Exchange 2007 Server sending spam

Exchange 2007 Server is sending spam. I have tried to isolate where the issue is, but cannot figure it out.

Small personal Exchange 2007 server with just 4 users on it. Sends/Receives email for 2 domains.
Xeams for spam filtering, and my VPS for outbound mail.

So mail flow looks as such: Incoming mail -> Xeams -> Exchange 2007 -> VPS (postfix) -> World

Postfix is configured to ONLY relay from the exchange server's IP. (while I still have the issue I simply told postfix to not accept relays from my exchange - which is good because I can watch the reject log for postfix to see it's still happening).

Exchange server ONLY used with Outlook and OWA and Outlook Anywhere. No POP/IMAP/SMTP (except to receive)

I tested "relay status" from tools online and it does not report to be an open relay.

In the exchange log I enabled I get many entries such as this:

CODE -->

0,,,*,,attempting to connect
2,,,<,220 PcComputerGuy.com ESMTP Postfix (Debian/GNU),
3,,,>,EHLO mail.joessite.com,
6,,,<,250-SIZE 10240000,
12,,,<,250 DSN,
14,,,<,220 2.0.0 Ready to start TLS,
15,,,*,,Sending certificate
16,,,*,"CN=mail.joessite.com, C=US",Certificate subject
17,,,*,"CN=joessite-PCCG-EXCHANGE-CA, DC=joessite, DC=com",Certificate issuer name
18,,,*,13BC2D5E000000000002,Certificate serial number
19,,,*,84C575999AF962054EE8B5604043EBC38A661081,Certificate thumbprint
20,,,*,mail.joessite.com;autodiscover.joessite.com,Certificate alternate names
21,,,*,,Received certificate
22,,,*,3259082035820582058280 (cert stuff),Certificate thumbprint
23,,,>,EHLO mail.joessite.com,
26,,,<,250-SIZE 10240000,
28,,,<,250-AUTH PLAIN LOGIN,
31,,,<,250 DSN,
32,,,*,4614,sending message
33,,,>,MAIL FROM:<> SIZE=12850,
34,,,>,RCPT TO:<GNCGiftforFeedback@value054.approverewardcard.rocks>,
35,,,<,250 2.1.0 Ok,
36,,,<,554 5.7.1 <GNCGiftforFeedback@value054.approverewardcard.rocks>,
38,,,<,221 2.0.0 Bye,

How can I lock the server down so only the 4 users in the domain can send mail and no-one else?

Thank you! Dying here having to constantly stop and start postfix but googling isn't getting me what I need.

RE: Exchange 2007 Server sending spam

P.S. That is from my exchange send-log.

RE: Exchange 2007 Server sending spam

The send log shows your server sending the mail out. We need to determine how it got the mail in the first place. I would run message tracking and see how that message was initially submitted. I would assume that current rules allow authenticated SMTP senders to connect from anywhere, right? Can you lock down port 25 on your firewall to only accept inbound from Xeams? My guess is either of two things:

1. The password on one of those accounts is compromised and a remote sender is authenticating with SMTP and sending the mail, since relay works if authenticated.
2. A MAPI client is compromised and the messages are being submitted through a connected client running Outlook.

Tracking logs will help, since it will show you which IP initiated the connection that handed the spam to the server.

Dave Shackelford

RE: Exchange 2007 Server sending spam

Thank you for the reply. I am trying to learn how to generate tracking reports. In the meantime, I did find that spam seems to be coming from email address <> (blank)

Example: 2015-01-24T15:22:54.522Z,Outbound,08D2059320C485A5,33,,xx.xx.xx.xx,>,MAIL FROM:<> SIZE=18173,

How can we stop Exchange from permitting "<>" as a valid "Sender" and instead insist that to send it authenticate with existing users?

RE: Exchange 2007 Server sending spam

I think I've solved the issue, monitoring then will report back after a few hours.

RE: Exchange 2007 Server sending spam

So for anyone else who might be having the issue, I discovered this:
The problem was unknownJoe@tomwhatever.com would send an email to my server, to an unknown address, say roger@noonehere.com. They would specify the "reply-to" then to go to the actual spam target. So my server would "bounce" the message as "NDR" (not deliverable), but it seems it would go to the "reply to" address, thereby getting the spam out through our server. At least this is what I think is going on as a non-Email Admin.
I went into the spam filtering and created a rule - when Return-Path contains <> (blank) drop the message. This seemed to stop the spam hitting my Linux relay.
In Postfix there is a way to say "Check for valid recipient, and if none exists, reject the message" without even getting to the filtering process. I don't know of (or think there is) a way to do this with Exchange 2007, which would be great as it would solve the issue before it even got into the server.

Hope this helps someone in the future.
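
The null-sender pattern discussed in this thread can be measured directly from the SMTP send log. The following is an added example, not part of any post above: it parses lines in the nine-column layout of the line quoted earlier (`...,Outbound,<session-id>,...,>,MAIL FROM:<> ...`) and counts bounce recipients outside the local domains. The sample log, the domains and the function names are constructed for illustration.

```python
import csv
import re
from collections import Counter

# Constructed sample, same column layout as the send-log line quoted above:
# date-time,connector-id,session-id,sequence,local,remote,event,data,context
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2015-01-24T15:22:54.000Z,Outbound,08D20593AAAA0001,16,,192.0.2.10,*,"CN=mail.joessite.example, C=US",Certificate subject
2015-01-24T15:22:54.100Z,Outbound,08D20593AAAA0001,33,,192.0.2.10,>,MAIL FROM:<> SIZE=18173,
2015-01-24T15:22:54.200Z,Outbound,08D20593AAAA0001,34,,192.0.2.10,>,RCPT TO:<offer@bulk-target.example>,
2015-01-24T15:22:54.300Z,Outbound,08D20593AAAA0001,36,,192.0.2.10,<,554 5.7.1 <offer@bulk-target.example>,
2015-01-24T15:23:10.000Z,Outbound,08D20593AAAA0002,33,,192.0.2.10,>,MAIL FROM:<alice@joessite.example> SIZE=2048,
2015-01-24T15:23:10.100Z,Outbound,08D20593AAAA0002,34,,192.0.2.10,>,RCPT TO:<bob@partner.example>,
2015-01-24T15:24:00.000Z,Outbound,08D20593AAAA0003,33,,192.0.2.10,>,MAIL FROM:<> SIZE=12850,
2015-01-24T15:24:00.100Z,Outbound,08D20593AAAA0003,34,,192.0.2.10,>,RCPT TO:<win@Bulk-Target.example>,
2015-01-24T15:24:01.000Z,Outbound,08D20593AAAA0003,40,,192.0.2.10,>,MAIL FROM:<> SIZE=9000,
2015-01-24T15:24:01.100Z,Outbound,08D20593AAAA0003,41,,192.0.2.10,>,RCPT TO:<prize@other-target.example>,
"""

MAIL_RE = re.compile(r"^MAIL FROM:<([^>]*)>", re.I)
RCPT_RE = re.compile(r"^RCPT TO:<([^>]*)>", re.I)

def transactions(log_text):
    """Return [session_id, envelope_sender, recipients] per MAIL FROM sent."""
    current, out = {}, []          # current: session-id -> open transaction
    # csv.reader copes with quoted data fields that contain commas.
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 8 or row[6] != ">":   # keep only commands we sent
            continue
        session, data = row[2], row[7]
        m = MAIL_RE.match(data)
        if m:                      # a session can carry several messages
            current[session] = [session, m.group(1), []]
            out.append(current[session])
        elif session in current:
            m = RCPT_RE.match(data)
            if m:
                current[session][2].append(m.group(1).lower())
    return out

def backscatter_report(log_text, local_domains):
    """Count null-sender (<>) recipients per non-local domain."""
    hits = Counter()
    for _session, sender, rcpts in transactions(log_text):
        if sender != "":           # only bounces/DSNs use the empty sender
            continue
        for rcpt in rcpts:
            domain = rcpt.rpartition("@")[2]
            if domain not in local_domains:
                hits[domain] += 1
    return hits

if __name__ == "__main__":
    print(backscatter_report(SAMPLE_LOG, {"joessite.example"}).most_common())
```

A steady stream of null-sender deliveries to domains the users never write to is the signature of bounces being generated for forged senders; a handful of such entries is normal NDR traffic.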
