Hacked Exchange 2003 server

Posted on 2011-09-12
Last Modified: 2012-05-12
I have a SBS 2003 server and I've got a bunch of messages being sent from a user (which are spam, in chinese...), but I know the user is NOT sending the messages.  I'm assuming it's a virus on a workstation or something, but I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from.

The really weird part, is that I change the user's password.  Also, the emails are originating from the smtp address on their account that ISN'T the primary smtp address.
Question by:noahmehl
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2

Expert Comment

ID: 36521500
Here's what I'd test:

Ccheck that your mail server isn't an open relay,  Google 'open relay tests'.  This type of spam may be 'Back-Scatter' I'd have a look for that too.

Check you have the latest Service Pack for Exchange 2003 (2 I think) as that comes with some Anti-Spam tools.

There'sa good tool for scanning PC's and servers from Trend, Google 'Trend online scan'.  This will scan the LOCAL PC or server for viruses and Malware.

Do you have a centrally installed AV product on your server like Sophos or Mcafee?  Is so, create a new task to scan the network, otherwise you'll have to scan each PC one at a time!

Expert Comment

ID: 36522230
Check if the server is open relay and block port 25 for the computers to only allow your mail server to send mails from your netwerk.
Check also the logs of the firewall to see which computer is trying to send mails and fix the infected computer.

Author Comment

ID: 36522866

These answers are really lame!

First of all, my server is not an open smtp relay!

Secondly, Exchange if fully updated.

Third, I have Kaspersky Enterprise Space Security Installed on every workstation and server, all reporting to a central Kaspersky Administration Console.  No workstation or Server has a virus/worm/etc that's been found so far.

Finally, even if all of this is true, I'm asking how to find in the Exchange logs, where the originating IP address is?  I've looked through the message tracking, but I can't seem to find that kind of detail anywhere.  Anyone?


SharePoint Admin?

Enable Your Employees To Focus On The Core With Intuitive Onscreen Guidance That is With You At The Moment of Need.


Assisted Solution

noahmehl earned 0 total points
ID: 36523184
Attached is a message tracking window for one of the spam messages:  Spam Message
Also attached is a legitimate message from the same account:  Legitimate Message
The legitimate message was sent with Outlook 2003.  I've noticed that the "SMTP: Store Driver; Message Submitted from Store" is missing from the spam message.  I'm now thinking that the spam messages then didn't originate from any of the workstations.  What I want to know is all of the ways that the "Store Driver" event wouldn't happen.  I'm thinking that either this is a web based, or local to the exchange server problem.

On the other hand, manually changing the user's passwords seems to have stop the problem.  But I want to be able to tell where the messages came from in the first place.

Also, the Message History doesn't tell me anything about the message.  Like where is originated from, what the contents were, etc...

Expert Comment

ID: 36523201
'Wow, these answers are really lame!' Best of luck solving this by yourself from now on Noah.

Author Comment

ID: 36523231
Well, icuadmin, I'm expecting more since I pay money for this site.  Plus your tone sucked.  It becomes insulting when you ask if the server is an open relay.  I thought this was a site for professionals...

Author Comment

ID: 36523243
Also, you didn't answer my original question: "...I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from."

Accepted Solution

noahmehl earned 0 total points
ID: 36523357
Anyways, I figured it out.  Apparently, the actual message tracking .log has client-ip information in it.  A hacker in China figured out the password for a user, and probably was using authenticated smtp relay.  Changing the user's password to something strong solved the problem.

Author Closing Comment

ID: 36553456
Apparently, Google was much more useful in this case...

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question