Ouch. I was up until 3:30am last night because I noticed my Exchange 2003 server was sending a ton of messages. I noticed this because I was trying to diagnose another, unrelated, problem and happened to look in the outbound Queue in Exchange System Manager. My SMTP connector showed several hundred queued outgoing messages. Given that I have about 6 users on my Exchange server and none of them send more than 2 or 3 messages a day…
I panicked. How could my SMTP server be acting as a relay for spam? It was totally locked down:
- It only allowed anonymous connections.
- Only one PC on my LAN could relay through it (my home automation server).
- I do not have “Allow all computers which successfully authenticat to relay, regardless of the list above” checked.
- I have security auditing on and SMTP diagnostics logging on.
- I am careful to ensure that all accounts (domain and local machine) have strong passwords and Guest is disabled everywhere.
What I saw was hundreds of messages in the Find Message functionality in the Queues thing in ESM with a sender address of email@example.com. The recipients were the typical “recpients” of spam. Unfortunately the Find Message functionality does not allow you to view the contents of the outgoing message; if it had, I would not have been up until 3:30am and would not have spent 3 additional hours today trying to figure this out.
When I looked at my SMTP logs, I saw that someone was sending these messages through my SMTP service, but the logs had blank entries for the IP address! This freaked me out, because I thought that the only way that could have happened was for some agent to be on my server! I ran anti-virus checks, SpyBot Search And Destroy, and looked for obvious rogue processes. Nothing.
I had several guys from the Exchange team look at my settings. They assured me that my SMTP server was configured correctly.
We ran Network Monitor (netmon) to see what the actually SMTP traffic looked like. This provided the clue that finally gave us the answer: the recipients I was seeing in the messages queued to go out matched the senders of spam that was incoming to my system. For those incomming messages the recipients were bogus aliases on my domain (e.g. firstname.lastname@example.org).
All those queued messages were NDR (Non Delivery Report) messages; basically saying “hey, this user (email@example.com) doesn’t exist. They weren’t outgoing spam at all!
So, my system hasn’t been compromised, but I don’t like the fact that I’m generating thousands of emails a day! My ISP might think I am a spammer.
To fix this I enabled “Filter recipients who are not in the Directory” in the Recipient Filtering tab of the Message Delivery object (under Global Settings in ESM).
This causes Exchange to reject any incomming message that is destined for an unknown user.
The only downside of this is that I can see is that messages where people accidentially spell a real alias incorrectly (e.g. firstname.lastname@example.org) will not get a NDR. Small price to pay I think.
I’ve also now installed Exchange 2003 SP1 and the Intelligent Message Filter which will reduce the amount of spam I get, which is tons.