Hacked Exchange 2003 server

Posted on 2011-09-12
Medium Priority
Last Modified: 2012-05-12
I have an SBS 2003 server and I've got a bunch of messages being sent from a user (which are spam, in Chinese...), but I know the user is NOT sending the messages.  I'm assuming it's a virus on a workstation or something, but I can't figure out where the original messages are coming from.  Message tracking is on for Exchange 2003, but I need help figuring out where the messages are originating from.

The really weird part is that I changed the user's password.  Also, the emails are originating from the SMTP address on their account that ISN'T the primary SMTP address.
Question by: noahmehl
Expert Comment

ID: 36521500
Here's what I'd test:

Check that your mail server isn't an open relay; Google 'open relay tests'.  This type of spam may be 'backscatter'; I'd have a look for that too.

Check you have the latest Service Pack for Exchange 2003 (2, I think), as that comes with some anti-spam tools.

There's a good tool for scanning PCs and servers from Trend; Google 'Trend online scan'.  This will scan the LOCAL PC or server for viruses and malware.

Do you have a centrally installed AV product on your server like Sophos or McAfee?  If so, create a new task to scan the network; otherwise you'll have to scan each PC one at a time!

Expert Comment

ID: 36522230
Check if the server is an open relay, and block port 25 for the computers so that only your mail server is allowed to send mail from your network.
Also check the logs of the firewall to see which computer is trying to send mail, and fix the infected computer.

Author Comment

ID: 36522866

These answers are really lame!

First of all, my server is not an open smtp relay!

Secondly, Exchange is fully updated.

Third, I have Kaspersky Enterprise Space Security Installed on every workstation and server, all reporting to a central Kaspersky Administration Console.  No workstation or Server has a virus/worm/etc that's been found so far.

Finally, even if all of this is true, I'm asking how to find in the Exchange logs, where the originating IP address is?  I've looked through the message tracking, but I can't seem to find that kind of detail anywhere.  Anyone?

Assisted Solution

noahmehl earned 0 total points
ID: 36523184
Attached is a message tracking window for one of the spam messages: Spam Message
Also attached is a legitimate message from the same account: Legitimate Message
The legitimate message was sent with Outlook 2003.  I've noticed that the "SMTP: Store Driver; Message Submitted from Store" event is missing from the spam message.  I'm now thinking that the spam messages didn't originate from any of the workstations.  What I want to know is all of the ways that the "Store Driver" event wouldn't happen.  I'm thinking that this is either a web-based problem or one local to the Exchange server.

On the other hand, manually changing the user's password seems to have stopped the problem.  But I want to be able to tell where the messages came from in the first place.

Also, the Message History doesn't tell me anything about the message, like where it originated from, what the contents were, etc...

Expert Comment

ID: 36523201
'Wow, these answers are really lame!' Best of luck solving this by yourself from now on Noah.

Author Comment

ID: 36523231
Well, icuadmin, I'm expecting more since I pay money for this site.  Plus your tone sucked.  It becomes insulting when you ask if the server is an open relay.  I thought this was a site for professionals...

Author Comment

ID: 36523243
Also, you didn't answer my original question: "...I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from."

Accepted Solution

noahmehl earned 0 total points
ID: 36523357
Anyways, I figured it out.  Apparently, the actual message tracking .log file has client-ip information in it.  A hacker in China figured out the password for a user and was probably using authenticated SMTP relay.  Changing the user's password to something strong solved the problem.
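The log hunt the accepted solution describes, and the missing "Store Driver" event noted in the assisted solution, as an added example that is not part of the original thread: a small Python script that reads an Exchange 2003 message tracking log (one tab-delimited file per day with a "#Fields:" header), groups events by MSGID for all of the account's SMTP addresses, and reports messages that never passed through the store driver and whose client-ip lies outside the LAN. The sample log, server name, addresses and subjects below are constructed; the column names are taken from the "#Fields:" header Exchange 2003 writes, and the event ID 1019 for "Message Submitted from Store" is assumed from Exchange's tracking event table, so check both against your own file before trusting the output.

```python
"""Find externally submitted mail for one account in an Exchange 2003
message tracking log (the raw .log under the server's tracking share,
not the Message History window in Exchange System Manager).

Added example: sample data, names and addresses are constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Event the GUI shows as "SMTP: Store Driver; Message Submitted from Store".
# Assumed value; confirm against a known-good Outlook message in your log.
EVENT_STORE_SUBMIT = 1019

# Column names as written in the #Fields header of an Exchange 2003 tracking log.
FIELDS = ["Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
          "Server-hostname", "server-IP", "Recipient-Address", "Event-ID",
          "MSGID", "Priority", "Recipient-Report-Status", "total-bytes",
          "Number-Recipients", "Origination-Time", "Encryption",
          "service-Version", "Linked-MSGID", "Message-Subject", "Sender-Address"]


def _row(client_ip, recipient, event_id, msgid, subject, sender):
    """Build one constructed log line; columns not needed here get filler values."""
    return "\t".join([
        "2011-9-12", "8:15:3 GMT", client_ip, "-", "-", "SBS01", "192.168.1.5",
        recipient, str(event_id), msgid, "0", "0", "4321", "1",
        "2011-9-12 8:15:3 GMT", "0", "Version: 6.0.3790.3959", "-", subject, sender,
    ])


# Constructed sample log. Event IDs other than 1019 stand in for the normal
# queue/routing chain; the code does not depend on their exact values.
# 203.0.113.77 and 198.51.100.9 are RFC 5737 documentation addresses.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "#Version: 6.5.0",
    "#Fields: " + "\t".join(FIELDS),
    # Legitimate Outlook 2003 message: submitted through the store driver,
    # client-ip is the Exchange server itself.
    _row("192.168.1.5", "jane@partner.example", 1019, "m1@sbs01", "Q3 budget", "jsmith@corp.example"),
    _row("192.168.1.5", "jane@partner.example", 1029, "m1@sbs01", "Q3 budget", "jsmith@corp.example"),
    # Spam: arrives over SMTP from an outside host using the account's
    # secondary proxy address. No store-driver event ever appears.
    _row("203.0.113.77", "victim1@example.net", 1025, "m2@sbs01", "特价商品", "john.smith@corp.example"),
    _row("203.0.113.77", "victim1@example.net", 1029, "m2@sbs01", "特价商品", "john.smith@corp.example"),
    _row("203.0.113.77", "victim2@example.org", 1025, "m3@sbs01", "特价商品", "john.smith@corp.example"),
    # Ordinary inbound mail from a different sender: must not be reported.
    _row("198.51.100.9", "jsmith@corp.example", 1025, "m4@mail.example.net", "Invoice", "billing@example.net"),
])


def parse_tracking_log(text):
    """Return one dict per event line, keyed by the names in the #Fields header."""
    fields, events = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.lstrip("# ").lower().startswith("fields:"):
                fields = raw.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split("\t")
        if len(values) != len(fields):
            continue  # truncated line: skip it rather than mis-map columns
        events.append(dict(zip(fields, values)))
    return events


def messages_for_sender(events, sender_addresses):
    """Group events by MSGID for every SMTP address on the account (not just the primary)."""
    wanted = {a.lower() for a in sender_addresses}
    by_msg = defaultdict(list)
    for ev in events:
        if ev["Sender-Address"].lower() in wanted:
            by_msg[ev["MSGID"]].append(ev)
    return dict(by_msg)


def is_internal(client_ip, internal_nets):
    """True for LAN addresses and for '-' / hostnames (a local, non-SMTP submission)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True
    return any(addr in net for net in internal_nets)


def external_submissions(by_msg, internal_nets):
    """Messages with no store-driver event and at least one client-ip outside the LAN."""
    findings = {}
    for msgid, evs in by_msg.items():
        if any(ev["Event-ID"] == str(EVENT_STORE_SUBMIT) for ev in evs):
            continue  # came from the mailbox store (Outlook/MAPI), not over SMTP
        remote = sorted({ev["client-ip"] for ev in evs
                         if not is_internal(ev["client-ip"], internal_nets)})
        if remote:
            findings[msgid] = {"client_ips": remote, "sender": evs[0]["Sender-Address"],
                               "subject": evs[0]["Message-Subject"]}
    return findings


def hunt(text, sender_addresses, internal_cidrs):
    """Run the whole pipeline; returns (flagged messages, count of messages per remote IP)."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    findings = external_submissions(messages_for_sender(parse_tracking_log(text), sender_addresses), nets)
    per_ip = Counter(ip for f in findings.values() for ip in f["client_ips"])
    return findings, per_ip


if __name__ == "__main__":
    found, per_ip = hunt(SAMPLE_LOG, ["jsmith@corp.example", "john.smith@corp.example"], ["192.168.1.0/24"])
    for msgid, f in found.items():
        print(msgid, f["sender"], f["client_ips"], f["subject"])
    print(per_ip.most_common())
```

Feed it the real file with `hunt(open(path, encoding="utf-8", errors="replace").read(), proxy_addresses, ["192.168.1.0/24"])`, listing every proxy address on the mailbox, since in this thread the spam used a secondary address rather than the primary one. Two caveats: if inbound SMTP is NATed or passes through an internal relay, client-ip records that hop rather than the true origin, and the tracking log shows only that the message arrived over SMTP; the SMTP virtual server's protocol log is where the AUTH exchange itself is recorded, so pair the two to confirm that the relay was authenticated with the user's credentials.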

Author Closing Comment

ID: 36553456
Apparently, Google was much more useful in this case...