Solved

smtp / exchange exploited

Posted on 2009-05-11
3
382 Views
Last Modified: 2012-05-06
I have a small business server running Exchange 2003 SP2. I know the server is exploited as I can see outbound port 25 traffic moving from the server through the firewall. It has been directing this traffic to an ISP in Las Vegas *.somecaptain.com. There are NO entries in the Exchange queues bound for such a domain. The queues are backing up terribly because of this traffic and I need the email to flow.

If someone could just point me to some tools to dig into the SMTP service a bit, I think I can probably find the problem, but I'm just not sure where to start.

I'm bleary-eyed and should probably provide some more detail, but I need a break and will check back here in a bit.
0
Question by:sjonesin
3 Comments
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24360130
Your server is probably just relaying mail that it shouldn't be.

First of all, suspend the Exchange queues, otherwise your IP will be blacklisted. Secondly, run a relay test (I like http://www.mxtoolbox.com/diagnostic.aspx). If that confirms the server is acting as an open relay then you can resolve the issue easily.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24363472
If Exchange had been compromised directly then you would see the messages in the queues. If you do not then it is something directly on the server outside of Exchange. That means you need to treat it in the same way that you would clean up a workstation that had been compromised. It also means that someone has been surfing from the server and has visited somewhere they shouldn't have, as almost all compromises of systems are now coming in via browsers.

Simon.
0
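
The comment above separates mail in the Exchange queues from port 25 traffic sent by some other process on the server; one way to check that is to map every connection to a remote port 25 back to the process that owns it. This is an added example, not part of the original thread: the `netstat -ano` and `tasklist /fo csv /nh` samples and the process name `winupd32.exe` are constructed, and it assumes the Exchange 2003 SMTP service is hosted in `inetinfo.exe`.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output (documentation address ranges).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1520
  TCP    192.0.2.10:1187        198.51.100.7:25        ESTABLISHED     1520
  TCP    192.0.2.10:2301        203.0.113.44:25        ESTABLISHED     3388
  TCP    192.0.2.10:2302        203.0.113.44:25        SYN_SENT        3388
  TCP    192.0.2.10:3389        192.0.2.50:4410        ESTABLISHED     812
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST = '''\
"inetinfo.exe","1520","Console","0","18,204 K"
"svchost.exe","812","Console","0","4,112 K"
"winupd32.exe","3388","Console","0","2,960 K"
'''

# Assumption: the only process expected to open outbound SMTP connections.
EXPECTED_SENDERS = {"inetinfo.exe"}

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def pid_names(tasklist_csv):
    """Map PID -> lower-cased image name from `tasklist /fo csv /nh` text."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}

def outbound_smtp(netstat_text):
    """Yield (pid, remote_ip, state) for TCP rows whose remote port is 25."""
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(4) == "25":
            yield int(m.group(6)), m.group(3), m.group(5)

def unexpected_senders(netstat_text, tasklist_csv, expected=EXPECTED_SENDERS):
    """Group remote port-25 peers by owning process, skipping expected senders."""
    names, hits = pid_names(tasklist_csv), {}
    for pid, remote, _state in outbound_smtp(netstat_text):
        name = names.get(pid, "<unknown>")
        if name not in expected:
            hits.setdefault((pid, name), set()).add(remote)
    return hits

if __name__ == "__main__":
    for (pid, name), remotes in unexpected_senders(NETSTAT, TASKLIST).items():
        print(f"PID {pid} ({name}) -> port 25 on {sorted(remotes)}")
```

Any process reported here is sending SMTP traffic that bypasses the Exchange queues, which matches the symptom described in the question.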
 

Accepted Solution

by:
sjonesin earned 0 total points
ID: 24364424
Thanks to both of you gentlemen.  I know relaying is denied.  

And yes, I understand the cleanup concept...Have AVG corporate installed and functioning, yet it didn't even give a hint of a problem, unfortunately.  I will continue my work today and keep you posted.  

Thanks,
steve

0
