Windows SBS 2003 Sending SPAM

Hello,

I have a client whose Win2k3 SBS hosting Exchange 2003 has been sending SPAM. I have checked all options to disallow all SMTP relay except from this domain. I have about 2500 in my queue and the numbers keep rising, even after disconnecting the srvr from the network. Also, the server HDD keeps spinning and will not stop. I have run Sysinternals (Process Explorer) and discovered no processes that are not necessary to the operation of this server. There must be a program somewhere on this machine in order for the drive to be spinning this long (about 4 hrs straight now) creating these messages. Where might I find a utility that can find these types of scripts? I have not seen this kind of behaviour before from a server so I am kind of at a loss. I deleted about 2500 messages in the queue via MS Article (http://support.microsoft.com/?id=324958) but the queue now shows about 35,000 messages waiting to be sent. Thanks in advance for the assistance.

1 Solution
rhandels commented:
Hi,

Try to reboot the machine (or just stop and start the Exchange System Attendant); your Exchange will be down for a brief moment, but it might help. If this happens, it can mean one of two things: spyware on your server (which can be ruled out) or some user has got spyware on his machine and the spyware uses his account credentials to send the spam through your server. Try to check the logs of Exchange and the event log to see if anything strange happens in there.

Sembee commented:
Are you sure about your relay settings?
In these circumstances I would disable all forms of relaying. You don't need any relaying enabled for Exchange to operate. I would also disable authenticated relaying as well.

The procedure for deleting the messages out of the queue is slow and has to be repeated a number of times. I have some more techniques on my web site at http://www.amset.info/exchange/spam-cleanup.asp

I would also suggest pulling the internet connection on this machine.

Get the machine checked, ensure that your relay settings are not set incorrectly. A classic open relay configuration error is to allow relaying from the entire local subnet. That is fine - except your firewall is probably on the same subnet and traffic will be seen to come from the firewall in certain circumstances.

Finally - change your administrator password. It may have been compromised.

Simon.

danw76 (Author) commented:
Ok. I ran through the steps to clear out all queues and deleted the BADMAIL folder. While the BADMAIL folder was being deleted, I followed the instructions from the site (http://www.amset.info/exchange/spam-cleanup.asp). After the section 'deleting the messages' (I followed the 'Alternative Queue Method'), I began to change the SMTP connector settings back to their original state. My queues began to fill up again! I have ensured that any relay access is denied but the primary queue keeps filling! The srvr is still deleting the BADMAIL folder and the main queue is back up to about 25,000 emails in about 2.5 minutes! How can I stop this? I saw a huge list of connectors in the queue once I had all messages deleted, but they disappeared once I restarted the SMTP virtual srvr again. How can I delete these connectors once they show up again?

Sembee commented:
ESM is notorious for not showing the true extent of the messages in the queues. As such it can sometimes take two or three attempts to clear the queues. The only way to be sure that no new email is coming in is to disconnect the server from the internet.

How did you try to delete the Badmail folder? The quickest way is to rename it and then do a SHIFT-DEL. That will get rid of the files in one hit. I have seen people try to do it by pressing delete, but all that does is move them to the recycle bin. I have also done it through a command prompt.

Simon.

danw76 (Author) commented:
Correct, I did hit SHIFT-DELETE to delete the Badmail folder; the deletion window opened up and ran for about an hour.
After I cleared the queue the first time I saw a huge list of queues present, all pointing to external domain names. How may I delete these additional queues? I will attempt to clear the primary queue once again and see what happens.

danw76 (Author) commented:
Simon,

When a server is breached by an NDR attack, why would the gateway log look like this? (When the srvr has been disconnected from the network for over 12 Hrs?)

(5/17/06 10:50:33) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:21) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:26) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:26) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:26) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:28) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:28) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP

As I stated previously, the srvr has been disconnected for at least 12 hrs yet these messages keep appearing in the gateway log. I have checked and ensured that no other device on the network has obtained the server's IP of .124. Why would transmissions show up from this source when the node is not active? Is this in part caused by the initial NDR attack?

Sembee commented:
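A defender's triage of a gateway log in the format quoted above, as an added example that is not part of the thread. The sample lines are constructed (the second internal host 10.1.10.250, the 198.51.100.7 destination and the HTTP line are made up to exercise the checks), and the mail-server IP and the per-minute threshold are assumed parameters.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the "(date time) Source:, Destination:, Name:"
# format quoted in the thread; not the poster's real log.
SAMPLE_LOG = """\
(5/17/06 10:50:33) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:21) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:24) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:26) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:51:28) Source:10.1.10.124, Destination:200.6.166.181, Name:SMTP
(5/17/06 10:52:01) Source:10.1.10.250, Destination:198.51.100.7, Name:SMTP
(5/17/06 10:52:05) Source:10.1.10.124, Destination:198.51.100.7, Name:HTTP
"""

LINE_RE = re.compile(
    r"\((?P<ts>[^)]+)\) Source:(?P<src>[\d.]+), "
    r"Destination:(?P<dst>[\d.]+), Name:(?P<svc>\w+)"
)


def parse_gateway_log(text):
    """Parse matching lines into dicts with a datetime; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%y %H:%M:%S")
        events.append({"ts": ts, "src": m["src"], "dst": m["dst"], "svc": m["svc"]})
    return events


def smtp_findings(events, mail_server, per_minute_threshold=5):
    """Two checks for this situation: outbound SMTP from any internal host other
    than the mail server (an infected workstation or a relay bypass), and bursts
    of SMTP from one source to one destination within a single minute (a queue
    being flushed). mail_server and the threshold are assumed inputs."""
    findings = []
    per_minute = Counter()
    for e in events:
        if e["svc"] != "SMTP":
            continue
        if e["src"] != mail_server:
            findings.append(("unexpected_smtp_source", e["src"], e["dst"]))
        per_minute[(e["src"], e["dst"], e["ts"].replace(second=0))] += 1
    for (src, dst, minute), n in sorted(per_minute.items()):
        if n >= per_minute_threshold:
            findings.append(("smtp_burst", src, dst, minute.strftime("%H:%M"), n))
    return findings
```

With the sample above, the five connections at 10:51 trip the burst check and the 10.1.10.250 host is flagged as an SMTP source that should not exist on a network where only the Exchange server sends mail.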
The IP address is allocated to Bolivia. If it wasn't for Encarta I wouldn't even know where that is!

Considering the amount of traffic that is flowing through, I wouldn't be surprised if the gateway is still recovering. Try resetting it.

Simon.