Exchange Server 2003 being used by spammers

My exchange server ran out of space today. The log files in the 'exchsrvr\myexchangeserver.log' folder have gone from being a few MB to 5 or 6 GB each. After finding a text editor that could open these log files, I have found loads of entries for a gmail account with an IP address in there. I think this person is somehow relaying from our exchange server.

What should my next steps be to stop these requests? The log file is currently growing at a rate of about 5 MB per minute, which still seems way too fast.

Peter Hutchison (Senior Network Systems Specialist) commented:
Does your server have any anti-spam software installed?
If so, you can then add the gmail address to its blacklist to prevent it from being accepted by Exchange.
If not, you can block incoming mail and back up the server to clear the log files.
Moreno Jack commented:
I would like to confirm whether the issue has been resolved as per Peter's suggestion?
If not yet, please have a look at the links given below; they might help you.

Stop Spam From the Inside by Locking Down SMTP:

How to block open SMTP relaying and clean up Exchange Server:

Hope it helps you!

Sajid Shaik M (System Admin) commented:
It seems that your server is an open relay. Check the Admin Console and change the settings so that only messages originating from your local network are relayed. You can also limit relayed messages to authenticated users.

Best regards!
Simon Butler (Sembee) (Consultant) commented:
If the server was an open relay, then the machine would be heavily abused. This looks like an authenticated relay attack. You need to go through the event viewer to find which account has been compromised.

The log file you are referring to is Message Tracking. That can be deleted or moved if required. Do not delete any other logs.

Have you looked at your queues to see if there are messages stuck there? If you are routing out through a smart host then you will not see any though.

jamiegf (Author) commented:
We have a lot of POP3 users, so it seems I can't turn off relay. I have however created a group, added all relevant users to it, and granted that group permission to relay instead of all authenticated users.

I now cannot seem to log in as my test user account through webmail. I have used another account which was already there as I knew the password and that logs in ok, but has not received any mails all day.

Simon, what would I look for in eventvwr to see which account was compromised?

I have GFI Mailsecurity installed and running.
jamiegf (Author) commented:
Sorry, I can actually log in now. The 4th attempt worked.
The account can send and receive emails.

Would still be nice to find which account was hacked.
Simon Butler (Sembee) (Consultant) commented:
Take a look at my clean up article.

Peter Hutchison (Senior Network Systems Specialist) commented:
All messages that are sent or received through Exchange are logged in the message tracking logs. You can search through the logs by sender, recipient address and message subject. The logs are text files, so you can use the FIND command in DOS or open them in Excel to search specific logs. Alternatively, you can use System Manager to search the logs.
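
Searching the tracking logs by hand at 5 MB per minute does not scale, so here is an added example (not code from this thread or from Microsoft) that does the aggregation Peter describes: it reads an Exchange 2003 message tracking log and reports which (sender, client IP) pair is generating most of the traffic and how fast events are arriving. It assumes the Exchange 2003 tracking-log layout (comment lines starting with '#', a '# Date<TAB>Time<TAB>...' header naming the tab-separated columns, then one event per line, with a 'Time' value like '10:00:00 GMT'); the column list, date/time format, event IDs, addresses and IPs in the sample are constructed for the example, not taken from any real log.

```python
"""Triage an Exchange 2003 message tracking log for relay abuse (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Column names as they appear in the '# Date ...' header line of an Exchange 2003
# tracking log (assumed layout; the parser below reads the header, so a log with a
# different column order still works as long as the names match).
COLUMNS = ["Date", "Time", "client-ip", "Client-hostname", "Partner-Name",
           "Server-hostname", "server-IP", "Recipient-Address", "Event-ID", "MSGID",
           "Priority", "Recipient-Report-Status", "total-bytes", "Number-Recipients",
           "Origination-Time", "Encryption", "service-Version", "Linked-MSGID",
           "Message-Subject", "Sender-Address"]


def parse_tracking_log(text):
    """Yield one dict per event line, keyed by the names from the '# Date ...' header."""
    columns = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            body = raw[1:].strip()
            if body.startswith("Date\t"):      # the field-name header, not a banner line
                columns = body.split("\t")
            continue
        if columns is None:
            raise ValueError("event line encountered before the column header")
        yield dict(zip(columns, raw.split("\t")))


def _timestamp(event):
    # 'YYYY-MM-DD' plus 'HH:MM:SS GMT' (assumed); a missing zone suffix is tolerated.
    stamp = f"{event['Date']} {event['Time'].split()[0]}"
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def triage(text, min_share=0.5):
    """Summarise who is pushing mail through the server and how fast.

    Returns the event count, events per minute over the log's time span, per-(sender,
    client-ip) counts, and the pairs responsible for at least `min_share` of all
    events: in an authenticated-relay case that pair points at the abused credential
    and the source address to block.
    """
    events = list(parse_tracking_log(text))
    if not events:
        return {"events": 0, "per_minute": 0.0, "by_source": {}, "suspects": []}
    by_source = Counter()
    recipients = defaultdict(set)
    for ev in events:
        key = (ev["Sender-Address"].lower(), ev["client-ip"])
        by_source[key] += 1
        recipients[key].add(ev["Recipient-Address"].lower())
    stamps = [_timestamp(ev) for ev in events]
    span_min = max((max(stamps) - min(stamps)).total_seconds() / 60.0, 1.0)
    suspects = [{"sender": k[0], "client_ip": k[1], "events": n,
                 "distinct_recipients": len(recipients[k])}
                for k, n in by_source.most_common() if n / len(events) >= min_share]
    return {"events": len(events), "per_minute": len(events) / span_min,
            "by_source": dict(by_source), "suspects": suspects}


def _line(date, time, client_ip, recipient, sender, event_id="1019"):
    """Build one constructed event line; columns the example does not use get '-'."""
    row = {c: "-" for c in COLUMNS}
    row.update({"Date": date, "Time": time, "client-ip": client_ip,
                "Recipient-Address": recipient, "Event-ID": event_id,
                "Number-Recipients": "1", "Sender-Address": sender})
    return "\t".join(row[c] for c in COLUMNS)


# Constructed sample: three legitimate internal submissions and a burst of twelve
# messages from one external address (203.0.113.45 is a documentation-range IP).
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File",
     "# Exchange System Attendant Version 0.0.0.0 (placeholder)",
     "# " + "\t".join(COLUMNS),
     _line("2008-05-12", "10:00:05 GMT", "192.168.1.20", "bob@example.org", "alice@example.local"),
     _line("2008-05-12", "10:01:10 GMT", "192.168.1.20", "carol@example.org", "alice@example.local"),
     _line("2008-05-12", "10:03:30 GMT", "192.168.1.20", "dave@example.org", "alice@example.local")]
    + [_line("2008-05-12", f"10:{(20 * i) // 60:02d}:{(20 * i) % 60:02d} GMT", "203.0.113.45",
             f"victim{i}@example.org", "offer@gmail.example") for i in range(12)])


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['events']} events, {report['per_minute']:.1f} per minute")
    for s in report["suspects"]:
        print(f"suspect: {s['sender']} via {s['client_ip']} "
              f"({s['events']} events, {s['distinct_recipients']} recipients)")
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of one of the `exchsrvr\<server>.log` files; `triage` only needs the `Date`, `Time`, `client-ip`, `Recipient-Address` and `Sender-Address` columns, and the `suspects` list is what you would take to the relay restrictions and to the account whose credentials the sender is using.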
jamiegf (Author) commented:
Thank you. I created a group as the link advised and added authentication to the group rather than "authenticated users" and added this to relay.