Scan Outgoing Mails for Spam

By ReMad
in Smart Home, Network & Security

 Share

Recommended Posts

Mentor

ReMad

Posted
Posted

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

Link to comment
https://www.neowin.net/forum/topic/873020-scan-outgoing-mails-for-spam/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

put a sniffer on your network between your internet gateway and your switch where it connects. find out everything that is communicating on port 25 and monitor the blacklist sites to see when it happened last. don't have them take you off until you have verified where the spam is coming from. pretty easy to determine if you have an exchange server and someone else is sending on port 25 (no one should be other than the exchange server). I would consider GFI's mail essentials or a barracuda spam firewall at your next renewal date and dump your current spam solution (I would go with the barracuda hardware appliance vs a piece of software that you have to load on another device or on your exchange server).

Enthusiast

MrTwister

Posted
Posted

Hello

I am Facing some problem with Exchange 2003 being listed sometimes on some Spam checking sites even the Network is secured with Fortinet + Symantec Antiviruses

the Problem is that Fortinet scanns coming mails but not the out mails for spam

the Server is the only one can access the Smtp

is there any free tools or tools with good price to scan the outgoing mails and solve that issue ?

Thank You

You should be able to contact the offending websites and get them to validate that the e-mail being sent is actually valid.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

Enthusiast

MrTwister

Posted
Posted

So you want him to email the sites blacklisting him and tell them his not sending spam? So they will remove him from the blacklist.

The problem is -- maybe he is ;)

edit: let me reword that -- if he is blacklisted its not "maybe" he is -- it pretty freaking likely that spam is being sent from his IP. If it was not, then he would not be on a blacklist ;)

Yeah Mr. Know It All. It was just a suggestion. Which is why I suggested contacting the other ISP's.

Mentor

random_n

Posted
Posted

Exchange 2003 in the default config gets abused for NDR backscatter. Make sure you've turned on recipient filtering, filter recipients that aren't in the directory, and turn on tarpitting to prevent directory harvest attacks. Disabling attachments for NDRs is nice as well, but not as important once you aren't generating them for external recipients.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

"contacting the other ISP's. "

Again -- What?? :blink: Dude you seem not to have even the faintest idea on what the poster is even talking about.

So you suggest he contact the what hundreds, maybe 1000's of domains using said blacklist(s) And tell them to let his email in anyway even though its blacklisted for sending spam ;)

Mentor

ReMad

Posted
  • Author
Posted

Its rare that a client infection actually uses it email client to send email.. Off the top of the head I can not think of one that does this.. Normally a client infection will send attempt to directly send email, it doesn't go through the email client on the box to send the mail. This is too easy to track!!

I find it highly unlikely that your clients being infected and sending email through your exchange server is the problem to be honest. But if thats the case I would hope that your goal would be to clean the infected machines vs scanning for outgoing spam.

To be honest is more likely that your server is an open relay than your clients being infected - and thats how its getting placed on spam lists. Or if you server is sharing an IP with clients - then sure you IP could be listed due to a clients infection.

Could you explain a bit more about this statement

"the Server is the only one can access the Smtp"

How does email work in your setup.. So your client talk to your server to send mail, the server sends it directly to the other domains, or do you forward your mail to a isp smtp server? So which IP is getting blocked and what mail list?

Well , I contacted the Fortinet company and we checked the device

it needed some update and it does scan both incoming and outgoing mails and the filter is on and shouldnt send or receive any

I meant that the Port SMTP isnt allowed for the Clients

only the Mail server

and no , it is not an open relay

Today I found thousands of undelivered messages sent to ebay.org and some others ( Spam Chinese mostly :s ) from inbox of Administrator ( seems Backscatter ! )

some for long time and some for no known reason !

The Server is secured using GFI mail essentials + Symantec AV + Malwarebytes

All are updated and scanning gives no warnings !

What to do !?

Now listed on http://dnsbl.invaluement.com/ivmsip/ !

they dont reply to my emails !

what to do ?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

my vote is still the sniffer on the network to verify where the issue is coming from. The undeliverables could just be from another computer on your network trying to email out as administrator and you recieving the undeliverables in your administrator account.

Find out what computer is sending the spam and take care of it.

Internet router---------hub---------switch

....................................|

....................................|------computer with sniffer program scanning the traffic between your main switch and the internet

....................................=just placement since the neowin forum doesn't like spaces

Grand Master

+BudMan MVC

Posted
  • MVC
Posted (edited)

Backscatter -- you sure? Can you post up some example emails that are sitting in your admin box.

Your best bet to prevent backscatter is not send NDRs, and your exchange server should also be set to not accept any mail in the first place that is not to one of listed users.. So instead of accepting the mail and than not being able to deliver it - so you send a NDR. Give them a reject right at start.

