Hacked Exchange 2003 server

Posted on 2011-09-12
Last Modified: 2012-05-12
I have a SBS 2003 server and I've got a bunch of messages being sent from a user (which are spam, in chinese...), but I know the user is NOT sending the messages.  I'm assuming it's a virus on a workstation or something, but I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from.

The really weird part, is that I change the user's password.  Also, the emails are originating from the smtp address on their account that ISN'T the primary smtp address.
Question by:noahmehl
  • 6
  • 2

Expert Comment

ID: 36521500
Here's what I'd test:

Ccheck that your mail server isn't an open relay,  Google 'open relay tests'.  This type of spam may be 'Back-Scatter' I'd have a look for that too.

Check you have the latest Service Pack for Exchange 2003 (2 I think) as that comes with some Anti-Spam tools.

There'sa good tool for scanning PC's and servers from Trend, Google 'Trend online scan'.  This will scan the LOCAL PC or server for viruses and Malware.

Do you have a centrally installed AV product on your server like Sophos or Mcafee?  Is so, create a new task to scan the network, otherwise you'll have to scan each PC one at a time!

Expert Comment

ID: 36522230
Check if the server is open relay and block port 25 for the computers to only allow your mail server to send mails from your netwerk.
Check also the logs of the firewall to see which computer is trying to send mails and fix the infected computer.

Author Comment

ID: 36522866

These answers are really lame!

First of all, my server is not an open smtp relay!

Secondly, Exchange if fully updated.

Third, I have Kaspersky Enterprise Space Security Installed on every workstation and server, all reporting to a central Kaspersky Administration Console.  No workstation or Server has a virus/worm/etc that's been found so far.

Finally, even if all of this is true, I'm asking how to find in the Exchange logs, where the originating IP address is?  I've looked through the message tracking, but I can't seem to find that kind of detail anywhere.  Anyone?



Assisted Solution

noahmehl earned 0 total points
ID: 36523184
Attached is a message tracking window for one of the spam messages:  Spam Message
Also attached is a legitimate message from the same account:  Legitimate Message
The legitimate message was sent with Outlook 2003.  I've noticed that the "SMTP: Store Driver; Message Submitted from Store" is missing from the spam message.  I'm now thinking that the spam messages then didn't originate from any of the workstations.  What I want to know is all of the ways that the "Store Driver" event wouldn't happen.  I'm thinking that either this is a web based, or local to the exchange server problem.

On the other hand, manually changing the user's passwords seems to have stop the problem.  But I want to be able to tell where the messages came from in the first place.

Also, the Message History doesn't tell me anything about the message.  Like where is originated from, what the contents were, etc...
New My Cloud Pro Series - organize everything!

With space to keep virtually everything, the My Cloud Pro Series offers your team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you're able to protect your content regardless of OS.


Expert Comment

ID: 36523201
'Wow, these answers are really lame!' Best of luck solving this by yourself from now on Noah.

Author Comment

ID: 36523231
Well, icuadmin, I'm expecting more since I pay money for this site.  Plus your tone sucked.  It becomes insulting when you ask if the server is an open relay.  I thought this was a site for professionals...

Author Comment

ID: 36523243
Also, you didn't answer my original question: "...I can't figure out where the original messages are coming from.  Message tracking is on for exchange 2003, but I need help figuring out where the messages are originating from."

Accepted Solution

noahmehl earned 0 total points
ID: 36523357
Anyways, I figured it out.  Apparently, the actual message tracking .log has client-ip information in it.  A hacker in China figured out the password for a user, and probably was using authenticated smtp relay.  Changing the user's password to something strong solved the problem.

Author Closing Comment

ID: 36553456
Apparently, Google was much more useful in this case...

Featured Post

Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now