Exchange 2003 SBS - Mail being sent from system by unknown account?

I believe one of our accounts may have been compromised.

I have a user callled "User" that appears to be relaying mail from an IP that is not in our block.

If I look under Exchange System Mgr. > Servers >Protocols>SMTP> Default>Current Sessions

I see an account called User and a from IP of 219.166.3.138 which I have no idea who that is.

How can I tell which account on my side has been compromised?

Thanks,
LVL 3
tech911Asked:
Who is Participating?
 
Alan HardistyConnect With a Mentor Co-OwnerCommented:
Okay - if you don't have any users sending mail to your server via SMTP (or devices / remote servers) using Authentication - then ditch Basic & Integrated Windows Authentication permanently - they are simply not needed.

Make sure you have a solid Password policy in place (as per my 1st blog article):

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Then make sure you changes passwords regularly and review your firewall to remove any open ports that are not needed.

This sort of problem is on the increase sadly.

But help is at hand in the shape of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
 
tech911Author Commented:
Thanks Alan, I will try that and update you later on today.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Alan HardistyCo-OwnerCommented:
No problems - shout if you get stuck - I'm around for about 6 hours still!
0
 
tech911Author Commented:
In application log seeing alot of 7004 errors.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:

This is an SMTP protocol error log for virtual server ID 1, connection #35565. The remote host "74.208.5.90", responded to the SMTP command "rcpt" with "550 5.1.1 <colinscott@toke.com>... User is unknown {mx-us013}  ". The full command sent was "RCPT TO:<colinscott@toke.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


What does this mean?
0
 
tech911Author Commented:
Also seeing 7002 errors..

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #35564. The remote host "209.126.213.95", responded to the SMTP command "mail" with "450 4.7.1 Error: too much mail from 74.94.239.233  ". The full command sent was "MAIL FROM:<hi5@hi.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

What does this mean?
0
 
Alan HardistyCo-OwnerCommented:
Ignore those - they are messages caused by the spam being sent to invalid accounts.

How many users on your domain?

You need to act quickly!

Ideally block outbound port 25 so no more mail can leave your server until you work out which account is compromised, or remove basic & integrated authentication, restart the SMTP service, empty your queues with aqadmcli.exe and then open up port 25 outbound again for your server.
0
 
tech911Author Commented:
14 Users

25 is closed

Emptying Queues Now
0
 
tech911Author Commented:
Appears to have solved the problem.  An account had been compromised.
0
 
Alan HardistyCo-OwnerCommented:
That's the usual reason!
0
All Courses

From novice to tech pro — start learning today.