Need help with Exchange - possible open relay

Posted on 2007-11-23
Medium Priority
Last Modified: 2010-03-06
I think my Exchange (SBS) server may be being used as an open relay or has been hacked (password guess). I have several messages in the outbound queue(s) to places that are "obviously" not something work related and very SPAM looking to say the least. This has happened before on another Exchange Server and I "fixed it" by changing the administrator password, deleting the messages from the queues and rebooting the server.

This time it's on another server (colleague of mine). Their server was pretty "default", so I created a new admin account and disabled the default "administrator", put a strong password on the new account, checked all the MS articles about verifying that the server is "locked down" so as not to be an open relay - they are locked down - the server is NOT an open relay, but the messages are still flowing out. Not very many - probably less than 100 per day. The sender is "postmaster@theirdomain.com".

Is there any way to tell if a client computer in the office is sending these, or if a user account has authenticated to Exchange to send these messages, and which one it is? That is the only other thing I can think of. The guest account is disabled too, FYI. I read the article on relaying and saw about setting up monitoring to check, but no events matching that in the app log (1708 I believe).

Any suggestions would be appreciated - I told the guy to have all his users change their passwords. I am out of ideas at this point.


Question by: djerryanderson

Accepted Solution

Sembee earned 2000 total points
ID: 20339789
First thing I would suggest is undoing what you did with the administrator account. That is not something I recommend and will not slow down an attacker for more than about 20 seconds.

If the messages are postmaster@ then that is NDRs. Either OOTO messages to non-existent domains or NDR spam. Easily stopped using recipient filtering and the tarpit.
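As an added illustration of the point above (example code, not from the thread or from Exchange itself): a small model of how an inbound message to a non-existent local mailbox turns into an outbound NDR from postmaster@, and why rejecting unknown recipients at RCPT TO with a tarpit delay stops the queue filling up. The domain is the one from the question; the mailbox list, forged senders, SMTP reply strings and tarpit delay are constructed values.

```python
from dataclasses import dataclass, field

LOCAL_DOMAIN = "theirdomain.com"                 # domain named in the question
VALID_MAILBOXES = {"alice", "bob", "postmaster"}  # constructed directory
TARPIT_SECONDS = 5                                # constructed tarpit delay

@dataclass
class Server:
    recipient_filtering: bool
    outbound_queue: list = field(default_factory=list)
    rcpt_delay: int = 0   # total tarpit seconds imposed on the sending host

    def rcpt_to(self, mail_from: str, rcpt: str) -> str:
        """Decide one RCPT TO of an inbound SMTP session.

        Without recipient filtering the server accepts mail for any address
        in its own domain, finds out later that the mailbox does not exist,
        and sends a non-delivery report (NDR) to MAIL FROM. Spam forges
        MAIL FROM, so the NDR from postmaster@ goes to a stranger: this is
        the "outbound spam" seen in the queue, not relaying.
        """
        user, _, domain = rcpt.partition("@")
        if domain != LOCAL_DOMAIN:
            return "550 5.7.1 Unable to relay"   # closed relay in both modes
        if user in VALID_MAILBOXES:
            return "250 2.1.5 Recipient OK"
        if self.recipient_filtering:
            # Rejected inside the session: no message accepted, no NDR to
            # generate, and the tarpit makes address guessing slow.
            self.rcpt_delay += TARPIT_SECONDS
            return "550 5.1.1 User unknown"
        self.outbound_queue.append({"from": f"postmaster@{LOCAL_DOMAIN}",
                                    "to": mail_from, "type": "NDR"})
        return "250 2.1.5 Recipient OK"

def backscatter_count(server: Server) -> int:
    """Queue items that are NDRs from our own postmaster (backscatter)."""
    return sum(1 for m in server.outbound_queue
               if m["type"] == "NDR" and m["from"].startswith("postmaster@"))

# Constructed spam run: forged senders plus guessed local names.
SPAM = [("victim1@example.net", "alice"), ("victim2@example.org", "zzq7"),
        ("victim3@example.com", "sales99")]

def simulate(recipient_filtering: bool) -> Server:
    srv = Server(recipient_filtering)
    for forged_sender, guess in SPAM:
        srv.rcpt_to(forged_sender, f"{guess}@{LOCAL_DOMAIN}")
    return srv
```

`simulate(False)` leaves two postmaster@ NDRs in the outbound queue for the two guessed names; `simulate(True)` leaves none and charges the sender 10 seconds of tarpit.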


Author Comment

ID: 20339910
OK, I feel like an idiot here. I set up recipient filtering in the Global Settings / "message delivery" but forgot to apply it at the virtual server level. DUH!!!! I didn't mention that in my other post - that was another thing I had done before on my other Exchange server and had tried that here as well - just didn't finish the steps. I had a bunch of old notes from when that other server got hacked. I'll give it a shot and see if it clears up after the weekend.

Also, what is OOTO, and why do you not want the admin account disabled? I always heard that was "standard practice". Sorry for sounding like an idiot here. I am by no means an "expert" (no pun intended) especially with Exchange (again, no pun intended).

Author Comment

ID: 20340498
I just RDP'd over to that server and it looks to be fixed. Thanks.

Expert Comment

ID: 20340557
I do not want the added complication of doing a disaster recovery on a server with a disabled admin account. The admin account is a very useful tool to have. I also don't tend to rename it, as it can be easily found again.
The only servers I rename it on are FTP servers, when I will create a standard account with the same name to give the script kiddies something to attack.


Author Comment

ID: 20340853
Cool...thanks for the help.
