Exchange 2003 being used as spam server - sort of....

Posted on 2012-09-19
Last Modified: 2012-10-03
I have an Exchange 2003 server that appears to be being used as a spam host. It is not an open relay and the Default SMTP Virtual Server properties under Access/Relay have the mail server and the network scanner listed with "Only the list below" checked. The box to allow authenticated users to relay is unchecked.

I see spam to/from the same user. So bsmith@ is sending spam to bsmith@, but it is coming from outside the network. Here are the headers:

Received: from
by MYMAILSERVER with Microsoft
 SMTPSVC(6.0.3790.4675); Wed, 19 Sep 2012 05:42:34 -0700
Message-ID: <>
Date: Wed, 19 Sep 2012 13:42:19 +0100
From: <>
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv: Gecko/20101027 Thunderbird/3.1.6
MIME-Version: 1.0
To: <>
Subject: =?utf-8?Q?Spam:find=20Cllalls=20free=20sites=20computer=20search?=

The To and From are the same and it's not from inside my network. I'm not sure how this is getting through or how it is happening. There is not a lot of it, but I would like to stop it.
Question by: mvalpreda
    LVL 76

    Accepted Solution

    You are probably an Authenticated relay and my article will help you to identify the account:'t-send.html

    Once identified, change the password for the account, restart the SMTP Service and then wait for the queues to empty.  They may still fill up for a while whilst Exchange catches up with the volume that it was sent, so don't be alarmed if the queues keep filling for a while.

    You can use aqadmcli.exe to delete the mail in the queues quickly.  Shout if you would like a link to download this from to achieve this and instructions.

    LVL 2

    Author Comment

    First off....thanks for the article. I was looking through and see that it may be more of an NDR attack since I see a lot of mail in the queue to strange domains all coming from postmaster@. I have set up the filtering explained at and the tarpitting explained at I set the tarpit time to 20 seconds.

    Also going to run through the authenticated user attack. Strange that it happens when the box is unchecked and only allowing relaying from a very specific set of IPs.
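The two hypotheses in this thread (a compromised account relaying through authenticated SMTP, and an NDR backscatter attack against non-existent local recipients) both leave traces in the SMTP virtual server's W3C log. The script below is an added example, not part of this thread or of the linked article, that walks such a log and reports per-account MAIL volume, accepted RCPTs to unknown local mailboxes (what Recipient Filtering would turn into 550s), and external sessions where the envelope sender and recipient are the same local address, as in the headers quoted above. It assumes W3C extended logging with a `#Fields:` directive, that the authenticated account appears in the `cs-username` column (check which column carries it on your own log), and it embeds a constructed sample log, a constructed mailbox list and a constructed domain; the threshold and internal-network prefixes are also assumptions.

```python
"""Hunt an Exchange 2003 SMTP virtual server log (W3C extended format) for
authenticated-relay abuse and NDR backscatter. Added example; all sample
data, names and thresholds below are constructed for illustration."""
import re
from collections import Counter, defaultdict

LOCAL_DOMAIN = "example.com"                        # assumption: our own mail domain
KNOWN_MAILBOXES = {"bsmith", "jdoe", "postmaster"}  # constructed list of real mailboxes
RELAY_THRESHOLD = 3                                 # constructed: MAIL commands per account to flag
INTERNAL_NETS = ("10.", "192.168.")                 # constructed: internal address prefixes

ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample log. A real log carries more columns; the #Fields: line
# drives the parser, so only the columns named here need to exist.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-09-19 12:40:01 10.0.0.25 - MAIL +FROM:<jdoe@example.com> 250
2012-09-19 12:40:01 10.0.0.25 - RCPT +TO:<friend@partner.example> 250
2012-09-19 12:41:10 198.51.100.9 DOMAIN\svc-vendor MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:41:10 198.51.100.9 DOMAIN\svc-vendor RCPT +TO:<victim1@elsewhere.example> 250
2012-09-19 12:41:11 198.51.100.9 DOMAIN\svc-vendor MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:41:11 198.51.100.9 DOMAIN\svc-vendor RCPT +TO:<victim2@elsewhere.example> 250
2012-09-19 12:41:12 198.51.100.9 DOMAIN\svc-vendor MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:41:12 198.51.100.9 DOMAIN\svc-vendor RCPT +TO:<victim3@elsewhere.example> 250
2012-09-19 12:41:13 198.51.100.9 DOMAIN\svc-vendor MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:41:13 198.51.100.9 DOMAIN\svc-vendor RCPT +TO:<victim4@elsewhere.example> 250
2012-09-19 12:42:19 203.0.113.7 - MAIL +FROM:<bsmith@example.com> 250
2012-09-19 12:42:19 203.0.113.7 - RCPT +TO:<bsmith@example.com> 250
2012-09-19 12:43:00 203.0.113.44 - MAIL +FROM:<forged@innocent.example> 250
2012-09-19 12:43:00 203.0.113.44 - RCPT +TO:<qzxv9@example.com> 250
2012-09-19 12:43:01 203.0.113.44 - RCPT +TO:<ab12cd@example.com> 250
2012-09-19 12:43:02 203.0.113.44 - RCPT +TO:<bsmith@example.com> 250
2012-09-19 12:44:00 203.0.113.44 - RCPT +TO:<nobody9@example.com> 550
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a malformed line: skip it
        yield dict(zip(fields, parts))


def address(query):
    """Extract the <addr> from a '+FROM:<addr>' or '+TO:<addr>' query field."""
    m = ADDR_RE.search(query or "")
    return m.group(1).lower() if m else ""


def is_internal(ip):
    return ip.startswith(INTERNAL_NETS)


def analyse(text):
    per_account = defaultdict(Counter)  # account -> Counter of client IPs issuing MAIL
    backscatter = Counter()             # client IP -> accepted RCPTs to unknown local users
    filtered = Counter()                # client IP -> RCPTs to unknown local users rejected
    self_addressed = []                 # (ip, addr) external, unauthenticated, FROM == TO
    last_from = {}                      # client IP -> most recent MAIL FROM address
    for rec in parse_w3c(text):
        ip, user, method = rec["c-ip"], rec["cs-username"], rec["cs-method"]
        addr, status = address(rec["cs-uri-query"]), rec["sc-status"]
        if method == "MAIL":
            last_from[ip] = addr
            if user != "-" and status == "250":          # authenticated submission
                per_account[user][ip] += 1
        elif method == "RCPT":
            local, _, domain = addr.partition("@")
            if domain == LOCAL_DOMAIN and local not in KNOWN_MAILBOXES:
                (backscatter if status == "250" else filtered)[ip] += 1
            if user == "-" and not is_internal(ip) and addr and addr == last_from.get(ip):
                self_addressed.append((ip, addr))
    suspects = {u: dict(c) for u, c in per_account.items()
                if sum(c.values()) >= RELAY_THRESHOLD}
    return {"relay_suspects": suspects, "backscatter": dict(backscatter),
            "filtered": dict(filtered), "self_addressed": self_addressed}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the report names `DOMAIN\svc-vendor` as the only account over the relay threshold (four MAIL commands from one external address), shows 203.0.113.44 getting two bogus local recipients accepted and one rejected, and lists the external self-addressed session from 203.0.113.7. A high `backscatter` count is the signature of the NDR attack the author suspects: each accepted RCPT to a non-existent mailbox becomes a postmaster@ bounce to a forged sender, which is why the queues fill with mail to strange domains; once Recipient Filtering is on, those same lines show up under `filtered` instead.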
    LVL 76

    Expert Comment

    by: Alan Hardisty
    Exchange 2003 is very open to abuse unfortunately.

    Hopefully it is just an NDR attack which should subside with Recipient Filtering enabled, but if not, then you should be able to find the relevant account.

    Shout if you need any more info.
    LVL 2

    Author Comment

    I do have a slight issue now. I forgot to mention I have an outside vendor that sends emails through our server and they log in with a service account (with a strong random password) and I am now seeing this:

    The SMTP client "X.X.X.X" authenticated as user "DOMAIN\account" attempted to send as "".  Access was denied because the authenticated client does not have permission to Send As this SMTP address.

    Am I going to need to set up Send As permissions on each of those users who use this third party service?
    LVL 76

    Expert Comment

    by: Alan Hardisty
    Yes - if they need to send as a particular user and log in as a different user, then they will need Send As permissions.
    LVL 2

    Author Closing Comment

    Thanks. All is looking well now.
