You need to restrict which boxes are allowed to talk SMTP to your SMTP relays.  
Should only be your exchange servers and a few other boxes, as needed.

It’s worth packet-sniffing the SNMP traffic to these boxes (which will identify 
the spambots if they’re talking SMTP).

You need to find at least one infected box and see exactly what it is doing.

Cheers,

Phil

--
Phil Randal
Infrastructure Engineer
Hoople Ltd | Thorn Office Centre | Hereford HR2 6JT
Tel: 01432 260415 | Email: phil.ran...@hoopleltd.co.uk
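An added example of the relay restriction Phil describes (this is my illustration, not Phil's script or anything from the thread). It assumes the Exchange Management Shell on an Exchange 2010 Hub Transport server; the server name, connector name and IP ranges are placeholders for your own environment. It first lists connectors that accept anonymous mail from any source address, which is what a spambot on any internal box can use without credentials, then narrows one connector to the hosts that genuinely need it.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell on an
# Exchange 2010 Hub Transport server. Server/connector names and IP ranges are
# placeholders.

# 1. Audit: receive connectors that allow anonymous submission from the whole
#    IPv4 space. These are the ones to tighten first.
Get-ReceiveConnector |
    Where-Object {
        ("$($_.PermissionGroups)" -match 'AnonymousUsers') -and
        ($_.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' })
    } |
    Format-Table Server, Name, Bindings, RemoteIPRanges -AutoSize

# 2. Restrict: the internal relay connector only listens to the boxes that
#    need it (application servers, multifunction printers, the Exchange servers).
$allowedRelaySources = '10.0.5.10', '10.0.5.11', '10.0.1.0/24'   # placeholder ranges
Set-ReceiveConnector -Identity 'HUB01\Internal Relay' -RemoteIPRanges $allowedRelaySources

# 3. Verify: the change takes effect immediately; confirm the new scope.
Get-ReceiveConnector -Identity 'HUB01\Internal Relay' |
    Select-Object Name, PermissionGroups, RemoteIPRanges
```

Anything that used to relay through the open connector and is not in the allowed list will start logging 5.7.1 relay failures on its own side, which is a cheap way to discover the legitimate senders you forgot about, as well as any box that was quietly relaying when it had no business doing so.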

From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: 24 February 2012 23:38
To: MS-Exchange Admin Issues
Subject: RE: internal spam

The accounts have been compromised…usually via a phishing attempt.  So the 
entire process of the internal attack is with a valid authenticated acct.   We 
have our SMTP services set to be authenticated…the problem is looking for a 
process that we can use to identify potential accounts that are sending volumes 
of email and hopefully stop it before the pile of email gets too large. Usually 
the attack sends thousands of email to valid and nonvalid email addresses…which 
of course we don’t notice until the pile of invalid email starts to pile up.

I know...it is comical ☺.  User education has helped, but like any good phishing 
attack, it only takes one bite to cause this problem.

Thanks


Kevin

From: Mike Tavares [mailto:miketava...@comcast.net]
Sent: Friday, February 24, 2012 4:26 PM
To: MS-Exchange Admin Issues
Subject: Re: internal spam

1 question just to clear up some confusion on my part.

Are the actual accounts in question compromised?  (as in someone has direct 
access to the mailboxes on your server?)  or just compromised in the sense that 
some spammer/hacker on the outside is spoofing an email address from your 
company that is a legit address?



From: Sharp, Kevin [mailto:kevin.sh...@usask.ca]
Sent: Friday, February 24, 2012 12:19 PM
To: MS-Exchange Admin Issues <exchangelist@lyris.sunbelt-software.com>
Subject: internal spam

I’m wondering how people are dealing with compromised accounts in Exchange 
sending large volumes of email…essentially an internal spam attack.

Occasionally a phishing attempt will make it past our spam software, and of 
course the odd unsuspecting user ends up with a compromised account which 
makes a connection to the mail system via either a compromised PC or external 
connection.

We notice this when the email starts piling up, and action can be taken 
then...but I’m wondering if there is some software or method that might have 
some more smarts.

We’ve had numerous incidents but so far...not an easy way to distinguish a 
potential spam attack until after it happens, and the email starts piling up in 
the retry queue.

I’ve looked at throttling policies and some of the transport filtering, not 
sure if that will help us much.   What are others doing?

Thanks

Kevin Sharp
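An added example of the kind of "smarts" Kevin is asking for (my illustration, not Kevin's code or anything from the thread). It assumes the Exchange Management Shell on Exchange 2010 and uses Get-MessageTrackingLog, which already records every submission the Hub Transport servers accept. It counts messages and recipients per sender over the last hour and flags senders above a threshold, so the account shows up while the queue is still small rather than after the NDRs pile up. The threshold values and the server/connector names are placeholders to be tuned to your environment.

```powershell
# Added example, not from the thread. Assumes the Exchange Management Shell on an
# Exchange 2010 organisation. Thresholds are placeholders; tune them to what your
# heaviest legitimate senders (mailing lists, ticketing systems) actually do.
$window        = (Get-Date).AddHours(-1)
$maxMessages   = 200     # messages per sender in the window
$maxRecipients = 1000    # recipients per sender in the window

# RECEIVE events are logged once per submission, whether the client came in over
# authenticated SMTP (Source = SMTP) or from a mailbox via Outlook/OWA (STOREDRIVER).
$events = foreach ($srv in (Get-TransportServer | Select-Object -ExpandProperty Name)) {
    Get-MessageTrackingLog -Server $srv -Start $window -EventId RECEIVE -ResultSize Unlimited
}

$suspects = $events |
    Group-Object -Property Sender |
    ForEach-Object {
        [pscustomobject]@{
            Sender     = $_.Name
            Messages   = $_.Count
            Recipients = ($_.Group | Measure-Object -Property RecipientCount -Sum).Sum
            Sources    = ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ','
            ClientIPs  = ($_.Group | Select-Object -ExpandProperty ClientIp -Unique) -join ','
        }
    } |
    Where-Object { $_.Messages -gt $maxMessages -or $_.Recipients -gt $maxRecipients } |
    Sort-Object Recipients -Descending

$suspects | Format-Table -AutoSize

# Scheduled from Task Scheduler every 15 minutes, the same list can be mailed to
# the admins instead of displayed:
# if ($suspects) {
#     Send-MailMessage -SmtpServer 'hub01.example.local' -From 'exchange-alerts@example.local' `
#         -To 'exchange-admins@example.local' -Subject 'High-volume senders (last hour)' `
#         -Body ($suspects | Format-List | Out-String)
# }
```

The ClientIPs column is the useful bit when the list comes back: a single account submitting from an external address it has never used before is the compromised-credential case, while hundreds of messages from one internal workstation is the infected-PC case, and the two are contained differently (password reset in AD plus disabling OWA/ActiveSync/POP/IMAP with Set-CASMailbox for the former; pulling the box off the network for the latter). For the throttling side Kevin mentions, the parameters to look at on Set-ThrottlingPolicy are MessageRateLimit and RecipientRateLimit, which exist from Exchange 2010 SP1; they put a ceiling on how far one account can get before the report above catches it.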



---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe exchangelist
