Exchange Compromised? Possible Botnet

I'm having an issue with an Exchange 2003 server where the queue is slowly filling up with emails it can't send (remote servers come back as non-responding). The emails are all over the board and I can't find anything in common. For a while the big email target was fbi.gov; now it seems to be Western Union. I have scanned for viruses and malware on all of the client's PCs, but have come up with nothing. They have a WatchGuard X55e firewall, so logging is sparse. I assume I have some sort of botnet on the network somewhere, but I am having trouble tracking it down. Exchange is running on an SBS 2003 server.
Asked by protechcol

Syed Mutahir Ali (Technology Consultant) commented:
http://alanhardisty.wordpress.com/2010/02/11/why-are-my-outbound-queues-filling-up-with-mail-that-we-didnt-send/

Have a read through the article.

Also, make sure that on your firewall only the Exchange server is allowed to use port 25 and no client PCs (not directly related to this problem, but it helps).
Syed Mutahir Ali (Technology Consultant) commented:
Do you normally send emails to Western Union or fbi.gov? If not, then Alan's article should help you get this sorted.

pine_nel1 commented:
Hi protechcol,

What do the current sessions under Protocols -> SMTP look like (any pattern there)?

Thanks

Pine

protechcol (author) commented:
Mutahir, no, the client doesn't send to the FBI or Western Union. They are a small local construction company. I will read Alan's article and see if it answers my problem.

pine_nel1, at this very moment the current sessions are empty (not sure anyone is in the office yet either). But before, I saw something along the lines of each Exchange user having 10 connections, and then there was a bunch of random SMTP_<jumble of letters and numbers> connections.
Syed Mutahir Ali (Technology Consultant) commented:
Check on www.mxtoolbox.com to see if your server is an open relay.

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm

Follow that article too and verify that your system isn't relaying.
protechcol (author) commented:
I know it's not an open relay. That was actually the first thing I thought of when this all started. I had read an article similar to Alan's and had already changed settings for an NDR attack, which cut down on the emails considerably but not completely. I used Alan's information on authenticated relay to find out I had 2 AD accounts compromised. So I disabled one (no longer used) and changed the password on the other. I will continue to monitor this, but I do believe we are good to go now. Thanks.
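The check protechcol describes above, finding which AD accounts are being used for authenticated relay, as an added example that is not part of the original thread or of Alan's article. It assumes W3C extended logging is enabled on the Exchange 2003 SMTP virtual server and that the log carries c-ip, cs-username (populated after a successful AUTH), cs-method (the SMTP verb) and cs-uri-query (the verb's argument, assumed to look like `+TO:+<user@domain>`); field order is taken from the `#Fields` header, so it does not have to match the sample. The log lines, account names, IP addresses and the 192.168.1.0/24 "internal" network are all constructed for illustration.

```python
"""Added example (not from the original thread): find AD accounts being abused
for authenticated relay by mining an Exchange 2003 SMTP protocol log.

Assumptions: W3C extended logging is on for the SMTP virtual server; the log
carries c-ip, cs-username (filled in after a successful AUTH), cs-method (the
SMTP verb) and cs-uri-query (the verb's argument). The log below is constructed.
"""
import ipaddress
from collections import Counter, defaultdict

FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port "
          "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status "
          "sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) "
          "cs(Cookie) cs(Referer)")


def _line(time, ip, user, verb, arg, status=250):
    # Constructed log record in the field order declared in FIELDS.
    return (f"2010-02-15 {time} {ip} {user} SMTPSVC1 SBS 192.168.1.5 25 "
            f"{verb} - {arg} {status} 0 0 0 0 SMTP - - - -")


def build_sample_log():
    """Constructed log: one legitimate user, one account abused from the internet."""
    lines = ["#Software: Microsoft Internet Information Services 6.0",
             "#Version: 1.0", "#Date: 2010-02-15 06:00:00", "#Fields: " + FIELDS,
             _line("06:01:02", "192.168.1.50", "-", "EHLO", "+PC-JSMITH"),
             _line("06:01:03", "192.168.1.50", "-", "AUTH", "+LOGIN", 334),
             _line("06:01:03", "192.168.1.50", r"EXAMPLE\jsmith", "MAIL", "+FROM:+<jsmith@example.com>"),
             _line("06:01:03", "192.168.1.50", r"EXAMPLE\jsmith", "RCPT", "+TO:+<foreman@example.com>"),
             _line("06:01:03", "192.168.1.50", r"EXAMPLE\jsmith", "RCPT", "+TO:+<supplier@example.org>"),
             _line("06:05:10", "203.0.113.7", "-", "AUTH", "+LOGIN", 334),
             _line("06:05:11", "203.0.113.7", r"EXAMPLE\oldtemp", "MAIL", "+FROM:+<promo@example.net>")]
    # The abused account blasts one target domain from two outside IPs.
    for i in range(60):
        ip = "203.0.113.7" if i < 40 else "198.51.100.23"
        lines.append(_line("06:05:12", ip, r"EXAMPLE\oldtemp", "RCPT",
                           f"+TO:+<victim{i}@westernunion.example>"))
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split(" ")
        parts += ["-"] * (len(fields) - len(parts))  # IIS writes "-" for missing values
        yield dict(zip(fields, parts))


def per_account_stats(records, internal_nets):
    """Per authenticated account: recipient count, client IPs, recipient domains."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    stats = defaultdict(lambda: {"rcpt": 0, "ips": set(), "external_ips": set(),
                                 "domains": Counter()})
    for r in records:
        user = r.get("cs-username", "-")
        if user == "-":
            continue  # not authenticated; open-relay checks are a separate matter
        try:
            ip = ipaddress.ip_address(r["c-ip"])
        except ValueError:
            continue
        s = stats[user]
        s["ips"].add(str(ip))
        if not any(ip in n for n in nets):
            s["external_ips"].add(str(ip))
        if r["cs-method"].upper() == "RCPT":
            s["rcpt"] += 1
            # cs-uri-query is assumed to look like +TO:+<user@domain>; keep the domain
            s["domains"][r["cs-uri-query"].rsplit("@", 1)[-1].rstrip(">").lower()] += 1
    return stats


def suspicious_accounts(stats, rcpt_threshold=50):
    """Return {account: [reasons]} for accounts worth disabling or re-passwording."""
    flagged = {}
    for user, s in stats.items():
        reasons = []
        if s["external_ips"]:
            reasons.append("authenticated from outside the LAN: "
                           + ", ".join(sorted(s["external_ips"])))
        if s["rcpt"] >= rcpt_threshold:
            top, n = s["domains"].most_common(1)[0]
            reasons.append(f"{s['rcpt']} recipients, {n} of them at {top}")
        if reasons:
            flagged[user] = reasons
    return flagged


def analyse(text, internal_nets=("192.168.1.0/24",), rcpt_threshold=50):
    return suspicious_accounts(per_account_stats(parse_w3c(text), internal_nets),
                               rcpt_threshold)


if __name__ == "__main__":
    for account, reasons in analyse(build_sample_log()).items():
        print(account)
        for why in reasons:
            print("   ", why)
```

On a real SBS 2003 box, replace `build_sample_log()` with the contents of the SMTP log file (by default under `%SystemRoot%\System32\LogFiles\SMTPSVC1`) and set `internal_nets` to the LAN ranges that should ever be authenticating to the server. An account that authenticates from an address outside those ranges, or that addresses far more recipients than a construction company's staff would, is the one to disable or re-password, which matches the two accounts protechcol found.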
Syed Mutahir Ali (Technology Consultant) commented:
That's great. Alan's article has helped a lot of people around here and in general.

Glad that it has helped.
protechcol (author) commented:
The suggested article was exactly what I needed, because unfortunately I was a victim of both types of attack, not one or the other as most articles reflect.