Worst Nightmare: Internal SMTP server compromised - sending spam - now blacklisted

Please post, but realize I shut down my inbound mail for the time being.

I have an Exchange FE/BE setup. My FE is inbound mail only, or was until today (or yesterday): it has been compromised and is sending out THOUSANDS of spam messages as Mike Morris <secretshopper@gmail.com>.

I suspect a PC compromise found my SMTP server and is sending off it.  I have 1000+ messages queued with my outbound mail currently disabled.

My IP has been blacklisted by SORBS and Barracuda. I have scanned my network with ESET NOD 32 v4.2 to no avail.

I need help determining the potential source.

If you can help please send a note to buffsr1 at gmail dot com
TumacLumber Author Commented:
Shut everything down on my network and disconnected ALL my VPNs.

The only things up are my 2 Exchange servers, my PC and a domain controller.

My external IP passes all relay tests I have tried. Yet this a-hole is able to relay off my server. Why I didn't check connections first is beyond me, but I assumed since my relay was locked down it must be an internal trojan relaying off my internal SMTP.

Blocking the IP in the firewall for now, but would like help understanding why this guy can relay when the tests say no relay.

   POS Spammer
Easy fix is to turn open relay off. Why would you have open relay active?
You can lock it by account or lock it by IP if you need relay, but open is not best practice and ends with what you have.
TumacLumber Author Commented:
It is not open to the outside world. It may have been open internally, which is why I think it may be an internal source that found it. That still doesn't help me determine the source of the connections.

After disabling outbound mail on the server, if I open the messages in the queue folder, the source IP is a public IP. Can this be spoofed internally? I have run my public IP against several open relay tests and they all pass.

Since everyone is going home, and I am lucky we are small, I have shut all the PCs down and it appears to have stopped. Now I get to start 1 by 1.

TumacLumber Author Commented:
Sorry stopped because I disabled internal relay.

All devices except Exchange servers and PCs shut down. Still happening. Need to determine if it is coming from outside or another location.
TumacLumber Author Commented:
Header of outgoing spam:


Received: from User ([]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
X-OriginalArrivalTime: 23 Mar 2011 14:59:17.0810 (UTC) FILETIME=[E206E920:01CBE96A]
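Added example, not code from the thread or from any poster: a small Python header-triage script a defender can point at the .eml files sitting in the queue folder to answer exactly the question above, "which client handed this message to my front end, and is it inside or outside my network?" It parses Received: headers (unfolding continuation lines), pulls out the HELO name and client IP of the hop that entered the local server, checks that IP against RFC 1918 / loopback / link-local space, and flags the usual tell-tales: a bare HELO name like "User", a Message-ID assigned by the local domain for a From address at someone else's domain, and a Reply-To that differs from From. The sample headers are constructed from the ones posted above, with the scrubbed "[]" replaced by a documentation-range address (203.0.113.45) so the hop parses; "mydomain.com" is the placeholder the poster used. One caveat worth keeping in mind when reading the output: an external open-relay test only exercises anonymous relay, so a server that passes it can still relay for a client that authenticates with stolen mailbox credentials, which is why correlating the client IP from the queue with SMTP authentication logs matters.

```python
"""Triage queued-message headers to locate the client that submitted them."""
import ipaddress
import re
from collections import Counter

# Address space the admin treats as "inside": RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample modelled on the posted header; the scrubbed "[]" is replaced
# with a documentation-range address (203.0.113.45) so the Received: hop parses.
SAMPLE_HEADERS = """Received: from User ([203.0.113.45]) by mydomain.com with Microsoft SMTPSVC(6.0.3790.4675);
       Wed, 23 Mar 2011 07:59:17 -0700
Reply-To: <mikemorrm@aol.com>
From: "Mike Morris"<shopperupdates@gmail.com>
Date: Wed, 23 Mar 2011 14:56:09 -0000
MIME-Version: 1.0
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Return-Path: shopperupdates@gmail.com
Message-ID: <EX2oVNkEcjVtwxYi2zQ000008b6@mydomain.com>
"""

# "from HELO (ip)" / "from HELO ([ip])" / "from HELO (rdns [ip])", then optional "by HOST"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:[^\s\[\]()]+\s+)?\[?(?P<ip>[^\]\)\s]*)\]?\)"
    r"(?:\s+by\s+(?P<by>\S+))?", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def parse_headers(raw):
    """Return (name, value) pairs with folded continuation lines unfolded."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            if headers:
                break  # blank line ends the header block
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def received_hops(headers):
    """Parse each Received: header into HELO name, client IP and receiving host."""
    hops = []
    for name, value in headers:
        if name != "received":
            continue
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({"helo": m["helo"], "ip": m["ip"], "by": m["by"] or ""})
    return hops


def classify_ip(ip, internal_nets=INTERNAL_NETS):
    """'internal', 'external', or 'unknown' for an empty/scrubbed address like '[]'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unknown"
    return "internal" if any(addr in n for n in internal_nets) else "external"


def domain_of(value):
    m = ADDR_RE.search(value)
    return m.group(1).lower() if m else ""


def triage(raw, local_domain, internal_nets=INTERNAL_NETS):
    headers = parse_headers(raw)
    h = dict(headers)  # last value wins; fine for the single-valued fields used here
    hops = received_hops(headers)
    # Received: lines are prepended, so the last one is where the message entered our server.
    entry = hops[-1] if hops else {"helo": "", "ip": "", "by": ""}
    scope = classify_ip(entry["ip"], internal_nets)
    local = local_domain.lower()
    findings = []
    if scope in ("external", "internal"):
        findings.append(f"message entered {entry['by'] or 'our server'} from "
                        f"{scope} address {entry['ip']}")
    if entry["helo"] and "." not in entry["helo"]:
        findings.append(f"HELO name {entry['helo']!r} is not a fully qualified host name")
    from_dom = domain_of(h.get("from", ""))
    if from_dom and from_dom != local and domain_of(h.get("message-id", "")) == local:
        findings.append(f"Message-ID assigned by {local} but From domain is {from_dom}")
    reply_dom = domain_of(h.get("reply-to", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"client_ip": entry["ip"], "client_scope": scope,
            "helo": entry["helo"], "findings": findings}


def summarize_queue(raw_messages, local_domain):
    """Count queued messages per submitting client so the busiest source stands out."""
    counts = Counter()
    for raw in raw_messages:
        t = triage(raw, local_domain)
        counts[(t["client_ip"] or "<scrubbed>", t["client_scope"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS, "mydomain.com")["findings"]:
        print("-", finding)
    print(summarize_queue([SAMPLE_HEADERS, SAMPLE_HEADERS], "mydomain.com"))
```

To run it over a real queue, read each queued file's header block into a string and pass the list to summarize_queue(); the (IP, scope) pair with the highest count is the client to look up in the firewall and in the SMTP service logs.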

TumacLumber Author Commented:
Looked for help on how the spammer got around the closed relay from outside and got no responses.