Somehow, an intruder, or malware for that matter, managed to send loads of emails from my Exchange server. Fortunately, no one got harmed, except us, unfortunately!
Our email security host stopped our account because all of those emails were sent to them first, before being refused delivery, as the emails' addresses were bogus. Below is the header of one of those emails, which I hope will tell part, if not all, of the story:
Received: from User ([18.104.22.168]) by ExchangeSrv.alfouadmkma.com with Microsoft SMTPSVC(6.0.3790.1830);
Mon, 21 May 2012 15:55:19 +0300
From: "Mrs. Faith Williams"<firstname.lastname@example.org>
Subject: CAN I TRUST YOU?tst
Date: Mon, 21 May 2012 09:59:32 -0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) FILETIME=[FA5DB910:01CD3750]
I have a number of questions here:
1 – Does the header above tell anything as to how the attack was first launched?
2 – Can it be told whether the attack originated from an infected client in the network or from the Exchange server itself?
3 – Is there any technique in Exchange to stop such emails from being sent in the first place?
Kindly do not answer unless you are an expert with sufficient knowledge of the matter.
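Added example, not part of the original post: a Python script (standard library only) that parses the header quoted above, embedded verbatim as the sample input, and extracts what a responder checks first when triaging an outbound-spam incident: the first-hop address and whether it falls in private (LAN) space, the HELO name the client announced, the server that accepted the message, and the skew between the sender's own Date header and the server's receipt time.

```python
import re
import ipaddress
from email import message_from_string
from email.utils import parsedate_to_datetime

# The header from the post, reproduced as the sample input. The folded
# Received line is re-joined with a leading tab so it parses as one field.
RAW_HEADER = (
    "Received: from User ([18.104.22.168]) by ExchangeSrv.alfouadmkma.com "
    "with Microsoft SMTPSVC(6.0.3790.1830);\n"
    "\tMon, 21 May 2012 15:55:19 +0300\n"
    'From: "Mrs. Faith Williams"<firstname.lastname@example.org>\n'
    "Subject: CAN I TRUST YOU?tst\n"
    "Date: Mon, 21 May 2012 09:59:32 -0300\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2600.0000\n"
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000\n"
    "X-OriginalArrivalTime: 21 May 2012 12:55:20.0097 (UTC) "
    "FILETIME=[FA5DB910:01CD3750]\n"
    "\n"
)

# Matches the "from HELO ([ip]) by HOST ...; DATE" shape of an SMTPSVC hop.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+by\s+(?P<by>\S+)"
    r".*;\s*(?P<date>.+)$"
)

def triage(raw):
    """Return the first-hop facts from a raw header block."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(hdr.split()))  # unfold the header
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        hops.append({"helo": m["helo"], "ip": str(ip), "by": m["by"],
                     "private": ip.is_private,
                     "received_at": parsedate_to_datetime(m["date"].strip())})
    if not hops:
        raise ValueError("no parseable Received header")
    first = hops[-1]  # bottom-most Received header is the earliest hop
    client_date = parsedate_to_datetime(msg["Date"])
    return {
        "origin_ip": first["ip"],
        "origin_is_private": first["private"],  # True would point at a LAN host
        "helo": first["helo"],
        "relay": first["by"],
        # Positive: the submitting client's clock runs ahead of the server's.
        "date_skew_seconds": int((client_date - first["received_at"]).total_seconds()),
    }

if __name__ == "__main__":
    print(triage(RAW_HEADER))
```

A private first-hop address would point at a machine inside the network, while a public one shows the message was submitted to the Exchange SMTP service from outside.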