How to monitor Exchange server for outgoing SPAM?

I am running a single exchange server 2003 on Enterprise 64bit and I am constantly getting a poor reputation with senderbase.org/IronPort. I am starting to think that we may have some spam activity going on but I am not sure. I don't filter outgoing mail so I am wondering if MS has some kind of tool/program that I can use to monitor my outgoing mail to determine if I am possibly sending spam. My exchange server looks to be ok as if it is not sending out anything it is not but who is to say that the spam is originating from this server and not somewhere else. Anyone got an idea on how to tackle this kind of a problem when trying to narrow down possible outgoing SPAM issues?

Find more posts tagged with

Comments

royal

These two links can probably help you:
http://msexchangeteam.com/archive/2008/02/07/448082.aspx

In the future when/if you move to Exchange 2007, this would help you:
http://msexchangeteam.com/archive/2007/11/12/447515.aspx

Typically I check to make sure messsage transport logs and smtp logs are on. I then take the SMTP transport logs and do a text import into excel and it'll allow you to organize the data so it'll go into columns.

You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.

LOkrasa

Oh wow... great ideas! Thanks for the info. I think that this will help me alot.

If anyone else has some cool troubleshooting ideas post em up! Don't be shy... :P

HeroPsycho

LOkrasa wrote:

I am running a single exchange server 2003 on Enterprise 64bit...

Sure about that? That's not supported.

http://support.microsoft.com/kb/555468

Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.

blargoe

Is the Internet MX for your domain really your server or is it your ISP's mail relay? maybe that could be affecting your reputation as well.

HeroPsycho

mmm, SPF records...

LOkrasa

HeroPsycho wrote:

LOkrasa wrote:

I am running a single exchange server 2003 on Enterprise 64bit...

Sure about that? That's not supported.

http://support.microsoft.com/kb/555468

Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.

Sorry the server has a 64bit processor but the OS is 32. So Exchange on Enterprise 32 bit....

blargoe wrote:

Is the Internet MX for your domain really your server or is it your ISP's mail relay? maybe that could be affecting your reputation as well.

Dont relay mail. MX record matches up.

HeroPsycho wrote:

mmm, SPF records...

My domain hosting co. does not setup SPF records for some reason... whack isn't it?

HeroPsycho

LOkrasa wrote:

My domain hosting co. does not setup SPF records for some reason... whack isn't it?

Let me guess...

Network Solutions.

LOkrasa

HeroPsycho wrote:

LOkrasa wrote:

My domain hosting co. does not setup SPF records for some reason... whack isn't it?

Let me guess...

Network Solutions.

LMAO! Yes it is!

HeroPsycho

Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.

LOkrasa

HeroPsycho wrote:

Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.

Yeah thats what I think will need to happen next... we need to have a SPF record to improve our reputation.

blargoe

HeroPsycho wrote:

Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.

I concur, this was one of the first things I did when I started working at my current company.

If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.

LOkrasa

blargoe wrote:

HeroPsycho wrote:

Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.

I concur, this was one of the first things I did when I started working at my current company.

If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.

So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.

HeroPsycho

LOkrasa wrote:

So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.

NetSol was THE hosting provider and registrar back in the day to go with, the so called "no one ever got fired for choosing" choice for DNS. Because of that, they've sat on their proverbial laurels, and haven't bothered to keep up with the times, and their customers are starting to leave because of it.

Your boss probably chose them because back in the day, they were good. Now? Not so much...

LOkrasa

Would anyone be able to recommend a good DNS hosting company? 1and1?

yaktam

Your own ISP is usually a logical choice for DNS hosting. Unless your company shuffles between cities a lot, it makes a lot of sense. And you'll usually get at least 1 domain hosted for free, since you're already using their high speed Internet connection.

As for finding out where your spamming culprit is, I've personally turned a workstation into a local syslog server (Kiwi syslog daemon is free and GREAT!), pointed the firewall to **** its syslogs there and then read them with Kiwi Syslog viewer. Look for lots of SMTP traffic from an internal ip address OTHER than your exchange server. Works every time. Then take that workstation out back and have a few words with it (and the user who downloaded and installed the trojan/rootkit/smtp engine)

Let us know how it goes.

HeroPsycho

GoDaddy...

DynDNS...

There are lots of pretty good ones out there...

jbaello

royal wrote:

These two links can probably help you:
http://msexchangeteam.com/archive/2008/02/07/448082.aspx

In the future when/if you move to Exchange 2007, this would help you:
http://msexchangeteam.com/archive/2007/11/12/447515.aspx

Typically I check to make sure messsage transport logs and smtp logs are on. I then take the SMTP transport logs and do a text import into excel and it'll allow you to organize the data so it'll go into columns.

You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.

Royal I nominate your Avatar as Avatar of the year!!!