Solved

smtp / exchange exploited

Posted on 2009-05-11
3
377 Views
Last Modified: 2012-05-06
I have a small business server running exchange 2003 sp2.  I know the server is exploited as I can see outbout port 25 traffic moving from the server through the firewall. It has been directing this traffic to an ISP in Las Vegas *.somecaptain.com.  There are NO entries in the exchage queues bound for such a domain.  The queues are backing up terribly because of this traffic and I need the email to flow.

If someone could just point me to some tools to dig into the smtp service a bit, I think I can probably find the problem, but I'm just not sure where to start.

I'm bleary-eyed and should probably provide some more detail, but i need a break and will check back here in a bit
0
Comment
Question by:sjonesin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24360130
You're server is probably just relaying mail that it shouldn't be.

First of all, suspend the exchange queue's otherwise your IP will be blacklisted. Secondly, run a relay test (i like http://www.mxtoolbox.com/diagnostic.aspx). If that confirms the server is acting as an open relay then you can resolve the issue easily.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24363472
If Exchange had been compromised directly then you would see the messages in the queues. If you do not then it is something directly on the server outside of Exchange. That means you need to treat it in the same way that you would clean up a workstation that had been compromised. It also means that someone has been surfing from the server and has visited somewhere they shouldn't have, as almost all compromising of systems are now coming in via browsers.

Simon.
0
 

Accepted Solution

by:
sjonesin earned 0 total points
ID: 24364424
Thanks to both of you gentlemen.  I know relaying is denied.  

And yes, I understand the cleanup concept...Have AVG corporate installed and functioning, yet it didn't even give a hint of a problem, unfortunately.  I will continue my work today and keep you posted.  

Thanks,
steve

0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to resolve IMCEAEX NDRs in Exchange or Exchange Online related to invalid X500 addresses.
Unified and professional email signatures help maintain a consistent company brand image to the outside world. This article shows how to create an email signature in Exchange Server 2010 using a transport rule and how to overcome native limitations …
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video discusses moving either the default database or any database to a new volume.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question