Asked by Higalv

Exchange Server 2003 - ISP Blocked Outgoing SMTP 550

We are running Exchange Server 2003 and this morning it appears that someone has been sending a large bulk of outgoing mail.

There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <mailserver.com #5.5.0 smtp;550-<mailserver IP here> is blocked due to abuse. Contact abuse@demon.net for more

The block has now been removed but I am trying to understand more about how this has occurred and how to prevent this from re-occurring in the future.

As far as I can see a large number (about 5000) of messages were sent from our Exchange server this morning.

I can see the IP address of the user who was connected to our Exchange server when these messages were sent but not how they managed to get onto our Exchange box in the first place.

Our ISP placed the block on us sending outgoing mail after they were informed by other ISPs that an address on their network was sending a large amount of mail, with that address being our mail server's IP.

Our ISP's response regarding this was:
This is an SMTP Authentication issue. Basically there are 1 or
more weak passwords for user accounts to access your mail server
and one or more have been compromised allowing the hacker to relay
their mail through your server.

We require you to change and secure every user's password and
preferably perform a full and thorough scan of each computer on the
network.

Please then report back to us when finished and we'll unblock the
service.

I have since set every Active Directory user account to 'Must change password at next login' and our ISP has removed the block. Was this really as simple as someone somehow cracking or guessing a username and password and sending SMTP commands to use our Exchange server for sending out bulk amounts of spam?

Is there an easy way to spot what exactly has happened and what steps should we take to try and prevent this happening again in the future?
SOLUTION
Miguel Angel Perez Muñoz
ASKER CERTIFIED SOLUTION

Higalv (ASKER)

Alan,

Thanks for the links to your blog articles. Really useful info there.

I will follow some of your advice and tighten things up a bit.
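
An added example, not part of the original thread: one way to look in the SMTP virtual server's protocol log for the pattern the ISP describes, an outside client that authenticates and then addresses many recipients. It assumes W3C Extended logging is enabled with the `c-ip` and `cs-method` fields selected; the sample log lines, addresses, internal range and threshold are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

def _rows(ip, verbs):
    # Helper that builds constructed sample lines (not real log data).
    return [f"2010-01-01 06:00:00 {ip} {v} - 250" for v in verbs]

# Constructed sample: one external client that authenticates and relays,
# one ordinary inbound delivery, one internal workstation.
SAMPLE_LOG = "\n".join(
    ["#Fields: date time c-ip cs-method cs-uri-query sc-status"]
    + _rows("203.0.113.50", ["EHLO", "AUTH", "MAIL"] + ["RCPT"] * 6 + ["DATA"])
    + _rows("198.51.100.7", ["EHLO", "MAIL", "RCPT", "DATA", "QUIT"])
    + _rows("192.0.2.10", ["EHLO", "AUTH", "MAIL"] + ["RCPT"] * 8 + ["DATA"])
)

def summarize(log_text):
    """Count SMTP verbs per client IP, using the log's own #Fields header."""
    fields, per_ip = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file
        elif line.strip() and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            ip, verb = row.get("c-ip"), row.get("cs-method", "").upper()
            if ip and verb:
                per_ip[ip][verb] += 1
    return per_ip

def suspects(log_text, internal=("192.0.2.0/24",), rcpt_threshold=5):
    """External IPs that issued AUTH and at least rcpt_threshold RCPT commands."""
    nets = [ipaddress.ip_network(n) for n in internal]
    hits = []
    for ip, verbs in summarize(log_text).items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                           # skip malformed address fields
        if any(addr in n for n in nets):
            continue                           # own LAN clients are expected to AUTH
        if verbs["AUTH"] and verbs["RCPT"] >= rcpt_threshold:
            hits.append((ip, verbs["RCPT"]))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for ip, rcpts in suspects(SAMPLE_LOG):
        print(f"{ip}: authenticated, {rcpts} RCPT commands")
```

If the `cs-username` field is also logged, the matching lines show which account the external client used, which narrows the password reset and workstation scan to that user first.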