Solved

Exchange 2003 SBS - Mail being sent from system by unknown account?

Posted on 2011-03-22
Last Modified: 2012-05-11
I believe one of our accounts may have been compromised.

I have a user called "User" that appears to be relaying mail from an IP that is not in our block.

If I look under Exchange System Mgr. > Servers > Protocols > SMTP > Default > Current Sessions

I see an account called User and a from IP of 219.166.3.138 which I have no idea who that is.

How can I tell which account on my side has been compromised?

Thanks,
Question by:tech911
10 Comments
 
LVL 3

Author Comment

by:tech911
ID: 35192957
Thanks Alan, I will try that and update you later on today.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35192991
No problems - shout if you get stuck - I'm around for about 6 hours still!
0
 
LVL 3

Author Comment

by:tech911
ID: 35193029
In application log seeing a lot of 7004 errors.

Event Type:      Error
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7004
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:

This is an SMTP protocol error log for virtual server ID 1, connection #35565. The remote host "74.208.5.90", responded to the SMTP command "rcpt" with "550 5.1.1 <colinscott@toke.com>... User is unknown {mx-us013}  ". The full command sent was "RCPT TO:<colinscott@toke.com>  ".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


What does this mean?
0
 
LVL 3

Author Comment

by:tech911
ID: 35193042
Also seeing 7002 errors..

Event Type:      Warning
Event Source:      MSExchangeTransport
Event Category:      SMTP Protocol
Event ID:      7002
Date:            3/22/2011
Time:            3:17:26 PM
User:            N/A
Computer:      SGB-FILE-SRV
Description:
This is an SMTP protocol warning log for virtual server ID 1, connection #35564. The remote host "209.126.213.95", responded to the SMTP command "mail" with "450 4.7.1 Error: too much mail from 74.94.239.233  ". The full command sent was "MAIL FROM:<hi5@hi.com>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.

What does this mean?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193085
Ignore those - they are messages caused by the spam being sent to invalid accounts.

How many users on your domain?

You need to act quickly!

Ideally block outbound port 25 so no more mail can leave your server until you work out which account is compromised, or remove basic & integrated authentication, restart the SMTP service, empty your queues with aqadmcli.exe and then open up port 25 outbound again for your server.
0
 
LVL 3

Author Comment

by:tech911
ID: 35193362
14 Users

25 is closed

Emptying Queues Now
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 35193484
Okay - if you don't have any users sending mail to your server via SMTP (or devices / remote servers) using Authentication - then ditch Basic & Integrated Windows Authentication permanently - they are simply not needed.

Make sure you have a solid Password policy in place (as per my 1st blog article):

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

Then make sure you change passwords regularly and review your firewall to remove any open ports that are not needed.

This sort of problem is on the increase sadly.

But help is at hand in the shape of my article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html
0
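The question asked above is which account is authenticating from outside the organisation's IP block. The following is an added example, not code from this thread or from Alan's articles: it scans the SMTP virtual server's protocol log and counts AUTH attempts per account from external addresses. It assumes the log is in W3C extended format with the column order given by its #Fields header, and that the cs-username column holds the account the client authenticated as; the log lines and the 192.0.2.0/24 range are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of an SMTP virtual server protocol log (W3C extended format).
# Column order is read from the #Fields header rather than hard-coded.
# Assumption: cs-username holds the account name the client authenticated as.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-03-22 15:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2011-03-22 15:01:02 192.0.2.15 User SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 AUTH - LOGIN 334
2011-03-22 15:01:03 192.0.2.15 User SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 MAIL - FROM:<user@example.com> 250
2011-03-22 15:17:20 219.166.3.138 User SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 AUTH - LOGIN 334
2011-03-22 15:17:21 219.166.3.138 User SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 MAIL - FROM:<hi5@hi.com> 250
2011-03-22 15:18:40 219.166.3.138 User SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 AUTH - LOGIN 334
2011-03-22 15:20:00 198.51.100.7 - SMTPSVC1 SGB-FILE-SRV 192.0.2.5 25 MAIL - FROM:<partner@example.net> 250
"""

# Address space the organisation owns (constructed); anything else is outside "our block".
OUR_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log record appears before the #Fields header")
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed records rather than misalign columns
                yield dict(zip(fields, parts))

def is_external(ip_text, networks=OUR_NETWORKS):
    """True when the client address is not inside any of our networks."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in networks)

def suspicious_auth(text, networks=OUR_NETWORKS):
    """Return {account: {source_ip: AUTH attempts}} for logins from outside our networks."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() != "AUTH" or rec["cs-username"] == "-":
            continue  # not an authentication attempt, or no account name recorded
        if is_external(rec["c-ip"], networks):
            hits[rec["cs-username"]][rec["c-ip"]] += 1
    return {account: dict(by_ip) for account, by_ip in hits.items()}
```

Any account listed in the result is the one to reset and review; unauthenticated inbound mail from external hosts (the partner line) is deliberately not flagged.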
 
LVL 3

Author Comment

by:tech911
ID: 35193817
Appears to have solved the problem.  An account had been compromised.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35193823
That's the usual reason!
0
