Solved

Exchange 2003 SBS - Compromised???

Posted on 2012-03-22
7
341 Views
Last Modified: 2012-03-23
DETAILS
Exchange 2003 SBS

ISSUE
Client sent me a screen shot this morning of the Queues and it looks like there is either a bug or the system has been compromised.  I see lots of outbound messages in the Queue that are definitely spam (As in they are using this server to relay spam).

REQUEST
Could someone remind me how to properly turn on the correct logging so I can see what account is being used to send  the messages.

Also any steps that I should make sure I take after I figure it out (other than change the password) would be helpful.

Regards,
0
Comment
Question by:tech911
  • 4
  • 3
7 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37752177
My article should help you here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also, please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

My EE article discusses how to identify the abused account but my 2nd blog discusses a way to stop it happening dead without knowing the account.  Your call as to the way you choose to stop this.

You can also use aqadmcli.exe to quickly empty your queues:

http://community.spiceworks.com/how_to/show/267

Alan
0
 
LVL 3

Author Comment

by:tech911
ID: 37752780
On site at client.

Just looked at Queue.

Pulled up Queued Items, had two messages in it.

One was random name, One was postmaster.

Also ran diagnostics log as per your article, no event ID's of 1708

Where should I look?  What are my next steps...

BELOW IS JUST SOME RANDOM OBSERVATIONS...
1.) Relaying was enabled by the previous tech.
2.) Circular logging is enabled (I hope it doesn't crash)
3.) I may have to go through the entire exchange config to make sure this machine is correctly configured.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37752792
Are you blacklisted?

www.mxtoolbox.com/blacklists.aspx

www.blacklistalert.org

If you are - which blacklists and what reasons are given (if any)?
0
Don't lose your head updating email signatures!

Do your end users still have the wrong email signature? Do email signature updates bore you or fill you with a sense of dread? You can make this a whole lot easier on yourself by trusting an Exclaimer email signature management solution. Over 50 million users do...so should you!

 
LVL 3

Author Comment

by:tech911
ID: 37752929
Not yet.

I turned off the smtp service until we can get a handle on what is happening.  As soon as turn it on, the Queues fill up and you can here the hard drives chugging...

My guess is that the chugging is the mail being sent out.

I also turned on recipient filtering per your article, but the queues are either still filling up or trying to fulfill messages that are already in there.  I am going to try to clean up the queue per your link.

Will advise shortly
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37752953
Understood - but the important thing to know is who the senders of the messages are.  Once I know that - it will determine the action to take (postmaster / random senders not on your domain).
0
 
LVL 3

Author Comment

by:tech911
ID: 37757357
Great support on this issue.

Thanks.

It was an NDR attack, I followed your instructions and they worked as advertised.  The biggest issue was the cleanup.  There were 94,000 emails in the Queue trying to get out, it took all day to clean them out.

Thank you again, mass appreciation!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757363
Do you have any Anti-Spam software installed?  It doesn't sound like it.

I would recommend you trial www.vamsoft.com as it is brilliant and very nicely priced at $239 per server.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

26 Experts available now in Live!

Get 1:1 Help Now