Solved

Exchange 2003 SBS - Mail being sent from system by unknown account?

Posted on 2011-03-22
10
687 Views
Last Modified: 2012-05-11
I believe one of our accounts may have been compromised.

I have a user callled "User" that appears to be relaying mail from an IP that is not in our block.

If I look under Exchange System Mgr. > Servers >Protocols>SMTP> Default>Current Sessions

I see an account called User and a from IP of 219.166.3.138 which I have no idea who that is.

How can I tell which account on my side has been compromised?

Thanks,
0
Comment
Question by:tech911
  • 5
  • 5
10 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192861
0
 
LVL 3

Author Comment

by:tech911
ID: 35192957
Thanks Alan, I will try that and update you later on today.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192991
No problems - shout if you get stuck - I'm around for about 6 hours still!
0
 
LVL 3

Author Comment

by:tech911
ID: 35193029
In application log seeing alot of 7004 errors.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:

This is an SMTP protocol error log for virtual server ID 1, connection #35565. The remote host "74.208.5.90", responded to the SMTP command "rcpt" with "550 5.1.1 <colinscott@toke.com>... User is unknown {mx-us013}  ". The full command sent was "RCPT TO:<colinscott@toke.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


What does this mean?
0
 
LVL 3

Author Comment

by:tech911
ID: 35193042
Also seeing 7002 errors..

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #35564. The remote host "209.126.213.95", responded to the SMTP command "mail" with "450 4.7.1 Error: too much mail from 74.94.239.233  ". The full command sent was "MAIL FROM:<hi5@hi.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

What does this mean?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193085
Ignore those - they are messages caused by the spam being sent to invalid accounts.

How many users on your domain?

You need to act quickly!

Ideally block outbound port 25 so no more mail can leave your server until you work out which account is compromised, or remove basic & integrated authentication, restart the SMTP service, empty your queues with aqadmcli.exe and then open up port 25 outbound again for your server.
0
 
LVL 3

Author Comment

by:tech911
ID: 35193362
14 Users

25 is closed

Emptying Queues Now
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35193484
Okay - if you don't have any users sending mail to your server via SMTP (or devices / remote servers) using Authentication - then ditch Basic & Integrated Windows Authentication permanently - they are simply not needed.

Make sure you have a solid Password policy in place (as per my 1st blog article):

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Then make sure you changes passwords regularly and review your firewall to remove any open ports that are not needed.

This sort of problem is on the increase sadly.

But help is at hand in the shape of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
 
LVL 3

Author Comment

by:tech911
ID: 35193817
Appears to have solved the problem.  An account had been compromised.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193823
That's the usual reason!
0

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now