Jack Cretney

I have an exchange server that is sending multiple spam messages

I have an old Exchange server 2003 that starts sending out garbage emails at a rate of 3 a minute.  After 10 minutes the SMTP connector stops responding and it cannot be restarted without restarting the entire system.  I have run virus scans using Malwarebytes on all systems and can say that everything on the network is clean.  We own 5 different Public IP addresses but only have need for one.  We have been blacklisted because of this activity so I have changed the MX records to point at a new IP address.  This obviously fixes the blacklisting but we still get the surge of bad messages.  I went and deleted thousands of messages in the queue folder.  I have made many changes to the SMTP connector for relaying, and where things stand right now is all users are at least receiving mail but all outgoing mail sits in the outgoing queues but will go if I force the connection on a specific address.  In the queue I am seeing the bad messages but I am not forcing them.  The one difference with this site is that they are not forwarding to a smarthost; they are using DNS to route address space.
Any ideas??  This server will be replaced next year.
SBSExchange


8/22/2022 - Mon
Scott C

Well first of all you cannot be certain that the system is clean.  Both Windows Server 2003 and Exchange 2003 are no longer receiving security updates from Microsoft, so it's entirely possible the system has been compromised.

Just because Malwarebytes says the server is clean doesn't mean it really is.  

I know budgets are a concern but getting rid of this system next year is a bad idea.  You need to get rid of this system now.  Security issues will only become a bigger problem the longer you wait.

I work for an MSP and some of our clients have been dragging their heels on upgrading and now they are paying the price.
Jack Cretney

ASKER
The problem is the firm is pretty much disbanding because of attrition.  The main guys are retiring and just want to make it to the end of the year.  Then the company changes owners and the money will be there. I need to figure a way to put a band aid on this one.
Scott C

How many users are we talking about here?  Would a move to Office 365 be an option?

You can still keep the same domain name and continue on for the rest of the year.

The only reason I'm suggesting this is because we don't know your system hasn't been compromised and there might not be a Band-Aid for this.

If it's a small number of users you could get this taken care of in a day.

Example of how easy to set this up here:

https://www.youtube.com/watch?v=oxit12z9sd4

Costs would be minimal.
Jack Cretney

ASKER
I have set up other accounts with Office 365 so I am familiar with setting up the domain.  If there is nothing else I can do about the existing exchange server it might be my only recourse.
Scott C

Ok.  Maybe we can narrow this down a bit.  I've been thinking about it.

It's possible that the server is compromised but maybe it's not.  What we can do to narrow it down would be to turn off ALL of the clients and see if the SPAM is still being sent.

If it is, then you know it's the server.  If the Spam stops, then you know it's originating with a client.

Turn them on one by one until the Spam starts again.

If this pans out you can then turn your attention to that client or clients.
Jack Cretney

ASKER
I should have added that to my description. I had all workstations powered off at the end of the day.  At night I cleared the queues and rebooted the server and I still had junk mail errors in the application event log afterwards. It seems to have cleared up some when I changed a few things with my SMTP connector settings with regards to relaying.  I can't find a pattern.
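
Added example, not part of the thread: one way to check the question raised above (whether the messages are submitted by some other host or originate on the server) is to tally the SMTP virtual server's W3C log by submitting IP. It assumes W3C extended logging is enabled with the fields shown; the sample rows, domains and address ranges are constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample (not from the thread) in W3C extended log format.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2022-01-01 02:10:01 203.0.113.50 mail.other.test SMTPSVC1 RCPT +TO:<user@example.test> 250
2022-01-01 02:11:00 203.0.113.77 host77 SMTPSVC1 MAIL +FROM:<x@spam.test> 250
2022-01-01 02:11:01 203.0.113.77 host77 SMTPSVC1 RCPT +TO:<a@other.test> 250
2022-01-01 02:11:02 203.0.113.77 host77 SMTPSVC1 RCPT +TO:<b@other.test> 250
2022-01-01 02:11:03 203.0.113.77 host77 SMTPSVC1 RCPT +TO:<c@third.test> 550
2022-01-01 02:12:00 192.168.1.25 ws12 SMTPSVC1 RCPT +TO:<d@other.test> 250
2022-01-01 02:12:05 198.51.100.4 - OutboundConnectionCommand RCPT +TO:<a@other.test> 0
"""

def parse_w3c(text):
    """Yield one dict per log row, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def accepted_nonlocal_rcpt(text, local_domains, internal_nets):
    """Count accepted RCPT commands for non-local recipients, per submitting IP."""
    local = {d.lower() for d in local_domains}
    nets = [ip_network(n) for n in internal_nets]
    counts = Counter()
    for row in parse_w3c(text):
        if row["s-sitename"].startswith("Outbound"):  # the server's own deliveries
            continue
        if row["cs-method"].upper() != "RCPT" or row["sc-status"] != "250":
            continue
        domain = row["cs-uri-query"].rsplit("@", 1)[-1].rstrip(">").lower()
        if domain in local:  # ordinary inbound mail
            continue
        ip = ip_address(row["c-ip"])
        origin = ("server" if ip.is_loopback
                  else "internal" if any(ip in n for n in nets) else "external")
        counts[(origin, str(ip))] += 1
    return counts.most_common()

if __name__ == "__main__":
    for (origin, ip), n in accepted_nonlocal_rcpt(
            SAMPLE_LOG, ["example.test"], ["192.168.1.0/24"]):
        print(f"{origin:8} {ip:15} {n}")
```

An "external" address with accepted non-local recipients means the server is relaying for an outside host; an "internal" one points at a workstation or device on the LAN. If neither appears while the queues keep filling, the messages are not arriving over SMTP from another machine.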