  1. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #1

    How to monitor Exchange server for outgoing SPAM?

    I am running a single Exchange Server 2003 on Enterprise 64bit and I am constantly getting a poor reputation with senderbase.org/IronPort. I am starting to think that we may have some spam activity going on but I am not sure. I don't filter outgoing mail so I am wondering if MS has some kind of tool/program that I can use to monitor my outgoing mail to determine if I am possibly sending spam. My Exchange server looks to be OK as if it is not sending out anything it is not but who is to say that the spam is originating from this server and not somewhere else. Anyone got an idea on how to tackle this kind of a problem when trying to narrow down possible outgoing SPAM issues?

  3. New Member royal's Avatar
    Join Date
    Jul 2006
    Location
    Chicago, IL
    Posts
    3,373
    #2
    These two links can probably help you:
    http://msexchangeteam.com/archive/20...07/448082.aspx

    In the future when/if you move to Exchange 2007, this would help you:
    http://msexchangeteam.com/archive/20...12/447515.aspx

    Typically I check to make sure message transport logs and SMTP logs are on. I then take the SMTP transport logs and do a text import into Excel and it'll allow you to organize the data so it'll go into columns.

    You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.
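A scripted version of the SMTP log review described in the post above, as an added example that is not part of the original post. It assumes the SMTP logs are in W3C extended format with a `#Fields:` directive; the sample lines, field selection and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in W3C extended log format (field list is an assumption;
# the parser reads whatever the "#Fields:" directive declares).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-query sc-status
2008-08-01 09:00:01 10.0.0.21 MAIL +FROM:<alice@example.com> 250
2008-08-01 09:00:01 10.0.0.21 RCPT +TO:<bob@example.net> 250
2008-08-01 09:00:05 10.0.0.57 MAIL +FROM:<x1@example.com> 250
2008-08-01 09:00:05 10.0.0.57 RCPT +TO:<a@example.org> 250
2008-08-01 09:00:05 10.0.0.57 RCPT +TO:<b@example.org> 550
2008-08-01 09:00:06 10.0.0.57 MAIL +FROM:<x2@example.com> 250
2008-08-01 09:00:06 10.0.0.57 RCPT +TO:<c@example.org> 550
2008-08-01 09:00:06 10.0.0.57 RCPT +TO:<d@example.org> 250
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated entries
                yield dict(zip(fields, values))

def summarize(rows):
    """Per submitting client: RCPT count, rejected RCPTs, distinct senders."""
    stats = defaultdict(lambda: {"rcpt": 0, "rejected": 0, "senders": set()})
    for row in rows:
        s = stats[row["c-ip"]]
        verb = row["cs-method"].upper()
        if verb == "MAIL":
            s["senders"].add(row["cs-uri-query"].lower())
        elif verb == "RCPT":
            s["rcpt"] += 1
            if row["sc-status"].startswith("5"):
                s["rejected"] += 1
    return stats

def suspects(stats, min_rcpt=4, min_senders=2):
    """Clients with many recipients and several envelope senders (illustrative cut-offs)."""
    return sorted(ip for ip, s in stats.items()
                  if s["rcpt"] >= min_rcpt and len(s["senders"]) >= min_senders)

if __name__ == "__main__":
    stats = summarize(parse_w3c(SAMPLE_LOG))
    for ip, s in stats.items():
        print(ip, "rcpt:", s["rcpt"], "rejected:", s["rejected"], "senders:", len(s["senders"]))
    print("review:", suspects(stats))
```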

  4. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #3
    Oh wow... great ideas! Thanks for the info. I think that this will help me a lot.

    If anyone else has some cool troubleshooting ideas post em up! Don't be shy... :P

  5. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #4


    Quote Originally Posted by LOkrasa
    I am running a single Exchange Server 2003 on Enterprise 64bit...
    Sure about that? That's not supported.

    http://support.microsoft.com/kb/555468

    Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.

  6. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,099

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #5
    Is the Internet MX for your domain really your server or is it your ISP's mail relay? Maybe that could be affecting your reputation as well.
    IT guy since 12/00

    Recent: 10/27/2017 - Passed Microsoft 70-410 (one exam left for MCSA 2012)
    Working on: MCSA 2012 upgrade from 2003 (to heck with 2008!!), MCSA 2016 upgrade, more Linux
    Thinking about: VCP6-CMA, AWS Solution Architect (Associate), Python, VCAP6-DCD (for completing VCIX)

  7. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #6
    mmm, SPF records...

  8. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #7


    Quote Originally Posted by HeroPsycho
    Quote Originally Posted by LOkrasa
    I am running a single Exchange Server 2003 on Enterprise 64bit...
    Sure about that? That's not supported.

    http://support.microsoft.com/kb/555468

    Also, be sure you block outbound SMTP traffic on port 25 from all internal IP addresses except for your outbound mail server(s) on your firewall(s), or ensure whatever mail servers send email out to the internet NAT to a different public IP address than what your clients NAT to when they access the internet.
    Sorry the server has a 64bit processor but the OS is 32. So Exchange on Enterprise 32 bit....


    Quote Originally Posted by blargoe
    Is the Internet MX for your domain really your server or is it your ISP's mail relay? Maybe that could be affecting your reputation as well.
    Don't relay mail. MX record matches up.

    Quote Originally Posted by HeroPsycho
    mmm, SPF records...
    My domain hosting co. does not set up SPF records for some reason... whack isn't it?

  9. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #8


    Quote Originally Posted by LOkrasa
    My domain hosting co. does not set up SPF records for some reason... whack isn't it?
    Let me guess...

    Network Solutions.

  10. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #9


    Quote Originally Posted by HeroPsycho
    Quote Originally Posted by LOkrasa
    My domain hosting co. does not set up SPF records for some reason... whack isn't it?
    Let me guess...

    Network Solutions.
    LMAO! Yes it is!

  11. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #10
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.

  12. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #11
    Quote Originally Posted by HeroPsycho
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    Yeah that's what I think will need to happen next... we need to have an SPF record to improve our reputation.

  13. Self-Described Huguenot blargoe's Avatar
    Join Date
    Nov 2005
    Location
    NC
    Posts
    4,099

    Certifications
    VCAP5-DCA; VCP 3/4/5/6 (DCV); EMCSA:CLARiiON; Linux+; MCSE:M 2000/2003; MCSE:S 2000/2003; MCTS:Exch2007; Security+; A+; CCNA (expired)
    #12
    Quote Originally Posted by HeroPsycho
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    I concur, this was one of the first things I did when I started working at my current company.

    If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.

  14. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #13
    Quote Originally Posted by blargoe
    Quote Originally Posted by HeroPsycho
    Keep them as your registrar, and switch DNS hosting companies. Tons of good ones out there that support SPF.
    I concur, this was one of the first things I did when I started working at my current company.

    If you want to have any _SRV records for the fancy new Microsoft Exchange and Communications Server stuff that may need it, Network Solutions doesn't support that either.
    So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.

  15. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #14
    Quote Originally Posted by LOkrasa
    So I guess that I am not the only one that uses them... my old boss chose this route but I clearly see that it wasn't the best choice. Thanks for the info.
    NetSol was THE hosting provider and registrar back in the day to go with, the so-called "no one ever got fired for choosing" choice for DNS. Because of that, they've sat on their proverbial laurels, and haven't bothered to keep up with the times, and their customers are starting to leave because of it.

    Your boss probably chose them because back in the day, they were good. Now? Not so much...

  16. Senior Member LOkrasa's Avatar
    Join Date
    Mar 2006
    Location
    Gaithersburg, MD
    Posts
    343

    Certifications
    CCNA, CCNA:S, CCNP:RS
    #15
    Would anyone be able to recommend a good DNS hosting company? 1and1?

  17. Junior Member
    Join Date
    Aug 2008
    Posts
    1
    #16
    Your own ISP is usually a logical choice for DNS hosting. Unless your company shuffles between cities a lot, it makes a lot of sense. And you'll usually get at least 1 domain hosted for free, since you're already using their high speed Internet connection.

    As for finding out where your spamming culprit is, I've personally turned a workstation into a local syslog server (Kiwi syslog daemon is free and GREAT!), pointed the firewall to dump its syslogs there and then read them with Kiwi Syslog viewer. Look for lots of SMTP traffic from an internal IP address OTHER than your Exchange server. Works every time. Then take that workstation out back and have a few words with it (and the user who downloaded and installed the trojan/rootkit/SMTP engine).

    Let us know how it goes.
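The firewall-syslog check described in the post above (outbound SMTP from an internal address other than the mail server), as an added example that is not part of the original post. The thread does not name the firewall, so the iptables-style key=value log lines, the mail server address 10.0.0.10 and the internal range 10.0.0.0/8 are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

MAIL_SERVERS = {"10.0.0.10"}                      # assumed Exchange server address
INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumed internal range

# Constructed firewall syslog lines (iptables-style key=value fields).
SAMPLE_SYSLOG = """\
Aug  1 09:00:01 fw01 kernel: IN=lan OUT=wan SRC=10.0.0.10 DST=198.51.100.7 PROTO=TCP SPT=3301 DPT=25
Aug  1 09:00:02 fw01 kernel: IN=lan OUT=wan SRC=10.0.0.57 DST=203.0.113.9 PROTO=TCP SPT=4410 DPT=25
Aug  1 09:00:02 fw01 kernel: IN=lan OUT=wan SRC=10.0.0.57 DST=203.0.113.77 PROTO=TCP SPT=4411 DPT=25
Aug  1 09:00:03 fw01 kernel: IN=lan OUT=wan SRC=10.0.0.57 DST=192.0.2.25 PROTO=TCP SPT=4412 DPT=25
Aug  1 09:00:03 fw01 kernel: IN=lan OUT=wan SRC=10.0.0.33 DST=192.0.2.80 PROTO=TCP SPT=5120 DPT=443
Aug  1 09:00:04 fw01 kernel: IN=lan OUT=lan SRC=10.0.0.33 DST=10.0.0.10 PROTO=TCP SPT=5121 DPT=25
Aug  1 09:00:05 fw01 kernel: IN=wan OUT=lan SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=2200 DPT=25
"""

KV = re.compile(r"(\w+)=(\S+)")

def rogue_smtp_sources(log_text, mail_servers=MAIL_SERVERS, internal=INTERNAL):
    """Map internal IP -> set of external hosts it contacted directly on TCP/25."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue                      # malformed or incomplete entry
        # Only internal -> external flows that did not come from the mail server.
        if src in internal and dst not in internal and f["SRC"] not in mail_servers:
            hits[f["SRC"]].add(f["DST"])
    return dict(hits)

def report(hits):
    """Sort sources by how many distinct external hosts they reached on port 25."""
    return sorted(((ip, len(d)) for ip, d in hits.items()), key=lambda x: -x[1])

if __name__ == "__main__":
    for ip, n in report(rogue_smtp_sources(SAMPLE_SYSLOG)):
        print(f"{ip} opened SMTP sessions to {n} external hosts")
```

Clients submitting mail to the internal server (10.0.0.33 in the sample) and inbound deliveries are ignored, so only hosts bypassing the mail server are listed.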

  18. Senior Member
    Join Date
    Jan 2008
    Posts
    1,941

    Certifications
    MCITP: EA, EMA; MCSE 2000/2003: M; MCSE 2000: S; MCSA 2000/2003: S; MCTS: ISA 2006; VCP3/4
    #17
    GoDaddy...

    DynDNS...

    There are lots of pretty good ones out there...

  19. Senior Member
    Join Date
    Jul 2007
    Posts
    1,198
    #18
    Quote Originally Posted by royal
    These two links can probably help you:
    http://msexchangeteam.com/archive/20...07/448082.aspx

    In the future when/if you move to Exchange 2007, this would help you:
    http://msexchangeteam.com/archive/20...12/447515.aspx

    Typically I check to make sure message transport logs and SMTP logs are on. I then take the SMTP transport logs and do a text import into Excel and it'll allow you to organize the data so it'll go into columns.

    You can also mirror all your data onto one of your switch ports (using a managed switch) and use a network monitoring program that only captures 25 to see where all that mail is coming from. Or if you believe spam is being generated on the inside, you can disable outbound mail and see all the outbound mail from a specific someone start queuing up a bunch.
    Royal I nominate your Avatar as Avatar of the year!!!
