Hacked Exchange 2003 server

Posted on 2011-09-12
Medium Priority
Last Modified: 2012-05-12
I have an SBS 2003 server and I've got a bunch of messages being sent from a user (which are spam, in Chinese...), but I know the user is NOT sending the messages. I'm assuming it's a virus on a workstation or something, but I can't figure out where the original messages are coming from. Message tracking is on for Exchange 2003, but I need help figuring out where the messages are originating from.

The really weird part is that I changed the user's password. Also, the emails are originating from the SMTP address on their account that ISN'T the primary SMTP address.
Question by: noahmehl

Expert Comment

ID: 36521500
Here's what I'd test:

Check that your mail server isn't an open relay; Google 'open relay tests'. This type of spam may be 'backscatter'; I'd have a look for that too.

Check you have the latest Service Pack for Exchange 2003 (2 I think) as that comes with some Anti-Spam tools.

There's a good tool for scanning PCs and servers from Trend; Google 'Trend online scan'. This will scan the LOCAL PC or server for viruses and malware.

Do you have a centrally installed AV product on your server like Sophos or McAfee? If so, create a new task to scan the network; otherwise you'll have to scan each PC one at a time!

Expert Comment

ID: 36522230
Check if the server is an open relay, and block port 25 for the computers so that only your mail server is allowed to send mail from your network.
Also check the logs of the firewall to see which computer is trying to send mail, and fix the infected computer.

Author Comment

ID: 36522866

These answers are really lame!

First of all, my server is not an open smtp relay!

Secondly, Exchange is fully updated.

Third, I have Kaspersky Enterprise Space Security installed on every workstation and server, all reporting to a central Kaspersky Administration Console. No workstation or server has a virus/worm/etc. that's been found so far.

Finally, even if all of this is true, I'm asking how to find the originating IP address in the Exchange logs. I've looked through the message tracking, but I can't seem to find that kind of detail anywhere. Anyone?



Assisted Solution

noahmehl earned 0 total points
ID: 36523184
Attached is a message tracking window for one of the spam messages:  Spam Message
Also attached is a legitimate message from the same account:  Legitimate Message
The legitimate message was sent with Outlook 2003. I've noticed that the "SMTP: Store Driver; Message Submitted from Store" event is missing from the spam message. I'm now thinking that the spam messages didn't originate from any of the workstations. What I want to know is all of the ways that the "Store Driver" event wouldn't happen. I'm thinking that this is either a web-based problem or one local to the Exchange server.

On the other hand, manually changing the user's password seems to have stopped the problem. But I want to be able to tell where the messages came from in the first place.

Also, the Message History doesn't tell me anything about the message, like where it originated from, what the contents were, etc.

Expert Comment

ID: 36523201
'Wow, these answers are really lame!' Best of luck solving this by yourself from now on Noah.

Author Comment

ID: 36523231
Well, icuadmin, I'm expecting more since I pay money for this site.  Plus your tone sucked.  It becomes insulting when you ask if the server is an open relay.  I thought this was a site for professionals...

Author Comment

ID: 36523243
Also, you didn't answer my original question: "...I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from."

Accepted Solution

noahmehl earned 0 total points
ID: 36523357
Anyways, I figured it out. Apparently, the actual message tracking .log has client-ip information in it. A hacker in China figured out the password for a user, and was probably using authenticated SMTP relay. Changing the user's password to something strong solved the problem.
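An added example, not code from the thread or any poster: a Python parser for the Exchange 2003 message tracking log (W3C tab-separated text with a "#Fields:" header) that groups events by MSGID and labels each outbound message by how it entered the server, which is the distinction noahmehl drew above between messages with and without the store-driver submission event and the client-ip column that finally answered the question. The Event-ID value 1019 for the store-driver event, the server name, the addresses and every log row are assumptions and constructed samples.

```python
import ipaddress
# Event-ID assumed for "SMTP: Store Driver; Message Submitted from Store"; confirm against your Message Tracking Center.
STORE_DRIVER_SUBMIT = "1019"
# Constructed sample log: W3C format, tab-separated, columns named by the "#Fields:" line.
HEADER = ("#Software: Microsoft Exchange Server\n#Version: 6.0\n#Date: 2011-09-12 00:00:00\n"
          "#Fields: Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address "
          "Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time "
          "Encryption service-Version Linked-MSGID Message-Subject Sender-Address\n")

def _row(time, ip, host, rcpt, event, msgid, subject, sender):
    # Same column order as the header; columns this example does not use hold "-" or 0.
    return "\t".join(["2011-9-12", time, ip, host, "-", "SBS01", "192.168.1.5", rcpt, event,
                      msgid, "0", "0", "2048", "1", "-", "0", "-", "-", subject, sender])
SAMPLE_LOG = HEADER + "\n".join([
    # Legitimate Outlook message: the store driver submits it, so client-ip is the server itself.
    _row("8:02:11 GMT", "192.168.1.5", "SBS01", "boss@example.com", STORE_DRIVER_SUBMIT, "<m1@sbs01>", "Report", "noah@example.com"),
    _row("8:02:11 GMT", "192.168.1.5", "SBS01", "boss@example.com", "1028", "<m1@sbs01>", "Report", "noah@example.com"),
    # Spam sent over authenticated SMTP from outside: no store-driver event, external client-ip.
    _row("23:41:02 GMT", "203.0.113.77", "[203.0.113.77]", "x@example.net", "1028", "<m2@spam>", "Sale", "noah.m@example.com"),
    _row("23:41:02 GMT", "203.0.113.77", "[203.0.113.77]", "x@example.net", "1030", "<m2@spam>", "Sale", "noah.m@example.com"),
]) + "\n"

def parse_tracking_log(text):
    """Return one dict per data row, keyed by the names in the '#Fields:' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif fields and line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def classify_submissions(rows, local_domain, internal_nets):
    """Label each message from local_domain 'store', 'smtp-internal' or 'smtp-external' by how it entered."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    by_msg = {}
    for r in rows:
        by_msg.setdefault(r["MSGID"], []).append(r)
    results = []
    for msgid, events in by_msg.items():
        sender = events[0]["Sender-Address"].lower()
        if not sender.endswith("@" + local_domain):
            continue  # inbound mail from other domains is not in question here
        if any(e["Event-ID"] == STORE_DRIVER_SUBMIT for e in events):
            source = "store"  # left the mailbox via the store driver (Outlook/MAPI)
        else:  # submitted straight over SMTP: the client-ip column says from where
            ip = ipaddress.ip_address(events[0]["client-ip"])
            source = "smtp-internal" if any(ip in n for n in nets) else "smtp-external"
        results.append({"msgid": msgid, "sender": sender, "client_ip": events[0]["client-ip"], "source": source})
    return results
```

An "smtp-external" result for one of your own senders is the pattern from this thread (a stolen password used for authenticated relay), while "smtp-internal" points at a workstation on the LAN.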

Author Closing Comment

ID: 36553456
Apparently, Google was much more useful in this case...
