Need help with Exchange - possible open relay

Posted on 2007-11-23
Medium Priority
Last Modified: 2010-03-06
I think my Exchange (SBS) server may be being used as an open relay or has been hacked (password guess). I have several messages in the outbound queue(s) to places that are "obviously" not something work related and very SPAM looking to say the least. This has happened before on another Exchange Server and I "fixed it" by changing the administrator password, deleting the messages from the queues and rebooting the server.

This time it's on another server (colleague of mine). Their server was pretty "default", so I created a new admin account and disabled the default "administrator", put a strong password on the new account, checked all the MS articles about verifying that the server is "locked down" so as not to be an open relay - they are locked down - the server is NOT an open relay, but the messages are still flowing out. Not very many - probably less than 100 per day. The sender is "postmaster@theirdomain.com".

Is there any way to tell if a client computer in the office is sending these or if a user account has authenticated to Exchange to send these messages and which one it is? That is the only other thing I can think of. The guest account is disabled too FYI. I read the article on relaying and saw about setting up monitoring to check but no events matching that in the app log (1708 I believe).

Any suggestions would be appreciated - I told the guy to have all his users change their passwords. I am out of ideas at this point.


Question by: djerryanderson

Accepted Solution

Sembee earned 2000 total points
ID: 20339789
First thing I would suggest is undoing what you did with the administrator account. That is not something I recommend and will not slow down an attacker for more than about 20 seconds.

If the messages are postmaster@ then that is NDRs. Either OOTO messages to non-existent domains or NDR spam. Easily stopped using recipient filtering and the tarpit.
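
A small model of the behaviour this answer describes, added here as an illustration and not part of the original thread or any Exchange code: without recipient filtering, mail to unknown addresses is accepted and later bounced from postmaster@ to the forged sender, while with filtering it is refused at RCPT TO and the tarpit delays each refusal. The directory, the addresses and the `process_session` function are constructed assumptions.

```python
# Constructed model, not Exchange code: every name and address here is hypothetical.
VALID_RECIPIENTS = {"alice@theirdomain.com", "bob@theirdomain.com"}
POSTMASTER = "postmaster@theirdomain.com"


def process_session(attempts, recipient_filtering, tarpit_seconds=0):
    """Model one inbound SMTP session.

    attempts: list of (envelope_sender, recipient) pairs.
    Returns the reply codes sent, the NDRs placed in the outbound queue, and
    the total delay the tarpit would add (nothing actually sleeps).
    """
    replies, outbound_queue, delay = [], [], 0
    for sender, rcpt in attempts:
        if rcpt.lower() in VALID_RECIPIENTS:
            replies.append(250)
        elif recipient_filtering:
            # Refused at RCPT TO: the connecting host keeps the failure,
            # so this server never has to generate a bounce.
            replies.append(550)
            delay += tarpit_seconds  # the tarpit slows each 5xx reply
        else:
            # Accepted first, undeliverable later: the server must send an NDR
            # to whatever sender address the spammer forged.
            replies.append(250)
            outbound_queue.append({"from": POSTMASTER, "to": sender})
    return {"replies": replies, "outbound_queue": outbound_queue, "delay": delay}


# Constructed spam run: forged senders, guessed recipients at the local domain.
SPAM_RUN = [
    ("victim1@example.net", "sales99@theirdomain.com"),
    ("victim2@example.org", "alice@theirdomain.com"),
    ("victim3@example.net", "qwerty@theirdomain.com"),
]

if __name__ == "__main__":
    for filtering, tarpit in ((False, 0), (True, 0), (True, 5)):
        r = process_session(SPAM_RUN, filtering, tarpit)
        print(f"filtering={filtering} tarpit={tarpit}s replies={r['replies']} "
              f"ndrs_queued={len(r['outbound_queue'])} delay={r['delay']}s")
```

Filtering alone turns the server into an address oracle (550 for bad addresses, 250 for good ones), which is why the tarpit delay is paired with it.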


Author Comment

ID: 20339910
OK, I feel like an idiot here. I set up recipient filtering in the Global Settings / "message delivery" but forgot to apply it at the virtual server level DUH!!!! I didn't mention that in my other post - that was another thing I had done before on my other Exchange server and had tried that here as well - just didn't finish the steps. I had a bunch of old notes from when that other server got hacked. I'll give it a shot and see if it clears up after the weekend.

Also, what is OOTO, and why do you not want the admin account disabled? I always heard that was "standard practice". Sorry for sounding like an idiot here. I am by no means an "expert" (no pun intended) especially with Exchange (again, no pun intended).

Author Comment

ID: 20340498
I just RDP'd over to that server and it looks to be fixed. Thanks.

Expert Comment

ID: 20340557
I do not want the added complication of doing a disaster recovery on a server with a disabled admin account. The admin account is a very useful tool to have. I also don't tend to rename it, as it can be easily found again.
The only servers I rename it on are FTP servers, when I will create a standard account with the same name to give the script kiddies something to attack.


Author Comment

ID: 20340853
Cool...thanks for the help.
