
smtp / exchange exploited

I have a Small Business Server running Exchange 2003 SP2. I know the server is exploited as I can see outbound port 25 traffic moving from the server through the firewall. It has been directing this traffic to an ISP in Las Vegas, *.somecaptain.com. There are NO entries in the Exchange queues bound for such a domain. The queues are backing up terribly because of this traffic and I need the email to flow.

If someone could just point me to some tools to dig into the smtp service a bit, I think I can probably find the problem, but I'm just not sure where to start.

I'm bleary-eyed and should probably provide some more detail, but I need a break and will check back here in a bit.

1 Solution
Your server is probably just relaying mail that it shouldn't be.

First of all, suspend the Exchange queues, otherwise your IP will be blacklisted. Secondly, run a relay test (I like http://www.mxtoolbox.com/diagnostic.aspx). If that confirms the server is acting as an open relay then you can resolve the issue easily.

If Exchange had been compromised directly then you would see the messages in the queues. If you do not then it is something directly on the server outside of Exchange. That means you need to treat it in the same way that you would clean up a workstation that had been compromised. It also means that someone has been surfing from the server and has visited somewhere they shouldn't have, as almost all compromises of systems now come in via browsers.
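Added example, not code from the thread: the answer's test is whether the port 25 traffic comes from Exchange itself (visible in the queues) or from something else on the box. This Python script makes that split by correlating `netstat -ano` with `tasklist` output and flagging any process other than the Exchange SMTP service that has outbound port-25 connections. The command output below is constructed, and the script assumes the Exchange 2003 SMTP virtual server runs inside inetinfo.exe.

```python
import re
from collections import defaultdict

# Assumption: on Exchange 2003 the SMTP virtual server runs inside inetinfo.exe,
# so that is the only image expected to open outbound port-25 connections.
EXPECTED_SMTP_SENDERS = {"inetinfo.exe"}

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1520
  TCP    192.168.1.10:1044      203.0.113.7:25         ESTABLISHED     1520
  TCP    192.168.1.10:1051      198.51.100.23:25       SYN_SENT        2788
  TCP    192.168.1.10:1052      198.51.100.24:25       ESTABLISHED     2788
  TCP    192.168.1.10:3389      192.168.1.55:1234      ESTABLISHED     912
"""

# Constructed sample of `tasklist` output (header lines omitted).
TASKLIST_SAMPLE = """\
inetinfo.exe                  1520 Console                    0     45,212 K
svchost.exe                   2788 Console                    0      6,104 K
svchost.exe                    912 Console                    0      4,880 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1).strip()
    return pids

def outbound_smtp_by_process(netstat_text, tasklist_text):
    """Group connections to a remote port 25 (listeners excluded) by owning image."""
    pids = parse_tasklist(tasklist_text)
    by_proc = defaultdict(list)
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(2) == "25" and m.group(3) != "LISTENING":
            by_proc[pids.get(int(m.group(4)), "pid " + m.group(4))].append(m.group(1))
    return dict(by_proc)

def unexpected_smtp_senders(netstat_text, tasklist_text):
    """Port-25 senders other than the Exchange SMTP service: candidates for a rogue process."""
    by_proc = outbound_smtp_by_process(netstat_text, tasklist_text)
    return {p: ips for p, ips in by_proc.items() if p.lower() not in EXPECTED_SMTP_SENDERS}
```

On a live server, feed it the real output of `netstat -ano` and `tasklist`; a non-empty result from `unexpected_smtp_senders` points at the process to investigate rather than at Exchange.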

sjonesin (Author) commented:
Thanks to both of you gentlemen. I know relaying is denied.

And yes, I understand the cleanup concept... I have AVG Corporate installed and functioning, yet it didn't even give a hint of a problem, unfortunately. I will continue my work today and keep you posted.
