tech911
asked on
Exchange 2003 SBS - Compromised???
DETAILS
Exchange 2003 SBS
ISSUE
Client sent me a screen shot this morning of the Queues and it looks like there is either a bug or the system has been compromised. I see lots of outbound messages in the Queue that are definitely spam (As in they are using this server to relay spam).
REQUEST
Could someone remind me how to properly turn on the correct logging so I can see what account is being used to send the messages.
Also any steps that I should make sure I take after I figure it out (other than change the password) would be helpful.
Regards,
Exchange 2003 SBS
ISSUE
Client sent me a screen shot this morning of the Queues and it looks like there is either a bug or the system has been compromised. I see lots of outbound messages in the Queue that are definitely spam (As in they are using this server to relay spam).
REQUEST
Could someone remind me how to properly turn on the correct logging so I can see what account is being used to send the messages.
Also any steps that I should make sure I take after I figure it out (other than change the password) would be helpful.
Regards,
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Are you blacklisted?
www.mxtoolbox.com/blacklists.aspx
www.blacklistalert.org
If you are - which blacklists and what reasons are given (if any)?
www.mxtoolbox.com/blacklists.aspx
www.blacklistalert.org
If you are - which blacklists and what reasons are given (if any)?
ASKER
Not yet.
I turned off the smtp service until we can get a handle on what is happening. As soon as turn it on, the Queues fill up and you can here the hard drives chugging...
My guess is that the chugging is the mail being sent out.
I also turned on recipient filtering per your article, but the queues are either still filling up or trying to fulfill messages that are already in there. I am going to try to clean up the queue per your link.
Will advise shortly
I turned off the smtp service until we can get a handle on what is happening. As soon as turn it on, the Queues fill up and you can here the hard drives chugging...
My guess is that the chugging is the mail being sent out.
I also turned on recipient filtering per your article, but the queues are either still filling up or trying to fulfill messages that are already in there. I am going to try to clean up the queue per your link.
Will advise shortly
Understood - but the important thing to know is who the senders of the messages are. Once I know that - it will determine the action to take (postmaster / random senders not on your domain).
ASKER
Great support on this issue.
Thanks.
It was an NDR attack, I followed your instructions and they worked as advertised. The biggest issue was the cleanup. There were 94,000 emails in the Queue trying to get out, it took all day to clean them out.
Thank you again, mass appreciation!
Thanks.
It was an NDR attack, I followed your instructions and they worked as advertised. The biggest issue was the cleanup. There were 94,000 emails in the Queue trying to get out, it took all day to clean them out.
Thank you again, mass appreciation!
Do you have any Anti-Spam software installed? It doesn't sound like it.
I would recommend you trial www.vamsoft.com as it is brilliant and very nicely priced at $239 per server.
I would recommend you trial www.vamsoft.com as it is brilliant and very nicely priced at $239 per server.
ASKER
Just looked at Queue.
Pulled up Queued Items, had two messages in it.
One was random name, One was postmaster.
Also ran diagnostics log as per your article, no event ID's of 1708
Where should I look? What are my next steps...
BELOW IS JUST SOME RANDOM OBSERVATIONS...
1.) Relaying was enabled by the previous tech.
2.) Circular logging is enabled (I hope it doesn't crash)
3.) I may have to go through the entire exchange config to make sure this machine is correctly configured.