troubleshooting Question

sudden SPAM and bounce email attack?

fl4ian asked on
Email Software, Exchange, SBS
Getting a ton of SPAM and bounces, around 10 a minute for User A.  This influx started at 9:01pm last evening.

I am using SBS 2003 R2 with SP2 running Exchange but no SQL or ISA.

In the security event logs, it shows User B "account logon" event 680 at 9:00:56pm last night, and "logon/logoff" event 540 at the same time (9:00:56). It then shows, one second later (9:00:57), "logon/logoff" event 538, "account logon" event 680, and "logon/logoff" event 540, all by User B from her workstation at home (which is where she uses Outlook over RPC over HTTP).

When I looked at the Mailboxes list under Mailbox Store in Exchange, it showed that this account (User A's account) was "last logged on by" another user (User B) at 4:02am this morning. It also shows that User B logged onto her own (User B's) account at the same time. There is no possibility that that user logged on at that time. She does use RPC over HTTP for email, but does not VPN into the server.

Looking at the event logs for application, I see an "RPC Proxy" source, "startup" category, event ID 3, at 4:02:28am this morning. All it says is "RPC Proxy successfully loaded in Internet Information Services (IIS) mode 6.0". Googling this found nothing.

What all is going on here?