econn31 asked:

Directory Harvest Attack

What at first I thought was an NDR attack (when I went to change my recipient filtering I learned that it had already been applied and everything was in place to prevent NDR), I believe is a Directory Harvest Attack - the Exchange queue is enormous and it seems from Wireshark that someone is trying to guess common names on our domain. Does anyone know the series of steps required to stop this attack and clean our system? (Our network is 100-200 clients.) Thank you
Mahmoud Sabry
Install anti-spam on the Exchange server, set up an SPF record for your domain on the public DNS server, and enable Sender ID in the anti-spam properties.
Install Vamsoft ORF - www.vamsoft.com - 30-day trial - $239 if you decide to buy it. It will block DHA simply and quickly.
Question is - if people are guessing your user names and they are wrong and you have Recipient Filtering enabled, there should be nothing in the queues.
Sounds like you have a different problem and need to identify the issue.
Who are the senders? Random users or postmaster?
If they are random users - you probably have an authenticated attack, which means you have an account whose password has been breached and that is why the mail is coming in in floods.
Vamsoft will help you to identify the problem. What version of Exchange have you got?
econn31 (ASKER)

Hey alanhardisty,

The senders seem to be random, and there also seem to be a lot sent by postmaster. I think you could be right about the authenticated attack.

I downloaded and installed Vamsoft, and we have Microsoft Exchange 2003.
econn31 (ASKER)

Hey Alan,

The article was awesome and very easy to follow. I’m still experiencing the same issue however. The queues on MX 2003 are filling up faster than I can delete them (the aqadmcli is a nifty program btw). I’ve made sure recipient filtering is on and I’ve downloaded and installed the ORF spam filter. I checked to see whether we were an open relay, but the only exception in the list was the IP of the mail server itself. I then checked to see if an authenticated user was relaying. I followed the steps and when I clicked on the application log in the event viewer I saw several of these:

Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 30/08/2004
Time: 15:45:08
User: N/A
Computer: EXCH-SRV1
Description: SMTP Authentication was performed successfully with client test-pc1. The authentication method was LOGIN and the username was domain\username.

When I clicked on them to get a description the only email addresses I saw were a crazy series of letters and numbers followed by @(our domain).

Also, something that may be of note. When I go to “current sessions” I will often find a couple of users who I don’t recognize in there and then I will terminate them. Is there anything else I can do to try and stop all of this spam going out?

Thanks again for getting me this far.
econn31 (ASKER)

Although I should add that the Event ID in the application log was not 1708; it was mostly 7004, with some 7002s and 257s.
Random senders indicate an abused account on your server.
How many users do you have on the server?  If only a handful - change ALL the passwords.  If lots, then we need to track down the user.
Use the Vamsoft Logs and filter on the Class = Whitelist | Filtering Point = On Arrival | Message = Authenticated Session
That should show up the authenticated emails.  If you look in the logs now at the Sender and Recipient columns, you should probably see a sender that is spewing out mail with the same address.
Check the start time of the first message and then cross-reference the Security logs on the server for the account that was used if not shown in Vamsoft.
econn31 (ASKER)

Thanks. I created the filter above, and what I get is that one sender, wazirirfcce@live.com, is sending mail to a ton of random addresses. It does not look like a sender on our network is the source. Question: when I look at the queues for the outgoing mail, should there be a ton of folders all with names like live.com, alltel.net, attbi.net, etc.? Because there are around 1000 folders all with names like that.
If you tell your users to stop sending mail, change your SMTP connector, add a Smarthost of [99.99.99.99], set the domain scope to * - then all mail will try to send down a single queue and won't go anywhere.
Then set your mail timeout to 3 minutes for all settings on the SMTP virtual server (note down the settings before changing them) and that will time out all the mail very quickly.
Ignore the sender of the mail.  Look at Vamsoft and see the start of the flood.  Check the date / time and then cross reference it to the security log.  That should identify a user account.
Change the password to the user account and restart SMTP service.
New spam should stop, existing spam will time out, then put everything back how it was, consider stronger password security and force password changes regularly if not already in force.
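The cross-reference described in this and the earlier reply (filter the ORF log for authenticated sessions, find the start of the flood, then look in the security log for the logon just before it), as an added example that is not part of the thread; the pipe-separated log layouts, account names and addresses are constructed assumptions, not real Vamsoft or Windows output:

```python
"""Correlate an outbound spam flood with the account that authenticated it.

Constructed sample data, not real Vamsoft ORF or Windows log output: ORF_LOG
mimics ORF log rows matching the thread's filter (Class=Whitelist, Filtering
Point=On Arrival, Message=Authenticated Session); SEC_LOG mimics security-log
logon audit rows. The pipe-separated layout and all names are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

ORF_LOG = """\
2004-08-30 15:40:01|Whitelist|On Arrival|Authenticated Session|alice@example.com|bob@example.com
2004-08-30 15:45:08|Whitelist|On Arrival|Authenticated Session|spammer@example.net|x1@live.com
2004-08-30 15:45:09|Whitelist|On Arrival|Authenticated Session|spammer@example.net|x2@alltel.net
2004-08-30 15:45:09|Whitelist|On Arrival|Authenticated Session|spammer@example.net|x3@attbi.net
2004-08-30 15:45:10|Whitelist|On Arrival|Authenticated Session|spammer@example.net|x4@live.com"""

SEC_LOG = """\
2004-08-30 15:44:59|Logon|EXAMPLE\\jsmith|TEST-PC1
2004-08-30 15:45:07|Logon|EXAMPLE\\mjones|TEST-PC1
2004-08-30 15:50:00|Logon|EXAMPLE\\alice|WS-ALICE"""

def parse(text):
    return [line.split("|") for line in text.splitlines()]

def flood_start(orf_text, min_msgs=3):
    """(sender, time of its first message) for the busiest authenticated sender.

    The sender address only locates the start of the flood; as the thread
    notes, it says nothing about which account was abused."""
    rows = [r for r in parse(orf_text)
            if r[1:4] == ["Whitelist", "On Arrival", "Authenticated Session"]]
    if not rows:
        return None
    sender, n = Counter(r[4] for r in rows).most_common(1)[0]
    if n < min_msgs:
        return None
    return sender, min(datetime.fromisoformat(r[0]) for r in rows if r[4] == sender)

def candidate_accounts(sec_text, start, window_s=60):
    """Accounts with a logon in the window_s seconds before the flood started."""
    lo = start - timedelta(seconds=window_s)
    return sorted({r[2] for r in parse(sec_text)
                   if r[1] == "Logon" and lo <= datetime.fromisoformat(r[0]) <= start})

if __name__ == "__main__":
    sender, start = flood_start(ORF_LOG)
    print(f"flood from {sender} began {start}; reset: {candidate_accounts(SEC_LOG, start)}")
```

Every account the script lists is a candidate for a password reset, not proof; widen or narrow window_s to match how far apart the ORF and security-log clocks are.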
econn31 (ASKER)

Gotcha - I will give that a go. The only thing I'm unclear about is the security log. I'll search for it, but where would I find it; is it on the mail server? Sorry, again... new to this, and thanks again for the help.
econn31 (ASKER)

Never mind, found it.
You found the account in the log or the log?
econn31 (ASKER)

I think I found them, and there is more than one - will change those passwords. Also, there was no SMTP connector, so I created one. Does that sound right? I expanded Routing Groups > (our domain) > Connectors.
Yes - that's fine to create one.
Good news - sounds like you are making good progress.
Make sure you set strong passwords and once done - restart the Simple Mail Transfer Protocol Service.
econn31 (ASKER)

I found the times of the delinquent spammer and matched them to the times from the security log.
You have to love Vamsoft : )
econn31 (ASKER)

Yeah - they make it easy. Thanks for all your help; I'm just going to make sure that I can smoothly change passwords without screwing anything up for that group of staffers. Then hopefully that will take care of things. I should probably go ahead and change everyone's password while I'm at it.
All 200 - could be a while, but not a bad idea.
You can force a strong policy, force changes every 30 days, and then force change at next logon and then you don't have to change them all - they get to do it.
The queue will take a while to empty but once clear, set the SMTP Connector back to DNS and the SMTP Message timeouts back to whatever they were before.
Then make sure you are not Blacklisted on www.mxtoolbox.com/aspx and request de-listing from them all.  If you are on Tiopan - ignore them - you will drop off after a week and the same for SORBS.
econn31 (ASKER)

Gotcha, will do - will it have been enough for me to see all the times in the Vamsoft logs and then cross-reference the times of the spam with the security log without changing the SMTP connector? Because my ESM froze on me and I didn't complete that step properly. In the security log I see tons and tons of hits every minute - an assortment of users and a lot of SYSTEM as the user; I hope that's not a bad thing. Thanks again for all the troubleshooting; hopefully this spam will stop flooding in pretty soon, once I change a few accounts.
ASKER CERTIFIED SOLUTION
Alan Hardisty

econn31 (ASKER)

Nope, not at all, can't ask any more - just gonna continue to try to get control of it. Thanks yet again.
Thanks - I'll be here if you need me for anything.
Appreciate the points.
Keep lots of coffee to hand : )