Spam Being Sent Through Exchange 2003 Server

christxr
I am having trouble with an Exchange 2003 server's queue filling up with thousands of outgoing messages (like 200,000 or more) and stopping all mail flow. I did a Malwarebytes scan on the server and found nothing. What is a good way to identify where these are coming from and how to stop it?
Microsoft provides a detailed guide here:

http://support.microsoft.com/kb/324958
Most probably one of your client's computers is infected, sending out spam.

Track some messages down via the OUTGOING QUEUE, write down the time, then find it in the SMTP logs of the Exchange server to see which local IP they are coming from.

Are they mostly originating from Administrator@yourdomain.local?
Then you are most probably infected with the Netsky or Conficker virus, which is a pain in the ass to remove. It spreads with USB storage devices: users carry it home and infect both computers, you clean the computer in the office, and after a few days the user infects it again.

1.) You may try to block port 25 on your firewall in both directions, just to easily clear out the queue in Exchange.

2.) Block port 25 on firewall IN and OUT direction for all computers, except Exchange.

3.) Test that your Exchange is not an open relay:
http://mxtoolbox.com/diagnostic.aspx

4.) Then, if possible, run a virus scan on all clients in SAFE MODE (some stealth viruses remain dormant in memory if you clean in normal mode).
Also, you may run a Conficker scan for the whole network with my little script, which scans your network, reports infected computers, and cleans out the scheduled tasks which spread the virus around. It is safe to use!
(It is in the attachment, a .RAR archive renamed to .JPG. Change the extension before extraction, then run "rcg.bat" from the command prompt.)

5.) Then go through this article to see how it happened:
http://exchange.sembee.info/2003/smtp/spam-cleanup.asp

Hope it helps.
Attachment: Conficker-Removal-renamed-rar.jpg

Alan Hardisty commented:
You are most likely an Authenticated Relay rather than the victim of an infected machine (or suffering from NDR spam). My article discusses both issues and how to resolve them:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn't-send.html

Also - please have a read of my two blog articles:

http://alanhardisty.wordpress.com/2010/09/28/increase-in-frequency-of-security-alerts-on-servers-from-hackers-trying-brute-force-password-programs/

http://alanhardisty.wordpress.com/2010/12/01/increase-in-hacker-attempts-on-windows-exchange-servers-one-way-to-slow-them-down/

The last blog entry has a quick fix which should stop the problem dead in its tracks.

Emptying the queues quickly can be done using aqadmcli.exe - the link is now broken, but if you want the tool, please let me know.

I have seen this more times than I have had hot dinners!!

Alan
Author commented:
Looks like I'm suffering from an Authenticated Relay Attack. However in trying to enable Diagnostic Logging, each time I click on that tab it renders the server properties window unresponsive. Any idea why? Should I stop any services before doing so?
Alan Hardisty commented:
Just wait for it to complete - don't stop anything - just give it a while.

If you have waited - then something is wrong as it should be waiting for a long time.

You can always utilise my quick fix!
Despite Alan Hardisty's good links, here's another excellent post on HOW TO STOP the attack and how to find out which user account was hijacked (that's the authenticated relay attack):
http://www.vamsoft.com/authattack.asp

Read the last paragraph, where it is instructed to set Transport Logging to minimum, so you will get Event ID 1708 each time a user authenticates for sending mail. You will quickly catch the offending account.
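One way to do the log triage suggested in the answers above (find the client IP behind the flood of MAIL commands, and whether that client authenticated first, which points at an authenticated relay rather than an infected PC). This is an added example, not code from the thread or from Microsoft; the log lines are constructed, and the column layout is a simplified assumption about the W3C extended log the Exchange 2003 SMTP virtual server writes (the `#Fields:` header is read dynamically, so a real log with more columns is parsed the same way).

```python
# Added example (not from the thread): rank SMTP clients in an Exchange 2003
# SMTP virtual server W3C log by MAIL commands, and note which of them
# authenticated first, to spot the machine or hijacked account behind the flood.
from collections import Counter, defaultdict

# Constructed sample log; the column layout is a simplified assumption about
# the real W3C extended format, but the #Fields: header is parsed dynamically.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2011-03-01 09:00:01 192.168.1.50 pc50.example.local EHLO - 250
2011-03-01 09:00:02 192.168.1.50 pc50.example.local MAIL +FROM:<bob@example.local> 250
2011-03-01 09:00:03 198.51.100.7 client7 AUTH LOGIN 334
2011-03-01 09:00:04 198.51.100.7 client7 MAIL +FROM:<sales@example.local> 250
2011-03-01 09:00:05 198.51.100.7 client7 MAIL +FROM:<sales@example.local> 250
2011-03-01 09:00:06 198.51.100.7 client7 MAIL +FROM:<sales@example.local> 250
2011-03-01 09:00:07 198.51.100.7 client7 MAIL +FROM:<admin@example.local> 250
"""


def parse_w3c(text):
    """Yield one dict per data line, mapping columns by the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def rank_clients(text, threshold=3):
    """Return [(ip, mail_count, authenticated, senders)] for every client whose
    MAIL command count is at or above threshold, busiest first."""
    mails, auth_ips, senders = Counter(), set(), defaultdict(set)
    for rec in parse_w3c(text):
        ip, verb, arg = rec["c-ip"], rec["cs-method"], rec["cs-uri-query"]
        if verb == "AUTH":
            auth_ips.add(ip)  # this client tried SMTP AUTH: relay candidate
        elif verb == "MAIL":
            mails[ip] += 1
            senders[ip].add(arg[6:] if arg.startswith("+FROM:") else arg)
    return [(ip, n, ip in auth_ips, sorted(senders[ip]))
            for ip, n in mails.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, authed, froms in rank_clients(SAMPLE_LOG):
        kind = "authenticated relay" if authed else "unauthenticated client"
        print(f"{ip}: {n} MAIL commands ({kind}) as {', '.join(froms)}")
```

On a real log, a private LAN address at the top of the list points at an infected workstation, while an external address that authenticated points at a hijacked account (cross-check with Event ID 1708 as described above).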
