crcsupport
asked on
exchange 2003, user spoof, sending spam using one of our users
I have a mail server; in its queue, multiple outgoing mails from a specific user are stuck on sending. But the user's Outlook doesn't show she sent mails out. The outgoing emails also seem to be spam going to external random addresses. I think changing/correcting settings at the SMTP virtual server of the mail server can resolve this problem. Can you advise?
Relay under SMTP virtual server/properties/Access/Relay is restricted to our LAN IPs of a few servers.
Under SMTP virtual server/properties/Access/Authentication, both Anonymous access and Integrated Windows Authentication are checked.
Under SMTP virtual server/properties/Delivery/Outbound Security, Anonymous access is checked.
Windows 2003 SP2
Exchange 2003 SP2
SOLUTION
ASKER
I will test using exmon
SOLUTION
SOLUTION
ASKER
Yes, it's spam; the subject shows all medicine stuff... I changed her password and will see what happens.
I have the relay setting as shown in the attached image on my SMTP virtual server.
Basically 5 LAN IPs are allowed to relay; there are websites in dev and production that relay to the mail server to send. But the 5 computers are all clean of viruses. But I noticed that in the users tab, Domain Users are allowed to relay. I can restrict this to certain users only, correct?
So in my case, relay is on...
Besides relay, what else can make it possible for an outside email client to send emails using our mail server, pretending to be the troubled user account, without knowing the password?
relay.jpg
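The post above conflates two different things the SMTP virtual server decides per RCPT TO: delivery to a local mailbox (never subject to the Relay tab) and relaying to a foreign domain (subject to it). The following is an added example, not code from the thread or from Exchange, that models that decision the way the Exchange 2003 Relay tab behaves: a list of LAN addresses, plus the "allow all computers which successfully authenticate to relay" option that is what gives Domain Users relay. The domain name, the five addresses and the scenario addresses are placeholders. The point it makes is that the spam queue in the question can only be fed through the authenticated path or a listed LAN host; an anonymous outside client with a forged local From can only reach local mailboxes.

```python
"""Model of the Exchange 2003 SMTP virtual server relay decision (added example)."""

# Assumptions (placeholders, not values from the thread): the local accepted
# domain and the small set of LAN hosts granted relay on the Access/Relay tab.
LOCAL_DOMAINS = {"mydomain.com"}
RELAY_ALLOWED_HOSTS = {"192.168.1.10", "192.168.1.11", "192.168.1.12",
                       "192.168.1.13", "192.168.1.14"}
# The Relay tab's "allow all computers which successfully authenticate" option
# is what grants Domain Users relay; the thread says it is on.
AUTHENTICATED_MAY_RELAY = True


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def rcpt_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Decide a RCPT TO as the server does, returning (accepted, reason).

    mail_from is intentionally not consulted: SMTP never verifies the
    envelope sender, so a forged local MAIL FROM costs the client nothing.
    """
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        # Inbound mail for a local mailbox is not relaying; the Relay tab
        # restrictions do not apply, so any host on the internet can do this.
        return True, "local delivery (sender %s not verified)" % mail_from
    if authenticated and AUTHENTICATED_MAY_RELAY:
        # The path a guessed password opens: the outside client logs in as
        # the user and the server relays anywhere on that user's behalf.
        return True, "relay: authenticated client"
    if client_ip in RELAY_ALLOWED_HOSTS:
        return True, "relay: client address on Relay list"
    return False, "550 5.7.1 unable to relay"


def scenarios():
    """The cases argued about in the thread, as (label, accepted)."""
    cases = [
        ("outside, anonymous, spoofed local From, to local mailbox",
         "203.0.113.45", False, "jsmith@mydomain.com", "boss@mydomain.com"),
        ("outside, anonymous, spoofed local From, to external address",
         "203.0.113.45", False, "jsmith@mydomain.com", "victim@example.net"),
        ("outside, authenticated as the user, to external address",
         "203.0.113.45", True, "jsmith@mydomain.com", "victim@example.net"),
        ("LAN web server on the Relay list, anonymous, to external",
         "192.168.1.10", False, "do-not-reply@mydomain.com", "cust@example.org"),
        ("LAN workstation not on the Relay list, anonymous, to external",
         "192.168.1.200", False, "jsmith@mydomain.com", "victim@example.net"),
    ]
    return [(label, rcpt_decision(ip, auth, frm, to)[0])
            for label, ip, auth, frm, to in cases]


if __name__ == "__main__":
    for label, accepted in scenarios():
        print("%-62s %s" % (label, "accepted" if accepted else "rejected"))
```

Setting `AUTHENTICATED_MAY_RELAY = False` (or removing Domain Users on the users tab, as the post asks about) closes the third scenario, but it also closes relay for any legitimate authenticated client, which is why the usual fix is a lockout policy plus the password change rather than turning authenticated relay off.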
ASKER
I changed her password, but it keeps sending mails out from her account. So I think someone outside is connecting to my mail server and sending out emails without logging in with her account.
ASKER CERTIFIED SOLUTION
ASKER
It looks like the account was hacked. I just checked the queue again; I don't see emails going out with her account.
Alanharddisty, thanks for the article. I need to set an account lockout policy so that a hacker can't run brute-force against our Exchange server.
Yes - always a good plan, plus setting strong passwords and forcing regular changes is also a good way to minimise hacked accounts.
Alan
ASKER
Yes, I have a connector set up at Routing groups/First Routing Group/Connectors/Connector
Is there a way to restrict it to accept messages only from LAN IPs? We have a dummy email address (no mailbox) 'do-not-reply@mydomain.com'.
Also, is it possible that any outside PC can telnet to the server and send out email using our mail server with 'from' as one of our users' email addresses even though relay is off?
I scanned the troubled user's PC and didn't find any problem.
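The thread ends with two open questions: how to tell that a password was guessed (the lockout-policy point) and whether an outside PC can telnet in with a forged local From. Both are answered by the SMTP virtual server's own log. The script below is an added example, not from the thread or from Exchange: it sweeps a constructed sample of the IIS W3C extended log the SMTP virtual server writes when logging is enabled (field set reduced for the example; the parser takes the column names from the `#Fields:` header, so a real log with more columns parses the same way) and reports repeated AUTH failures per client address, successful AUTH from off-LAN addresses, external recipients relayed under an authenticated user, and anonymous outside hosts presenting a local envelope sender. The LAN range, domain and sample addresses are placeholders.

```python
"""Triage of Exchange 2003 SMTP virtual server logs (added example)."""
import ipaddress
import re
from collections import Counter

# Assumed site values (placeholders): the LAN range and the local domain.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"mydomain.com"}

# Constructed sample in the IIS W3C extended format; 535 = AUTH failed,
# 235 = AUTH succeeded, 250 = command accepted.  Client 203.0.113.45 guesses
# five times, gets in as jsmith and relays outward; 192.168.1.10 is a listed
# LAN web server; 198.51.100.7 is an anonymous outside host forging jsmith's
# address on mail that is merely delivered inbound.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2012-03-01 02:10:01 203.0.113.45 - EHLO +outside.example 250
2012-03-01 02:10:02 203.0.113.45 - AUTH - 535
2012-03-01 02:10:03 203.0.113.45 - AUTH - 535
2012-03-01 02:10:04 203.0.113.45 - AUTH - 535
2012-03-01 02:10:05 203.0.113.45 - AUTH - 535
2012-03-01 02:10:06 203.0.113.45 - AUTH - 535
2012-03-01 02:10:07 203.0.113.45 MYDOMAIN\\jsmith AUTH - 235
2012-03-01 02:10:08 203.0.113.45 MYDOMAIN\\jsmith MAIL +FROM:<jsmith@mydomain.com> 250
2012-03-01 02:10:08 203.0.113.45 MYDOMAIN\\jsmith RCPT +TO:<random1@example.net> 250
2012-03-01 02:10:09 203.0.113.45 MYDOMAIN\\jsmith RCPT +TO:<random2@example.org> 250
2012-03-01 08:00:00 192.168.1.10 - MAIL +FROM:<do-not-reply@mydomain.com> 250
2012-03-01 08:00:00 192.168.1.10 - RCPT +TO:<customer@example.org> 250
2012-03-01 08:15:00 198.51.100.7 - MAIL +FROM:<jsmith@mydomain.com> 250
2012-03-01 08:15:01 198.51.100.7 - RCPT +TO:<jsmith@mydomain.com> 250
"""


def parse_w3c(text):
    """Yield one dict per log row, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed row: skip it rather than abort the sweep
        yield dict(zip(fields, parts))


def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def address_in(arg):
    """Pull the <address> out of a logged MAIL/RCPT argument ('+' encodes a space)."""
    m = re.search(r"<([^>]*)>", arg.replace("+", " "))
    return m.group(1).lower() if m else None


def domain_of(address):
    return address.rsplit("@", 1)[-1]


def analyze(text, fail_threshold=5):
    """Return the four indicators the thread turns on."""
    auth_failures = Counter()
    external_auth = set()
    external_rcpts = Counter()
    spoofed_local_from = []
    for rec in parse_w3c(text):
        ip, user = rec["c-ip"], rec["cs-username"]
        verb, arg, status = rec["cs-method"], rec["cs-uri-query"], rec["sc-status"]
        outside, authed = not is_lan(ip), user != "-"
        if verb == "AUTH":
            if status == "535":
                auth_failures[ip] += 1          # password-guessing candidate
            elif status == "235" and outside:
                external_auth.add((ip, user))  # logon from off the LAN
        elif verb == "MAIL" and status == "250":
            sender = address_in(arg)
            if sender and outside and not authed and domain_of(sender) in LOCAL_DOMAINS:
                spoofed_local_from.append((ip, sender))  # forged local sender, inbound only
        elif verb == "RCPT" and status == "250":
            rcpt = address_in(arg)
            if rcpt and outside and authed and domain_of(rcpt) not in LOCAL_DOMAINS:
                external_rcpts[user] += 1      # relay to the world under the user's logon
    return {
        "brute_force": {ip: n for ip, n in auth_failures.items() if n >= fail_threshold},
        "external_auth_senders": sorted(external_auth),
        "external_rcpts_by_auth_user": dict(external_rcpts),
        "spoofed_local_from": spoofed_local_from,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print("%-28s %s" % (key, value))
```

Run against a real log directory, the `brute_force` bucket is what an account lockout policy is meant to stop, `external_rcpts_by_auth_user` is the signature of the stuck outbound queue in the question, and `spoofed_local_from` shows that the telnet case the last post asks about does happen with relay off, but only ever lands in local mailboxes.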