Spam and exchange

riff_man79

Hi

Im working in a small business and we are having a problem with outgoing spam. Our isp has called us and told us there is alot of spam being sent out from our company. I have some computer and network experience but need some direction here.

There are 2 servers, the normal server and the exchange server. I ran a netstat on exchange server and got back about 7 pages of information. At the end its has a lot of outgoing smtp to our isp smtp server with LAST_ACK at hte end. Alot of other conections to URLs that i don't recognise.

Whats my best course of action here to resolve this problem

Cheers in advance

CraggyIslander

sounds like your exchange server is configured as an open smtp relay. Dont know the version of windows / exchange etc but the below article has useful info to disable the function:

http://www.microsoft.com/technet/security/prodtech/exchangeserver/excrelay.mspx

riff_man79

Thanks
however our exchange server is already set up like your article dictates. Any other ideas?

CraggyIslander

It may be zombified pc's on your network that are generating the spam. Check your firewall to see where the smtp connections are coming from internally and if needed tweak the rules so that only the exchange server is allowed on port 25.

PS This will only work if the zombies are not using your exchange as a relay.

What version of windows / exchange are you running?

merkuree

You may also want to:

- run anti-malware programs against each PC to determine whether they have been infected with anything nefarious. (spybot, windows defender, adaware....there are many apps out there to help, your choice depends on personal experience.....but other folks out there can chime in with alternatives.)

- ensure that you have anti-virus enabled on all PCs and up-to-date definition files.

- ensure that your machines are patched.

- consider enabling or installing a software firewall on PCs, especially laptops which travel and connect to broadband or other connections.

- create an 'IT equipment usage' policy for your employees. Some folks do not yet realize that leaving an exposed machine on a broadband connection overnight is asking for trouble. Plus it can have legal consequences for your company if your machines then subsequently infects client machines or a clients network.

Not sure as to the nature of your business, but if your employees use their machines on client networks or at client sites, the last thing you want is those machines passing infection or malware along.

Hope that helps you move in the right direction.

FusionNet

I agree with the guys. This is a serious issue, ISP's do not contact people unless its a fairly serious issue. I dont think this is something you should take on yourself. You havent mentioned if you use a server based antivirus? More than likely one of your machines is generating the mail through a virus or trojan its ingested. If you can afford it I would strongly recommend an IT audit. If this was happening you without your knowledge who knows what else might be wrong. If you have confidential files or customer information stored on your PC's or servers its your duty to protect it, neglecting to do so could cost heavily. Im not sure where your based but In know one or two people that are very good at this and will travel, there not connected to my business but are very good at network security. PM me or contact me directly if I can help you in any other way.

seamus

If you are using integrated Outlook and Exchange (as opposed to a POP/SMTP) setup, then restrict SMTP relay rights from inside the network. Set up your firewall to only allow SMTP outgoing from your exchange server and set up your exchange server to refuse ALL SMTP connections except from machines who really, really need it (web servers and the like).
If you're using integrated Outlook and Exchange then none of the users' machines need SMTP access.