in case one or more of the PCs had picked up a mass-mailing worm that was sending spam directly from the PC. A telnet test from the mail server still worked, as I had explicitly allowed SMTP traffic from its IP address. With that, the internal network was locked down.

You can tell whether the telnet connection on port 25 succeeded: the command prompt either goes blank or shows the mail server's welcome banner (see the image below). If no connection is made, the attempt times out after a few seconds and reports that it could not connect.

[Image: telnet25 – a successful telnet connection to port 25]

Another thing to do at this point is to ensure the antivirus software is up to date on all PCs and the server, and to scan them to confirm they are clean.

Next up was the Exchange configuration: I checked that relay access was restricted to the mail server itself.

Open Exchange System Manager by going to Start menu, Programs, Exchange, Exchange System Manager.

Expand Servers, select your mail server name (in this case SBS2003), expand Protocols, expand SMTP, right-click the Default SMTP Virtual Server icon and select Properties (see image below).

[Image: Exchange System Manager – Default SMTP Virtual Server properties]

Once the properties sheet is open, click the "Access" tab, then click the "Relay" button.

Ensure that only localhost (127.0.0.1), i.e. the server itself, and the server's internal IP address are in the list. In this case 127.0.0.1 and 192.168.16.2 are listed, with the option "Only the computers below" selected. Then untick the check box below that list ("Allow all computers which successfully authenticate to relay, regardless of the list above"). This makes sure that only the server can relay mail. Obviously this depends on how your network is set up, but as long as you don't have other mail servers connecting to this Exchange server you should be safe unticking this option. See image below:

[Image: relay_access1 – Relay Restrictions dialog]

Click OK, and then OK once again. Open My Computer and browse to your Exchange server's queue folder. This is usually C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue

You will probably find thousands of files in here, so rename the Queue folder to Queue_old (or similar) and create a new folder called "Queue" in its place. This ensures an empty queue when we re-enable the SMTP service.

Now go to Services again and start the SMTP service by right-clicking Simple Mail Transfer Protocol and selecting Start.

If all goes well, your queues should stay clear of any bad mail, and your network should be able to send mail again.
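Before discarding the renamed Queue_old folder, it is worth finding out which internal host handed the spam to the server. The script below is an added example, not part of the original post: it reads the queued .EML files, takes the bracketed address from the Received header that the Exchange server itself added, and tallies messages per submitting host and per From address. The queue contents, host names and addresses are constructed sample data.

```python
import email
import os
import re
import tempfile
from collections import Counter

# Constructed sample: Exchange stamps one Received header on each queued
# message; the bracketed address is the client that submitted it.
def build_message(client_ip, sender, subject):
    return (f"Received: from host ([{client_ip}]) by SBS2003 with Microsoft SMTPSVC;\r\n"
            f" Sun, 24 Feb 2013 10:00:00 +0000\r\nFrom: {sender}\r\n"
            f"To: someone@example.net\r\nSubject: {subject}\r\n\r\nbody\r\n")

SAMPLE_QUEUE = [  # three spam messages from one workstation, one legitimate
    build_message("192.168.16.44", "promo@example.invalid", "cheap pills"),
    build_message("192.168.16.44", "promo@example.invalid", "cheap pills"),
    build_message("192.168.16.44", "offer@example.invalid", "you won"),
    build_message("127.0.0.1", "boss@example.com", "Monthly report"),
]

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def submitting_host(msg):
    """IP of the host that delivered this message to our server.
    Each hop prepends its Received header, so the last one is the earliest."""
    received = msg.get_all("Received") or []
    match = RECEIVED_IP.search(received[-1]) if received else None
    return match.group(1) if match else "unknown"

def triage_queue(directory):
    """Tally queued .EML files by submitting host and by From address."""
    hosts, senders = Counter(), Counter()
    for name in os.listdir(directory):
        with open(os.path.join(directory, name), "rb") as fh:
            msg = email.message_from_binary_file(fh)
        hosts[submitting_host(msg)] += 1
        senders[msg.get("From", "unknown").strip()] += 1
    return hosts, senders

def triage_sample_queue():
    """Write the constructed sample into a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as queue_dir:
        for i, raw in enumerate(SAMPLE_QUEUE):
            with open(os.path.join(queue_dir, f"NTFS_{i}.EML"), "wb") as fh:
                fh.write(raw.encode("ascii"))
        return triage_queue(queue_dir)

if __name__ == "__main__":
    hosts, senders = triage_sample_queue()
    print("Messages per submitting host:", hosts.most_common())
    print("Messages per From address:", senders.most_common())
```

On a real server, point triage_queue at the renamed folder (for example C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue_old); a host that dominates the tally with addresses nobody on site uses is the machine to take off the network and scan.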

8 Comments

  1. Thanks so much for this. I was having a similar problem as I cannot find out what process was creating the spam. The server was moved to a new location, with the cables never plugged in to the network or the internet, and yet, the spam was still being created in the queue, but I didn’t know where to find it. Your article allowed me to see that location.

    I stopped the SMTP service and the spam stopped.

    Started SMTP and nothing (hmmm??)

    Rebooted with smtp starting automatically and the spam began creating again.

    @ antivirus (AVG and Bitdefender) find nothing
    Malwarebytes also finds nothing

    Server came back up and nothing appears in Queue

    Thanks!!!!!!!!!!!!!!!!!

    Don’t know why it works, but…..

  2. Very helpful and much appreciated. Tore my hair out with this one last night, your method worked perfectly for my case. Thank you.

  3. Haha excellent Bob! Well sometimes those free apps don’t really help. I have found a little free app called SuperAntiSpyware that seems to do an excellent job of removing viruses/spyware and malware. Give it a try next time. Otherwise I am glad your exchange queues are all clear now 🙂

  4. Good advice but I’ve already followed this step with one slight difference. In your step about configuring exchange relay permissions you have the IP address with a subnet mask of 255.255.255.0 – won’t this allow the whole subnet to relay through the exchange server?

    I’ve configured our exchange server with 127.0.0.1 and the LAN IP with a 255.255.255.255 subnet – Mail seems to be flowing. We’re still getting a few thousand spam messages going through the exchange server and clogging up the queues however 🙁

    /me pulls hair out.

  5. Hi Steve,

    You are quite right with the mask of 255.255.255.255 – this should lock it down to only allow localhost (127.0.0.1) if you used that subnet mask. Have you run full virus scans on the exchange server and other network machines? I would check with a variety of scanning tools just to be sure. My personal favourite of late is superantispyware (free edition). This seems to always sort our virus issues for me. It has even surpassed some enterprise products in the past in my experience. Also make sure your router / firewalls are locked down nicely just in case.

  6. Just some FYI, We found that under the relay settings, once you uncheck the computer box, the user button becomes enabled. If you look there you might find Auth Users listed. We had to remove this to stop the spam.

    We then found the computer causing the problem. Keep in mind these settings can cause scanners that send email to stop working if you don’t allow them.

  7. Our email server is affected by a spam sending problem. For the last few days our mail server has been blacklisted and this is impacting our business; our mails are considered spam by our business partners’ servers.
    I did everything suggested in the article above, but when I tried blocking port 25 for everyone except the mail server the outgoing mails queued up.
    We are using a FortiGate firewall. Please help.
    When I check the firewall log:
    1 2013-02-24 01:44:21 alert 183.159.68.19 192.168.2.228 web_server: HTTP.Malicious.Request.Double.Slash [Reference: http://www.fortinet.com/ids/ID14228]
    2 2013-02-23 10:52:32 alert 79.154.104.155 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    3 2013-02-23 10:41:50 alert 37.106.117.36 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    4 2013-02-23 10:35:48 alert 87.222.99.49 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    5 2013-02-23 10:32:18 alert 188.78.235.141 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    6 2013-02-23 10:31:45 alert 190.107.124.75 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    7 2013-02-23 10:31:37 alert 190.107.124.75 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    8 2013-02-23 08:58:23 alert 186.134.39.221 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]
    9 2013-02-23 08:51:52 alert 186.11.37.121 192.168.2.208 email: MS.Outlook.Source.Email.Address.Spoofing.SMTP [Reference: http://www.fortinet.com/ids/ID102498341]

    There are a lot more. Please help to resolve this.

    Thanks in advance,
    Irene
