Windows SBS 2003 - Exchange Hijacked??

Posted on 2011-05-09
Last Modified: 2012-05-11
One of my clients' SBS 2003 servers is, I believe, hijacked. At 3am this morning, event log errors began firing away and the Exchange manager queue is jam-packed with what looks like tons of spam messages. The number is growing at an exponential rate and I have no idea how to stop it and stop the hijack process. I also need some assistance in blowing away the queue. I do not want to go one by one and delete because that would just take hours upon hours. Any help here is greatly appreciated. Attachments: eventlog.pdf, malwarebytes-quickscanrtf.pdf
Question by:PCNNY
    LVL 13

    Accepted Solution

    Three main possibilities:

    1. You're running an open relay. There are many relay testers. Here's one I've used many times:

    2. One or more of your users' passwords have been compromised. Many systems are configured to allow relaying if the user authenticates prior to sending via SMTP. So have all users change their passwords. The easy way is to use the SBS password policy wizard. It marks non-admin passwords so they will need to be changed upon the next logon. Also double-check your guest account isn't enabled. It's an easy target for this type of attack.

    3. One or more of your systems has been infected and is generating the SPAM. Run anti-virus / anti-malware scans on all systems.

    Note I've listed these in the order I recommend you check them. Once you're not getting more new SPAM messages in the queue, you can then clean the queues of the "garbage". Also note your mail server may get blacklisted due to the SPAM, so watch for it too. This is a good site for blacklist checking: There are several checkers out there. Just search "blacklist check" via any search engine.
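Deciding which of the three possibilities applies is easier when you read the SMTP virtual server's own log rather than the queue. The script below is an added example, not code from the answer above or from Microsoft: it assumes W3C extended logging is enabled on the Default SMTP Virtual Server, and the field list in the constructed sample log is an assumption based on the IIS W3C format (the parser reads whatever `#Fields:` header your log carries). `LOCAL_DOMAINS` and `LOCAL_NETS` are placeholders for your own accepted domains and LAN ranges. It counts `MAIL` commands per client IP and authenticated user, keeps only sessions that got an accepted `RCPT` to a non-local domain (that is, actual relaying), and labels each heavy sender with the matching possibility: an authenticated user points at a compromised password, an unauthenticated LAN address at an infected host, and an unauthenticated outside address at an open relay. Relay attempts the server rejected with 550, and ordinary inbound mail to local mailboxes, are not flagged.

```python
import ipaddress
from collections import Counter

# Placeholders: your accepted SMTP domains and your internal network ranges.
LOCAL_DOMAINS = {"example.com"}
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample of an Exchange 2003 SMTP virtual server log in IIS W3C
# extended format, trimmed to a few fields. The parser reads the #Fields:
# header, so your own log's longer field list works the same way.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-05-09 03:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2011-05-09 03:00:01 198.51.100.7 - 192.0.2.10 25 AUTH - LOGIN 235
2011-05-09 03:00:01 198.51.100.7 jsmith 192.0.2.10 25 MAIL - +FROM:<jsmith@example.com> 250
2011-05-09 03:00:02 198.51.100.7 jsmith 192.0.2.10 25 RCPT - +TO:<a@example.net> 250
2011-05-09 03:00:02 198.51.100.7 jsmith 192.0.2.10 25 MAIL - +FROM:<jsmith@example.com> 250
2011-05-09 03:00:03 198.51.100.7 jsmith 192.0.2.10 25 RCPT - +TO:<b@example.org> 250
2011-05-09 03:00:03 198.51.100.7 jsmith 192.0.2.10 25 MAIL - +FROM:<jsmith@example.com> 250
2011-05-09 03:00:04 198.51.100.7 jsmith 192.0.2.10 25 RCPT - +TO:<c@example.net> 250
2011-05-09 03:00:05 192.0.2.55 - 192.0.2.10 25 MAIL - +FROM:<promo@spam.example> 250
2011-05-09 03:00:05 192.0.2.55 - 192.0.2.10 25 RCPT - +TO:<d@example.org> 250
2011-05-09 03:00:06 192.0.2.55 - 192.0.2.10 25 MAIL - +FROM:<promo@spam.example> 250
2011-05-09 03:00:06 192.0.2.55 - 192.0.2.10 25 RCPT - +TO:<e@example.net> 250
2011-05-09 03:00:07 203.0.113.9 - 192.0.2.10 25 MAIL - +FROM:<friend@example.net> 250
2011-05-09 03:00:07 203.0.113.9 - 192.0.2.10 25 RCPT - +TO:<bob@example.com> 250
2011-05-09 03:00:08 203.0.113.20 - 192.0.2.10 25 MAIL - +FROM:<x@example.org> 250
2011-05-09 03:00:08 203.0.113.20 - 192.0.2.10 25 RCPT - +TO:<y@example.net> 550
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated record; skip rather than guess
        yield dict(zip(fields, values))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def address_domain(query):
    """Extract the domain from a cs-uri-query such as +FROM:<u@dom> or +TO:<u@dom>."""
    start, end = query.find("<"), query.find(">")
    if start == -1 or end == -1:
        return ""
    return query[start + 1:end].rpartition("@")[2].lower()


def triage(text):
    """Rank sending sessions by MAIL count and label the likely cause of relaying."""
    mail_counts = Counter()   # (client ip, auth user) -> MAIL commands
    relayed = Counter()       # (client ip, auth user) -> accepted RCPT to non-local domains
    for rec in parse_w3c(text):
        key = (rec["c-ip"], rec["cs-username"])
        if rec["cs-method"] == "MAIL":
            mail_counts[key] += 1
        elif rec["cs-method"] == "RCPT" and rec["sc-status"] == "250":
            if address_domain(rec["cs-uri-query"]) not in LOCAL_DOMAINS:
                relayed[key] += 1
    findings = []
    for (ip, user), n in mail_counts.most_common():
        if relayed[(ip, user)] == 0:
            continue  # inbound delivery to local mailboxes, or a rejected relay attempt
        if user != "-":
            cause = "compromised account (possibility 2)"
        elif is_internal(ip):
            cause = "infected internal host (possibility 3)"
        else:
            cause = "open relay (possibility 1)"
        findings.append({"ip": ip, "user": user, "messages": n,
                         "relayed_rcpt": relayed[(ip, user)], "likely_cause": cause})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']:<15} {f['user']:<10} {f['messages']:>4} msgs  {f['likely_cause']}")
```

Point it at a real log (the SMTP virtual server writes them under the logging directory set on its General tab) by reading the file into `triage`. The output for the constructed sample flags `jsmith` from an outside address as a compromised account and 192.0.2.55 as an infected LAN host, which is exactly the order of checks the answer recommends: reset the flagged user's password first, then scan the flagged machine.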


    LVL 34

    Expert Comment

    by:Shreedhar Ette
    LVL 9

    Assisted Solution

    As an addition to the above I would turn off port 25 on your firewall instantly.
    And disable any Exchange connectors.
    I've cleaned up numerous clients who have been hit by an NDR attack.
    You may well NOT be an NDR victim and as such you should follow the above advice.
    However, with ref to cleaning up your queues, which can be a very, very, very laborious, mundane task, use the following tool which will quickly clean your queue for you.

    It quickly runs through deleting all the spam email in your queue, saving you doing it manually.
    When it finishes just use the up arrow on the keyboard to paste the command back in and keep running it numerous times until it cannot find any more spam to delete.
    LVL 8

    Expert Comment

    by:I Qasmi
    1) First stop the SMTP service.

    2) Open the Properties of the Default SMTP Virtual Server

    3) Go to Messages and find the Queue directory path, for example:
    C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue

    4) Open My Computer, go to C:\Program Files\Exchsrvr\Mailroot and rename the vsi 1 folder
    (Make sure that the SMTP service is stopped)

    5) Open Default SMTP Virtual Server Properties > General > Advanced
    Click Edit and enable Apply Intelligent Message Filter and press OK

    6) Go to Global Settings > Message Delivery Properties > Sender Filtering
    Adjust the settings there and add the suspected mail ID through which mails are received
    Also Recipient Filtering according to your needs

    7) Restarting the SMTP service will create a new C:\Program Files\Exchsrvr\Mailroot\vsi 1 folder
    Now check the queues for stuck mails
