Exchange server is spamming using a compromised user profile, but I can't find the profile to disable it.
I have thousands of messages in my outbound, but I cannot find the account that it is using. My event log has an authentication event for a user that I can not find in the directory. How can I find this user to delete it?
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Authentication
Event ID: 1708
Date: 11/17/2010
Time: 8:20:54 AM
User: N/A
Computer: NTSERVER03
Description:
SMTP Authentication was performed successfully with client "User". The authentication method was "LOGIN" and the username was "DAYTON_ROGERS\Mike".
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Justin Owens
Does DAYTON_ROGERS\Mike exist in your AD?
ASKER
No. I can't find it. I've done dsqueries with *mike* and nothing comes back as just mike.
Exchange 2003? Do you have relay turned on? If the account doesn't exist in AD and has no mailbox attached to it AND if your SMTP service required Authentication, you should not be getting this event.
ASKER
I have relay turned off, except for a few ip's inside the network. In the SMTP virtual server, I have a ton of sessions open for "User" from ip address 41.134.49.202. I think that's my spammer, but I can't find the account they're using. I have other events in the Log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: Authentication
Event ID: 1707
Date: 11/17/2010
Time: 8:41:29 AM
User: N/A
Computer: NTSERVER03
Description:
An internal EXPS function failed while communicating with "unknown". "CExchAuthContext::HrServerNegotiateClearTextAuth" called "HrCheckClearTextLogin" which failed with error code 0x80070533 ( f:\tisp2\transmt\src\smtpsink\exps\expslib\authctx.cpp@803 ).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 07 80 3..¿
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 11/17/2010
Time: 8:51:38 AM
User: NT AUTHORITY\SYSTEM
Computer: NTSERVER03
Description:
Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=DAYTON_ROGERS,DC=LOCAL. The file must be present at the location <\\DAYTON_ROGERS.LOCAL\sysvol\DAYTON_ROGERS.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: MSExchangeTransport
Event Category: Authentication
Event ID: 1706
Date: 11/17/2010
Time: 8:41:29 AM
User: N/A
Computer: NTSERVER03
Description:
EXPS is temporarily unable to provide protocol security with "User". "CSessionContext::OnEXPSInNegotiate" called "HrServerNegotiateAuth" which failed with error code 0x80070533 ( f:\tisp2\transmt\src\smtpsink\exps\expslib\context.cpp@1799 ).
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 33 05 07 80 3..¿
That appears to be an external address coming in from outside. Do you intentionally allow that hole in your firewall?
ASKER
We have a public email server, so I have SMTP, ActiveSync, and IMAP open.
You will run into a lot of issues with public email servers. First, I would make sure you harden it. For specifics on how to do that, I need to know what version of Exchange you are using.
ASKER
Windows Server 2003, Exchange 2003
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just ran a fgdump from my server and the mystery Mike account showed up as an object in the file. Besides a "dsquery users" how else can I find this account in the directory?
ASKER
I found the Mike account. It's user logon name differed from it's pre-Windows 2000 name, so I missed it. Thanks for all the help.