ggkelley (United States of America) asked:
Hijacked Exchange Account

I have relay disabled on our Exchange 2003 server, however I notice that my queues reflect a large number of messages from a user that does not exist on our system, "postmaster@xyz.com". The messages that are queued up are definitely spam and are pointed towards spam domains. I have checked our anti-virus and GroupShield and everything is up to date. Any ideas?
Sembee (United Kingdom) replied:

postmaster@ is a valid address.
It is a built in address, usually associated with the administrator account.

Change THE domain administrator account.

It may also be an NDR attack. To clean up your queues, take a look at my web site:

http://www.amset.info/exchange/spam-cleanup.asp

Simon.
vtsinc replied:

This is normal. If spam is sent to an invalid account on your system/domain, the server auto-generates a non-delivery report to the sender address. Since it is spam, the sender address is probably forged and itself invalid, so your queues start filling up with outbound messages from postmaster@yourdomain.com.

Unless there is a very extremely high volume in the queues, I would not be too terribly concerned. The NDRs themselves will time out and be dropped from the queues based upon your retry policy.
1. Check relaying with http://www.abuse.net/relay.html
2. It's possible that someone is logged into your SMTP connector with a cracked or simple account like test/test or something like that, OR software for relaying is installed on a client machine.
   - Disable: Guest account (if enabled)
   - Enable SMTP transport logging:
     1. Start ESM
     2. Right-click on the Exchange server name
     3. Click the Diagnostics Logging tab
     4. Click MSExchangeTransport
     5. Click SMTP Protocol
     6. Select Maximum
     7. Restart the SMTP virtual server
   - Check Event Viewer for Event ID 1708 (if not found, relaying is not the case)
--------------------------------------------------------------
EventID: 1708
=========
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Description: SMTP Authentication was performed successfully with client "materials". The authentication method was "LOGIN" and the username was "OURLOCALDOMAIN\Test".
-----------------------------------------------------------------
   - Check the user's machine for relaying software
   - Change the user's password (in this case user test)
   - Don't forget to disable logging after this for better performance

Additional:
Forget my answer above... haven't read well, check Sembee's answer.
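The Event ID 1708 check in the steps above is easy to automate once the SMTP protocol log has been exported as text. The following is an added example, not code from the original post: it parses exported Event Viewer records, keeps the 1708 entries, pulls out client, method and username from the description, and counts authentications by accounts that are not on an allow-list of accounts expected to use SMTP AUTH. The sample records and the "scanner" allow-list entry are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of exported Event Viewer text for MSExchangeTransport
# 1708 events (made up for this example; the "Test" account mirrors the post).
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client "materials". The authentication method was "LOGIN" and the username was "OURLOCALDOMAIN\\Test".

Event Type: Information
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client "copier01". The authentication method was "LOGIN" and the username was "OURLOCALDOMAIN\\scanner".

Event Type: Information
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client "materials". The authentication method was "LOGIN" and the username was "OURLOCALDOMAIN\\Test".
"""

# Pulls client, auth method and username out of the 1708 description text.
AUTH_RE = re.compile(
    r'with client "(?P<client>[^"]+)".*?method was "(?P<method>[^"]+)"'
    r'.*?username was "(?P<user>[^"]+)"')

def parse_1708_events(text):
    """Return (client, method, user) for every Event ID 1708 record in the export."""
    hits = []
    for record in re.split(r"\n\s*\n", text.strip()):  # records are blank-line separated
        fields = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if fields.get("Event ID") != "1708":
            continue
        m = AUTH_RE.search(fields.get("Description", ""))
        if m:
            hits.append((m["client"], m["method"], m["user"]))
    return hits

def unexpected_auth(events, allowed_users):
    """Count SMTP AUTH successes per (user, client) for accounts not on the allow-list."""
    allowed = {u.lower() for u in allowed_users}
    return Counter((user, client) for client, _, user in events if user.lower() not in allowed)

if __name__ == "__main__":
    events = parse_1708_events(SAMPLE_EVENTS)
    for (user, client), n in unexpected_auth(events, ["OURLOCALDOMAIN\\scanner"]).items():
        print(f"{user} authenticated {n} time(s) from {client}; check that host for relaying software")
```

Any account that shows up in the output is a candidate for the password change and client-machine check described in the steps above.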
Sembee replied:

Just going through some of the old outstanding questions as it is quiet...

Has this problem been resolved?
If you need clarification on any part of the responses above, please post back.

Otherwise you need to close the question by awarding points, or posting in the Support Topic Area (top right corner) with a link to this question asking for the moderators to close the question for you without awarding points.

Simon.
ASKER CERTIFIED SOLUTION: DarthMod (United States of America)