Need help in SPAM forwarding through SMTP

[Sar-Had-Pawar]

I just wanted to share that I have gone through some articles for blocking open SMTP relaying and cleaning up Exchange Server SMTP queues in the Windows Small Business Server and The problem that I am facing is that I am getting "SMTP Server Remote Queue Length Alert on SERVER" message from the Windows Small Business Server periodically, I have tried clearing out the SMTP queues but then I don’t know why massive array of queues are just repapering, it appears as if some Sonicwall device is just sitting between the Exchange and the WWW, I am not able to try out the telnet tests as well to check out if the open relaying is occurring when the telnet gets blocked, I have tried following the steps in the above article for blocking open relays and I had done it successfully as well but then it did not appeared to be making any difference in my case, is there anyone who can help me out with some troubleshooting?? I really want to solve it out somehow and I am running out of ideas by now, I have tried out all the possible solution that I could have but the I have not been able to fix it out, so any help regarding the same will be highly appreciated.

[Jhonny.Bravo]

I am not very sure but then it is appearing as if the device on your LAN is spewing spam somehow or there are possibilities that a user account might have compromised because of which they are performing authenticated relay, if you want then you can try out resetting all the user passwords and see if it is making any difference in your case or not. I also wanted to know that are you able to lock down your port 25 so as to receive the email from the some specific internet service providers??? Just check out these things and then let me know the response that you are getting for them for further help.

[Sar-Had-Pawar]

I really don’t think that device on my LAN is spewing spam as I have found Everything to be coming up clearly through the SEP, I have ran Malwarebytes last night as well but then it did not found anything. Other than this I have also tried resetting all the user passwords but even they did not helped, I did not understood what you meant by “I also wanted to know that are you able to lock down your port 25 so as to receive the email from the some specific internet service providers???” I really don’t have any idea about the same so can you help me out in restricting SMTP for receiving e-mail from some specific internet service providers like you have said? I just wanted to know if I am having a an authenticated relay issue then will it be affecting the process?? Will it be affecting the other users who are accessing exchange through RPC/HTTPS, are you aware of these things???

[Jhonny.Bravo]

In that case I will like to inform you that the RPC/HTTPS won’t be getting affected and as far as the SMTP filtering is concerned I will like to explain you with example suppose if your email is routed to a different server first and then you will block other IP connecting to port 25 for receiving leaving the message lab servers then it wont be stopping any relay except the ones from the trusted servers, the connection control is basically carried out on the default smtp virtual server, so if you wont be using any service like message lab then you wont be able to try this thing out, I also wanted to add that for some of the clients who might be having secondary MX as an ISP SMTP Server and if we block the Port 25 for some specific internet service providers then the delivery of the Email will be attempted to our Port 25 and it will be getting failed and after that it will be re routed to the ISP who will later forward to you, I know you might have got a bit confused as the process is quite messy but then trust me it works, just wanted to know that have you been running ISA on the same box?? Hope what I have said is cleared to you, if you have any about the same then feel free to ask I will try out explaining the same in simpler way.

[Sar-Had-Pawar]

Yes I think I got it, in my case the emails arrives directly to the server (SBS2003) as there is a web hosting company which is having the domain and WWW presence, I have not yet used ISA on the same box, I know that the Blocking IP's can work but then I will have to specify a range in that case right?? I also wanted to share that only authenticated users are relaying through the server, actually one guy had left the company but the I had made sure that I am disabling his account ad I had left other things as it was, so now if any one send a email to his address then it gets forwarded to the replacement's address that he had but then I don’t know why the replacement user was getting spam from the emails that gets sent to his original address, even after disabling the account from the active directory. Later after deleting the old user's messages this issue was solved and the replacement was not receiving spam any more for that moment but then it has started again. I don’t understand that how can a account receive messages even when the account is disabled, what do you think about the same?? I have tried following the suggested changes but then I don’t know why they are not helping, is there any setting on the Outbound Security' section of the SMTP virtual server properties, do you have any idea about it??

[Jhonny.Bravo]

Your issue is really weird I really don’t know what to suggest now, I will suggest you to ask all the users to change password and check out of the issue is getting solved or not, you should also check out the security log on the server when the spam appears, if that is not helping then you can just got through the below article and try out the solution that has been mentioned there and see if it is helping.
How to block open SMTP relaying and clean up Exchange Server SMTP queues in Windows Small Business Server
The above article is having better detailed steps so just try it out and make sure that you are not skipping any steps. Best of luck.