Exchange 2003 random internal e-mail addresses in outgoing queue

Posted on 2013-06-24
Last Modified: 2013-06-24
Hey guys,

My client is running Exchange 2003 SBS (I just took them on). Their outgoing Exchange queues are hacked with RANDOM internal e-mail addresses (xyaj38s@company.com).

I've enabled sender/recipient filtering, ensured it's not an open relay, scanned the server for viruses (did find a backdoor trojan on it, I believe it's removed). I also changed everyone's passwords... Turned off Windows authentication.

The queues are still filling up. Is it possible someone's machine in the office is compromised?

Anything else I should look at?

Thanks guys.
Question by: tamaneri

Accepted Solution

Glen Knight earned 668 total points
ID: 39271769
Looks like you've done most of everything else.  I'd say the next place to look is definitely the client machines.

Assisted Solution

jbvernej earned 668 total points
ID: 39271825

The messages in your queues: do they seem to be fake NDR (Non-Delivery Report) messages, i.e. an NDR for a message that was never sent?
If yes, you could be under an external NDR attack.

Here is a procedure to clean up:
KB886208 - Exchange queues fill with many non-delivery reports from the postmaster account in Small Business Server 2003

Assisted Solution

Manpreet Singh Khatra earned 664 total points
ID: 39271841
Restart the services or the server and check.

- Rancy

Author Closing Comment

ID: 39272513
Thanks for the input guys.

Turns out it was a root-kit on the server itself. I ran the following programs to remove all of the malware/viruses/rootkit:

2) TDSS Killer
3) Kaspersky Virus Removal Tool (just to ensure it was clean).

The virus/root-kit that TDSSKILLER found was a file called sbscrexe.exe in c:\windows\system32.

Thanks for your help in this matter. Queues look like they're going to remain clean.

Author Comment

ID: 39272948
Just to update you guys... It took a couple of hours, but I have some more messages in the queues. I didn't have much time to spend looking at the client machines while I was on site today. I've instructed them to turn off their computers when they leave for the day so I can determine if it's a server-related hacking issue, or a desktop virus/malware causing the problem.
