Is your Exchange 2003 server generating spam?

Ouch. I was up until 3:30am last night because I noticed my Exchange 2003 server was sending a ton of messages. I noticed this because I was trying to diagnose another, unrelated, problem and happened to look in the outbound Queue in Exchange System Manager. My SMTP connector showed several hundred queued outgoing messages. Given that I have about 6 users on my Exchange server and none of them send more than 2 or 3 messages a day…

I panicked. How could my SMTP server be acting as a relay for spam? It was totally locked down:

  • It only allowed anonymous connections.
  • Only one PC on my LAN could relay through it (my home automation server).
  • I do not have “Allow all computers which successfully authenticate to relay, regardless of the list above” checked.
  • I have security auditing on and SMTP diagnostics logging on.
  • I am careful to ensure that all accounts (domain and local machine) have strong passwords and Guest is disabled everywhere.

What I saw was hundreds of messages in the Find Message functionality in the Queues node in ESM with a sender address of postmaster@kindel.com. The recipients were the typical “recipients” of spam. Unfortunately the Find Message functionality does not allow you to view the contents of the outgoing message; if it had, I would not have been up until 3:30am and would not have spent 3 additional hours today trying to figure this out.

When I looked at my SMTP logs, I saw that someone was sending these messages through my SMTP service, but the logs had blank entries for the IP address! This freaked me out, because I thought that the only way that could have happened was for some agent to be on my server! I ran anti-virus checks, SpyBot Search And Destroy, and looked for obvious rogue processes. Nothing.

I had several guys from the Exchange team look at my settings. They assured me that my SMTP server was configured correctly.

We ran Network Monitor (netmon) to see what the actual SMTP traffic looked like. This provided the clue that finally gave us the answer: the recipients I was seeing in the messages queued to go out matched the senders of spam that was incoming to my system. For those incoming messages the recipients were bogus aliases on my domain (e.g. fred@kindel.com).

All those queued messages were NDR (Non Delivery Report) messages; basically saying “hey, this user (fred@kindel.com) doesn’t exist.” They weren’t outgoing spam at all!
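The correlation netmon made visible (outbound postmaster messages addressed to exactly the senders of inbound mail for non-existent aliases) can be pulled out of the SMTP protocol logs directly. The script below is an added example, not code from the post; it assumes a simplified one-transaction-per-line log layout (time, client IP, verb, address), constructed sample lines, a directory that contains only the user charlie, and “-” as the client IP for locally generated messages.

```python
import re

# Constructed sample SMTP log lines (simplified layout: time client-ip verb address).
# Inbound spam to bogus aliases arrives from remote IPs; the NDRs Exchange generates
# in response show no client IP ("-") and are sent as postmaster@<local domain>.
LOG = """\
02:10:01 203.0.113.5 MAIL FROM:<victim1@example.net>
02:10:01 203.0.113.5 RCPT TO:<fred@kindel.com>
02:10:02 203.0.113.5 MAIL FROM:<victim2@example.org>
02:10:02 203.0.113.5 RCPT TO:<wilma@kindel.com>
02:10:03 198.51.100.7 MAIL FROM:<alice@example.com>
02:10:03 198.51.100.7 RCPT TO:<charlie@kindel.com>
02:11:00 - MAIL FROM:<postmaster@kindel.com>
02:11:00 - RCPT TO:<victim1@example.net>
02:11:01 - MAIL FROM:<postmaster@kindel.com>
02:11:01 - RCPT TO:<victim2@example.org>
"""

LINE = re.compile(r"^(\S+) (\S+) (MAIL|RCPT) (?:FROM|TO):<([^>]*)>$")
LOCAL_DOMAIN = "kindel.com"
VALID_USERS = {"charlie"}  # assumed directory contents (hypothetical)

def parse_transactions(text):
    """Group MAIL/RCPT lines into dicts of client ip, sender and recipients."""
    txns, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, ip, verb, addr = m.groups()
        if verb == "MAIL":
            current = {"ip": ip, "sender": addr.lower(), "rcpts": []}
            txns.append(current)
        elif current is not None:
            current["rcpts"].append(addr.lower())
    return txns

def classify(text, local_domain=LOCAL_DOMAIN, valid_users=VALID_USERS):
    """Return (backscatter, bogus): locally generated postmaster messages whose
    recipients are the senders of inbound mail to unknown local users."""
    txns = parse_transactions(text)
    bogus = {}  # inbound sender -> number of messages to non-existent local users
    for t in txns:
        if t["ip"] == "-":
            continue  # locally generated (no client IP), not inbound
        for r in t["rcpts"]:
            user, _, dom = r.partition("@")
            if dom == local_domain and user not in valid_users:
                bogus[t["sender"]] = bogus.get(t["sender"], 0) + 1
    backscatter = [t for t in txns if t["ip"] == "-"
                   and t["sender"] == "postmaster@" + local_domain
                   and any(r in bogus for r in t["rcpts"])]
    return backscatter, bogus
```

Every queued postmaster message that lands in `backscatter` is an NDR for a bogus alias, which is what distinguishes this pattern from an actual open relay.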

So, my system hasn’t been compromised, but I don’t like the fact that I’m generating thousands of emails a day! My ISP might think I am a spammer.

To fix this I enabled “Filter recipients who are not in the Directory” in the Recipient Filtering tab of the Message Delivery object (under Global Settings in ESM).

This causes Exchange to reject any incoming message that is destined for an unknown user.

The only downside that I can see is that messages where people accidentally spell a real alias incorrectly (e.g. chalrie@kindel.com) will not get an NDR. Small price to pay I think.

I’ve also now installed Exchange 2003 SP1 and the Intelligent Message Filter which will reduce the amount of spam I get, which is tons.


© Charlie Kindel. All Rights Reserved.

12 comments


  1. Hi

    What you have described here is what is happening to my Exchange 2000 server. How (if I can) do I do the same using Exchange 2000 (SP3)?

    Cheers

    Wayne Taylor

  2.

    I do not believe this technique will work on Ex 2000.

  3.

    > The only downside of this is that I can see is

    > that messages where people accidentially spell

    > real alias incorrectly (e.g. chalrie@kindel.com)

    > will not get a NDR. Small price to pay I think.

    People that send Email to invalid recipients at your domain will still get what you call an "NDR". The Email they send will pass to their outgoing mail server, which will connect to your mail server. When your mail server rejects the message coming from the sender’s outgoing mail server, then the sender’s outgoing mail server will generate a rejection notice ("NDR") and send it back to the original sender.

  4.

    Question? Why is your system sending that many NDR’s? Because it receives lots of mails sent to bogus users in your domain? So, maybe your system is not compromised, but under attack?

  5.

    Guys,

    One of my colleagues has the same problem. In one day the data store grew from a few MB to 3 GB !!!

    Some spammers might use a huge list with user names that are glued to your domain name. If you send millions of combinations <a name>@<your domain>, there is a chance that a few hundred mails arrive. When the user opens the mail, the spammer might be informed that the recipient’s address is valid. Of course for mails sent to unknown recipients (and there are many to fill up 3GB, that’s why I’m thinking of an attack) Exchange generates NDRs.

    Most probably the spammer uses a fake domain name in its reply address. That is why NDR’s are stuck in the Exchange outbound queues. This should be cleaned up automatically after 2 days.

    The recipient filtering solution will prevent Exchange from sending back NDRs for this kind of issue, but this doesn’t solve the spam issue !!!

    Best solution is to use a 3rd party anti-spam gateway like e.g. TrendMicro’s IMSS to prevent spam entering the network…

  6.

    I’m following up on the exact same issue with an associate. We have Exchange 2003, and about a week ago, a large number of remote users, and a few local users, were getting the "Outlook is trying to contact Exchange server" message, and upon checking Exchange, everything appeared as normal, but I had 70 or 80 messages in about 30 to 40 of my outbound queues, all from postmaster@mydomain.com

  7.

    See Microsoft KB 886208.

  8.

    Thank you Richard for posting the KB article #. I had an Exchange Server 2003 environment sending out 11,000 NDR’s for UCE’s an hour. That is exactly what was needed; the situation is completely corrected now.

  9.

    You won’t believe: The same is happening to me but I have done all of this and it is still doing the same. As soon as you start your SMTP connector the administrator (postmaster) sends out thousands of emails. I have SBS 2003 with the latest patches, service packs and Trend Micro, the latest Server Protect and ScanMail. Scanned for worms etc. Phoned Trend, IS and Microsoft.

  10.

    We front end our Exchange 2003 server with an ASSP spam filter server that will do Active Directory lookups to find valid email accounts and perform the UCE rejection. A key benefit to this is that the incoming email does not cross your WAN connection before the email is refused. Undeliverable SPAM accounts for 84% of our email! It is nice not to be paying for all that traffic.

  11. How do you turn off NDR reports in Exchange 2000? I know how to in Exchange 2003. Thank you. Please reply to: jon@pacificcomputergroup.com

  12.

    To disable NDR, uncheck "system message" in your connector property – content restrictions panel. All Exchange "self made" messages (like nnr, ndr) are "system" messages and will not be sent by the SMTP connector.
