
Solved

exchange 2003, user spoof, sending spam using one of our users

Posted on 2013-06-11
Medium Priority
399 Views
Last Modified: 2013-06-16
I have a mail server; in the queue there are multiple outgoing mails stuck on sending from a specific user. But the user's Outlook doesn't show she sent mails out. The outgoing emails also seem to be spam going to random external addresses. I think changing/correcting settings at the SMTP virtual server of the mail server can resolve this problem. Can you advise?

Relay under SMTP virtual server/properties/Access/Relay is restricted to our LAN IPs of a few servers.

Under SMTP virtual server/properties/Access/Authentication, both Anonymous access and Integrated Windows Authentication are checked.

Under SMTP virtual server/properties/Delivery/Outbound Security, Anonymous access is checked.

Windows 2003 SP2
Exchange 2003 SP2
Question by:crcsupport
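As an added illustration of the settings listed in the question (example code written for this page, not Exchange's code and not from the original poster), the following Python models how a 2003 SMTP virtual server decides whether a RCPT TO is delivered locally, relayed, or refused with 550 "Unable to relay". The relay IP range, the accepted domain, the account names and the password are constructed values; the per-account relay permission is modelled after the Users tab under Access/Authentication, where Domain Users hold it by default.

```python
"""
Model of the Exchange 2003 SMTP virtual server relay decision (illustration only;
not Exchange code). Inputs that are assumptions: the relay list range, the
accepted domain, the accounts, and the password.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

LOCAL_DOMAINS = {"mydomain.com"}                      # accepted domain named in the thread
RELAY_LIST = [ip_network("192.168.1.0/24")]          # assumed: the "few LAN servers" on the Relay list
DOMAIN_USERS = {"jdoe", "svc-web"}                    # constructed accounts
PASSWORDS = {"jdoe": "Summer2013!", "svc-web": "x9!Relay"}   # constructed; a model, not a credential store


@dataclass
class Session:
    client_ip: str
    # Users tab: accounts granted Relay permission. Default = Domain Users, as observed.
    relay_users: Set[str] = field(default_factory=lambda: set(DOMAIN_USERS))
    user: Optional[str] = None            # set only after a successful AUTH
    mail_from: Optional[str] = None
    accepted: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)

    def auth_login(self, user: str, password: str) -> str:
        # SMTP AUTH checks the password and nothing else: a guessed password is a full login.
        if PASSWORDS.get(user) == password:
            self.user = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.3 Authentication unsuccessful"

    def mail(self, sender: str) -> str:
        # MAIL FROM is taken on trust; nothing ties it to the authenticated account,
        # so a forged internal address costs an attacker nothing.
        self.mail_from = sender.lower()
        return "250 2.1.0 Sender OK"

    def rcpt(self, recipient: str) -> str:
        if recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS:
            # Mail to a local mailbox is inbound delivery, not relaying: always accepted,
            # so "relay off" never stops spoofed mail *into* the organisation.
            self.accepted.append(recipient)
            return "250 2.1.5 Recipient OK"
        if self.may_relay():
            self.accepted.append(recipient)
            return "250 2.1.5 Recipient OK"
        self.rejected.append(recipient)
        return f"550 5.7.1 Unable to relay for {recipient}"

    def may_relay(self) -> bool:
        ip = ip_address(self.client_ip)
        if any(ip in net for net in RELAY_LIST):
            return True                       # trusted LAN host: anonymous relay is allowed
        return self.user is not None and self.user in self.relay_users


def scenarios() -> dict:
    """Run the cases discussed in the thread; returns the 3-digit reply code per case."""
    out = {}
    # 1: outside host, no credentials, forged user, external recipient -> relay refused
    s = Session("203.0.113.50"); s.mail("jdoe@mydomain.com")
    out["outside_unauth_external"] = s.rcpt("buyer@example.net")[:3]
    # 2: same forged sender, but a local recipient -> delivered (this is not relaying)
    s = Session("203.0.113.50"); s.mail("jdoe@mydomain.com")
    out["outside_unauth_local"] = s.rcpt("ceo@mydomain.com")[:3]
    # 3: outside host with a guessed password while Domain Users may relay -> relays anywhere
    s = Session("203.0.113.50"); s.auth_login("jdoe", "Summer2013!"); s.mail("jdoe@mydomain.com")
    out["outside_cracked_default"] = s.rcpt("buyer@example.net")[:3]
    # 4: same stolen password after the Users tab is narrowed to the service account -> refused
    s = Session("203.0.113.50", relay_users={"svc-web"})
    s.auth_login("jdoe", "Summer2013!"); s.mail("jdoe@mydomain.com")
    out["outside_cracked_restricted"] = s.rcpt("buyer@example.net")[:3]
    # 5: LAN web server on the relay list, anonymous do-not-reply sender -> still works
    s = Session("192.168.1.10", relay_users={"svc-web"}); s.mail("do-not-reply@mydomain.com")
    out["lan_anonymous"] = s.rcpt("client@example.net")[:3]
    # 6: a wrong password grants nothing
    s = Session("203.0.113.50"); s.auth_login("jdoe", "wrong"); s.mail("jdoe@mydomain.com")
    out["outside_badpass"] = s.rcpt("buyer@example.net")[:3]
    return out


if __name__ == "__main__":
    for name, code in scenarios().items():
        print(f"{name:28s} {code}")
```

Cases 2 and 3 are the two points the thread circles around: an outside host can always inject mail addressed to local mailboxes with a forged internal From (no relay permission involved), and once Domain Users hold Relay permission, one guessed password is enough to relay to the world. Case 5 shows that narrowing the Users tab to a service account does not break the anonymous do-not-reply sender, because the LAN web servers are authorised by the IP list, not by an account.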
10 Comments
 
LVL 52

Assisted Solution

by:Manpreet SIngh Khatra
Manpreet SIngh Khatra earned 1000 total points
ID: 39238465
If you say your domain\connector isn't set to open relay then yes, it could be a user, so use ExMon and try to find the user, then clean his machine and disconnect his mailbox if you find it causing some issues as well.

http://www.microsoft.com/en-us/download/details.aspx?id=11461

- Rancy
 
LVL 1

Author Comment

by:crcsupport
ID: 39238534
I was looking at SMTP virtual server.
Yes, I have a connector set up at Routing Groups/First Routing Group/Connectors/Connector. Connector/properties/Delivery Restrictions shows 'By default, messages from everyone are accepted'.

Is there a way to restrict it to accept messages only from LAN IPs? We have a dummy email address (no mailbox) 'do-not-reply@mydomain.com' to send out some emails to clients. If I restrict by user account, I think that email won't work.

Also, is it possible that any outside PC can telnet to the server and send out email using our mail server with 'from' set to one of our users' email addresses even though relay is off?

I scanned the trouble user's pc, didn't find any problem.
 
LVL 1

Author Comment

by:crcsupport
ID: 39238542
I will test using ExMon.
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 39238559
If anyone knows a useraccount and password, they will always be able to relay via your server if you have relaying enabled.

Hackers always enjoy cracking an Exchange 2003 server account and then abuse the hell out of it until you realise, stop the problem and prevent it from happening again.

Can you see the subject of the emails that are not going anywhere?  Are they spam-like?

Alan
 
LVL 52

Assisted Solution

by:Manpreet SIngh Khatra
Manpreet SIngh Khatra earned 1000 total points
ID: 39238566
"Also, is it possible any outside pc can telnet to the server and send out email using our mail server with 'from' as one of our user's email address even though relay is off?" - If your server is set to open relay, as opposed to restricting relay to allowed IPs.

Why don't you stop the SMTP service if possible, let the emails pile up and check their content or source, and work with the Sender/Recipient Filtering options in Exchange?

- Rancy
 
LVL 1

Author Comment

by:crcsupport
ID: 39238681
Yes, it's spam, the subjects are all medicine stuff... I changed her password and will see what happens.

I have relay setting as shown in the attached image on my SMTP virtual server.
Basically it has 5 LAN IPs allowed to relay; there are websites in dev and production that relay through the mail server to send. But the 5 computers are all clean of viruses. However, I noticed that in the Users tab, Domain Users are allowed to relay. I can restrict this to certain users only, correct?
So in my case, relay is on...

Besides relay, what else could make it possible for an outside email client to send emails using our mail server, pretending to be the troubled user account, without knowing the password?
relay.jpg
 
LVL 1

Author Comment

by:crcsupport
ID: 39238712
I changed her password, but it keeps sending mails out from her account. So I think someone outside is connecting to my mail server and sending out emails without logging in with her account.
 
LVL 76

Accepted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 39238726
 
LVL 1

Author Comment

by:crcsupport
ID: 39238971
It looks like the account was hacked. I just checked the queue again, and I don't see emails going out with her account.
Alan Hardisty, thanks for the article. I need to set an account lockout policy so that a hacker can't run brute force against our Exchange server.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39239002
Yes - always a good plan, plus setting strong passwords and forcing regular changes is also a good way to minimise hacked accounts.

Alan
