Win2k3 exchange server sending SPAM via POSTMASTER account
Posted on 2006-05-25
I have a Windows 2003 Exchange server running. I was informed that email was being rejected from our domain and checked our domain name on DNSSTUFF.com. My domain was blacklisted on three different servers and I thought it was from a virus our old Exchange server was compromised with in early 2005. I requested my IP be removed from all blacklists, and just as a precaution created an outbound ACL on my PIX515e to disallow all SMTP traffic except the Exchange server I have in place. All mail flow stopped completely once the ACL was put in place.

I checked my mail queue and discovered at least 5 folders containing mail from my 'postmaster' account waiting to be sent to domains that have nothing to do with our business. I deleted all waiting mail but then refreshed the queue and one more message appeared in the same folder again. I ran into a similar problem recently where one of your experts assisted me with a server which had been a victim of an NDR attack. This does not seem to be the same scenario, although similar.

My question is this: how may I go about finding the script, bot, or whatever program is generating these emails to be sent out to the world? Furthermore, can anyone assist me in my PIX config so that I may have an outbound ACL to allow only SMTP traffic from this server alone?