• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 220

Need help with Exchange - possible open relay

I think my Exchange (SBS) server may be being used as an open relay or has been hacked (password guess). I have several messages in the outbound queue(s) to places that are "obviously" not something work related and very SPAM looking to say the least. This has happened before on another Exchange Server and I "fixed it" by changing the administrator password, deleting the messages from the queues and rebooting the server.

This time it's on another server (colleague of mine). Their server was pretty "default", so I created a new admin account and disabled the default "administrator", put a strong password on the new account, checked all the MS articles about verifying that the server is "locked down" so as not to be an open relay - they are locked down - the server is NOT an open relay, but the messages are still flowing out. Not very many - probably less than 100 per day. The sender is "postmaster@theirdomain.com".

Is there any way to tell if a client computer in the office is sending these, or if a user account has authenticated to Exchange to send these messages, and which one it is? That is the only other thing I can think of. The guest account is disabled too, FYI. I read the article on relaying and saw about setting up monitoring to check, but no events matching that in the app log (1708 I believe).

Any suggestions would be appreciated - I told the guy to have all his users change their passwords. I am out of ideas at this point.

Thanks,

Jerry
Asked by: djerryanderson
1 Solution
Sembee commented:
First thing I would suggest is undoing what you did with the administrator account. That is not something I recommend and will not slow down an attacker for more than about 20 seconds.

If the messages are from postmaster@ then those are NDRs. Either OOTO messages to non-existent domains or NDR spam. Easily stopped using recipient filtering and the tarpit.
http://www.amset.info/exchange/filter-unknown.asp

Simon.
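The mechanism behind Simon's advice, as an added illustration that is not part of the thread: a server that accepts every RCPT TO and only discovers the unknown mailbox at delivery time has to generate an NDR from postmaster@ to the envelope sender, which spammers forge, so the bounces become outbound "spam" in the queue. Recipient filtering refuses the unknown recipient during the SMTP conversation instead, so nothing is queued and no NDR exists, and the tarpit delay slows down dictionary-style recipient probing. The mailbox list, the SMTP session and the helper names below are constructed for this example and are not taken from Exchange or from the original post.

```python
"""Added example: accept-then-bounce versus reject-at-RCPT-TO.

Models why Exchange recipient filtering (plus the tarpit) stops
postmaster@ backscatter. All names, addresses and sessions are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed: the only mailboxes that exist on the hypothetical server.
VALID_RECIPIENTS = {"alice@theirdomain.com", "bob@theirdomain.com"}
POSTMASTER = "postmaster@theirdomain.com"


@dataclass
class Session:
    """One inbound SMTP session: envelope sender and the RCPT TO list."""
    mail_from: str
    rcpt_to: list[str]


@dataclass
class Outcome:
    accepted: list[str] = field(default_factory=list)
    rejected: list[str] = field(default_factory=list)
    ndrs_sent: list[tuple[str, str]] = field(default_factory=list)  # (from, to)
    tarpit_seconds: float = 0.0


def accept_then_bounce(session: Session) -> Outcome:
    """Behaviour without recipient filtering: every RCPT TO is accepted,
    delivery later fails for unknown mailboxes, and the server emits an NDR
    from postmaster@ to the (usually forged) envelope sender."""
    out = Outcome()
    for rcpt in session.rcpt_to:
        out.accepted.append(rcpt)
        if rcpt.lower() not in VALID_RECIPIENTS:
            out.ndrs_sent.append((POSTMASTER, session.mail_from))
    return out


def reject_at_rcpt(session: Session, tarpit_delay: float = 5.0) -> Outcome:
    """Behaviour with recipient filtering: unknown recipients get a 5xx at
    RCPT TO, so the message is never accepted and no NDR is created. Each
    rejection is delayed by the tarpit interval (simulated, not slept)."""
    out = Outcome()
    for rcpt in session.rcpt_to:
        if rcpt.lower() in VALID_RECIPIENTS:
            out.accepted.append(rcpt)
        else:
            out.rejected.append(rcpt)
            out.tarpit_seconds += tarpit_delay
    return out


def looks_like_ndr(envelope_from: str, header_from: str) -> bool:
    """Quick check for a queued item: a bounce carries a null envelope sender
    (MAIL FROM:<>) and a postmaster@ header From. A message relayed through an
    authenticated account normally carries a real envelope sender instead."""
    return envelope_from == "" and header_from.lower() == POSTMASTER


# Constructed: one probing session with a forged sender and guessed names.
HARVEST_SESSION = Session(
    mail_from="victim@example.net",
    rcpt_to=["alice@theirdomain.com", "aaron@theirdomain.com",
             "abby@theirdomain.com", "adam@theirdomain.com"],
)


def backscatter_count(handler, session: Session = HARVEST_SESSION) -> int:
    """Number of postmaster@ NDRs the server would send for this session."""
    return len(handler(session).ndrs_sent)


if __name__ == "__main__":
    print("NDRs without filtering:", backscatter_count(accept_then_bounce))
    print("NDRs with filtering:   ", backscatter_count(reject_at_rcpt))
```

The same check answers the question in the original post: if the queued items have an empty envelope sender and a postmaster@ From header they are bounces, not messages someone inside the office is sending, so the fix is on the receiving side (refuse unknown recipients) rather than in the user accounts.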
djerryanderson (Author) commented:
OK, I feel like an idiot here. I set up recipient filtering in the Global Settings / "message delivery" but forgot to apply it at the virtual server level. DUH!!!! I didn't mention that in my other post - that was another thing I had done before on my other Exchange server and had tried that here as well - just didn't finish the steps. I had a bunch of old notes from when that other server got hacked. I'll give it a shot and see if it clears up after the weekend.

Also, what is OOTO, and why do you not want the admin account disabled? I always heard that was "standard practice". Sorry for sounding like an idiot here. I am by no means an "expert" (no pun intended) especially with Exchange (again, no pun intended).
djerryanderson (Author) commented:
I just RDP'd over to that server and it looks to be fixed. Thanks.
Sembee commented:
I do not want the added complication of doing a disaster recovery on a server with a disabled admin account. The admin account is a very useful tool to have. I also don't tend to rename it, as it can be easily found again.
The only servers I rename it on are FTP servers, when I will create a standard account with the same name to give the script kiddies something to attack.

Simon.
djerryanderson (Author) commented:
Cool...thanks for the help.