Sudden SPAM and bounce email attack?
Posted on 2007-07-28
Getting a ton of SPAM and bounces, around 10 a minute for User A. This influx started at 9:01pm last evening.
I am using SBS 2003 R2 with SP2 running Exchange but no SQL or ISA.
In the security event logs, it shows User B "account logon" event 680 at 9:00:56pm last night, and "logon/logoff" event 540 at the same time (9:00:56). It then shows, one second later (9:00:57), "logon/logoff" event 538, "account logon" event 680, and "logon/logoff" event 540, all by User B from her workstation at home (which is where she uses Outlook over RPC over HTTP).
When I looked at the Mailboxes list under Mailbox Store in Exchange, it showed that this account (User A's account) was "last logged on by" another user (User B) at 4:02am this morning. It also shows that User B logged onto her own (User B's) account at the same time. There is no possibility that that user logged on at that time. She does use RPC over HTTP for email, but does not VPN into the server.
Looking at the event logs for application, I see an "RPC Proxy" source, "startup" category, event ID 3, at 4:02:28am this morning. All it says is "RPC Proxy successfully loaded in Internet Information Services (IIS) mode 6.0". Googling this found nothing.
What all is going on here?