Exchange 2003, Backup, Logs, SPAM

I have a VM of SBS2003 server whose hard drive is filling up very quickly.  I have added more HD space and looked around.

The Exchange logs are not being flushed out.  That's because there hadn't been a backup in some time.  So I did that last night and the logs didn't clear.

I noticed that this morning some more space was eaten up and I started refreshing -- the log was filling up FAST.

So I looked at the Exchange queues and to my horror, there it was: SPAM.  Now, I locked down that server before and we hadn't had a problem for about 3 years.

The server is going to run out of space and go down again if I can't clear up space.

What do I do?  It's these logs for sure -- I have several multi-gb sized files.  Try to rerun the backup?  Delete old files?  How do I quickly stop the SPAM?


Please assist.  Thank you.

Asked by svillardi.

Alan Hardisty (Co-Owner) commented:

zippybungle2003 commented:
first things first make sure that the retention periods are lowered so that the mail is dropped in an hour rather than 3 days. This is set on the smtp virtual server.

In the queue try to identify where this is originating from, PC, user etc. Then give the system a full AV, malware scan.

I would guess that the mail is being sent out as postmaster @ yourdomain.com. Enable sender filtering and stop postmaster from being able to send email out.

Take it from there, hopefully someone else will be able to assist also.

svillardi (Author) commented:
OK, I see a whole bunch of virtual SMTP domains, but they're all empty.  No messages.  How do I delete them and what can I do at this point?  My log is at 6gb for a small office, but looks like it's stabilized this afternoon, because the log really isn't growing.  Now, I'm on a bunch of blacklists.

Alan Hardisty (Co-Owner) commented:
If you are blacklisted - please read my article that I posted in the comment above and also check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org and see why you are listed.

svillardi (Author) commented:
OK, all the extra virtual SMTP domains are gone.  I didn't do anything except shorten the expiring time.  I am also seeing that the log file is only slightly changed since this afternoon.  Therefore, I think the outgoing SPAM attack has stopped.

Several thoughts and questions:

Our ISP reported a couple of people forwarded emails that our server sent out.  Today's report listed our server as the sender, but also listed a quarantined virus.  My Symantec Endpoint is up to date and found a couple of things (trojan-spy.html.fraud.gen) in our (inbound) SPAM folder.  I have deleted everything in that folder as a precaution.  The ISP said that one report said that we were doing a phishing request.  Does any of this info help to determine what is actually causing the SPAM or its origination?  I can't see how EML files which a user never saw could activate a virus.

I have almost 20gb of logs in my sbs2003.log folder.  I did an Exchange backup last night.  Can't I delete these old files?  What should I do?

Recipient filtering was already turned on.  I enabled maximum authentication logging, but nothing yet is showing up in my Event Viewer.

Thanks again!

svillardi (Author) commented:
Please respond to my last post if possible.

svillardi (Author) commented:
More info:  The logs I am talking about are in c:\program files\exchsrvr\sbs2003.log folder, which is shared.  Circular logging is enabled on the Storage Group.  That setting is in c:\program files\exchsrvr\mdbdata.  There's hardly any space taken up at this location.

Thanks again.

svillardi (Author) commented:
Still investigating:  The sbs2003.log files are message tracking files.  By doing a search, using the message tracker tool, I can see a bunch of different senders, including the postmaster@mydomain.com and other outside addresses, such as accounts@paypal.com.

Is there a way to track what virus, either on my server or on another client may be causing this?

Thank you again for the assistance.

Alan Hardisty (Co-Owner) commented:
If the senders are Postmaster - that suggests Recipient filtering isn't working or you use a 3rd party for anti-spam filtering and they are not Recipient Filtering.

If the senders are paypal.com then you could either have a local infection or have an authenticated relay going on.

I would change ALL passwords for ALL users as a precaution and restart the SMTP service.

Scan all your computers with something like malwarebytes (www.malwarebytes.org) and remove anything that is found.

A clean anti-virus scan doesn't mean you don't have anything!!

FYI - I am currently on holiday so replies won't be coming back as fast as usual!

svillardi (Author) commented:
The problem seemed to stop over the weekend, but now it's back.  I do not know what to do.

svillardi (Author) commented:
I cleaned everyone in the office with malwarebytes.  I ran virus scans.  We were fine over the weekend.  Postmaster@mycompany and paypal emails keep going out.

Alan Hardisty (Co-Owner) commented:
Have you read my article yet and increased the logging?

svillardi (Author) commented:
Yes, and I came up GOLDEN!!  Thank you!

Now for the details:

The account is actually a service account used to allow printers to scan to the file server.  How is it possible that this was hacked?  Users do not generally know the username and password to set this up, but all of our scanners use the same domain acct.

Please explain.

I have temporarily disabled the account.  I will change the password on it and re-enable.  Then will have to change all the printer settings.

svillardi (Author) commented:
I do not understand how a brute force attack occurs.  Your article goes into how to stop the spam once it occurs, but how does it attack the firewall and get to the Exchange server?

I'm just about ready to close this one up, and I thank you for your assistance!

Alan Hardisty (Co-Owner) commented:
A brute force attack is a user controlling a computer (usually not their own) that has a program on it that is told to try numerous username and password combinations until it finally gets one that fits.  If you have a weak password (one that can be found in a dictionary), then it won't take long to discover a password, plus if the password is a short one, then it also won't take long to crack either.

The stronger and longer your passwords, the less easy they will be to guess by a brute force attack and if you have account lockouts after a few invalid login attempts, then that will also slow down a would-be hacker.

The attack won't attack your firewall - it will find an open port, such as port 25 (SMTP) and then try using an email program (or a program such as telnet) to send millions of login attempts to your server.
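The thread's turning point was the message tracking log: the tracker showed postmaster@ and spoofed outside addresses as senders, and increased logging then tied the traffic to a single service account that had been brute-forced and used for authenticated relay. The script below is an added example (not code from this thread, from Alan Hardisty's article, or from Microsoft) that triages such a log for exactly those patterns: postmaster backscatter, non-local sender addresses being relayed, a local account submitting from outside the LAN, and abnormal volume per sender. It assumes the Exchange 2003 tracking file is a W3C-style file with a `#Fields:` header and tab-separated rows, and only the column names it uses are relied upon; `LOCAL_DOMAINS`, `LAN_NETWORKS`, `VOLUME_THRESHOLD` and the sample rows are constructed for the example and would be edited to match the site.

```python
"""Triage an Exchange 2003 message tracking log for abusive outbound senders.

Added example, not code from the Experts Exchange thread or from Microsoft. Assumptions:
  * the log is a W3C-style file with a '#Fields:' header and tab-separated rows
    (only the column names used below are relied upon; other columns are ignored);
  * LOCAL_DOMAINS and LAN_NETWORKS describe the site and must be edited to match it;
  * SAMPLE_LOG is constructed for illustration.
"""
import ipaddress
from collections import defaultdict

LOCAL_DOMAINS = {"example.local"}                       # assumption: the site's own SMTP domain(s)
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumption
VOLUME_THRESHOLD = 3                                    # constructed cut-off; tune to the site's baseline

# Constructed sample log: one legitimate user, NDR backscatter from postmaster,
# a spoofed outside address, and a local service account submitting from the Internet.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields:\tDate\tTime\tclient-ip\tSender-Address\tRecipient-Address\tMessage-Subject
2012-01-10\t08:02:11\t10.0.0.15\talice@example.local\tbob@example.local\tBudget
2012-01-10\t08:05:43\t10.0.0.15\talice@example.local\tcustomer@example.net\tInvoice
2012-01-10\t08:06:01\t10.0.0.2\tpostmaster@example.local\tvictim1@example.org\tUndeliverable
2012-01-10\t08:06:02\t10.0.0.2\tpostmaster@example.local\tvictim2@example.org\tUndeliverable
2012-01-10\t08:06:03\t10.0.0.2\tpostmaster@example.local\tvictim3@example.org\tUndeliverable
2012-01-10\t08:07:10\t203.0.113.9\taccounts@paypal.com\tvictim4@example.org\tVerify your account
2012-01-10\t08:07:11\t203.0.113.9\taccounts@paypal.com\tvictim5@example.org\tVerify your account
2012-01-10\t08:09:00\t203.0.113.9\tscanner-svc@example.local\tvictim6@example.org\tHi
2012-01-10\t08:09:01\t203.0.113.9\tscanner-svc@example.local\tvictim7@example.org\tHi
2012-01-10\t08:09:02\t203.0.113.9\tscanner-svc@example.local\tvictim8@example.org\tHi
2012-01-10\t08:09:03\t203.0.113.9\tscanner-svc@example.local\tvictim9@example.org\tHi
"""


def parse_tracking_log(text):
    """Return data rows as dicts keyed by the column names in the '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if line.startswith("#"):          # other directives (#Software, #Date) carry no rows
            continue
        if fields is None:
            raise ValueError("data row encountered before the #Fields: header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_internal(ip):
    """True when the submitting client sits on one of the site's LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def analyse(rows):
    """Group rows by sender and return {sender: {...}} for the senders that look abusive."""
    per_sender = defaultdict(lambda: {"count": 0, "client_ips": set(), "recipients": set()})
    for row in rows:
        entry = per_sender[row["Sender-Address"].lower()]
        entry["count"] += 1
        entry["client_ips"].add(row["client-ip"])
        entry["recipients"].add(row["Recipient-Address"].lower())

    report = {}
    for sender, entry in per_sender.items():
        local_part, _, domain = sender.partition("@")
        reasons = []
        if domain not in LOCAL_DOMAINS:
            reasons.append("non-local sender address: the server relayed this, it did not originate it")
        if local_part == "postmaster":
            reasons.append("postmaster as sender: NDR backscatter, so recipient filtering is not taking effect")
        outside = sorted(ip for ip in entry["client_ips"] if not is_internal(ip))
        if domain in LOCAL_DOMAINS and outside:
            reasons.append("local account submitting from outside the LAN (authenticated relay?): "
                           + ", ".join(outside))
        if entry["count"] >= VOLUME_THRESHOLD:
            reasons.append(f"{entry['count']} messages to {len(entry['recipients'])} distinct recipients")
        if reasons:
            report[sender] = {"count": entry["count"],
                              "client_ips": sorted(entry["client_ips"]),
                              "reasons": reasons}
    return report


def format_report(report):
    """Render the findings one sender per block, reasons indented beneath it."""
    lines = []
    for sender, info in sorted(report.items()):
        lines.append(f"{sender}  ({info['count']} msgs, from {', '.join(info['client_ips'])})")
        lines.extend(f"    - {reason}" for reason in info["reasons"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(analyse(parse_tracking_log(SAMPLE_LOG))))
```

Run against the sample, the report lists postmaster (backscatter plus volume), accounts@paypal.com (relayed, non-local) and scanner-svc (a local account submitting from an outside address at volume), and leaves alice alone. Against a real tracking folder, point the parser at each `*.log` file in turn; the "outside the LAN" finding is the one that pinpoints a brute-forced account, since a scanner service account has no business authenticating from the Internet.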