So you disable NDRs and also turn on recipient filtering so that you only accept mail for valid email address in your domain any vs anything@yourdomain

This MS article goes over these filtering. But you can also disable sending NDRs all together. You might also want to look into using a blacklist of your own so you do not accept mail from spammers ;) And then you could prob turn NDRs back on.

http://support.microsoft.com/kb/909005

In Exchange Server 2003 or in Exchange 2000 Server, the Exchange Server queues are filled with many non-delivery reports from the postmaster account because of a reverse non-delivery report attack

NDRs does not always mean backscatter -- If I am using your exchange server as an open relay and feeding it mail to send, then sure lots of mail is not going to be deliverable. You need to verify the source of your issue before you can fix it. Just because you have mail in the admin box since does not mean its actually back scatter spam that is being used against you.

Apprentice

AstroCreep

Posted
Posted

We have a FortiGate as our firewall/NIS/VPN/main-connector solution, and we have it configured to only allow SMTP-out from one IP address on our network. That IP address would be our Exchange server.

We ended up needing to implement that after a situation similar to what you're experiencing.

Do you have any internal MX records? I know we had to set one up for our SharePoint server. Plus there could be other systems on your network that have an SMTP engine installed (it is a simple IIS compnent, after all); someone on your network could have an engine loaded which is relaying messages, which are hitting the gateway. Allowing SMTP from one address on the FortiGate would be a great start. Then run a domain-wide virus-sweep to find & neutralize the zombie.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft unveils new Surface Laptop with improved trackpad, Snapdragon X2, and more

      By Talys · Posted

      I am not a fan of haptic feedback touchpads. I've owned a Surface Laptop 7 (Snapdragon) with one and a Lenovo Slim (Intel), and I hated both to the point where I purchased different laptops. It's not that they don't work most of the time; it's that they don't work 100% of the time, and there is no advantage from a user's perspective over a good mechanical trackpad like what's on a ThinkPad X1 or a Yoga 9i. I do not believe that I'll buy another haptic feedback touchpad laptop again in the near future.
    • Classic 7 is Windows 10 LTSC cosplaying as Windows 7

      By eiffel_g · Posted

      Works fine here too. About this build, I don't like to download any kind of Windows, from any site except Microsoft. The mod might work, but I don't know what it's inside. Can contain malware, backdoors... Long time ago I've used something like this but reversed - it was 98se with the look and some functionality  of XP. Or, later XP with Vista look. But I made it myself. Not downloaded from obscure sites.
    • Microsoft will finally let you sign in to Edge with a Google account

      By sphbecker · Posted

      I didn't have this one on my bingo card.
    • Rockstar gives last-gen GTA V players free upgrades tomorrow

      By LoneWolfSL · Posted

      Rockstar gives last-gen GTA V players free upgrades tomorrow by Pulasthi Ariyasinghe Rockstar is preparing to launch Grand Theft Auto VI later this year, but ahead of that, the company has revealed a new offer for some Grand Theft Auto V owners. It today announced that Xbox One and PlayStation 4 version owners of the 2013-released title will soon be receiving a free upgrade to the current generation version. The studio released the Xbox Series X|S and PlayStation 5 version of Grand Theft Auto V back in 2022, bringing significant upgrades to the original console editions. This included 60 FPS gameplay at up to 4K resolution, as well as major upgrades to textures, draw distance, and audio. Faster load times, ray tracing elements, and HDR support were also added with it. While this new and enhanced version needed a new purchase of the game to jump in, now Rockstar has decided to make it a free upgrade, dropping the $40 price tag entirely on consoles. "Beginning tomorrow, those who own any PS4 version or the digital Xbox One version of Grand Theft Auto V will be able to upgrade to the PS5 or Xbox Series X|S versions at no additional cost, and experience the best versions of GTA V and GTA Online," said the company in an official blog post. The free upgrade offer will be released tomorrow, June 18, for all Xbox One and PlayStation 4 owners of Grand Theft Auto V. Players who will be jumping in on the offer will want to check how to migrate their GTA Online profile from last-generation to current-generation consoles by heading over here. The offer lands ahead of The Kortz Center Heist hitting Grand Theft Auto Online, where players and crews will be tasked with stealing priceless international art from a prestigious gallery in Pacific Bluffs. It doesn't look like Rockstar plans to stop updating its previous game even with Grand Theft Auto VI being on the horizon. The latest title is slated to launch on November 19, 2026, across Xbox Series X|S and PlayStation 5.
    • The 2TB Samsung 990 PRO NVMe SSD hits lowest price in over three months

      By +Sledge · Posted

      Now comes with a money back guarantee instead of a replacement! Hah

  • Recent Achievements

    • One Month Later
      Vincian earned a badge
      One Month Later
    • First Post
      Jocimo earned a badge
      First Post
    • Week One Done
      suprememobiles48 earned a badge
      Week One Done
    • One Month Later
      Windows Guy earned a badge
      One Month Later
    • One Month Later
      Prasann earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      511
    2. 2
      +Edouard
      172
    3. 3
      PsYcHoKiLLa
      89
    4. 4
      Steven P.
      76
    5. 5
      neufuse
      69
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!