Win2k3 exchange server sending SPAM via POSTMASTER account
Hello,
I have a windows 2003 exchange server running. I was informaed that email was being rejected form our domain and checked our domain name on DNSSTUFF.com. My domain was blacklisted on three different servers and I thought it was from a virus our old exchnage server was compromised with early 2005. I requested my IP be removed from all blacklists, and just as a precaution created an outbound ACL on my PIX515e to disallow all SMTP traffic except the exchange server I have in place. All mail flow stopped completely once the ACL was put in place. I checked my mail queue and discovered at least 5 folders containing mail from my 'postmaster' account waiting to be sent to domains that have nothing to do with our business. I deleted all waiting mail but then refreshed the queue and one more message appeared in the same folder again. I ran into a similar problem recently where one of your experts assisted me with a server which had been a victim of an NDR attack. This does not seem to be the same scenario although similar. My question is this, how may I go about finding the script/bot/or whatever program is generating these emails to be sent out to the world? Furthermore, can anyone assist me in my PIX config so that I may have an outbound ACL to allow only SMTP traffic from this server alone?
I have a windows 2003 exchange server running. I was informaed that email was being rejected form our domain and checked our domain name on DNSSTUFF.com. My domain was blacklisted on three different servers and I thought it was from a virus our old exchnage server was compromised with early 2005. I requested my IP be removed from all blacklists, and just as a precaution created an outbound ACL on my PIX515e to disallow all SMTP traffic except the exchange server I have in place. All mail flow stopped completely once the ACL was put in place. I checked my mail queue and discovered at least 5 folders containing mail from my 'postmaster' account waiting to be sent to domains that have nothing to do with our business. I deleted all waiting mail but then refreshed the queue and one more message appeared in the same folder again. I ran into a similar problem recently where one of your experts assisted me with a server which had been a victim of an NDR attack. This does not seem to be the same scenario although similar. My question is this, how may I go about finding the script/bot/or whatever program is generating these emails to be sent out to the world? Furthermore, can anyone assist me in my PIX config so that I may have an outbound ACL to allow only SMTP traffic from this server alone?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Please follow this KB Article ->
Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;886208
Thanks,
Amit Aggarwal.
Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;886208
Thanks,
Amit Aggarwal.
also in your DNS, you need to have REVERSE ZONE configured