Suspicious Outbound SMTP traffic

Since yesterday one our our servers (w2k server, exch 2000 sp3) starting transmitting a large amount of data to an ip in Korea. Stopping the smtp service on the server stops the traffic. The messages are coming from one of our users that works at that location and has a mailbox on that server.  the users workstation is powered off yet the traffic continues. The server is fully patched and antivirus is up to date. Antivirus software (trend micro) shows no virus activity, but the security vendor seems to think that there is some malicious code running on the server and reccomends a rebuild and exchange store restore from mondays backup. I am not troubleshooting the problem directly.

Does anyone know what might be happening?
Who is Participating?
master_winduConnect With a Mentor Author Commented:
ok - we got to the bottom of it.  the user on our end sent an email with an attachment appx 35 mbs in size (mp3)  It got rejected on the recipient side (korean hotmail) and exchange was trying to immediatly resubmit.  It was not visible on our exchange smtp queue, Appearently exchange trys to resend for 48 hrs after which time it gives up.  The exchange timeout setting had to be lowered temporarily to 2 minutes so that the message could drop off.

thanks to those that commented
so have you stopped the smtp server, waited and then cleared out the ques? it does take some time to perform this and exchange does not report amounts very well.

the server isnt not an open relay?

If the messages are coming from a certain workstation that is shut off then they're not. Are you SURE the ws is off? What are the headers in the messages from that ws saying? Do you have a local server in Korea where this person works? Might it be infected? I would think that the messages are not from that ws but made up to look like it. Again, cheack the header
Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

master_winduAuthor Commented:
network data support -- no, not an open relay

peakpeak- we do not have a server in korea, we have 67 sites, all in southern california - single domain - mpls network.  Yes ..sure workstation is powered off.
master_winduAuthor Commented:
i might add that the employee whose email address is referenced in the outbound messages is korean.  The destination ip seems to belong to koreas version of hotmail.
block that hormail id and see if traffic stil cotniues.
master_winduAuthor Commented:
the destination ip is already blocked on our firewall - the server stills trys to transmit messages to it though
it will of there is still messages in the system like i say it takes sometime to clear the ques exchange does not report the amount of emails very well
bbaoIT ConsultantCommented:
it is obvious that you need to define a size limit for all outgoing messages on your exchange server to prevent this happening again.

four types of Message Size Limits may be considered:

Message header size limits
Message size limits
Attachment size limits, esp. for this case.
Recipient limits

hope it helps,
Closed, 500 points refunded.
Community Support Moderator
All Courses

From novice to tech pro — start learning today.