Redirects, unauthorized bounces, etc...

OK, my Exchange server is running Exchange 2k with all updates and patches THAT I AM AWARE OF.  My 2003 Server is running the built-in flavor of Exchange to handle three mailboxes on there.  I received the following e-mail from Road Runner:

The Road Runner Abuse Control Department has received a complaint of network abuse originating from a computer connected to your cable modem.  We recognize that most Internet abuse complaints are the result of computers infected with viruses/worms or compromised by a trojan horse (a.k.a. "trojan" for short).  Trojans allow malicious third parties to gain access to your system(s) for the purpose of using your Internet connection to intentionally commit the abuse in question.  The abuse commonly comes in the form of either unsolicited email (a.k.a. "spam") or port scanning (connection attempts to other systems across the Internet for the purpose of finding vulnerable systems to infect or exploit).  However, if not addressed in a timely manner, your machine(s) potentially may be used for other more illegal activities.
 
A portion of the complaint we have received is copied below for your review:
 
_________________________________________________________________
 
example
 
Unsolicited bounce from: XXX.XX.XX.XXX
http://www.spamcop.net/w3m?i=z1461054774z78adc3d2de68b857fcfc3dfc3df88ff8z
XXX.XX.XX.XXX appears to be sending unsolicited bounces, please see:
http://www.spamcop.net/fom-serve/cache/329.html
 
[ Offending message ]
Return-Path: <SRS0=h3MDDYIp=VJ=wildandlye.com=spamtrap@hubnut.net>
Delivered-To: spamcop-net-x
Received: (qmail 24092 invoked from network); 5 Jul 2005 08:35:11 -0000
Received: from unknown (192.168.1.103)
  by blade4.cesmail.net with QMQP; 5 Jul 2005 08:35:11 -0000
Received: from srv5.hubnut.net (64.246.62.94)
  by mailgate2.cesmail.net with SMTP; 5 Jul 2005 08:35:11 -0000
Received: from wildandlye.com (localhost.localdomain [127.0.0.1])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658Z7pK020274
for <x>; Tue, 5 Jul 2005 08:35:07 GMT
Received: (from spamtrap@localhost)
by wildandlye.com (8.12.11/8.12.11/Submit) id j658Z7Bs020262
for x; Tue, 5 Jul 2005 08:35:07 GMT
Received: from srv5.hubnut.net (root@localhost)
by wildandlye.com (8.12.11/8.12.11) with ESMTP id j658Z1Aq020231
for <x>; Tue, 5 Jul 2005 08:35:01 GMT
X-ClientAddr: 67.78.88.202
Received: from win2kserver.crpoe.com (rrcs-67-78-88-202.sw.biz.rr.com [67.78.88.202])
by srv5.hubnut.net (8.12.11/8.12.11) with ESMTP id j658YtrW020160
for <x>; Tue, 5 Jul 2005 08:34:59 GMT
From: postmaster@crpoe.com
To: x
Date: Tue, 5 Jul 2005 03:34:51 -0500
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="9B095B5ADSN=_01C57F14A9DD64AF0000370Cwin2kserver.crpo"
X-DSNContext: 335a7efd - 4457 - 00000001 - 80040546
Message-ID: <ssaX_________190b@win2kserver.crpoe.com>
Subject: [MISDIRECTED BOUNCE] Delivery Status Notification (Failure)
Received-SPF: pass (srv5.hubnut.net: 127.0.0.1 is authenticated by a trusted mechanism)
Received-SPF: unknown (srv5.hubnut.net: error in processing during lookup of postmaster@win2kserver.crpoe.com)
X-HubNut-MailScanner: Found to be clean, Found to be clean
X-Spam-Prev-Subject: Delivery Status Notification (Failure)
X-HubNut-MailScanner-Information: Please contact the ISP for more information
X-MailScanner-From: spamtrap@wildandlye.com
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-Spam-Level: *************************
________________
 
 
FYI,
 
Based on multiple reports from myNetWatchman users, we believe that the
following host is compromised or infected:
 
Source IP: XXX.XX.XX.XXX
Time Zone: UTC
 
Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 3 Jul 2005 07:55:20, 207.81.x.x, 6, 139, NETBIOS Session Service, 1071, 1
EventRecord: 3 Jul 2005 07:48:16, 207.81.x.x, 6, 139, NETBIOS Session Service, 1247, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3847, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3848, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3845, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3846, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3844, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3831, 1
EventRecord: 1 Jul 2005 07:37:24, 207.54.x.x, 6, 139, NETBIOS Session Service, 3826, 1
____________________________________________


I've turned off NDRs on my Exchange 2k box but do not see how to do it for the 2K3 box running the built-in Exchange that comes with the Enterprise edition.

Also, is there more that I can do to resolve this?

Here is a sample of my SMTP log.  Looks fishy to me.

00:00:08 218.64.100.236 HELO - 250
00:00:35 218.64.100.236 MAIL - 250
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 EHLO - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 MAIL - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 RCPT - 0
00:00:50 65.161.23.59 - - 0
00:00:50 65.161.23.59 DATA - 0
00:00:52 65.161.23.59 - - 0
00:00:57 65.161.23.59 - - 0
00:00:57 65.161.23.59 QUIT - 0
00:00:57 65.161.23.59 - - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 EHLO - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 MAIL - 0
00:02:09 213.13.115.47 - - 0
00:02:09 213.13.115.47 RCPT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 RSET - 0
00:02:11 213.13.115.47 - - 0
00:02:11 213.13.115.47 QUIT - 0
00:02:11 213.13.115.47 - - 0
00:02:11 218.64.100.236 HELO - 250
00:02:12 218.64.100.236 MAIL - 250
00:02:13 218.64.100.236 RCPT - 250
00:02:18 218.64.100.236 RCPT - 250
00:02:19 218.64.100.236 RCPT - 250
00:02:20 218.64.100.236 RCPT - 250
00:02:22 218.64.100.236 RCPT - 250
00:02:23 218.64.100.236 RCPT - 250
00:02:26 218.64.100.236 DATA - 250
00:02:26 218.64.100.236 QUIT - 240
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 EHLO - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 MAIL - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RCPT - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 RSET - 0
00:02:31 216.200.145.51 - - 0
00:02:31 216.200.145.51 QUIT - 0
00:02:31 216.200.145.51 - - 0
crp0499CEO Asked:
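What the quoted NDR headers show is the mechanism behind the complaint: the bounce is From: postmaster@crpoe.com, addressed to a forged envelope sender (spamtrap@wildandlye.com) and tagged [MISDIRECTED BOUNCE] by the receiving side. The server accepted a recipient at RCPT TO, found no mailbox for it afterwards, and sent the failure report to whoever the spammer claimed to be. The following is an added illustration of that accept-then-bounce behaviour beside the reject-at-RCPT alternative; it is not code from this thread, from Exchange or from Road Runner. The mailbox names, the guessed-recipient list and every function name are constructed for the example; only the two domain names come from the headers above.

```python
"""Accept-then-bounce versus reject-at-RCPT, run against one forged message.

Added example. LOCAL_DOMAIN and FORGED_SENDER are taken from the headers
quoted in the question; everything else here is constructed.
"""

LOCAL_DOMAIN = "crpoe.com"
# Constructed sample directory; the real mailbox names are not on the page.
LOCAL_MAILBOXES = {"ceo@crpoe.com", "sales@crpoe.com"}

# Constructed sample of the kind of message behind the complaint: a forged
# envelope sender plus a batch of guessed local names (dictionary attack).
FORGED_SENDER = "spamtrap@wildandlye.com"
HARVEST_RCPTS = ["ceo@crpoe.com", "admin@crpoe.com", "bob@crpoe.com",
                 "info@crpoe.com", "jane@crpoe.com", "webmaster@crpoe.com"]


def rcpt_reply(recipient, reject_unknown):
    """Reply code for RCPT TO:<recipient>.

    550 here leaves the connecting host responsible for any bounce;
    250 makes this server responsible for the message from now on.
    """
    domain = recipient.rpartition("@")[2].lower()
    if domain != LOCAL_DOMAIN:
        return 550                      # not our domain: never relay
    if reject_unknown and recipient.lower() not in LOCAL_MAILBOXES:
        return 550                      # recipient filtering: refuse now
    return 250                          # accept, look the mailbox up later


def deliver(envelope_from, recipients, reject_unknown):
    """Run one inbound message through the server.

    Returns (accepted recipients, NDRs this server would originate).
    With reject_unknown=False the server accepts every recipient in its own
    domain and only then discovers the missing ones, so each becomes a DSN
    addressed to the forged envelope sender: that is the misdirected bounce.
    """
    accepted = [r for r in recipients if rcpt_reply(r, reject_unknown) == 250]
    ndrs = [
        {"to": envelope_from,
         "from": f"postmaster@{LOCAL_DOMAIN}",
         "subject": "Delivery Status Notification (Failure)",
         "failed_recipient": r}
        for r in accepted if r.lower() not in LOCAL_MAILBOXES
    ]
    return accepted, ndrs


def backscatter_count(reject_unknown):
    """Number of third-party bounces the sample message causes under a policy."""
    _, ndrs = deliver(FORGED_SENDER, HARVEST_RCPTS, reject_unknown)
    return len(ndrs)


if __name__ == "__main__":
    for policy in (False, True):
        accepted, ndrs = deliver(FORGED_SENDER, HARVEST_RCPTS, policy)
        print(f"reject_unknown={policy}: accepted {len(accepted)} recipients, "
              f"{len(ndrs)} NDRs sent to {FORGED_SENDER}")
```

Turning NDRs off altogether, as was done on the Exchange 2000 box, stops the bounces but also silences legitimate ones. Refusing unknown recipients with a 550 during RCPT TO keeps both, because the connecting host then owns the failure; on Exchange 2003 that is Recipient Filtering in the Message Delivery properties, which also has to be applied on the SMTP virtual server. One caveat: a per-address 550 tells a harvesting spammer which addresses exist, which is why recipient filtering is normally paired with a tarpit delay on the SMTP service.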
David Wilhoit (Senior Consultant, Exchange) Commented:
If you think it's an internal machine doing damage, then you need to make sure that no other desktop, especially the one you think is infected, can make an SMTP connection to your Exchange server. At the cmd prompt, run netstat -a and see who's connecting to SMTP (port 25). If it's a workstation that should be using an Outlook MAPI profile, then there should be no port 25 connection...most of the time. A virus would cause many connections to be made from 1 IP address.
crp0499CEO (Author) Commented:
Thing is, there are no other PCs in this server room or in this building. In other words, there are no internal machines.  It's just two servers alone in a room, connected to the world via a router and RR cable.  There aren't more than 10 mailboxes between the two servers.
Sembee Commented:
If the outside world can see port 135 then you have a problem. How is the router configured? Do you have port 135 open to allow Outlook access over the Internet?

Simon.
crp0499CEO (Author) Commented:
No. Port 135 is not open on the router.
crp0499CEO (Author) Commented:
I DID however see that my server was set as the DMZ in the router.  Could that have been it?
David Wilhoit (Senior Consultant, Exchange) Commented:
Most definitely could. I have a Netgear FW/router, and implementing the DMZ feature opened all kinds of ugliness. I disabled it. I have an external WAN address, everything else is internal with no DMZ. DMZ suggests that everything could be open from the Internet to that NIC on the server.

David Wilhoit (Senior Consultant, Exchange) Commented:
I assume that was the issue?