
User not in Active Directory Logging in and creating SPAM

apbaguy asked (179 views, last modified 2013-12-04):
I have a Windows 2000 SBS running Exchange 2000.  It was an open relay, which I closed, however now it seems to be being used as a relay again.  I have traced it to a user logging in using the login "WEB".  No username (pre 2000 or otherwise) has this name, Guest is disabled, the IIS default accounts and Terminal Server Accounts are all disabled.  How can I disable this account and prevent this from happening further?

Thanks in advance for your help!

Commented:
Just disable all relaying; this shouldn't affect your real users at all, and will stop anyone at all from relaying (make sure to uncheck the box that allows authenticated users to relay mail).

Also make sure to kill his connection through the Server/Protocols location.

Isi

Author

Commented:
I had tried unchecking the authenticated relay box.  It seems to have prevented mail from being delivered (??), but didn't stop the WEB user from authenticating to SMTP.

But that still doesn't answer how to disable this user named "WEB".
Fatal_Exception (Systems Engineer)
Top Expert 2005

Commented:
Hmm...  Not sure how you will find 'Web', but you can check to see if open relaying is still on by telnetting into your Exchange server:

Open a Command Prompt window.
At the Command Prompt, type Telnet.
You will now be presented with the Telnet prompt; type OPEN 25.

If you get an "Unable to relay", it is telling you that you have a "Closed" Relay.

We will work on that rogue user next...

FE
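A scripted version of the telnet check above, added here as an example (it is not from the thread or from Microsoft). It does what you would type by hand: connect to port 25, send MAIL FROM and RCPT TO for an obviously outside recipient, and report whether the reply is a 250 (the server would relay) or a 5xx such as "550 5.7.1 Unable to relay" (relay closed). DATA is never sent, so no message is delivered either way. So that it runs offline, the block also includes a constructed toy SMTP server standing in for the Exchange SMTP virtual server; the host, port, domain names and probe addresses are all assumptions, and `local_domains` / `relay_all` are the toy server's own knobs, not Exchange settings.

```python
"""Scripted relay check plus a constructed toy SMTP server to test it against."""
import smtplib
import socketserver
import threading

# Obviously external addresses used for the probe (constructed, not real mailboxes).
PROBE_SENDER = "relay-probe@outside-sender.example"
PROBE_RECIPIENT = "relay-probe@outside-recipient.example"


def probe_rcpt(host, port, mail_from, rcpt_to, timeout=10):
    """Open an SMTP session, send MAIL FROM and RCPT TO, and return the
    (code, text) reply to RCPT TO. DATA is never sent, so nothing is delivered."""
    with smtplib.SMTP(host, port, local_hostname="probe.local", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, text = smtp.mail(mail_from)
        if code != 250:
            # Sender refused outright: report that reply instead.
            return code, text.decode("ascii", "replace")
        code, text = smtp.rcpt(rcpt_to)
        return code, text.decode("ascii", "replace")
    # The context manager sends QUIT on exit.


def is_open_relay(host, port, timeout=10):
    """True if the server accepts an outside recipient from an outside sender,
    i.e. it would relay for anyone. A 5xx such as '550 5.7.1 Unable to relay'
    means the relay is closed."""
    code, _ = probe_rcpt(host, port, PROBE_SENDER, PROBE_RECIPIENT, timeout)
    return code == 250


class _ToySMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP dialogue: just enough for EHLO/HELO, MAIL, RCPT and QUIT."""

    def _reply(self, line):
        self.wfile.write((line + "\r\n").encode("ascii"))

    def handle(self):
        self._reply("220 toy.example.local ESMTP constructed test server")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self._reply("250 toy.example.local")
            elif verb == "MAIL":
                self._reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                # arg looks like "TO:<user@domain>"; keep only the domain part
                address = arg.partition(":")[2].strip().strip("<>")
                domain = address.rpartition("@")[2].lower()
                if self.server.relay_all or domain in self.server.local_domains:
                    self._reply("250 2.1.5 Recipient OK")
                else:
                    self._reply("550 5.7.1 Unable to relay")
            elif verb == "QUIT":
                self._reply("221 2.0.0 Bye")
                return
            else:
                self._reply("502 5.5.2 Command not implemented")


class ToySMTPServer(socketserver.ThreadingTCPServer):
    """Constructed stand-in for an SMTP virtual server: accepts mail for
    local_domains and relays for outsiders only when relay_all is True."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, local_domains, relay_all=False):
        super().__init__(("127.0.0.1", 0), _ToySMTPHandler)  # port 0: OS picks a free port
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_all = relay_all


def start_toy_server(local_domains, relay_all=False):
    """Start a toy server in a background thread; returns (server, port).
    Call server.shutdown() and server.server_close() when done."""
    server = ToySMTPServer(local_domains, relay_all)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Closed relay: outside recipient is refused, local recipient is accepted.
    closed, port = start_toy_server(["company.example"])
    print("closed-relay server, open relay?", is_open_relay("127.0.0.1", port))
    print("local recipient reply:", probe_rcpt("127.0.0.1", port, PROBE_SENDER, "user@company.example"))
    closed.shutdown(); closed.server_close()
    # Misconfigured server: relays for anyone.
    leaky, port = start_toy_server(["company.example"], relay_all=True)
    print("open-relay server, open relay?", is_open_relay("127.0.0.1", port))
    leaky.shutdown(); leaky.server_close()
```

Against a real server you would call `is_open_relay("<your-exchange-host>", 25)` from a machine outside the network, because a test from an internal address may be allowed to relay by the relay restrictions even when outside addresses are not. Note that this checks anonymous relaying only; it does not exercise the "authenticated users can relay" path that the WEB account is apparently using, which is why the authentication itself still has to be tracked down separately.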
Fatal_Exception (Systems Engineer)
Top Expert 2005

Commented:
Here is MS's take on this...  also some info regarding tracking down the offending user...

http://support.microsoft.com/default.aspx?scid=kb;EN-US;324958
CERTIFIED EXPERT

Commented:
Anytime you have a user you didn't put there, it's time to start thinking you've a serious security breach... if you've shut off relaying and then it starts again mysteriously... that's a clue to me that someone has a backdoor to your system and is getting in and modifying things...

I'd say disconnect the machine from the network and get busy with some intrusion detection.


http://www.zdnet.com.au/insight/toolkit/security/intrusion/0,39023908,20275013,00.htm
CERTIFIED EXPERT

Commented:
Doh... rather, don't disconnect... that won't aid in detection... and you don't know if any other machines are compromised... disconnecting without knowing the source could be a bad idea.
Fatal_Exception (Systems Engineer)
Top Expert 2005

Commented:
Thanks