Link to home
Start Free TrialLog in
Avatar of christxr
christxr

asked on

Spam Being Sent Through Exchange 2003 Server

I am having trouble with an Exchange 2003 server's queue filling up with thousands of outgoing messages (like 200, 000 or more) and stopping all mail flow. I did a Malwarebytes scan on the server and found nothing. What is a good way to identify where these are coming from and how to stop it?
Avatar of Perarduaadastra
Perarduaadastra
Flag of United Kingdom of Great Britain and Northern Ireland image

Microsoft provides a detailed guide here:

http://support.microsoft.com/kb/324958
Most probably one of your client's computers is infected, sending out spam.

Track some messages down via OUTGOING QUEUE, write down the time, then find it in SMTP logs of Exchange server to see, which local IP they are coming from.

Are they mostly originating from Administrator@yourdomain.local?
Then you are most probably infected with Netsky or Conficker virus, which is pain in the ass to remove. It spreads with USB storage devices, users carry it home, infect both computers, you clean computer in the office and after few days, user infects it back.

1.) You may try to block port 25 on your firewall in both directions, just to easily clear out the queue in Exchange.

2.) Block port 25 on firewall IN and OUT direction for all computers, except Exchange.

3.) Test your Exchange if it is not an open relay:
http://mxtoolbox.com/diagnostic.aspx

4.) Then if possible, run virus scan on all clients in SAFE MODE (some stealth viruses remain dormant in memory if you clean in normal mode).
Also, you may run Conficker scan for the whole network with my little script, which scans your network, reports infected computers, and cleans out scheduled tasks, which spread virus around. It is safe to use!
(it is in attachment, .RAR archive renamed to .JPG. Change extension before extraction, then run "rcg.bat" from command prompt)

5.) Then go thru this article to see how it happened:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

Hope it helps.
Conficker-Removal-renamed-rar.jpg
ASKER CERTIFIED SOLUTION
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of christxr
christxr

ASKER

Looks like I'm suffering from an Authenticated Relay Attack. However in trying to enable Diagnostic Logging, each time I click on that tab it renders the server properties window unresponsive. Any idea why? Should I stop any services before doing so?
Just wait for it to complete - don't stop anything - just give it a while.

If you have waited - then something is wrong as it should be waiting for a long time.

You can always utilise my quick fix!
Despite of Alanhardisty good links, here's one another excellent post on HOW TO STOP attack and how to find out, which user account was hijacked (that's authenticated relay attack):
http://www.vamsoft.com/authattack.asp

Read last paragraph, where it is instructed to set Transport Loging to minimum, so you will get Event ID 1708 each time user authenticates for sending mail. You will quickly catch the offended account.