
How to determine how mail entered the queue


Freaky

Jan 25, 2008, 9:48:37 AM
Hey there,

An Exchange server at one of our customers is sending loads of spam.
It's not a relay (only for the local subnet). I have SMTP logging enabled
and checked that, but it doesn't appear to come in through SMTP, as I only
see it trying to get out there.

So it probably came in through Outlook/MAPI, and thus it is probably some
internal machine with an infection. Now there are quite a few machines,
so I'd like to find out from which machine/IP the mail entered the queue.

Anyone got some clues for me?

TIA

Kind regards

Rene Frenger

Jan 25, 2008, 10:02:00 AM
You could stop the SMTP service for 10 minutes to see what's queuing up.
Also run the Troubleshooting Assistant and do a performance check to look
for MAPI sessions.
--
Regards,

Rene Frenger
MCITP E2K7
MCP EX5.5, 2000, 2003
MCSE

Freaky

Jan 25, 2008, 10:50:18 AM
No need, it's not going out. I think there's a new exploit. I'd really
like some help on this... :)

Found this in the logging; apparently it is coming from outside! The server
is running Exchange 2003 SP2; Microsoft Update reports it's up to date.

# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dmcu...@dmdesignintl.com 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dmd...@intekom.co.za 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dme...@sandiego.edu 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dmel...@tampabay.rr.com 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dme...@belmont.cc.oh.us 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -
24-01-08 22:19:2 GMT 75.26.56.198 User isp.smarthost.com FS-2003-01 172.31.1.1 dmcwi...@ymcamidtn.org 1031 FS-2003-01yfy...@ourdomain.tld 3 0 1373 50 2008-1-24 22:18:37 GMT 0 Version: 6.0.3790.3959 - - online....@myisland.com -

These lines are there with our smarthost and without. There really are
tons of them.

Tried sending mail through our smarthost (which is set up) with telnet,
like so:

telnet smarthost 25
helo testdomaint.ld
mail from: m...@mail.com
rcpt to: m...@mail.com
data
Subject: test
test
.

This sends out fine.

The error that was reported in the queue was something along the lines of
'event sink error'. For now I've frozen all the mail in the queue from
the online....@myisland.com address. Mail seems to go out fine
now... I'm not really familiar with Exchange's internals. Could it be
possible that the SMTP service was borked by an exploit, and got
restarted or whatever by freezing the mail and/or looking at the
connector's properties? I find 'event sink error' a very strange error for
SMTP. In other cases, when we were blocked by the ISP due to being on an
RBL or something, the error was pretty clear to us.

Please advise.

Kind regards
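
One way to answer the original question ("from which machine/IP did the mail enter the queue?") from a message tracking log like the one quoted above, as an added example that is not code from this thread. It assumes the tab-separated Exchange 2003 layout whose "# Date<TAB>Time<TAB>..." header is shown in the post, that records appear in processing order, and a constructed sample with .example domains, made-up internal workstation hosts, and the event ID 1019 standing in for an earlier submission event of the same message.

```python
# Pivot an Exchange 2003 message tracking log (added example, not code from the thread) to see
# where each message entered the queue. Assumes the tab-separated "# Date<TAB>Time..." layout quoted above.
from collections import defaultdict

FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address "
          "Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time "
          "Encryption service-Version Linked-MSGID Message-Subject Sender-Address").split()

def _rec(time, ip, host, partner, rcpt, event, msgid, sender):
    """One constructed record; the fixed fields mirror the page's sample."""
    return "\t".join(["24-01-08", time, ip, host, partner, "FS-2003-01", "172.31.1.1", rcpt,
                      event, msgid, "3", "0", "1373", "50", "2008-1-24 22:18:37 GMT", "0",
                      "Version: 6.0.3790.3959", "-", "-", sender])

# Constructed sample: 1031 is the event ID on the page; 1019 stands in for an earlier submission event (IDs are treated as opaque).
SAMPLE_LOG = "\n".join(["# Message Tracking Log File", "# " + "\t".join(FIELDS),
    _rec("22:18:40 GMT", "172.31.1.57", "WKS-07", "-", "-", "1019",
         "yfy1@ourdomain.tld", "online@myisland.example"),
    _rec("22:19:2 GMT", "75.26.56.198", "User", "isp.smarthost.example",
         "dmcu@dmdesignintl.example", "1031", "yfy1@ourdomain.tld", "online@myisland.example"),
    _rec("22:19:2 GMT", "75.26.56.198", "User", "isp.smarthost.example",
         "dme@sandiego.example", "1031", "yfy1@ourdomain.tld", "online@myisland.example"),
    _rec("22:20:11 GMT", "172.31.1.12", "WKS-03", "-", "-", "1019",
         "abc2@ourdomain.tld", "alice@ourdomain.tld")])

def parse_tracking_log(text):
    """Return one dict per record; field names come from the '# Date ...' header line."""
    fields, records = FIELDS, []
    for line in text.splitlines():
        if line.startswith("# Date\t"):
            fields = line[2:].split("\t")
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def first_hop(records):
    """First record per MSGID in log order: the client that handed the message to this server."""
    seen = {}
    for r in records:
        seen.setdefault(r["MSGID"], r)
    return seen

def sender_fanout(records):
    """Per Sender-Address: recipient count and distinct recipient domains (spam fan-out)."""
    out = defaultdict(lambda: {"recipients": 0, "domains": set()})
    for r in records:
        if "@" in r["Recipient-Address"]:
            out[r["Sender-Address"]]["recipients"] += 1
            out[r["Sender-Address"]]["domains"].add(r["Recipient-Address"].rsplit("@", 1)[1].lower())
    return out
```

Run over a real tracking log, `first_hop` gives the client-ip/Client-hostname of the first record for each MSGID, while `sender_fanout` shows which sender address is spraying many recipient domains.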

Freaky

Jan 25, 2008, 10:55:33 AM
Can this cause event sink errors?

2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 220+smarthost+ESMTP+Postfix 0 0 34 0 15 SMTP - -
2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - EHLO - ourdomain.com 0 0 4 0 15 SMTP - -
2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 250-smarthost 0 0 20 0 15 SMTP - -
2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - MAIL - FROM:<online....@myisland.com>+SIZE=1700 0 0 4 0 15 SMTP - -
2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 250+Ok 0 0 6 0 31 SMTP - -
2008-01-25 02:00:09 82.204.126.20 SMTPSVC1 FS-2003-01 - RCPT - TO:<jg...@kkltfm.com> 0 0 4 0 31 SMTP - -
2008-01-25 02:00:13 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 450+<jg...@kkltfm.com>:+Recipient+address+rejected:+Domain+not+found 0 0 68 0 3546 SMTP - -
2008-01-25 02:00:13 82.204.126.20 SMTPSVC1 FS-2003-01 - RSET - - 0 0 4 0 3546 SMTP - -
2008-01-25 02:00:13 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 250+Ok 0 0 6 0 3546 SMTP - -
2008-01-25 02:00:13 82.204.126.20 SMTPSVC1 FS-2003-01 - QUIT - - 0 0 4 0 3546 SMTP - -
2008-01-25 02:00:13 82.204.126.20 SMTPSVC1 FS-2003-01 - - - 221+Bye 0 0 7 0 3562 SMTP - -
