Avatar of tgreendyk
 asked on

Will restricting email to Outlook Web Access reduce threat of compromised account

Hi all,

I have a situation where an internal Exchange 2003 server keeps getting compromised. I'm pretty sure that someone's account is getting compromised because I went through an excercise where I changed everyone's password and the issue disappeared for about 2 months.

It's now back, but the large quantities of spam that end up in the outbound queue only appear about once a week. If I remove them all, everything's fine for another week or so.

There are a number of remote non-employees who connect using VPN, some of them on an occasional basis. I suspect that one of them may have a virus that's captured their credentials and spits out the spam whenever they connect to the server.

If I restrict all outside users to Outlook Web Access only, will this in effect remove that threat possibility since there's no direct network connection?

Even better, if there's a better way to figure out the source of this stuff, I'd appreciate knowing that too. I remember one time turning on SMTP logging in some way that made it very clear who the culprit was, but I can't seem to figure that out again.

Any help would be appreciated.

Windows Server 2003Exchange

Avatar of undefined
Last Comment

8/22/2022 - Mon

Quick follow up: Forgot to mention that I'm fairly certain that an internal LAN user does NOT have any virus. There are only 6 PCs and I've run scanns from bootable recovery disks and nothing's been found.

I also took the opportunity to uninstall and replace the current AV software with a different vendor's and their initial scans turned up nothing as well.

I'm fairly certain it's coming from an outside source that's not in my immediate control.


Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

This is a good idea, but the reason it may work is because you're changing the client, not due to the change in the method of connection.  OWA may do both, but it's not resolving the core issue.

Check your outgoing logs for your mail server.  Check the headers in the emails that got sent out.  This is invaluable information with an issue like this-- you should be able to see which connection is sending the emails, and depending on the number of users and load you have, you may be able to match up timestamps, IP addresses, and even Mac Addresses depending on your level of logging.  

If there's only a handful of common active connections between the first instance and the other 2 instances, then that will really narrow it down.

Don't restrict to just OWA.  The solution here is in your logs, not in your setup.

Thanks for the responses!

ddawson100, I think I'm missing something on the logging. Using the link you provided, I confirmed that the logging functions as described are actually on and have always been on. The log data shows what seems to be the recipient's IP address and various other pieces of information, but it's not helping me determine what computer on my network (or user account used) it came from.

I seem to recall another time a number of years ago where someone showed me how to use Diagnostic Logging and selecting certain functions of MSTransport logging. At that time I remember it clearly showed me what system user account was being used to send out the spam. I've been playing around with this but can't seem to get the right combination of things to monitor that helps.

Any ideas on this?

Thanks again,

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

Ah, yes, you were probably using Message Tracking. Check this page out:


Other thoughts about spam:

1. Source could be from outside after all. Sometimes the queue fills up with automatic responses to spam. Someone bombs your org from fake addresses and Exchange tries to send a non-delivery report to all. Check this on ways to deal with that problem. Be sure to look in the outbound queue.

2. Source could be hijacking through Outlook. Someone at home has a virus which is sending out via Outlook. Message Tracking will let you find that. Any AV is better than none. I often recommend AVG Free. Microsoft's Security Essentials is good, too.

If you don't have a decent AV filtering solution I recommend something like McAfee's MXLogic solution. They scan in-bound and do a pretty good job and may also outbound scanning which could prevent the org accidentally sending spam. If your company is ever ready to move to a new mail server (not that Exch2003 is bad at all) you might migrate to a hosted solution (Office 365 or Google Apps are easy places to start). Those services have integrated spam scanning.

Next step up after as far as security is to get a centralized desktop AV solution. Client machines will check in with a central server for reporting and AV definition updates.

No, they're not NDRs -- checked a few of the outbounds and they're watches for sale, business opportunities, etc.

I'm fairly certain it's #2 on your list. We do have a centralized AV solution (F-Secure as of a week ago, GFI Vipre before that) and, as I said, I'm reasonably sure there are no viruses on in-house computers.

The problem is that user accounts have been created for multiple people who aren't employees, but outside firms that handle marketing and such. These people work from home and only use their system credentials to establish a VPN connection, then open Outlook and handle certain email functions. I have no idea who they are and have no control over their desktops, thus my desire to use the Diagnostic Logging to see what user account is causing the problem!

I'll take a look at the article on MSExchange. I'm pretty sure I've been there, though. Was hoping someone could tell me exactly what functions to log.


Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Yes, lock down SMTP but also add RPC/HTTP and get rid of VPN. You might also approach this with a policy. Have the vendor agree in writing that they agree to access your network from a machine with an up to date AV, for only the times that they need to accomplish the work, notify you when they suspect any problems, etc.

I can't think of anything else to enable to track this. I've only used diagnostics for core Exchange features which were failing. But why don't you just look through the features yourself? There aren't that many to review. See logging options for Exchange and SMTP.

From what I'm hearing from you, you only need the default tools and logs to track this down. If someone (something) is sending via SMTP you'll see that in SMTP logs. If this is what's happening you can frustrate them with the Tarpit feature. And if someone is using Outlook to send anything, spam or otherwise, you'll see that in Queue Viewer and Message Tracking.

What I'd do (besides getting rid of VPN for them) if I suspected these vendors is to use Message Tracking to view everything they've sent recently. Or open the SMTP logs folder. Start by seeing if there are any that stand out for being larger than others. That might be something to analyze for spam relay. This isn't a quick answer though but go to this fantastic site for examples and instructions for parsing SMTP logs.

I'm glad you have good AV. Any mail filtering in place?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

I decided to split the points because gsmartin correctly identified that the problem was, in fact, an authenticated relay from the outside.

I found the offending user account by turning on SMTP authentication logging in Diagnostic Logging. The results end up in the Event Viewer, Application tab.

The compromised account was the generic one set up for the scanner to be able to drop scanned files into a shared folder on the server. I'd sure like to know how that account gets hacked!

Thanks for the help.