svillardi asked:

Exchange 2003, Backup, Logs, SPAM

I have a VM of SBS2003 server whose hard drive is filling up very quickly.  I have added more HD space and looked around.

The Exchange logs are not being flushed out.  That's because there hadn't been a backup in some time.  So I did that last night and the logs didn't clear.

I noticed that this morning some more space was eaten up and I started refreshing -- the log was filling up FAST.

So I looked at the Exchange queues and, to my horror, there it was: SPAM.  Now, I locked down that server before and we hadn't had a problem for about 3 years.

The server is going to run out of space and go down again if I can't clear up space.

What do I do?  It's these logs for sure -- I have several multi-gb sized files.  Try to rerun the backup?  Delete old files?  How do I quickly stop the SPAM?


Please assist.  Thank you.

zippybungle2003 replied:

First things first: make sure that the retention periods are lowered so that the mail is dropped in an hour rather than 3 days. This is set on the SMTP virtual server.

In the queue, try to identify where this is originating from (PC, user, etc.). Then give the system a full AV/malware scan.

I would guess that the mail is being sent out as postmaster@yourdomain.com. Enable sender filtering and stop postmaster from being able to send email out.

Take it from there, hopefully someone else will be able to assist also.
ASKER CERTIFIED SOLUTION
Alan Hardisty

This solution is only available to members of Experts Exchange.
svillardi (asker):
OK, I see a whole bunch of virtual SMTP domains, but they're all empty.  No messages.  How do I delete them and what can I do at this point?  My log is at 6gb for a small office, but looks like it's stabilized this afternoon, because the log really isn't growing.  Now, I'm on a bunch of blacklists.

If you are blacklisted - please read my article that I posted in the comment above, and also check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org and see why you are listed.

OK, all the extra virtual SMTP domains are gone.  I didn't do anything except shorten the expiring time.  I am also seeing that the log file is only slightly changed since this afternoon.  Therefore, I think the outgoing SPAM attack has stopped.

Several thoughts and questions:

Our ISP reported a couple of people forwarded emails that our server sent out.  Today's report listed our server as the sender, but also listed a quarantined virus.  My Symantec Endpoint is up to date and found a couple of things (trojan-spy.html.fraud.gen) in our (inbound) SPAM folder.  I have deleted everything in that folder as a precaution.  The ISP said that one report said that we were doing a phishing request.  Does any of this info help to determine what is actually causing the SPAM or its origination?  I can't see how EML files which a user never saw could activate a virus.

I have almost 20gb of logs in my sbs2003.log folder.  I did an Exchange backup last night.  Can't I delete these old files?  What should I do?

Recipient filtering was already turned on.  I enabled maximum authentication logging, but nothing yet is showing up in my Event Viewer.

Thanks again!
Please respond to my last post if possible.

More info:  The logs I am talking about are in c:\program files\exchsrvr\sbs2003.log folder, which is shared.  Circular logging is enabled on the Storage Group.  That setting is in c:\program files\exchsrvr\mdbdata.  There's hardly any space taken up at this location.

Thanks again.

Still investigating:  The sbs2003.log files are message tracking files.  By doing a search, using the message tracker tool, I can see a bunch of different senders, including the postmaster@mydomain.com and other outside addresses, such as accounts@paypal.com.

Is there a way to track what virus, either on my server or on another client may be causing this?

Thank you again for the assistance.
If the senders are Postmaster - that suggests Recipient filtering isn't working or you use a 3rd party for anti-spam filtering and they are not Recipient Filtering.

If the senders are paypal.com then you could either have a local infection or have an authenticated relay going on.

I would change ALL passwords for ALL users as a precaution and restart the SMTP service.

Scan all your computers with something like malwarebytes (www.malwarebytes.org) and remove anything that is found.

A clean anti-virus scan doesn't mean you don't have anything!!

FYI - I am currently on holiday so replies won't be coming back as fast as usual!

The problem seemed to stop over the weekend, but now it's back.  I do not know what to do.
I cleaned everyone in the office with malwarebytes.  I ran virus scans.  We were fine over the weekend.  Postmaster@mycompany and paypal emails keep going out.

Have you read my article yet and increased the logging?

Yes, and I came up GOLDEN!!  Thank you!

Now for the details:

The account is actually a service account used to allow printers to scan to the file server.  How is it possible that this was hacked?  Users do not generally know the username and password to set this up, but all of our scanners use the same domain acct.

Please explain.

I have temporarily disabled the account.  I will change the password on it and re-enable.  Then will have to change all the printer settings.
I do not understand how a brute force attack occurs.  Your article goes into how to stop the spam once it occurs, but how does it attack the firewall and get to the Exchange server?  

I'm just about ready to close this one up, and I thank you for your assistance!
A brute force attack is a user controlling a computer (usually not their own) that has a program on it that is told to try numerous username and password combinations until it finally gets one that fits.  If you have a weak password (one that can be found in a dictionary), then it won't take long to discover a password, plus if the password is a short one, then it also won't take long to crack either.

The stronger and longer your passwords, the less easy they will be to guess by a brute force attack and if you have account lockouts after a few invalid login attempts, then that will also slow down a would-be hacker.

The attack won't attack your firewall - it will find an open port, such as port 25 (SMTP) and then try using an email program (or a program such as telnet) to send millions of login attempts to your server.
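To make the attack described above concrete, here is an added Python example; it is not code from the thread, from Experts Exchange or from Alan Hardisty. It walks a constructed SMTP session transcript (the `ip C|S: text` line format, the IP addresses, account names and passwords are all made up for the example) showing the AUTH LOGIN exchange an attacker drives over port 25, decodes the base64 the mechanism uses, and flags source/account pairs that fail repeatedly and then succeed, which is the pattern that would betray a guessed shared service account like the scanner account. The failure threshold is an assumed tuning value.

```python
"""Decode SMTP AUTH LOGIN attempts from a session transcript and flag brute force.

Added example. The transcript format ("<client-ip> <C|S>: <text>") is assumed;
a packet capture or a verbose SMTP protocol log can be reshaped into it.
The 334/235/535 reply codes are the standard SMTP AUTH responses.
"""
import base64
import binascii
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<side>[CS]):\s*(?P<text>.*)$")

# Constructed transcript (not a real capture). 203.0.113.7 walks a short wordlist
# against a shared "scanner" account and succeeds on the fourth try, then starts
# sending as a spoofed paypal.com address; 192.0.2.20 is a legitimate user.
TRANSCRIPT = """\
203.0.113.7 C: EHLO evil
203.0.113.7 S: 250-AUTH LOGIN NTLM
203.0.113.7 C: AUTH LOGIN
203.0.113.7 S: 334 VXNlcm5hbWU6
203.0.113.7 C: c2Nhbm5lcg==
203.0.113.7 S: 334 UGFzc3dvcmQ6
203.0.113.7 C: cGFzc3dvcmQ=
203.0.113.7 S: 535 5.7.3 Authentication unsuccessful.
203.0.113.7 C: AUTH LOGIN
203.0.113.7 S: 334 VXNlcm5hbWU6
203.0.113.7 C: c2Nhbm5lcg==
203.0.113.7 S: 334 UGFzc3dvcmQ6
203.0.113.7 C: MTIzNDU2
203.0.113.7 S: 535 5.7.3 Authentication unsuccessful.
203.0.113.7 C: AUTH LOGIN
203.0.113.7 S: 334 VXNlcm5hbWU6
203.0.113.7 C: c2Nhbm5lcg==
203.0.113.7 S: 334 UGFzc3dvcmQ6
203.0.113.7 C: c2Nhbm5lcg==
203.0.113.7 S: 535 5.7.3 Authentication unsuccessful.
203.0.113.7 C: AUTH LOGIN
203.0.113.7 S: 334 VXNlcm5hbWU6
203.0.113.7 C: c2Nhbm5lcg==
203.0.113.7 S: 334 UGFzc3dvcmQ6
203.0.113.7 C: c2NhbjEyMw==
203.0.113.7 S: 235 2.7.0 Authentication successful.
203.0.113.7 C: MAIL FROM:<accounts@paypal.com>
192.0.2.20 C: AUTH LOGIN
192.0.2.20 S: 334 VXNlcm5hbWU6
192.0.2.20 C: amRvZQ==
192.0.2.20 S: 334 UGFzc3dvcmQ6
192.0.2.20 C: Q29ycmVjdEhvcnNlIQ==
192.0.2.20 S: 235 2.7.0 Authentication successful.
"""


def _b64(token):
    """AUTH LOGIN is base64, not encryption: anyone who sees the session reads it."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "<undecodable:%s>" % token


def parse_auth_attempts(transcript):
    """Return one {'ip','user','password','ok'} record per completed AUTH LOGIN."""
    pending = {}      # ip -> attempt whose 235/535 reply has not arrived yet
    attempts = []
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ip, side, text = m.group("ip"), m.group("side"), m.group("text").strip()
        attempt = pending.get(ip)
        if side == "C":
            if text.upper().startswith("AUTH LOGIN"):
                attempt = {"ip": ip, "user": None, "password": None, "ok": None}
                parts = text.split(None, 2)
                if len(parts) == 3:          # client sent the username with the command
                    attempt["user"] = _b64(parts[2])
                pending[ip] = attempt
            elif attempt is not None and attempt["user"] is None:
                attempt["user"] = _b64(text)
            elif attempt is not None and attempt["password"] is None:
                attempt["password"] = _b64(text)
        elif side == "S" and attempt is not None and attempt["password"] is not None:
            if text.startswith("235"):
                attempt["ok"] = True
            elif text.startswith("535"):
                attempt["ok"] = False
            else:
                continue                     # 334 challenge or unrelated reply
            attempts.append(pending.pop(ip))
    return attempts


def summarize(attempts, threshold=3):
    """Per (ip, user): failure/success counts, brute-force flag, and whether a
    success followed the failures (the account is then compromised)."""
    stats = defaultdict(lambda: {"failures": 0, "successes": 0, "working_password": None})
    for a in attempts:
        s = stats[(a["ip"], a["user"])]
        if a["ok"]:
            s["successes"] += 1
            s["working_password"] = a["password"]
        else:
            s["failures"] += 1
    for s in stats.values():
        s["brute_force"] = s["failures"] >= threshold
        s["compromised"] = s["brute_force"] and s["successes"] > 0
    return dict(stats)


def accounts_to_reset(report):
    """Usernames whose password was guessed: disable them and change the password."""
    return sorted({user for (_ip, user), s in report.items() if s["compromised"]})


if __name__ == "__main__":
    report = summarize(parse_auth_attempts(TRANSCRIPT))
    for (ip, user), s in sorted(report.items()):
        print(ip, user, s)
    print("reset:", accounts_to_reset(report))
```

Two things the transcript makes visible that the prose only states: the guesses themselves are readable (here the attacker tried the account name as its own password before hitting the working one), and every failed guess produces a 535 reply, so a log that records SMTP authentication failures per source address shows a brute force long before it succeeds. An account lockout threshold below the wordlist length would have stopped this sequence at the third 535.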