How to monitor Exchange server for outgoing SPAM?

LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
I am running a single exchange server 2003 on Enterprise 64bit and I am constantly getting a poor reputation with senderbase.org/IronPort. I am starting to think that we may have some spam activity going on but I am not sure. I don't filter outgoing mail so I am wondering if MS has some kind of tool/program that I can use to monitor my outgoing mail to determine if I am possibly sending spam. My exchange server looks to be ok as if it is not sending out anything it is not but who is to say that the spam is originating from this server and not somewhere else. Anyone got an idea on how to tackle this kind of a problem when trying to narrow down possible outgoing SPAM issues?

Comments

  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    These two links can probably help you:
    http://msexchangeteam.com/archive/2008/02/07/448082.aspx

    In the future when/if you move to Exchange 2007, this would help you:
    http://msexchangeteam.com/archive/2007/11/12/447515.aspx

    Typically I check to make sure messsage transport logs and smtp logs are on. I then take the SMTP transport logs and do a text import into excel and it'll allow you to organize the data so it'll go into columns.

    You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    Oh wow... great ideas! Thanks for the info. I think that this will help me alot.

    If anyone else has some cool troubleshooting ideas post em up! Don't be shy... :P
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    LOkrasa wrote:
    I am running a single exchange server 2003 on Enterprise 64bit...

    Sure about that? That's not supported.

    http://support.microsoft.com/kb/555468

    Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.
    Good luck to all!
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    Is the Internet MX for your domain really your server or is it your ISP's mail relay? maybe that could be affecting your reputation as well.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    mmm, SPF records...
    Good luck to all!
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    HeroPsycho wrote:
    LOkrasa wrote:
    I am running a single exchange server 2003 on Enterprise 64bit...

    Sure about that? That's not supported.

    http://support.microsoft.com/kb/555468

    Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.

    Sorry the server has a 64bit processor but the OS is 32. So Exchange on Enterprise 32 bit....

    blargoe wrote:
    Is the Internet MX for your domain really your server or is it your ISP's mail relay? maybe that could be affecting your reputation as well.
    Dont relay mail. MX record matches up.
    HeroPsycho wrote:
    mmm, SPF records...
    My domain hosting co. does not setup SPF records for some reason... whack isn't it?
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    LOkrasa wrote:
    My domain hosting co. does not setup SPF records for some reason... whack isn't it?

    Let me guess...

    Network Solutions.
    Good luck to all!
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    HeroPsycho wrote:
    LOkrasa wrote:
    My domain hosting co. does not setup SPF records for some reason... whack isn't it?

    Let me guess...

    Network Solutions.
    LMAO! Yes it is!
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    Good luck to all!
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    HeroPsycho wrote:
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    Yeah thats what I think will need to happen next... we need to have a SPF record to improve our reputation.
  • blargoeblargoe Self-Described Huguenot NC, USAMember Posts: 4,174 ■■■■■■■■■□
    HeroPsycho wrote:
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    I concur, this was one of the first things I did when I started working at my current company.

    If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    blargoe wrote:
    HeroPsycho wrote:
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    I concur, this was one of the first things I did when I started working at my current company.

    If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.

    So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    LOkrasa wrote:
    So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.

    NetSol was THE hosting provider and registrar back in the day to go with, the so called "no one ever got fired for choosing" choice for DNS. Because of that, they've sat on their proverbial laurels, and haven't bothered to keep up with the times, and their customers are starting to leave because of it.

    Your boss probably chose them because back in the day, they were good. Now? Not so much... icon_lol.gif
    Good luck to all!
  • LOkrasaLOkrasa Member Posts: 343 ■■■□□□□□□□
    Would anyone be able to recommend a good DNS hosting company? 1and1?
  • yaktamyaktam Member Posts: 1 ■□□□□□□□□□
    Your own ISP is usually a logical choice for DNS hosting. Unless your company shuffles between cities a lot, it makes a lot of sense. And you'll usually get at least 1 domain hosted for free, since you're already using their high speed Internet connection.

    As for finding out where your spamming culprit is, I've personally turned a workstation into a local syslog server (Kiwi syslog daemon is free and GREAT!), pointed the firewall to **** its syslogs there and then read them with Kiwi Syslog viewer. Look for lots of SMTP traffic from an internal ip address OTHER than your exchange server. Works every time. Then take that workstation out back and have a few words with it (and the user who downloaded and installed the trojan/rootkit/smtp engine) :)

    Let us know how it goes.
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    GoDaddy...

    DynDNS...

    There are lots of pretty good ones out there...
    Good luck to all!
  • jbaellojbaello Member Posts: 1,191 ■■■□□□□□□□
    royal wrote:
    These two links can probably help you:
    http://msexchangeteam.com/archive/2008/02/07/448082.aspx

    In the future when/if you move to Exchange 2007, this would help you:
    http://msexchangeteam.com/archive/2007/11/12/447515.aspx

    Typically I check to make sure messsage transport logs and smtp logs are on. I then take the SMTP transport logs and do a text import into excel and it'll allow you to organize the data so it'll go into columns.

    You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.

    Royal I nominate your Avatar as Avatar of the year!!! icon_lol.gif
Sign In or Register to comment.