Avatar of christxr
christxr
 asked on

Spam Being Sent Through Exchange 2003 Server

I am having trouble with an Exchange 2003 server's queue filling up with thousands of outgoing messages (like 200, 000 or more) and stopping all mail flow. I did a Malwarebytes scan on the server and found nothing. What is a good way to identify where these are coming from and how to stop it?
ExchangeWindows Server 2003

Avatar of undefined
Last Comment
Andrej Pirman

8/22/2022 - Mon
Perarduaadastra

Microsoft provides a detailed guide here:

http://support.microsoft.com/kb/324958
Andrej Pirman

Most probably one of your client's computers is infected, sending out spam.

Track some messages down via OUTGOING QUEUE, write down the time, then find it in SMTP logs of Exchange server to see, which local IP they are coming from.

Are they mostly originating from Administrator@yourdomain.local?
Then you are most probably infected with Netsky or Conficker virus, which is pain in the ass to remove. It spreads with USB storage devices, users carry it home, infect both computers, you clean computer in the office and after few days, user infects it back.

1.) You may try to block port 25 on your firewall in both directions, just to easily clear out the queue in Exchange.

2.) Block port 25 on firewall IN and OUT direction for all computers, except Exchange.

3.) Test your Exchange if it is not an open relay:
http://mxtoolbox.com/diagnostic.aspx

4.) Then if possible, run virus scan on all clients in SAFE MODE (some stealth viruses remain dormant in memory if you clean in normal mode).
Also, you may run Conficker scan for the whole network with my little script, which scans your network, reports infected computers, and cleans out scheduled tasks, which spread virus around. It is safe to use!
(it is in attachment, .RAR archive renamed to .JPG. Change extension before extraction, then run "rcg.bat" from command prompt)

5.) Then go thru this article to see how it happened:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

Hope it helps.
Conficker-Removal-renamed-rar.jpg
ASKER CERTIFIED SOLUTION
Alan Hardisty

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
christxr

ASKER
Looks like I'm suffering from an Authenticated Relay Attack. However in trying to enable Diagnostic Logging, each time I click on that tab it renders the server properties window unresponsive. Any idea why? Should I stop any services before doing so?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Alan Hardisty

Just wait for it to complete - don't stop anything - just give it a while.

If you have waited - then something is wrong as it should be waiting for a long time.

You can always utilise my quick fix!
Andrej Pirman

Despite of Alanhardisty good links, here's one another excellent post on HOW TO STOP attack and how to find out, which user account was hijacked (that's authenticated relay attack):
http://www.vamsoft.com/authattack.asp

Read last paragraph, where it is instructed to set Transport Loging to minimum, so you will get Event ID 1708 each time user authenticates for sending mail. You will quickly catch the offended account.