Infected Exchange 2003 Server

OK, I think my Exchange server is infected and it's sending out spam like mad. I'm on three blacklists now and my queue is packed full of over 3000 outbound connections to everyone on the planet. When I message-track everything in the last four hours, it's full of spam.

I'm running a virus scan on it now. My last report showed over 1500 items NOT removed.

I know it's going to sound dumb, but can I stop my Exchange server from sending outbound mail and still allow my users to send through it?

Cliff
crp0499 (CEO) asked:
Mike Thomas, Consultant, commented:
Delete your outbound SMTP connector; internal email will still function.
crp0499 (CEO), Author, commented:
Alan, I have followed the instructions in your post. It appears that it is an authenticated relay attack, but some of the messages are coming from postmaster@mydomain.com as well. Some are from Gmail too.
Alan Hardisty, Co-Owner, commented:
If they are mixed, concentrate on finding the breached account (details in my article) and change the password of that account, then resolve the postmaster problem and then clean up.
crp0499 (CEO), Author, commented:
So far, since I only have 20 users including admin, I have changed ALL passwords. Good start?
Alan Hardisty, Co-Owner, commented:
Yep - it makes working out which one is compromised a lot easier.

Now concentrate on the NDR spam, which suggests you are not rejecting invalid recipients, then clean up and you should be fine.

Just make sure you use dissimilar passwords for everyone and make them hard to guess, etc. Combine upper case with lower case and add numbers and special characters such as ! and $, etc.

crp0499 (CEO), Author, commented:
Right, I did lots of @ symbols, zeros for O's and that sort of thing. Before, they were all pretty simple. I even changed the admin password.

My SMTP server HAS recipient filtering turned on to reject invalid recipients. Not sure about the NDRs.
Alan Hardisty, Co-Owner, commented:
Leave the NDRs then, if you are rejecting invalid recipients. Clean up your queues and wait for calm to return!
crp0499 (CEO), Author, commented:
OK, I've done everything in BOTH scenarios and after a restart of SMTP, my first message is from attpaymentdept11@gmail to about a million people so far...
Alan Hardisty, Co-Owner, commented:
Sounds like you either have an account you don't know about or you are infected.

Turn up the logging as per my article and monitor the Event Logs.

Have you also got 127.0.0.1 in the Relay list on your SMTP Virtual Server? If so, remove it.
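Added example, not part of the thread and not code from Alan Hardisty's article (which is not reproduced on this page). "Turn up the logging and monitor the Event Logs" on Exchange 2003 is normally done by raising diagnostic logging for MSExchangeTransport, category SMTP Protocol, so that every successful SMTP AUTH is written to the Application log as event ID 1708 with the client address and the username used. The script below assumes that event text names the client and the username in double quotes as in the constructed sample lines (the exact wording is an assumption based on Exchange 2003's behaviour, so adjust the regex if your events differ), and is written for PowerShell 2.0, the newest version that runs on Windows Server 2003. The domain, usernames and IP addresses in the sample are made up. Grouping the 1708 events by account is what turns "you either have an account you don't know about or you are infected" into a concrete answer: a breached mailbox shows many logins from addresses that are not your office, and a username you did not expect to see means an account you did not know about.

```powershell
# Added example, not part of the thread or of Alan Hardisty's article.
# Assumptions: diagnostic logging for MSExchangeTransport -> SMTP Protocol has
# been raised so that event ID 1708 ("SMTP Authentication was performed
# successfully ...") lands in the Application log, and its text names the
# client and the username in double quotes as in the sample below.
# Written for PowerShell 2.0, the newest version available on Windows Server 2003.

function Get-SmtpAuthSummary {
    # Takes the raw Message text of 1708 events and returns one row per
    # authenticated account: how many logins, and from which client addresses.
    param([string[]]$Messages)

    $pattern = 'client "(?<client>[^"]+)".*username was "(?<user>[^"]+)"'
    $hits = @()
    foreach ($m in $Messages) {
        if ($m -match $pattern) {
            $hits += New-Object PSObject -Property @{
                User   = $Matches['user']
                Client = $Matches['client']
            }
        }
    }

    $hits | Group-Object -Property User | Sort-Object -Property Count -Descending |
        ForEach-Object {
            $clients = $_.Group | ForEach-Object { $_.Client } | Sort-Object -Unique
            New-Object PSObject -Property @{
                User    = $_.Name
                Logins  = $_.Count
                Clients = ($clients -join ', ')
            }
        }
}

# Constructed sample events (not real log data; domain, users and addresses
# are made up). The account a spammer is relaying through stands out: repeated
# logins from addresses that are not the office, while a legitimate user logs
# in rarely and from a known host.
$sample = @(
    'SMTP Authentication was performed successfully with client "203.0.113.45". The authentication method was "LOGIN" and the username was "CONTOSO\jsmith".',
    'SMTP Authentication was performed successfully with client "198.51.100.7". The authentication method was "LOGIN" and the username was "CONTOSO\jsmith".',
    'SMTP Authentication was performed successfully with client "203.0.113.45". The authentication method was "LOGIN" and the username was "CONTOSO\jsmith".',
    'SMTP Authentication was performed successfully with client "192.0.2.10". The authentication method was "LOGIN" and the username was "CONTOSO\cliff".'
)
Get-SmtpAuthSummary -Messages $sample | Format-Table User, Logins, Clients -AutoSize

# On the Exchange server itself, feed the function the real events instead.
# Get-EventLog is the PowerShell 2.0 cmdlet for the classic event logs; the
# four-hour window matches the message-tracking window used in the question.
#
# $events = Get-EventLog -LogName Application -Source MSExchangeTransport -After (Get-Date).AddHours(-4) |
#     Where-Object { $_.EventID -eq 1708 }
# Get-SmtpAuthSummary -Messages ($events | ForEach-Object { $_.Message }) | Format-Table -AutoSize
```

Run it again after the password changes: if the same account keeps authenticating from the outside, the new password has already leaked (or the bot is on a machine inside the office), and if no 1708 events accompany the spam at all, the mail is not coming through authenticated relay and the 127.0.0.1 relay-list entry or malware on the server itself is the next thing to check.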
crp0499 (CEO), Author, commented:
His follow-up support was invaluable!