

Spam emails being sent out through my Exchange 2010 server

Posted on 2016-10-18
Medium Priority
Last Modified: 2016-10-24
I have an Exchange 2010 server and it is now sending out emails by the hundreds from one internal email address that we actually use for our backups.  It is backup@xxxxx.com.  I need help getting this to stop or correcting this.  I am just not sure where to go.  This is actually an email address that we used to use and have but no longer do.

Question by:Lanee Kirby
LVL 97

Expert Comment

by:John Hurst
ID: 41848797
One of your machines has been hacked and is the culprit.

Can you look at the Exchange Logs and see who (what machine) is sending out the emails via Exchange?
LVL 42

Expert Comment

by:Adam Brown
ID: 41848825
Also make sure your port 25 receive connector isn't configured as an open relay. If you've configured an Open Relay connector for internal devices, make sure it isn't set up to allow access from the Internet.
LVL 63

Accepted Solution

Simon Butler (Sembee) earned 2000 total points
ID: 41848869
I would disagree that it would be a hacked machine - unless the reference is to the Exchange server itself. A hacked machine simply doesn't send email via the Exchange server - that is too much hassle.

My bet is that the account has been compromised - backup@ is on the list of most frequently abused names (I maintain a list based on information from one of my client systems that logs the attacks). As Exchange will allow authenticated relaying if you have enabled it on the receive connector, that is the most likely case.

Therefore the first thing you need to do is change the password on that account. Even if that means reconfiguring backups everywhere else, until you change the password there is nothing you can do to stop the flow.
Once the account has been changed, restart MS Exchange transport. That will break the connection.

As the emails are all from the same user, removing them is easy.
Start with this blog posting:

You will probably have to adjust the parameters to catch the messages if the from field is the same. It will probably take two or three runs to get all of the messages cleared.

If you don't need authenticated relaying enabled on port 25, then disable it - which is the default configuration.
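
Added example, not part of the original answer or of the blog post it points to: one way to run the steps above, plus the log check suggested earlier in the thread, from the Exchange Management Shell. The address `backup@example.com`, the account name `backup` and the 24-hour window are placeholders, and the ActiveDirectory module is assumed to be available on the server.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 transport server.
# Assumed values (not from the thread): replace with your own.
$Sender  = 'backup@example.com'   # placeholder for the abused address
$Account = 'backup'               # hypothetical sAMAccountName of that mailbox
$Since   = (Get-Date).AddDays(-1)

# 1. Where does the mail enter? RECEIVE events with Source "SMTP" arrived over a
#    receive connector; ClientIp is the submitting host. An external ClientIp
#    means the messages are being submitted from outside your network.
Get-MessageTrackingLog -Sender $Sender -EventId RECEIVE -Start $Since -ResultSize Unlimited |
    Group-Object Source, ClientIp, ConnectorId |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Audit every receive connector: what it listens on, who may connect,
#    which authentication it offers and which permission groups it accepts.
Get-ReceiveConnector |
    Format-Table Identity, Bindings, RemoteIPRanges, AuthMechanism, PermissionGroups -AutoSize -Wrap

# 3. Open-relay check: list connectors where anonymous sessions hold the
#    "accept any recipient" right. None of these should face the Internet.
Get-ReceiveConnector | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' } |
    Format-Table Identity, User, ExtendedRights -AutoSize

# 4. Reset the password, then restart transport so sessions that are
#    already authenticated are dropped.
Import-Module ActiveDirectory
Set-ADAccountPassword -Identity $Account -Reset `
    -NewPassword (Read-Host -AsSecureString 'New password')
Restart-Service MSExchangeTransport

# 5. Clear the backlog: suspend the messages, check how many match,
#    then delete them without generating NDRs.
$Filter = "FromAddress -eq '$Sender'"
Suspend-Message -Filter $Filter -Confirm:$false
(Get-Message -Filter $Filter -ResultSize Unlimited | Measure-Object).Count
Remove-Message -Filter $Filter -WithNDR $false -Confirm:$false
```

Steps 1 to 3 are read-only and can be run before anything is changed; re-run step 5 until the count returns 0.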

Expert Comment

by:Naushad shaikh
ID: 41848870
First change the password of that account and if you are not using that account disable it.

Then start working on spam prevention and loopholes in your environment.

Author Comment

by:Lanee Kirby
ID: 41848903
I have checked the logs and it appears as if we are being a relay for another external server. I did find several connectors that did have externally secure checked and I have now corrected that and I have made sure to uncheck anonymous from the permissions that several connectors had checked. I have rebooted my server but the email queue is still growing by about 2-3 messages a minute. I am not sure what else to try. Any other suggestions?
LVL 97

Expert Comment

by:John Hurst
ID: 41848919
Are the new emails (queue growing) also from an external source?

Author Comment

by:Lanee Kirby
ID: 41848923
Thanks. That did it. Changed the password and made the necessary corrections to the connectors. Thanks all!
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41848925
The queues growing is to be expected, but that doesn't mean the problem is still there.
The Exchange queue viewer is not capable of displaying everything that is in the queue when there are a large number of messages in the queue.

Therefore as emails are delivered, more are shown. I have seen queues "grow" on a system that is completely disconnected from the internet because of that fact, so don't worry on that score.

Have you changed the password for that account? If not, then you need to - anything else is a waste of time until you do.

Author Comment

by:Lanee Kirby
ID: 41848957
I did change the password for that account and no more messages in the queue.  However, now I cannot receive any external email.  Ugh!
LVL 97

Expert Comment

by:John Hurst
ID: 41848962
Check the main Exchange setup for that

Author Closing Comment

by:Lanee Kirby
ID: 41857363
Finding the account that was compromised and changing the password fixed my issue.  Thanks so much!!


Question has a verified solution.
