Solved

Exchange server is spamming using a compromised user profile, but I can't find the profile to disable it.

Posted on 2010-11-17
11
Medium Priority
1,370 Views
Last Modified: 2012-05-10
I have thousands of messages in my outbound, but I cannot find the account that it is using. My event log has an authentication event for a user that I cannot find in the directory. How can I find this user to delete it?


Event Type:	Information
Event Source:	MSExchangeTransport
Event Category:	Authentication 
Event ID:	1708
Date:		11/17/2010
Time:		8:20:54 AM
User:		N/A
Computer:	NTSERVER03
Description:
SMTP Authentication was performed successfully with client "User".  The authentication method was "LOGIN" and the username was "DAYTON_ROGERS\Mike".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
Question by:leviatdr
11 Comments
 
LVL 31

Expert Comment

by:Justin Owens
ID: 34155235
Does DAYTON_ROGERS\Mike exist in your AD?
0
 

Author Comment

by:leviatdr
ID: 34155261
No. I can't find it. I've done dsqueries with *mike* and nothing comes back as just mike.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 34155351
Exchange 2003? Do you have relay turned on? If the account doesn't exist in AD and has no mailbox attached to it AND if your SMTP service requires authentication, you should not be getting this event.
0
 

Author Comment

by:leviatdr
ID: 34155452
I have relay turned off, except for a few IPs inside the network. In the SMTP virtual server, I have a ton of sessions open for "User" from IP address 41.134.49.202. I think that's my spammer, but I can't find the account they're using. I have other events in the log:
Event Type:	Information
Event Source:	MSExchangeTransport
Event Category:	Authentication 
Event ID:	1707
Date:		11/17/2010
Time:		8:41:29 AM
User:		N/A
Computer:	NTSERVER03
Description:
An internal EXPS function failed while communicating with "unknown".  "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x80070533 ( f:\tisp2\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 07 80               3..¿


Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1058
Date:		11/17/2010
Time:		8:51:38 AM
User:		NT AUTHORITY\SYSTEM
Computer:	NTSERVER03
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DAYTON_ROGERS,DC=LOCAL. The file must be present at the location <\\DAYTON_ROGERS.LOCAL\sysvol\DAYTON_ROGERS.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted. 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type:	Warning
Event Source:	MSExchangeTransport
Event Category:	Authentication 
Event ID:	1706
Date:		11/17/2010
Time:		8:41:29 AM
User:		N/A
Computer:	NTSERVER03
Description:
EXPS is temporarily unable to provide protocol security with "User".  "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x80070533 ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 07 80               3..¿


0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 34155499
That appears to be an external address coming in from outside.  Do you intentionally allow that hole in your firewall?
0
 

Author Comment

by:leviatdr
ID: 34155627
We have a public email server, so I have SMTP, ActiveSync, and IMAP open.
0
 
LVL 31

Expert Comment

by:Justin Owens
ID: 34155797
You will run into a lot of issues with public email servers.  First, I would make sure you harden it.  For specifics on how to do that, I need to know what version of Exchange you are using.
0
 

Author Comment

by:leviatdr
ID: 34155812
Windows Server 2003, Exchange 2003
0
 
LVL 31

Accepted Solution

by:Justin Owens (earned 2000 total points)
ID: 34155865
leviatdr,

This is a four part series on all the steps you need to take to harden your server:

http://www.msexchange.org/tutorials/Hardening-Exchange-Server-2003-Environment-Part1.html

I would suggest reading all four parts before starting anything.  If you have any questions about the whats, hows, or whys, ask them first before you start.

Justin
0
 

Author Comment

by:leviatdr
ID: 34158699
I just ran a fgdump from my server and the mystery Mike account showed up as an object in the file. Besides a "dsquery users" how else can I find this account in the directory?
0
 

Author Closing Comment

by:leviatdr
ID: 34159343
I found the Mike account. Its user logon name differed from its pre-Windows 2000 name, so I missed it. Thanks for all the help.
0
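Added example (not code from the thread or from any of its participants): a small Python triage script that parses MSExchangeTransport 1708/1707 descriptions of the kind quoted above, counts successful SMTP AUTH logons per account, decodes the 0x8007xxxx error code to its Win32 number, and builds the sAMAccountName LDAP filter for `dsquery * domainroot -filter`, since the DOMAIN\name in Event 1708 is the pre-Windows 2000 logon name rather than the display name or user logon name (UPN) that a name search matches on. The sample events are constructed.

```python
import re
from collections import Counter

# Constructed sample events in the format of the MSExchangeTransport events quoted in the thread (not real log data).
SAMPLE_EVENTS = [
    (1708, 'SMTP Authentication was performed successfully with client "User".  The '
           'authentication method was "LOGIN" and the username was "DAYTON_ROGERS\\Mike".'),
    (1708, 'SMTP Authentication was performed successfully with client "User".  The '
           'authentication method was "LOGIN" and the username was "DAYTON_ROGERS\\Mike".'),
    (1707, '"CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" '
           'which failed with error code 0x80070533 ( authctx.cpp@803 ).'),
]
AUTH_OK = re.compile(r'with client "([^"]*)"\..*?method was "([^"]*)" and the username was "([^"]*)"')
ERR_CODE = re.compile(r'error code 0x([0-9A-Fa-f]{8})')

def parse_auth_success(description):
    """Pull client, method, domain and logon name out of an Event ID 1708 description.
    DOMAIN\\name is the pre-Windows 2000 logon name (sAMAccountName), not the display name or UPN."""
    m = AUTH_OK.search(description)
    if not m:
        return None
    client, method, account = m.groups()
    domain, _, sam = account.rpartition("\\")
    return {"client": client, "method": method, "domain": domain, "sam": sam}

def win32_from_hresult(hresult):
    """Map a FACILITY_WIN32 HRESULT (0x8007xxxx) to its Win32 code: 0x80070533 -> 1331 (ERROR_ACCOUNT_DISABLED)."""
    return hresult & 0xFFFF if (hresult >> 16) & 0x7FFF == 7 else None

def ldap_filter_for(sam):
    """Filter for 'dsquery * domainroot -filter ...' on sAMAccountName, RFC 4515 escaping (backslash first)."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        sam = sam.replace(ch, rep)
    return "(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))" % sam

def summarize(events):
    """Count successful SMTP AUTHs per (domain, sam, method); collect Win32 codes from 1706/1707 events."""
    auths, errors = Counter(), []
    for event_id, desc in events:
        if event_id == 1708 and (info := parse_auth_success(desc)):
            auths[(info["domain"], info["sam"], info["method"])] += 1
        elif event_id in (1706, 1707) and (m := ERR_CODE.search(desc)):
            errors.append(win32_from_hresult(int(m.group(1), 16)))
    return auths, errors

if __name__ == "__main__":
    auths, errors = summarize(SAMPLE_EVENTS)
    for (domain, sam, method), n in auths.most_common():
        print("%d x %s\\%s via %s -> %s" % (n, domain, sam, method, ldap_filter_for(sam)))
    print("Win32 error codes seen:", errors)
```

On Windows Server 2003 the emitted filter can be pasted into `dsquery * domainroot -filter "<filter>" -attr sAMAccountName userPrincipalName cn distinguishedName` to locate the object regardless of its display name.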
