Suspicious Outbound SMTP traffic

Since yesterday one of our servers (Windows 2000 Server, Exchange 2000 SP3) started transmitting a large amount of data to an IP in Korea. Stopping the SMTP service on the server stops the traffic. The messages are coming from one of our users who works at that location and has a mailbox on that server. The user's workstation is powered off, yet the traffic continues. The server is fully patched and antivirus is up to date. The antivirus software (Trend Micro) shows no virus activity, but the security vendor seems to think that there is some malicious code running on the server and recommends a rebuild and an Exchange store restore from Monday's backup. I am not troubleshooting the problem directly.

Does anyone know what might be happening?
master_windu Asked:
Network_Data_Support Commented:
So have you stopped the SMTP server, waited, and then cleared out the queues? It does take some time to perform this, and Exchange does not report amounts very well.

The server isn't an open relay?

peakpeak Commented:
If the messages are coming from a certain workstation that is shut off, then they're not. Are you SURE the workstation is off? What are the headers in the messages from that workstation saying? Do you have a local server in Korea where this person works? Might it be infected? I would think that the messages are not from that workstation but made up to look like it. Again, check the headers.
master_windu Author Commented:
Network_Data_Support: no, not an open relay.

peakpeak: we do not have a server in Korea. We have 67 sites, all in Southern California, a single domain, MPLS network. Yes, sure the workstation is powered off.
master_windu Author Commented:
I might add that the employee whose email address is referenced in the outbound messages is Korean. The destination IP seems to belong to Korea's version of Hotmail.
alshahnaz Commented:
Block that Hotmail ID and see if the traffic still continues.
master_windu Author Commented:
The destination IP is already blocked on our firewall; the server still tries to transmit messages to it, though.
Network_Data_Support Commented:
It will if there are still messages in the system. Like I say, it takes some time to clear the queues; Exchange does not report the number of emails very well.
master_windu Author Commented:
OK, we got to the bottom of it. The user on our end sent an email with an attachment approximately 35 MB in size (an MP3). It got rejected on the recipient side (Korean Hotmail) and Exchange was trying to immediately resubmit it. It was not visible in our Exchange SMTP queue. Apparently Exchange tries to resend for 48 hours, after which time it gives up. The Exchange timeout setting had to be lowered temporarily to 2 minutes so that the message could drop off.

Thanks to those that commented.
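The pattern that finally explained the traffic above (the same oversized message being resubmitted to the same remote host and rejected with a 5xx response each time, with nothing showing in the queue view) is easy to spot in the SMTP protocol log. The following script is an added example, not code from the original thread or from Exchange; the log format it parses is a constructed, simplified W3C-style SMTP log (timestamp, remote IP, SMTP command or server response, bytes sent), so the field order is an assumption and will need adjusting to the real log configuration. It groups DATA attempts and 5xx rejections by (remote IP, sender) and flags any pair that keeps retrying a large message.

```python
"""Flag a stuck outbound SMTP retry loop from protocol log lines.

Added example, not from the original thread. The log format below is a
constructed, simplified W3C-style SMTP protocol log; real servers use
different field layouts, so LINE_RE and the field order are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture). One remote host receives the
# same ~35 MB message three times and rejects it with 552 each time; a second,
# unrelated delivery succeeds with 250.
SAMPLE_LOG = """\
2007-08-13 10:00:01 203.0.113.10 MAIL FROM:<jlee@example.com> 0
2007-08-13 10:00:02 203.0.113.10 RCPT TO:<friend@example.net> 0
2007-08-13 10:00:40 203.0.113.10 DATA 36700160
2007-08-13 10:00:41 203.0.113.10 552 message size exceeds fixed maximum 0
2007-08-13 10:01:01 203.0.113.10 MAIL FROM:<jlee@example.com> 0
2007-08-13 10:01:02 203.0.113.10 RCPT TO:<friend@example.net> 0
2007-08-13 10:01:40 203.0.113.10 DATA 36700160
2007-08-13 10:01:41 203.0.113.10 552 message size exceeds fixed maximum 0
2007-08-13 10:02:01 203.0.113.10 MAIL FROM:<jlee@example.com> 0
2007-08-13 10:02:02 203.0.113.10 RCPT TO:<friend@example.net> 0
2007-08-13 10:02:40 203.0.113.10 DATA 36700160
2007-08-13 10:02:41 203.0.113.10 552 message size exceeds fixed maximum 0
2007-08-13 10:03:05 198.51.100.7 MAIL FROM:<alice@example.com> 0
2007-08-13 10:03:06 198.51.100.7 RCPT TO:<bob@example.org> 0
2007-08-13 10:03:07 198.51.100.7 DATA 4096
2007-08-13 10:03:08 198.51.100.7 250 ok 0
"""

# timestamp (date time), remote IP, event text (command or response), bytes
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.+?) (\d+)$")


def parse_line(line):
    """Return (timestamp, remote_ip, event, nbytes) or None for junk lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, event, nbytes = m.groups()
    return ts, ip, event, int(nbytes)


def find_retry_loops(log_text, min_attempts=3, min_bytes=10 * 1024 * 1024):
    """Group DATA attempts and 5xx rejections by (remote IP, sender).

    A (remote, sender) pair is reported when it made at least min_attempts
    DATA transfers totalling at least min_bytes and was rejected with a
    permanent (5xx) response at least min_attempts times: the signature of a
    large message being resubmitted and refused over and over.
    """
    current_sender = {}  # remote IP -> sender seen in the latest MAIL FROM
    stats = defaultdict(lambda: {"attempts": 0, "rejections": 0,
                                 "bytes": 0, "last_response": None})
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _ts, ip, event, nbytes = parsed
        upper = event.upper()
        if upper.startswith("MAIL FROM:"):
            sender = event.split(":", 1)[1].strip().strip("<>").lower()
            current_sender[ip] = sender
            continue
        key = (ip, current_sender.get(ip, "?"))
        if upper.startswith("DATA"):
            stats[key]["attempts"] += 1
            stats[key]["bytes"] += nbytes
        elif event[:3].isdigit() and event[0] == "5":
            stats[key]["rejections"] += 1
            stats[key]["last_response"] = event
    return {
        key: v for key, v in stats.items()
        if v["attempts"] >= min_attempts
        and v["rejections"] >= min_attempts
        and v["bytes"] >= min_bytes
    }


def describe(loops):
    """Render one human-readable line per flagged (remote, sender) pair."""
    out = []
    for (ip, sender), v in sorted(loops.items()):
        mb = v["bytes"] / (1024 * 1024)
        out.append(f"{ip} <- {sender}: {v['attempts']} attempts, "
                   f"{v['rejections']} rejections, {mb:.1f} MB sent, "
                   f"last response: {v['last_response']}")
    return out


if __name__ == "__main__":
    for line in describe(find_retry_loops(SAMPLE_LOG)):
        print(line)
```

On the constructed log this reports the 203.0.113.10 / jlee@example.com pair with three attempts, three 552 rejections and about 105 MB sent, while the successful delivery to 198.51.100.7 is not flagged. The check is protocol-level, so it works whether or not the server's queue viewer shows the message; the thresholds are tunable and should be set from what normal outbound volume looks like on the server in question.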
bbao IT Consultant Commented:
It is obvious that you need to define a size limit for all outgoing messages on your Exchange server to prevent this from happening again.

Four types of message size limits may be considered:

Message header size limits
Message size limits
Attachment size limits, especially for this case.
Recipient limits

Hope it helps,
bbao
Vee_Mod Commented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator