Exchange 2003 being used as spam server - sort of....

I have an Exchange 2003 server that appears to be being used as a spam host. It is not an open relay, and the Default SMTP Virtual Server properties under Access/Relay have the mail server and the network scanner listed with "Only the list below" checked. The box to allow authenticated users to relay is unchecked.

I see spam to/from the same user. So bsmith@ is sending spam to bsmith@, but it is coming from outside the network. Here are the headers:

Received: from
by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
Message-ID: <>
Date: Wed, 19 Sep 2012 13:42:19 +0100
From: <>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv: Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <>
Subject: =?utf-8?Q?Spam:find=20Cllalls=20free=20sites=20computer=20search?=

The To and From are the same and it's not from inside my network. I'm not sure how this is getting through or how it is happening. There is not a lot of it, but I would like to stop it.
Alan Hardisty (Co-Owner) commented:
You are probably an Authenticated relay and my article will help you to identify the account:'t-send.html

Once identified, change the password for the account, restart the SMTP Service and then wait for the queues to empty.  They may still fill up for a while whilst Exchange catches up with the volume that it was sent, so don't be alarmed if the queues keep filling for a while.

You can use aqadmcli.exe to delete the mail in the queues quickly.  Shout if you would like a link to download this from to achieve this and instructions.

mvalpreda (Author) commented:
First off... thanks for the article. I was looking through and see that it may be more of an NDR attack, since I see a lot of mail in the queue to strange domains all coming from postmaster@. I have set up the filtering explained at and the tarpitting explained at I set the tarpit time to 20 seconds.

Also going to run through the authenticated user attack. Strange that it happens when the box is unchecked and only allowing relaying from a very specific set of IPs.
Alan Hardisty (Co-Owner) commented:
Exchange 2003 is very open to abuse unfortunately.

Hopefully it is just an NDR attack which should subside with Recipient Filtering enabled, but if not, then you should be able to find the relevant account.

Shout if you need any more info.
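The two things the thread says to look for (an authenticated account relaying outbound mail, and inbound RCPT TO for non-existent local users that turn into NDR backscatter until Recipient Filtering is on) can both be pulled out of the SMTP virtual server's protocol log. The script below is an added example for this thread; it is not part of the question, of Alan Hardisty's article, or of Exchange itself. It assumes a W3C extended log whose column layout is read from the `#Fields:` header; the particular columns, the `+` used in place of spaces inside `cs-uri-query`, the authenticated account showing up in `cs-username` once AUTH gets a 235 reply, and every IP, address and log line are constructed assumptions for the example, so map the columns against your own log's header before relying on it.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log in W3C extended format (column set is an ASSUMPTION;
# parse_log reads "#Fields:" so it follows whatever columns a real log has).
# Assumed conventions for this example: "+" stands in for spaces inside
# cs-uri-query, and cs-username carries the authenticated account after AUTH
# succeeds (235). 203.0.113.5 and 192.0.2.77 are documentation addresses.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2012-09-19 12:40:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-09-19 12:40:01 203.0.113.5 - EHLO +mail.example.net 250
2012-09-19 12:40:01 203.0.113.5 - AUTH LOGIN 334
2012-09-19 12:40:02 203.0.113.5 DOMAIN\bsmith AUTH - 235
2012-09-19 12:40:02 203.0.113.5 DOMAIN\bsmith MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:40:02 203.0.113.5 DOMAIN\bsmith RCPT +TO:<bsmith@example.com> 250
2012-09-19 12:40:02 203.0.113.5 DOMAIN\bsmith RCPT +TO:<victim1@other.test> 250
2012-09-19 12:40:03 203.0.113.5 DOMAIN\bsmith DATA <msg> 250
2012-09-19 12:40:03 203.0.113.5 DOMAIN\bsmith MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:40:03 203.0.113.5 DOMAIN\bsmith RCPT +TO:<victim2@other.test> 250
2012-09-19 12:40:04 203.0.113.5 DOMAIN\bsmith DATA <msg> 250
2012-09-19 12:40:05 192.0.2.77 - EHLO +zzz.invalid 250
2012-09-19 12:40:05 192.0.2.77 - MAIL +FROM:<forged@strange.test> 250
2012-09-19 12:40:05 192.0.2.77 - RCPT +TO:<nosuchuser@example.com> 250
2012-09-19 12:40:06 192.0.2.77 - RCPT +TO:<alsofake@example.com> 250
2012-09-19 12:40:06 192.0.2.77 - RCPT +TO:<bsmith@example.com> 250
2012-09-19 12:40:06 192.0.2.77 - DATA <msg> 250
2012-09-19 12:40:07 10.0.0.20 DOMAIN\svc_vendor AUTH - 235
2012-09-19 12:40:07 10.0.0.20 DOMAIN\svc_vendor MAIL +FROM:<jdoe@example.com> 250
2012-09-19 12:40:07 10.0.0.20 DOMAIN\svc_vendor RCPT +TO:<customer@other.test> 250
2012-09-19 12:40:08 10.0.0.20 DOMAIN\svc_vendor DATA <msg> 250
"""


def parse_log(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        tokens = line.split()
        if len(tokens) != len(fields):
            continue  # malformed line; a real tool would count and report these
        records.append(dict(zip(fields, tokens)))
    return records


def _address(query):
    """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>'; '' for the null sender <>."""
    m = re.search(r"<([^>]*)>", query)
    return m.group(1) if m else ""


def analyze(records, local_domains, valid_recipients, allowed_relay_nets):
    """Two indicators: (1) authenticated accounts issuing MAIL FROM from client IPs
    outside the relay list (the authenticated-relay abuse case; those are the
    accounts whose password needs resetting), with per-account totals; (2) per
    source IP, accepted RCPT TO for local addresses that do not exist, which is
    what feeds the postmaster@ NDR queue until Recipient Filtering rejects them."""
    nets = [ip_network(n) for n in allowed_relay_nets]
    local = {d.lower() for d in local_domains}
    valid = {a.lower() for a in valid_recipients}
    mail_by_account = defaultdict(Counter)  # account -> Counter{client ip: MAIL count}
    invalid_rcpt_by_ip = Counter()
    for r in records:
        ip, user = r["c-ip"], r["cs-username"]
        verb = r["cs-method"].upper()
        query, status = r["cs-uri-query"].lstrip("+"), r["sc-status"]
        if verb == "MAIL" and user != "-":
            mail_by_account[user][ip] += 1
        elif verb == "RCPT" and status == "250":
            addr = _address(query).lower()
            domain = addr.rpartition("@")[2]
            if domain in local and addr not in valid:
                invalid_rcpt_by_ip[ip] += 1
    unlisted = {}
    for account, per_ip in mail_by_account.items():
        outside = {ip: n for ip, n in per_ip.items()
                   if not any(ip_address(ip) in net for net in nets)}
        if outside:
            unlisted[account] = outside
    return {
        "messages_per_account": {a: sum(c.values()) for a, c in mail_by_account.items()},
        "relay_from_unlisted_ip": unlisted,
        "invalid_recipients_by_ip": dict(invalid_rcpt_by_ip),
    }


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG), ["example.com"],
                     ["bsmith@example.com", "jdoe@example.com"], ["10.0.0.0/8"])
    for account, ips in result["relay_from_unlisted_ip"].items():
        print(f"{account} issued MAIL FROM from unlisted IPs {ips}: reset this password")
    for ip, n in result["invalid_recipients_by_ip"].items():
        print(f"{ip} was accepted for {n} non-existent local recipients (backscatter source)")
```

With the constructed log, the vendor's service account (10.0.0.20, inside the permitted range, one message) is left alone, `DOMAIN\bsmith` is flagged because its two MAIL FROM commands came from an address outside the relay list, and 192.0.2.77 is reported as the source of two accepted recipients that do not exist, the pattern Recipient Filtering and tarpitting are meant to stop.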

mvalpreda (Author) commented:
I do have a slight issue now. I forgot to mention I have an outside vendor that sends emails through our server and they log in with a service account (with a strong random password) and I am now seeing this:

The SMTP client "X.X.X.X" authenticated as user "DOMAIN\account" attempted to send as "".  Access was denied because the authenticated client does not have permission to Send As this SMTP address.

Am I going to need to set up Send As permissions on each of those users who use this third party service?
Alan Hardisty (Co-Owner) commented:
Yes - if they need to send as a particular user and log in as a different user, then they will need Send As permissions.
mvalpreda (Author) commented:
Thanks. All is looking well now.