Solved

Exchange 2003, Backup, Logs, SPAM

Posted on 2011-02-18
340 Views
Last Modified: 2012-05-11
I have a VM of SBS2003 server whose hard drive is filling up very quickly.  I have added more HD space and looked around.

The Exchange logs are not being flushed out.  That's because there hadn't been a backup in some time.  So I did that last night and the logs didn't clear.

I noticed that this morning some more space was eaten up and I started refreshing -- the log was filling up FAST.

So I looked at the Exchange queues and to my horror, there it was SPAM.  Now, I locked down that server before and we hadn't had a problem for about 3 years.

The server is going to run out of space and go down again if I can't clear up space.

What do I do?  It's these logs for sure -- I have several multi-gb sized files.  Try to rerun the backup?  Delete old files?  How do I quickly stop the SPAM?


Please assist.  Thank you.

Question by:svillardi
16 Comments
 
LVL 5

Expert Comment

by:zippybungle2003
ID: 34926063
First things first: make sure that the retention periods are lowered so that the mail is dropped in an hour rather than 3 days. This is set on the SMTP virtual server.

In the queue, try to identify where this is originating from (PC, user, etc.). Then give the system a full AV/malware scan.

I would guess that the mail is being sent out as postmaster@yourdomain.com. Enable sender filtering and stop postmaster from being able to send email out.

Take it from there, hopefully someone else will be able to assist also.
 
LVL 76

Accepted Solution

by: Alan Hardisty (earned 2000 total points)
ID: 34927322
 

Author Comment

by:svillardi
ID: 34929142
OK, I see a whole bunch of virtual SMTP domains, but they're all empty.  No messages.  How do I delete them and what can I do at this point?  My log is at 6gb for a small office, but looks like it's stabilized this afternoon, because the log really isn't growing.  Now, I'm on a bunch of blacklists.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34929381
If you are blacklisted - please read my article that I posted in the comment above and also check on www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org and see why you are listed.
 

Author Comment

by:svillardi
ID: 34930507
OK, all the extra virtual SMTP domains are gone.  I didn't do anything except shorten the expiring time.  I am also seeing that the log file is only slightly changed since this afternoon.  Therefore, I think the outgoing SPAM attack has stopped.

Several thoughts and questions:

Our ISP reported a couple of people forwarded emails that our server sent out.  Today's report listed our server as the sender, but also listed a quarantined virus.  My Symantec Endpoint is up to date and found a couple of things (trojan-spy.html.fraud.gen) in our (inbound) SPAM folder.  I have deleted everything in that folder as a precaution.  The ISP said that one report said that we were doing a phishing request.  Does any of this info help to determine what is actually causing the SPAM or its origination?  I can't see how EML files which a user never saw could activate a virus.

I have almost 20gb of logs in my sbs2003.log folder.  I did an Exchange backup last night.  Can't I delete these old files?  What should I do?

Recipient filtering was already turned on.  I enabled maximum authentication logging, but nothing yet is showing up in my Event Viewer.

Thanks again!
 

Author Comment

by:svillardi
ID: 34931356
Please respond to my last post if possible.
 

Author Comment

by:svillardi
ID: 34931387
More info:  The logs I am talking about are in c:\program files\exchsrvr\sbs2003.log folder, which is shared.  Circular logging is enabled on the Storage Group.  That setting is in c:\program files\exchsrvr\mdbdata.  There's hardly any space taken up at this location.

Thanks again.
 

Author Comment

by:svillardi
ID: 34931576
Still investigating:  The sbs2003.log files are message tracking files.  By doing a search, using the message tracker tool, I can see a bunch of different senders, including the postmaster@mydomain.com and other outside addresses, such as accounts@paypal.com.

Is there a way to track what virus, either on my server or on another client may be causing this?

Thank you again for the assistance.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34932356
If the senders are Postmaster - that suggests Recipient filtering isn't working or you use a 3rd party for anti-spam filtering and they are not Recipient Filtering.

If the senders are paypal.com then you could either have a local infection or have an authenticated relay going on.

I would change ALL passwords for ALL users as a precaution and restart the SMTP service.

Scan all your computers with something like malwarebytes (www.malwarebytes.org) and remove anything that is found.

A clean anti-virus scan doesn't mean you don't have anything!!

FYI - I am currently on holiday so replies won't be coming back as fast as usual!
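The two comments above (the author's message-tracking search that turned up postmaster@ and paypal.com senders, and the reply that reads those senders as a recipient-filtering gap or an authenticated relay) come down to one question: which sender/client-IP pairs account for the outbound volume? The following Python is an added example, not code from the thread or from Exchange. It reads the tab-delimited message tracking logs that live in the shared `<servername>.log` folder, takes the column names from the `# Date ...` header line inside the file rather than hard-coding positions, counts unique message IDs rather than tracking events (one message leaves several events), and flags any sender that is postmaster or claims a domain other than ours. The sample log rows, IP addresses and message IDs are constructed for the example.

```python
"""Rank Exchange 2003 message tracking log entries by (sender, client IP).
Added example: column names come from the log's own header line; all sample
rows below are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed header matching the tab-delimited layout of the tracking log.
COLUMNS = ["Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
           "Server-hostname", "server-IP", "Recipient-Address", "Event-ID",
           "MSGID", "Priority", "Recipient-Report-Status", "total-bytes",
           "Number-Recipients", "Origination-Time", "Encryption",
           "service-Version", "Linked-MSGID", "Message-Subject", "Sender-Address"]


def _row(client_ip: str, sender: str, recipient: str, msgid: str,
         event_id: str, subject: str) -> str:
    """Build one constructed tab-separated log row; unused columns get '-'."""
    values = {c: "-" for c in COLUMNS}
    values.update({"Date": "2011-2-18", "Time": "3:07:12 GMT",
                   "client-ip": client_ip, "Server-hostname": "SBSSERVER",
                   "server-IP": "192.168.1.10", "Recipient-Address": recipient,
                   "Event-ID": event_id, "MSGID": msgid,
                   "Message-Subject": subject, "Sender-Address": sender})
    return "\t".join(values[c] for c in COLUMNS)


# Constructed sample: three messages from one outside IP (203.0.113.50 is a
# documentation address standing in for the attacker) and one legitimate
# message from an inside PC. Each message gets two tracking events here.
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File",
     "# Exchange System Attendant Version 6.5.7638.1",
     "# " + "\t".join(COLUMNS)]
    + [_row(ip, s, r, m, e, subj)
       for ip, s, r, m, subj in [
           ("203.0.113.50", "postmaster@example.com", "victim1@mail.test", "m1", "Undeliverable"),
           ("203.0.113.50", "accounts@paypal.com", "victim2@mail.test", "m2", "Your account"),
           ("203.0.113.50", "accounts@paypal.com", "victim3@mail.test", "m3", "Your account"),
           ("192.168.1.25", "alice@example.com", "customer@mail.test", "m4", "Invoice 1042"),
       ] for e in ("1019", "1020")])


def parse_tracking_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per event row, keyed by the names in the header line."""
    columns: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#"):
            header = line.lstrip("#").strip().split("\t")
            if header and header[0].lower() == "date":
                columns = header          # the column-name header line
            continue
        if not columns or not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != len(columns):
            continue                      # truncated row: skip, never misalign
        records.append(dict(zip(columns, fields)))
    return records


def messages_by_source(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Group unique MSGIDs by (Sender-Address, client-ip)."""
    out: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for r in records:
        out[(r["Sender-Address"].lower(), r["client-ip"])].add(r["MSGID"])
    return out


def flag_suspicious(records: List[Dict[str, str]], local_domain: str) -> List[Tuple[str, str, int]]:
    """Rank (sender, client-ip, message count) for senders that are postmaster
    (NDRs that recipient filtering should have prevented) or that claim a
    domain other than ours (spoofed mail going out through the server)."""
    local_domain = local_domain.lower()
    flagged = []
    for (sender, ip), ids in messages_by_source(records).items():
        local_part, _, domain = sender.rpartition("@")
        if domain != local_domain or local_part == "postmaster":
            flagged.append((sender, ip, len(ids)))
    flagged.sort(key=lambda t: (-t[2], t[0]))
    return flagged


if __name__ == "__main__":
    for sender, ip, n in flag_suspicious(parse_tracking_log(SAMPLE_LOG), "example.com"):
        print(f"{n:4d}  {sender:<28} from {ip}")
```

On a real log, point `parse_tracking_log` at each file in the share concatenated, and read the client IP column with care: when mail is relayed by an authenticated client the IP is the attacker's or the infected PC's, while postmaster traffic shows the server's own address. If the flagged rows are all postmaster, the fix is recipient filtering; if they carry outside sender domains from one client IP, it is a relay or an infected host, which is why the reply above recommends changing every password and restarting SMTP.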
 

Author Comment

by:svillardi
ID: 34942234
The problem seemed to stop over the weekend, but now it's back.  I do not know what to do.
 

Author Comment

by:svillardi
ID: 34942245
I cleaned everyone in the office with malwarebytes.  I ran virus scans.  We were fine over the weekend.  Postmaster@mycompany and paypal emails keep going out.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34942743
Have you read my article yet and increased the logging?
 

Author Comment

by:svillardi
ID: 34944856
Yes, and I came up GOLDEN!!  Thank you!

Now for the details:

The account is actually a service account used to allow printers to scan to the file server.  How is it possible that this was hacked?  Users do not generally know the username and password to set this up, but all of our scanners use the same domain account.

Please explain.

I have temporarily disabled the account.  I will change the password on it and re-enable.  Then will have to change all the printer settings.
 

Author Comment

by:svillardi
ID: 34994292
I do not understand how a brute force attack occurs.  Your article goes into how to stop the spam once it occurs, but how does it attack the firewall and get to the Exchange server?  

I'm just about ready to close this one up, and I thank you for your assistance!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34995768
A brute force attack is a user controlling a computer (usually not their own) that has a program on it that is told to try numerous username and password combinations until it finally gets one that fits.  If you have a weak password (one that can be found in a dictionary), then it won't take long to discover a password, plus if the password is a short one, then it also won't take long to crack either.

The stronger and longer your passwords, the less easy they will be to guess by a brute force attack and if you have account lockouts after a few invalid login attempts, then that will also slow down a would-be hacker.

The attack won't attack your firewall - it will find an open port, such as port 25 (SMTP) and then try using an email program (or a program such as telnet) to send millions of login attempts to your server.
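The explanation above of how a brute-force attack reaches the SMTP server through an open port 25 can be made concrete with a small model. The Python below is an added example, not code from the thread or from Exchange: a toy server that speaks just the `AUTH LOGIN` exchange (the base64 `Username:` / `Password:` prompts and the `235` / `535` replies an SMTP client sees), a guessing loop that stands in for the attacker's tool, and an optional lockout counter that stands in for the domain's account lockout policy. The user names, passwords and word list are constructed; the hashing inside the toy server is only there so the example does not hold plaintext passwords, not a model of how Windows stores them.

```python
"""Model of an SMTP AUTH LOGIN brute-force attempt against a toy server,
with and without an account lockout policy. Added illustration; the server
is a stand-in for the Exchange 2003 SMTP virtual server, not its code."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

# Constructed accounts: the shared scanner service account has a short,
# dictionary-style password; the admin account has a long random one.
USERS = {"scanner-svc": "scanner123", "admin": "fV9#kq2LmZ!8wRpT4xyC"}
# Constructed word list standing in for the millions of guesses a real tool sends.
WORDLIST = ["password", "123456", "letmein", "scanner", "Welcome1", "scanner123"]


class ToySmtpServer:
    """Speaks just enough of AUTH LOGIN to show what crosses port 25."""

    def __init__(self, users: Dict[str, str], lockout_threshold: Optional[int] = None):
        self._users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self.lockout_threshold = lockout_threshold   # None = no lockout policy
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()
        self.transcript: List[str] = []              # C:/S: lines of the last attempt

    def auth_login(self, username: str, password: str) -> Tuple[str, bool]:
        """One AUTH LOGIN attempt. Returns (final server reply, success)."""
        t = self.transcript = []
        t.append("C: AUTH LOGIN")
        t.append("S: 334 " + base64.b64encode(b"Username:").decode())  # 334 VXNlcm5hbWU6
        t.append("C: " + base64.b64encode(username.encode()).decode())
        t.append("S: 334 " + base64.b64encode(b"Password:").decode())  # 334 UGFzc3dvcmQ6
        t.append("C: " + base64.b64encode(password.encode()).decode())
        reply, ok = self._check(username, password)
        t.append("S: " + reply)
        return reply, ok

    def _check(self, username: str, password: str) -> Tuple[str, bool]:
        fail = "535 5.7.3 Authentication unsuccessful"
        if username in self.locked:
            return fail, False                       # even the right password fails now
        expected = self._users.get(username)
        got = hashlib.sha256(password.encode()).hexdigest()
        if expected is not None and hmac.compare_digest(expected, got):
            self.failures[username] = 0
            return "235 2.7.0 Authentication successful", True
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.lockout_threshold and self.failures[username] >= self.lockout_threshold:
            self.locked.add(username)
        return fail, False


def brute_force(server: ToySmtpServer, username: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Try each guess in order; return (password found or None, attempts made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        _, ok = server.auth_login(username, guess)
        if ok:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    open_server = ToySmtpServer(USERS)
    print("no lockout, weak password :", brute_force(open_server, "scanner-svc", WORDLIST))
    print("\n".join(open_server.transcript))
    print("no lockout, strong password:", brute_force(ToySmtpServer(USERS), "admin", WORDLIST))
    locked_server = ToySmtpServer(USERS, lockout_threshold=3)
    print("lockout after 3, weak pw   :", brute_force(locked_server, "scanner-svc", WORDLIST))
```

Run stand-alone it shows the three outcomes the comment describes: the weak scanner password falls on the sixth guess, the long admin password is not in the list at all, and with a lockout threshold of three the correct guess arrives after the account is already locked and is refused. Two practical caveats: the base64 in the transcript is encoding, not encryption, so anyone on the path sees the credentials unless TLS is used; and a lockout policy also lets an attacker lock a shared service account on purpose, which for the scanners in this thread means a per-device account with a long password is the better long-term fix.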
Question has a verified solution.