Need help with Exchange - possible open relay

Posted on 2007-11-23
Last Modified: 2010-03-06
I think my Exchange (SBS) server may be being used as an open relay or has been hacked (password guess). I have several messages in the outbound queue(s) to places that are "obviously" not something work related and very SPAM looking to say the least. This has happened before on another Exchange Server and I "fixed it" by changing the administrator password, deleting the messages from the queues and rebooting the server.

This time it's on another server (colleague of mine). Their server was pretty "default", so I created a new admin account and disabled the default "administrator", put a strong password on the new account, checked all the MS articles about verifying that the server is "locked down" so as not to be an open relay - the are locked down  - the server is NOT an open relay, but the messages are still flowing out. Not very many - probably less than 100 per day. The sender is "".

Is there any way to tell if a client computer in the office is sending these or if a user account has authenticated to Exchange to send these messages and which one it is. That is the only other thing I can think of. The guest account it disabled too FYI. I read the article on relaying and saw about setting up monitoring to check but no events matching that in the app log (1708 I believe).

Any suggestions would be appreciated - I told the guy to have all his users change their passwords. I am out of ideas at this point.


Question by:djerryanderson
  • 3
  • 2
LVL 104

Accepted Solution

Sembee earned 500 total points
ID: 20339789
First thing I would suggest is undoing what you did with the administrator account. That is not something I recommend and will not slow down an attacker for more than about 20 seconds.

If the messages are postmaster@ then that is NDRs. Either OOTO messages to non existent domains or NDR spam. Easily stopped using recipient filtering and the tarpit.


Author Comment

ID: 20339910
OK, I feel like an idiot here. I setup recipient filtering in the Global Settings / "message delivery" but forgot to apply it at the virtual server level DUH!!!! I didn't mention that in my other post - that was another thing I had done before on my other Exchange server and had tried that here as well - just didn't finish the steps. I had a bunch of old notes from when that other server got hacked. I'll give it a shot and see if it clears up after the weekend.

Also, what is OOTO, and why do you not want the admin account disabled? I always heard that was "standard practice". Sorry for sounding like an idiot here. I am by no means an "expert" (no pun intended) especially with Exchange (again, no pun intended).

Author Comment

ID: 20340498
I jusr RDP'd over to that server an it looks to be fixed. Thanks.
LVL 104

Expert Comment

ID: 20340557
I do not want the added complication of doing a disaster recovery on a server with a disabled admin account. The admin account is a very useful tool to have. I also don't tend to rename it, as it can be easily found again.
The only servers I rename it on are FTP servers, when I will create a standard account with the same name to give the script kiddies something to attack.


Author Comment

ID: 20340853
Cool...thanks for the help.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
This video discusses moving either the default database or any database to a new volume.

823 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question