We are running Exchange Server 2003, and this morning it appears that someone has been sending a large bulk of outgoing mail. The bounces look like this:
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<mailserver.com #5.5.0 smtp;550-<mailserver IP here> is blocked due to abuse. Contact email@example.com for more
The block has now been removed, but I am trying to understand more about how this occurred and how to prevent it from recurring in the future.
As far as I can see a large number (about 5000) of messages were sent from our exchange server this morning.
I can see the IP address of the user who was connected to our exchange server when these messages were sent but not how they managed to get onto our exchange box in the first place.
Our ISP placed the block on us sending outgoing mail after they were informed by other ISPs that an address on their network was sending a large amount of mail, that address being our mail server's IP.
Our ISP's response regarding this was:
This is an SMTP Authentication issue. Basically there are 1 or more weak passwords for user accounts to access your mail server and one or more have been compromised allowing the hacker to relay their mail through your server.
We require you to change and secure every users password and preferably perform a full and thorough scan to each computer on the
Please then report back to us when finished and we'll unblock the
I have since set every Active Directory user account to 'Must change password at next login' and our ISP has removed the block. Was this really as simple as someone somehow cracking or guessing a username and password and sending SMTP commands to use our Exchange server for sending out bulk amounts of spam?
Is there an easy way to spot what exactly has happened and what steps should we take to try and prevent this happening again in the future?
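One way to answer the "what exactly happened" part from the server's own records: the Exchange 2003 SMTP virtual server can write W3C Extended protocol logs, and once a client issues AUTH the cs-username field carries the authenticated account on every later command from that session, so counting MAIL FROM commands per (account, client IP) shows which credential was used to relay and from where. The script below is an added example, not code from the original post or from Microsoft; it assumes the c-ip, cs-username and cs-method fields are enabled in the log, and the log lines it parses are constructed samples.

```python
from collections import Counter

# Constructed sample in the W3C Extended format the Exchange 2003 SMTP virtual
# server writes (assumed fields). '-' means empty; cs-username is set after AUTH.
HEADER = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status",
]
NORMAL = [
    "2009-03-02 08:00:01 10.0.0.5 - SMTPSVC1 EHLO +pc1 250",
    "2009-03-02 08:00:02 10.0.0.5 CORP\\alice SMTPSVC1 AUTH +LOGIN 235",
    "2009-03-02 08:00:03 10.0.0.5 CORP\\alice SMTPSVC1 MAIL +FROM:<alice@example.com> 250",
]
# One external host authenticating as bob and issuing hundreds of MAIL commands.
BULK = ["2009-03-02 08:05:00 203.0.113.9 CORP\\bob SMTPSVC1 AUTH +LOGIN 235"] + [
    f"2009-03-02 08:05:{i % 60:02d} 203.0.113.9 CORP\\bob SMTPSVC1 MAIL +FROM:<spam{i}@example.org> 250"
    for i in range(300)
]
SAMPLE_LOG = "\n".join(HEADER + NORMAL + BULK) + "\n"

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def mail_counts(text):
    """Count MAIL FROM commands per (authenticated user, client IP); unauthenticated
    sessions (cs-username '-') are skipped because they cannot relay."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("cs-method") == "MAIL" and rec.get("cs-username", "-") != "-":
            counts[(rec["cs-username"], rec["c-ip"])] += 1
    return counts

def suspicious_senders(text, threshold=100):
    """Return (user, ip, count) for pairs above the threshold, busiest first."""
    return sorted(
        ((u, ip, n) for (u, ip), n in mail_counts(text).items() if n > threshold),
        key=lambda t: -t[2],
    )

if __name__ == "__main__":
    for user, ip, n in suspicious_senders(SAMPLE_LOG):
        print(f"{user} from {ip}: {n} MAIL commands")
```

Pointing parse_w3c at the real ex*.log files for the day of the incident (and lowering the threshold) gives the account and source IP to reset and block first.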