Solved

Exchange 2003 SBS - Mail being sent from system by unknown account?

Posted on 2011-03-22
726 Views
Last Modified: 2012-05-11
I believe one of our accounts may have been compromised.

I have a user called "User" that appears to be relaying mail from an IP that is not in our block.

If I look under Exchange System Mgr. > Servers > Protocols > SMTP > Default > Current Sessions

I see an account called User and a from IP of 219.166.3.138, which I have no idea who that is.

How can I tell which account on my side has been compromised?

Thanks,
0
Question by:tech911
10 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192861
0
 
LVL 3

Author Comment

by:tech911
ID: 35192957
Thanks Alan, I will try that and update you later on today.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192991
No problems - shout if you get stuck - I'm around for about 6 hours still!
0
 
LVL 3

Author Comment

by:tech911
ID: 35193029
In the application log I am seeing a lot of 7004 errors.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:

This is an SMTP protocol error log for virtual server ID 1, connection #35565. The remote host "74.208.5.90", responded to the SMTP command "rcpt" with "550 5.1.1 <colinscott@toke.com>... User is unknown {mx-us013}  ". The full command sent was "RCPT TO:<colinscott@toke.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


What does this mean?
0
 
LVL 3

Author Comment

by:tech911
ID: 35193042
Also seeing 7002 errors..

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #35564. The remote host "209.126.213.95", responded to the SMTP command "mail" with "450 4.7.1 Error: too much mail from 74.94.239.233  ". The full command sent was "MAIL FROM:<hi5@hi.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

What does this mean?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193085
Ignore those - they are messages caused by the spam being sent to invalid accounts.

How many users on your domain?

You need to act quickly!

Ideally block outbound port 25 so no more mail can leave your server until you work out which account is compromised, or remove basic & integrated authentication, restart the SMTP service, empty your queues with aqadmcli.exe and then open up port 25 outbound again for your server.
0
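Alan's point that the 7004/7002 events are symptoms rather than the cause can be checked mechanically. The script below is an added example, not code from the thread or from Microsoft: it parses the Description text of those two MSExchangeTransport event types (as exported from Event Viewer) and reports whether the envelope senders are domains the server does not own and whether remote sites are throttling it. ORG_DOMAINS is an assumption, and the four sample event descriptions are constructed to match the shape of the two posted above, with documentation addresses in place of the real hosts.

```python
"""Triage MSExchangeTransport 7002/7004 event descriptions for the signs of
an outbound spam run.  Added example, not from the thread.  ORG_DOMAINS is
an assumption (the domains this server legitimately sends as); the four
event descriptions are constructed to match the shape of the two posted."""
import re
from collections import Counter

ORG_DOMAINS = {"example.com"}  # assumption: the SBS server's own domains

# Matches the Description text of both 7002 (warning) and 7004 (error).
EVENT_RE = re.compile(
    r'The remote host "(?P<host>[^"]+)", responded to the SMTP command '
    r'"(?P<cmd>\w+)" with "(?P<code>\d{3}) (?P<text>[^"]*)"\.\s+'
    r'The full command sent was "(?P<full>[^"]*)"')
ADDR_RE = re.compile(r"<([^>]*)>")

SAMPLE_EVENTS = [  # constructed; hosts are documentation addresses
    'This is an SMTP protocol error log for virtual server ID 1, connection '
    '#35565. The remote host "203.0.113.10", responded to the SMTP command '
    '"rcpt" with "550 5.1.1 <bob@example.org>... User is unknown  ". The full '
    'command sent was "RCPT TO:<bob@example.org>  ".  This will probably '
    'cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection '
    '#35564. The remote host "203.0.113.20", responded to the SMTP command '
    '"mail" with "450 4.7.1 Error: too much mail from 198.51.100.5  ". The '
    'full command sent was "MAIL FROM:<hi5@hi.test>  ".  This may cause the '
    'connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection '
    '#35571. The remote host "203.0.113.10", responded to the SMTP command '
    '"mail" with "450 4.2.1 Try again later  ". The full command sent was '
    '"MAIL FROM:<promo@hi.test>  ".  This may cause the connection to fail.',
    'This is an SMTP protocol warning log for virtual server ID 1, connection '
    '#35572. The remote host "203.0.113.30", responded to the SMTP command '
    '"mail" with "452 4.3.1 Insufficient system storage  ". The full command '
    'sent was "MAIL FROM:<alice@example.com>  ".  This may cause the '
    'connection to fail.',
]


def parse_event(description):
    """Pull remote host, SMTP verb, reply code/text and the address in the
    command out of one event Description; None if it is not a 7002/7004."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    addr = ADDR_RE.search(m.group("full"))
    return {"host": m.group("host"), "cmd": m.group("cmd").lower(),
            "code": int(m.group("code")), "text": m.group("text").strip(),
            "address": addr.group(1).lower() if addr else ""}


def summarize(descriptions):
    """Count the indicators that separate a spam run from ordinary bounces."""
    s = {"events": 0, "unknown_recipient": 0, "throttled": 0,
         "foreign_sender": 0, "remote_hosts": Counter(), "senders": Counter()}
    for d in descriptions:
        ev = parse_event(d)
        if ev is None:
            continue
        s["events"] += 1
        s["remote_hosts"][ev["host"]] += 1
        if ev["cmd"] == "rcpt" and ev["code"] == 550:
            s["unknown_recipient"] += 1          # 7004: mail to dead mailboxes
        elif ev["cmd"] == "mail":
            s["senders"][ev["address"]] += 1
            domain = ev["address"].rpartition("@")[2]
            if domain and domain not in ORG_DOMAINS:
                s["foreign_sender"] += 1         # we are relaying someone else's mail
            if ev["code"] == 450 and "too much mail" in ev["text"].lower():
                s["throttled"] += 1              # 7002: remote MTA rate-limiting us
    return s


def looks_like_spam_run(s):
    """Envelope senders you do not own, or remote sites throttling you, mean
    the server is sending mail that did not originate with your users."""
    return s["foreign_sender"] > 0 or s["throttled"] > 0


if __name__ == "__main__":
    stats = summarize(SAMPLE_EVENTS)
    print("events:", stats["events"], "unknown recipients:", stats["unknown_recipient"],
          "throttled:", stats["throttled"], "foreign senders:", stats["foreign_sender"])
    print("spam run?", looks_like_spam_run(stats))
```

Applied to the two events posted above, the same logic flags them at once: MAIL FROM:<hi5@hi.com> is not a domain this server owns, and the 450 "too much mail from 74.94.239.233" reply is a remote site throttling the server's own public address. Neither event is the problem to fix; they are the remote side's reaction to what the server is already sending.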
 
LVL 3

Author Comment

by:tech911
ID: 35193362
14 Users

25 is closed

Emptying Queues Now
0
 
LVL 76

Accepted Solution

by:Alan Hardisty
Earned 500 total points
ID: 35193484
Okay - if you don't have any users sending mail to your server via SMTP (or devices / remote servers) using Authentication - then ditch Basic & Integrated Windows Authentication permanently - they are simply not needed.

Make sure you have a solid Password policy in place (as per my 1st blog article):

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Then make sure you change passwords regularly and review your firewall to remove any open ports that are not needed.

This sort of problem is on the increase sadly.

But help is at hand in the shape of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
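The original question, which account is being used, is answered by the SMTP virtual server's own protocol log rather than by the Current Sessions view, which only shows connections that are open right now. Logging is switched on in Exchange System Manager under the virtual server's Properties > General tab (W3C Extended Log File Format), and the files land under %WINDIR%\System32\LogFiles\SMTPSVC1\ by default. The script below is an added example, not code from the thread or from Microsoft: it reads that log and counts MAIL commands per (authenticated account, client IP), then lists the submitters whose IP is outside the site's own address space. Assumptions: the #Fields header (whatever field set the admin enabled) includes c-ip, cs-username, cs-method, cs-uri-query and sc-status; cs-username carries the authenticated account on the lines that follow an AUTH answered with 235 (before that it carries the HELO/EHLO name); INTERNAL_NETS is this site's LAN. The log excerpt is constructed, with documentation addresses in place of the real ones.

```python
"""Find the account behind an outbound spam run on an Exchange 2003 SMTP
virtual server by attributing authenticated submissions to (account, IP).
Added example, not code from the thread.  Input is the W3C Extended log the
virtual server writes when logging is enabled (default directory
%WINDIR%\\System32\\LogFiles\\SMTPSVC1\\).  Assumptions: the #Fields header
names c-ip, cs-username, cs-method, cs-uri-query and sc-status; cs-username
carries the authenticated account on lines after an AUTH answered with 235;
INTERNAL_NETS is this site's own address space.  SAMPLE_LOG is constructed."""
import ipaddress
import re
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("192.168.16.0/24")]  # assumption: the LAN
ADDR_RE = re.compile(r"<([^>]*)>")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-22 14:00:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2011-03-22 14:00:01 198.51.100.77 xyz SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 EHLO - +xyz 250
2011-03-22 14:00:01 198.51.100.77 xyz SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 AUTH - LOGIN 334
2011-03-22 14:00:02 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 AUTH - - 235
2011-03-22 14:00:02 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 MAIL - +FROM:<hi5@hi.test> 250
2011-03-22 14:00:02 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 RCPT - +TO:<bob@example.org> 250
2011-03-22 14:00:03 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 MAIL - +FROM:<promo@hi.test> 250
2011-03-22 14:00:03 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 RCPT - +TO:<carol@example.org> 250
2011-03-22 14:00:04 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 MAIL - +FROM:<hi5@hi.test> 250
2011-03-22 14:00:04 198.51.100.77 user SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 RCPT - +TO:<dave@example.net> 250
2011-03-22 14:00:05 192.168.16.40 copier SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 EHLO - +copier 250
2011-03-22 14:00:05 192.168.16.40 copier SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 AUTH - LOGIN 334
2011-03-22 14:00:05 192.168.16.40 scanner SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 AUTH - - 235
2011-03-22 14:00:06 192.168.16.40 scanner SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 MAIL - +FROM:<scanner@example.com> 250
2011-03-22 14:00:06 192.168.16.40 scanner SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 RCPT - +TO:<alice@example.com> 250
2011-03-22 14:00:07 203.0.113.9 mx.partner.test SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 EHLO - +mx.partner.test 250
2011-03-22 14:00:07 203.0.113.9 mx.partner.test SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 MAIL - +FROM:<ann@partner.test> 250
2011-03-22 14:00:07 203.0.113.9 mx.partner.test SMTPSVC1 SGB-FILE-SRV 192.168.16.2 0 RCPT - +TO:<alice@example.com> 250
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def attribute_submissions(text):
    """Count MAIL commands per (account, client IP) in authenticated sessions.
    Sessions are keyed by client IP only, a simplification: two concurrent
    sessions from one IP would be merged.  Unauthenticated inbound MTAs
    (no AUTH/235 from that IP) are ignored, as they are ordinary delivery."""
    authed = set()
    report = defaultdict(lambda: {"count": 0, "senders": set()})
    for rec in parse_w3c(text):
        ip, verb = rec["c-ip"], rec["cs-method"].upper()
        if verb == "AUTH" and rec["sc-status"] == "235":
            authed.add(ip)
        elif verb == "MAIL" and ip in authed:
            entry = report[(rec["cs-username"], ip)]
            entry["count"] += 1
            m = ADDR_RE.search(rec["cs-uri-query"])
            if m:
                entry["senders"].add(m.group(1).lower())
        elif verb == "QUIT":
            authed.discard(ip)
    return dict(report)


def suspects(report, min_count=1):
    """Authenticated submitters outside INTERNAL_NETS, busiest first."""
    rows = [(acct, ip, e["count"], sorted(e["senders"]))
            for (acct, ip), e in report.items()
            if not is_internal(ip) and e["count"] >= min_count]
    return sorted(rows, key=lambda r: -r[2])


if __name__ == "__main__":
    for acct, ip, n, senders in suspects(attribute_submissions(SAMPLE_LOG)):
        print(f"{acct} from {ip}: {n} authenticated MAIL FROM, sending as {', '.join(senders)}")
```

On the constructed excerpt the only external authenticated submitter is "user" from 198.51.100.77, sending as addresses in a domain the site does not own, which is the pattern the question describes. The in-house scanner also authenticates, but from the LAN, and the partner MX never authenticates at all, so neither is listed. Once the account is known, the thread's steps apply: reset its password, and if nothing legitimately needs to authenticate to the SMTP virtual server, remove Basic and Integrated Windows Authentication so a guessed password no longer buys relay access.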
 
LVL 3

Author Comment

by:tech911
ID: 35193817
Appears to have solved the problem.  An account had been compromised.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193823
That's the usual reason!
0
