Solved

Exchange 2003 SBS - Mail being sent from system by unknown account?

Posted on 2011-03-22
Last Modified: 2012-05-11
I believe one of our accounts may have been compromised.

I have a user called "User" that appears to be relaying mail from an IP that is not in our block.

If I look under Exchange System Mgr. > Servers > Protocols > SMTP > Default > Current Sessions

I see an account called User and a from IP of 219.166.3.138 which I have no idea who that is.

How can I tell which account on my side has been compromised?

Thanks,
Question by: tech911
 
LVL 3

Author Comment

by:tech911
ID: 35192957
Thanks Alan, I will try that and update you later on today.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192991
No problems - shout if you get stuck - I'm around for about 6 hours still!
0
 
LVL 3

Author Comment

by:tech911
ID: 35193029
In the application log I'm seeing a lot of 7004 errors.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:

This is an SMTP protocol error log for virtual server ID 1, connection #35565. The remote host "74.208.5.90", responded to the SMTP command "rcpt" with "550 5.1.1 <colinscott@toke.com>... User is unknown {mx-us013}  ". The full command sent was "RCPT TO:<colinscott@toke.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
What does this mean?
0
 
LVL 3

Author Comment

by:tech911
ID: 35193042
Also seeing 7002 errors.

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #35564. The remote host "209.126.213.95", responded to the SMTP command "mail" with "450 4.7.1 Error: too much mail from 74.94.239.233  ". The full command sent was "MAIL FROM:<hi5@hi.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

What does this mean?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193085
Ignore those - they are messages caused by the spam being sent to invalid accounts.

How many users on your domain?

You need to act quickly!

Ideally block outbound port 25 so no more mail can leave your server until you work out which account is compromised, or remove basic & integrated authentication, restart the SMTP service, empty your queues with aqadmcli.exe and then open up port 25 outbound again for your server.
0
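Alan's reading of the 7004/7002 events (remote MXs rejecting recipients that do not exist, others throttling the server) can be checked mechanically rather than by eye. The following Python is an added example, not from this thread or from Exchange: it parses the description text of those two event types and tallies the symptoms; the event texts, hosts and addresses are constructed to match the format quoted above.

```python
import re
from collections import Counter
# Constructed event descriptions modeled on the MSExchangeTransport 7004/7002 text
# quoted in the thread; hosts and addresses are made up (RFC 5737, example.*).
SAMPLE_EVENTS = [
    'This is an SMTP protocol error log for virtual server ID 1, connection #35565. '
    'The remote host "203.0.113.10", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 <nobody@example.net>... User is unknown {mx-x}  ". The full command sent '
    'was "RCPT TO:<nobody@example.net>  ".  This will probably cause the connection to fail.',
    'This is an SMTP protocol error log for virtual server ID 1, connection #35566. '
    'The remote host "203.0.113.22", responded to the SMTP command "rcpt" with '
    '"550 5.1.1 No such user  ". The full command sent was "RCPT TO:<gone@example.org>  ".',
    'This is an SMTP protocol warning log for virtual server ID 1, connection #35564. '
    'The remote host "198.51.100.7", responded to the SMTP command "mail" with '
    '"450 4.7.1 Error: too much mail from 192.0.2.25  ". The full command sent was '
    '"MAIL FROM:<promo@example.com>  ".  This may cause the connection to fail.',
]
# One pattern covers both IDs; replies never contain a double quote, and \s* strips the trailing padding.
EVENT_RE = re.compile(
    r'connection #(?P<conn>\d+)\. The remote host "(?P<host>[^"]+)", responded to the '
    r'SMTP command "(?P<cmd>\w+)" with "(?P<code>\d{3}) (?P<text>[^"]*?)\s*"\. '
    r'The full command sent was "(?P<full>[^"]*?)\s*"\.'
)

def parse_event(description):
    """Return connection id, remote host, SMTP verb, reply code/text and envelope address."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    ev = m.groupdict()
    ev["conn"], ev["code"] = int(ev["conn"]), int(ev["code"])
    addr = re.search(r"<([^>]*)>", ev["full"])
    ev["address"] = addr.group(1) if addr else None
    return ev

def classify(ev):
    """Map a remote reply to the symptom it represents for our outbound queue."""
    if ev["cmd"].lower() == "rcpt" and ev["code"] // 100 == 5:
        return "recipient_rejected"   # remote MX: that mailbox does not exist
    if ev["cmd"].lower() == "mail" and ev["code"] // 100 == 4:
        return "rate_limited"         # remote MX is throttling mail from our IP
    return "other"

def summarize(descriptions, min_hosts=2):
    """Many distinct MXs rejecting unknown recipients while others throttle us is the footprint of spam leaving our queue."""
    parsed = [ev for ev in map(parse_event, descriptions) if ev]
    counts = Counter(classify(ev) for ev in parsed)
    hosts = {ev["host"] for ev in parsed if classify(ev) == "recipient_rejected"}
    suspicious = len(hosts) >= min_hosts and counts["rate_limited"] > 0
    return {"counts": dict(counts), "rejecting_hosts": sorted(hosts), "suspicious": suspicious}
```

On a real server the descriptions would come from the Application log filtered to source MSExchangeTransport, IDs 7002 and 7004; a sudden burst flagged as suspicious is the cue to close outbound port 25 and look at authenticated SMTP sessions, as advised above.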
 
LVL 3

Author Comment

by:tech911
ID: 35193362
14 Users

25 is closed

Emptying Queues Now
0
 
LVL 76

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 35193484
Okay - if you don't have any users sending mail to your server via SMTP (or devices / remote servers) using Authentication - then ditch Basic & Integrated Windows Authentication permanently - they are simply not needed.

Make sure you have a solid Password policy in place (as per my 1st blog article):

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Then make sure you change passwords regularly and review your firewall to remove any open ports that are not needed.

This sort of problem is on the increase sadly.

But help is at hand in the shape of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
 
LVL 3

Author Comment

by:tech911
ID: 35193817
Appears to have solved the problem.  An account had been compromised.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193823
That's the usual reason!
0
