Exchange 2010 sends out spam

exchange-2010

I have an Exchange Server 2010 that uses a smart host to send out mail. A day ago the owner of the smart host contacted us and told us that we are sending out spam.

I have tried different open relay tests on the net and all of them come back saying that this server is secured and cannot be used as a relay server. But I can see in my Exchange Queue Viewer that new messages keep coming in. Here is an example of how it looks.

Identity: mailserver\3874\13128
Subject: Olevererbart:: helladian@xxx.xxx Pfizer -75% now
Internet Message ID: <7388a3e0-7171-408d-ab24-806725beffb1@xxx.xxx>
From Address: <>
Status: Ready
Size (KB): 6
Message Source Name: DSN
Source IP: 255.255.255.255
SCL: -1
Date Received: 2010-12-09 21:46:22
Expiration Time: 2010-12-11 21:46:22
Last Error: 
Queue ID: mailserver\3874
Recipients:  urinee6024@proxad.net

How can I secure our Exchange server more, to stop this from happening?

Could I have got a virus that hooks up to our Exchange server and sends mail through that?

As I can see the From Address is always <>, is there some way that I can stop sending mails that don't have a from address that I describe?

Please help

Best Answer

Since you already tried the open relay tests from the internet, that means it's a computer on the internal network sending spam. It's most likely a compromised machine with a virus on it, so that needs addressing as a matter of urgency as well.

It sounds to me like you have a Receive Connector which is set up to allow open relaying from inside the network (which is why the external tests didn't pick it up).

The message tracking logs should tell you what Receive Connector the mails are being received through, so you'll need to look at the properties of that Receive Connector and make them more restrictive. Use the command Get-MessageTrackingLog -MessageId "<<Spam Message ID>>" |ft MessageId, ConnectorId in the Exchange Management Shell to give you the Receive Connector it's going through.

My guess is your receive connector is set to accept mail from the whole of your internal network (for example 10.1.1.1 to 10.255.255.255) rather than specific IP addresses that need to send unauthenticated email.

Standard practice is to leave the Receive Connector that was created when you installed Exchange as it is and create a new Receive Connector (for example "Allow Anonymous Relay") with the following settings.

  • On the Network tab, Listen on all available IP addresses on port 25
  • On the Network tab, Add any IP addresses which need to send unauthenticated mail (printers, web servers, monitoring software etc)
  • On the Authentication tab, untick everything except Externally Secured (for example, with IPSec)
  • On the Permission Groups tab, untick everything except Exchange Servers

Edit: Sorry! On the very last line I said untick everything except Anonymous users - I really meant untick everything except Exchange Servers. My bad :'(
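The procedure the answer describes, written out as Exchange Management Shell commands. This is an added example and not part of the original answer; MAILSERVER, the two 10.1.1.x addresses and the pasted message ID are placeholders to replace with your own values. It also adds a defender's check the answer only hints at: which internal client IP is pushing the mail in.

```powershell
# Added example (not from the original answer). Run in the Exchange Management Shell
# on the Hub Transport server. MAILSERVER, the message ID and the 10.1.1.20/10.1.1.21
# addresses are placeholders; substitute your own values.

# 1. Which Receive Connector and client IP delivered the spam message?
#    Entries with Source DSN are generated by the server itself and carry no
#    ConnectorId, so look for the RECEIVE event of the message that triggered them.
$msgId = "<7388a3e0-7171-408d-ab24-806725beffb1@xxx.xxx>"   # placeholder: paste the Internet Message ID from the queue
Get-MessageTrackingLog -Server MAILSERVER -MessageId $msgId -ResultSize Unlimited |
    Format-Table Timestamp, EventId, Source, ConnectorId, ClientIp, Sender, Recipients -AutoSize

# 2. Which internal hosts pushed the most mail through the server in the last 24 hours?
#    A compromised machine normally stands out as one ClientIp with a very high count.
Get-MessageTrackingLog -Server MAILSERVER -EventId RECEIVE -Start (Get-Date).AddDays(-1) -ResultSize Unlimited |
    Where-Object { $_.Source -eq "SMTP" } |
    Group-Object ClientIp, ConnectorId |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 3. Inspect every Receive Connector. A RemoteIPRanges value covering the whole LAN
#    together with anonymous Accept-Any-Recipient rights is an internal open relay.
Get-ReceiveConnector -Server MAILSERVER |
    Format-List Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups

Get-ReceiveConnector -Server MAILSERVER |
    Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { $_.ExtendedRights -like "ms-Exch-SMTP-Accept-Any-Recipient" } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 4. Create the dedicated relay connector the answer describes: listen on all IPs on
#    port 25, accept only the listed hosts, Externally Secured, Exchange Servers group.
New-ReceiveConnector -Name "Allow Anonymous Relay" -Server MAILSERVER -Usage Custom `
    -Bindings 0.0.0.0:25 `
    -RemoteIPRanges 10.1.1.20, 10.1.1.21 `
    -AuthMechanism ExternalAuthoritative `
    -PermissionGroups ExchangeServers

# 5. Re-check: only the new connector should grant relay, and no connector that allows
#    anonymous submission should still list a LAN-wide range.
Get-ReceiveConnector -Server MAILSERVER |
    Format-Table Identity, RemoteIPRanges, AuthMechanism, PermissionGroups -AutoSize
```

Step 3 is the one that actually shows the relay hole: the ms-Exch-SMTP-Accept-Any-Recipient right on a connector reachable by anonymous clients is what lets an internal host send to external recipients. Keep the RemoteIPRanges list of the new connector to the exact hosts that need it, because ExternalAuthoritative tells Exchange to trust those addresses completely, and the most specific connector match wins when the default connector still covers every address.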
