Hacked Exchange 2003 server

Posted on 2011-09-12
Last Modified: 2012-05-12
I have a SBS 2003 server and I've got a bunch of messages being sent from a user (which are spam, in chinese...), but I know the user is NOT sending the messages.  I'm assuming it's a virus on a workstation or something, but I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from.

The really weird part, is that I change the user's password.  Also, the emails are originating from the smtp address on their account that ISN'T the primary smtp address.
Question by:noahmehl
  • 6
  • 2

Expert Comment

ID: 36521500
Here's what I'd test:

Ccheck that your mail server isn't an open relay,  Google 'open relay tests'.  This type of spam may be 'Back-Scatter' I'd have a look for that too.

Check you have the latest Service Pack for Exchange 2003 (2 I think) as that comes with some Anti-Spam tools.

There'sa good tool for scanning PC's and servers from Trend, Google 'Trend online scan'.  This will scan the LOCAL PC or server for viruses and Malware.

Do you have a centrally installed AV product on your server like Sophos or Mcafee?  Is so, create a new task to scan the network, otherwise you'll have to scan each PC one at a time!

Expert Comment

ID: 36522230
Check if the server is open relay and block port 25 for the computers to only allow your mail server to send mails from your netwerk.
Check also the logs of the firewall to see which computer is trying to send mails and fix the infected computer.

Author Comment

ID: 36522866

These answers are really lame!

First of all, my server is not an open smtp relay!

Secondly, Exchange if fully updated.

Third, I have Kaspersky Enterprise Space Security Installed on every workstation and server, all reporting to a central Kaspersky Administration Console.  No workstation or Server has a virus/worm/etc that's been found so far.

Finally, even if all of this is true, I'm asking how to find in the Exchange logs, where the originating IP address is?  I've looked through the message tracking, but I can't seem to find that kind of detail anywhere.  Anyone?



Assisted Solution

noahmehl earned 0 total points
ID: 36523184
Attached is a message tracking window for one of the spam messages:  Spam Message
Also attached is a legitimate message from the same account:  Legitimate Message
The legitimate message was sent with Outlook 2003.  I've noticed that the "SMTP: Store Driver; Message Submitted from Store" is missing from the spam message.  I'm now thinking that the spam messages then didn't originate from any of the workstations.  What I want to know is all of the ways that the "Store Driver" event wouldn't happen.  I'm thinking that either this is a web based, or local to the exchange server problem.

On the other hand, manually changing the user's passwords seems to have stop the problem.  But I want to be able to tell where the messages came from in the first place.

Also, the Message History doesn't tell me anything about the message.  Like where is originated from, what the contents were, etc...
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.


Expert Comment

ID: 36523201
'Wow, these answers are really lame!' Best of luck solving this by yourself from now on Noah.

Author Comment

ID: 36523231
Well, icuadmin, I'm expecting more since I pay money for this site.  Plus your tone sucked.  It becomes insulting when you ask if the server is an open relay.  I thought this was a site for professionals...

Author Comment

ID: 36523243
Also, you didn't answer my original question: "...I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from."

Accepted Solution

noahmehl earned 0 total points
ID: 36523357
Anyways, I figured it out.  Apparently, the actual message tracking .log has client-ip information in it.  A hacker in China figured out the password for a user, and probably was using authenticated smtp relay.  Changing the user's password to something strong solved the problem.

Author Closing Comment

ID: 36553456
Apparently, Google was much more useful in this case...

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now