Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

smtp / exchange exploited

Posted on 2009-05-11
3
Medium Priority
?
388 Views
Last Modified: 2012-05-06
I have a small business server running exchange 2003 sp2.  I know the server is exploited as I can see outbout port 25 traffic moving from the server through the firewall. It has been directing this traffic to an ISP in Las Vegas *.somecaptain.com.  There are NO entries in the exchage queues bound for such a domain.  The queues are backing up terribly because of this traffic and I need the email to flow.

If someone could just point me to some tools to dig into the smtp service a bit, I think I can probably find the problem, but I'm just not sure where to start.

I'm bleary-eyed and should probably provide some more detail, but i need a break and will check back here in a bit
0
Comment
Question by:sjonesin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 4

Expert Comment

by:MattShadbolt
ID: 24360130
You're server is probably just relaying mail that it shouldn't be.

First of all, suspend the exchange queue's otherwise your IP will be blacklisted. Secondly, run a relay test (i like http://www.mxtoolbox.com/diagnostic.aspx). If that confirms the server is acting as an open relay then you can resolve the issue easily.

0
 
LVL 65

Expert Comment

by:Mestha
ID: 24363472
If Exchange had been compromised directly then you would see the messages in the queues. If you do not then it is something directly on the server outside of Exchange. That means you need to treat it in the same way that you would clean up a workstation that had been compromised. It also means that someone has been surfing from the server and has visited somewhere they shouldn't have, as almost all compromising of systems are now coming in via browsers.

Simon.
0
 

Accepted Solution

by:
sjonesin earned 0 total points
ID: 24364424
Thanks to both of you gentlemen.  I know relaying is denied.  

And yes, I understand the cleanup concept...Have AVG corporate installed and functioning, yet it didn't even give a hint of a problem, unfortunately.  I will continue my work today and keep you posted.  

Thanks,
steve

0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
Check out this step-by-step guide for using the newly updated Experts Exchange mobile app—released on May 30.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question