stonesmith
asked on
Exchange Server hijacked?
I recently installed MS Exchange at our company. The server automatically sends me a bi-weekly usage report. I've noticed that the Administrator account has sent over 3,000 emails in a two week period. We get a lot of bogus greeting card emails and emails from various sources with no body and a bogus .pdf attached. Some of the spam email will have one of our user names, but a strange hotmail address in parentheses. Has my server been hijacked?
No, all that stuff is spam. The address is spoofed. It's really not coming from you. Unless you've got a virus.
Hi, having never come across this issue myself, all I can do is point you in the direction of a possible cause/fix.
https://www.experts-exchange.com/questions/21317616/Hijacked-exchange.html?sfQueryTermInfo=1+exchang+hijack
https://www.experts-exchange.com/questions/21317637/Hijacked-Exchange-Account.html?sfQueryTermInfo=1+exchang+hijack
administrator@ is a common account that gets sent email.
If you used the administrator account to install Exchange then it will also have the postmaster@ email address.
DO NOT remove the postmaster@ email address from the account, as it can cause problems.
The PDF spam is very common, most sites are fighting those at the moment.
Everything else is probably spoofing.
Are you sure that the administrator account has SENT the messages? That could be an indication of a problem. I would suggest changing the administrator password and rebooting the server. Then you need to look at your relaying settings to see that the administrator account is restricted from being able to relay when authenticated.
Simon.
ASKER
Following is an excerpt of the report I am receiving. You can see that the number of emails sent from Administrator seems extreme.
Extended Server Usage Report for XYZ Co.
From 7/16/2007 to 7/29/2007 (14 days)
____________________________________________________________________________________

E-mail Sent

User Name       Total E-mail Sent   Internal Recipients   Size (MB)   External Recipients
Administrator   3,112               90                    39.9        3,022
User 1          116                 161                   47.7        76
User 2          87                  70                    6.4         85
User 3          77                  112                   4.5         30
User 4          67                  164                   3.1         38
User 5          66                  66                    5.4         48
ASKER
In the above comment, I lost my formatting during copy and paste, but you can figure out that the Administrator account has sent 3,112 messages in two weeks.
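As an added example (not from this thread or from Microsoft), here is how a defender could parse the pasted usage-report rows and flag an account whose send volume and external-recipient share are far out of line with the other users, which is the signal that should trigger the checks suggested above (is the account really sending, or is the address spoofed). The report text below is the asker's numbers embedded as constructed input; the thresholds are assumptions.

```python
import re
import statistics

# Constructed sample: the report rows as they were pasted into the thread.
REPORT = """\
Extended Server Usage Report for XYZ Co.
From 7/16/2007 to 7/29/2007 (14 days)
User Name E-mail Sent Recipients Size (MB) External Recipients
Administrator 3,112 90 39.9 3,022
User 1 116 161 47.7 76
User 2 87 70 6.4 85
User 3 77 112 4.5 30
User 4 67 164 3.1 38
User 5 66 66 5.4 48
"""

# One data row: user name (may contain spaces), sent, internal rcpts, MB, external rcpts.
ROW = re.compile(r"^(?P<user>.+?)\s+(?P<sent>[\d,]+)\s+(?P<internal>[\d,]+)"
                 r"\s+(?P<mb>[\d.]+)\s+(?P<external>[\d,]+)$")

def _num(s):
    return int(s.replace(",", ""))

def parse_report(text):
    """Return a list of dicts, one per user row; header and title lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"user": m["user"], "sent": _num(m["sent"]),
                         "internal": _num(m["internal"]), "size_mb": float(m["mb"]),
                         "external": _num(m["external"])})
    return rows

def flag_senders(rows, factor=10.0, external_ratio=0.9):
    """Flag users who sent more than `factor` x the median of the other users
    AND whose recipients were at least `external_ratio` external (assumed thresholds)."""
    flagged = []
    for r in rows:
        others = [o["sent"] for o in rows if o is not r]
        if not others:
            continue
        total_rcpts = r["internal"] + r["external"]
        ext_share = r["external"] / total_rcpts if total_rcpts else 0.0
        if r["sent"] > factor * statistics.median(others) and ext_share >= external_ratio:
            flagged.append((r["user"], r["sent"], round(ext_share, 2)))
    return flagged
```

On the asker's numbers this flags only Administrator (3,112 sent, 97% external recipients); the other five users fall well inside the baseline.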
ASKER CERTIFIED SOLUTION