FDC2005
Exchange 'system administrator' undeliverable messages - can they be generated by spam bounce-backs (reply-to-hijacking)?
Background: We have our own Exchange 2003 server running in-house. It is behind our firewall - mail does not arrive at it directly, we use POPCon to pull email from POP accounts and pass them on to Exchange, then we use Outlook to connect to Exchange. For outgoing email, we have our smarthost set to relay.dnsexit.com. So I don't *think* that we have an open relay (I tested it from http://www.abuse.net/relay.html and it reports "Could not connect, test failed.", which I think is correct, because the server should be completely behind our firewall).
Today we received dozens (hundreds?) of spam bounce-backs from a variety of .ru domains. Normally I wouldn't be concerned about this - someone must be using one of our email addresses as the reply-to on a bunch of spam.
But... what I am concerned about is that some of the bounce-backs look like messages from the Exchange system administrator, e.g. it looks an awful lot like the spam is coming from inside our Exchange box (see attached image).
I have looked at the smtp logs in \system32\logfiles\smtpsvc 1\ex*.log, and I don't see any outbound messages to .ru, but I suppose if someone had hijacked this server they could delete from these logs as well...
What I want to verify is this -- can a bounce-back message from the outside world, generate one of these Exchange-like "system administrator" messages in the attached image? Or can these "system administrator" messages only be generated when the original mail was sent outbound from Exchange?
thanks for any help!
-Frank.
ExchangeSystemAdmin.jpg
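For the log check described in the question, an added example (not part of the original post or of any answer) that reads IIS SMTP logs in W3C extended format and lists outbound RCPT commands to a given top-level domain. It assumes the cs-username, cs-method and cs-uri-query fields are enabled and that commands sent by the server are tagged OutboundConnectionCommand; the function name, sample lines, dates and addresses are constructed.

```python
import re

# Constructed sample in IIS W3C extended log format. The field set is an
# assumption: real logs list whichever fields were enabled in "#Fields:".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2009-03-02 08:15:01 192.0.2.10 OutboundConnectionCommand MAIL FROM:<frank@example.com> 0
2009-03-02 08:15:01 192.0.2.10 OutboundConnectionCommand RCPT TO:<client@example.org> 0
2009-03-02 08:15:02 192.0.2.10 OutboundConnectionResponse - 250+OK 0
2009-03-02 09:40:12 192.0.2.10 OutboundConnectionCommand RCPT TO:<ivan@mail.example.ru> 0
2009-03-02 09:41:30 127.0.0.1 popcon RCPT +TO:<frank@example.com> 250
"""

RCPT_ADDR = re.compile(r"TO:<([^>]+)>", re.IGNORECASE)


def outbound_recipients(log_text, tld):
    """Return (timestamp, address) for each outbound RCPT to a domain under tld."""
    suffix = "." + tld.lower().strip(".")
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))  # IIS writes spaces as '+'
        # Assumption: commands this server sent carry this marker in cs-username.
        if row.get("cs-username") != "OutboundConnectionCommand":
            continue
        if row.get("cs-method", "").upper() != "RCPT":
            continue
        match = RCPT_ADDR.search(row.get("cs-uri-query", ""))
        if not match:
            continue
        domain = match.group(1).rsplit("@", 1)[-1].lower().rstrip(".")
        if domain.endswith(suffix):
            stamp = f"{row.get('date', '')} {row.get('time', '')}".strip()
            hits.append((stamp, match.group(1)))
    return hits


if __name__ == "__main__":
    for stamp, address in outbound_recipients(SAMPLE_LOG, "ru"):
        print(stamp, address)
```

Because outgoing mail is handed to the smarthost, every outbound line shows the smarthost's address in c-ip, so the match is on the RCPT address rather than on the destination IP.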
ASKER
It's still not clear to me how to confirm the root cause for these messages, for Exchange 2003.
ASKER
The second is the body of the Exchange System Admin message, the ones that are concerning me.
Based on this additional data does it confirm or deny your hypothesis?
thanks,
-Frank.
OutsideNonDelivery.jpg
ExchangeSystemAdminBody.jpg