
I have been trying to sort out this one server for over a week. It had backscatter problems due to low security settings on the Exchange. I followed a few guides to disable the NDR issues, changed all the passwords, removed old users and kept an eye on the message tracking centre.

The message tracking shows legitimate emails and some normal spam, but no more delivery failures to random emails. I have delisted from the spam engines twice now, and after 24 hours it's back on the spam list. In the logs I can see somebody failing logon now and then, and some relay message attempts, but message tracking is not showing any messages being sent at all.

One issue is that the ISP is taking its sweet time to set the rDNS, but it used to work without it before. We send everything out using DNS, and I am on the last straw before I move over to remote hosted, slow POP.

Is there anything at all that can help me understand what is going on? The blacklists are vague, and some show offending emails that occurred 3 weeks ago.

Piotr Kula
  • 3,743

1 Answer


I used a passive "throwing star" network tap between the switch and the internet router, together with

This is a cool thing, but I didn't have time to wait and order it.

[image]

So I used something like this.

[image]

And then ran Wireshark while sniffing outgoing packets to SMTP only. I found the culprit to be a computer on the network with some virus. So the Exchange was clean. Problem solved.

The star network tap is a read-only, man-in-the-middle sniffer. You need two interfaces if you want to capture incoming and outgoing, but I was only interested in outgoing traffic.

  • Victim - Internet router
  • Attacker - A cheap laptop with Windows 7, WinPCAP and Wireshark using on-board LAN
  • To network - The business switch (sadly unmanaged)

[image]

  • The throwing star PCB downgrades Gigabit networks to 100 Mb gracefully. Making your own wiretap only works on 10/100 Mb.

Piotr Kula
  • 3,743
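The answer's method was to tap the link behind the router, capture only outgoing SMTP, and see which internal host is actually opening the connections. Below is an added example of the triage step that follows such a capture; it is not code from the post. It takes tab-separated lines of the shape `tshark -T fields -e ip.src -e ip.dst -e tcp.dstport` would produce (the lines here are constructed, not a real capture), assumes a LAN range of 192.168.1.0/24 and an Exchange server at 192.168.1.10 (both assumptions), and reports any other internal host making outbound SMTP connections. It also builds the matching Wireshark display filter so the same view can be applied in the GUI.

```python
"""
Find internal hosts sending SMTP directly to the Internet that are not the
authorised mail server. Input mimics `tshark -T fields -e ip.src -e ip.dst
-e tcp.dstport` output; the sample lines below are constructed, not captured.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.168.1.0/24")   # assumed LAN range
MAIL_SERVER = "192.168.1.10"              # assumed Exchange server address
SMTP_PORTS = {25, 465, 587}               # submission ports worth watching too


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


# Constructed sample: Exchange delivering mail, one workstation talking SMTP
# to several outside hosts, one HTTPS flow, and one inbound delivery.
SAMPLE_LINES = """\
192.168.1.10\t203.0.113.5\t25
192.168.1.10\t198.51.100.7\t25
192.168.1.57\t203.0.113.9\t25
192.168.1.57\t203.0.113.10\t25
192.168.1.57\t198.51.100.21\t25
192.168.1.23\t93.184.216.34\t443
203.0.113.5\t192.168.1.10\t25
"""


def parse_tshark_fields(text):
    """Parse tab-separated 'src<TAB>dst<TAB>dport' lines into Conn records,
    skipping blank lines and lines missing a port (e.g. non-TCP packets)."""
    conns = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        conns.append(Conn(parts[0], parts[1], int(parts[2])))
    return conns


def outbound_smtp(conns):
    """Keep only connections from an internal source to an external SMTP port."""
    return [c for c in conns
            if c.dport in SMTP_PORTS
            and ip_address(c.src) in INTERNAL
            and ip_address(c.dst) not in INTERNAL]


def suspicious_senders(conns, allowed=(MAIL_SERVER,)):
    """Count outbound SMTP connections per internal host, ignoring hosts that
    are allowed to send mail. Whatever remains is the candidate spam source."""
    counts = Counter(c.src for c in outbound_smtp(conns) if c.src not in allowed)
    return dict(counts.most_common())


def wireshark_filter():
    """Display filter showing the same traffic in Wireshark or tshark -Y."""
    ports = " || ".join(f"tcp.dstport == {p}" for p in sorted(SMTP_PORTS))
    return f"({ports}) && ip.src == {INTERNAL} && !(ip.dst == {INTERNAL})"


if __name__ == "__main__":
    conns = parse_tshark_fields(SAMPLE_LINES)
    for host, n in suspicious_senders(conns).items():
        print(f"{host}: {n} outbound SMTP connections, not the mail server")
    print("Wireshark filter:", wireshark_filter())
```

On the constructed input the only host flagged is 192.168.1.57 with three connections; the Exchange server's own deliveries and the inbound flow are excluded by design. Once a host is identified this way, the next check is whether the Exchange message tracking shows anything from it at all, which in the original post it did not, confirming the mail was leaving the network without touching Exchange.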