General discussion


Exchange 2003 Rogue outgoing emails

By denis.cadogan ·
I am running SBS 2003 with Exchange 2003; this computer connects to the
internet through ISA Server, which resides on another W2K server. Over the past
few weeks lots of messages are in the queue that don't seem to be real. Here
is some information that I have put together to help:

SBS Connector - 0451.com 22 messages to random usernames@0451.COM (INVALID
EMAIL) from postmaster@disability-federation.ie
SBS Connector - 0733.com 10 messages to random usernames@0733.COM (INVALID
EMAIL)
SBS Connector - 006.com - Sender: postmaster@disability-federation.ie -
Subject: <Subject Hidden> - Recipients: SMTP:andy-w@006.com;

The above are a few samples of the messages that are found in the queue. Could the Exchange server be compromised in some way?
Could someone please advise?
Many Thanks

Denis Cadogan


6 total posts (Page 1 of 1)  

by CG IT In reply to Exchange 2003 Rogue outgo ...

Sounds like it, but if Exchange is configured not to relay and is behind a properly configured ISA server, then someone hacking in is remote at best.


I'd say inside job. Someone is sending junk mail out and because Exchange won't relay, they may get stuck.


by CG IT In reply to Exchange 2003 Rogue outgo ...

usernames@0451.COM isn't your domain. disability-federation.ie is your domain.

0451.com on a whois lookup comes up with this result.

Domain Name:0451.com

Registrant:
Heilongjiang Public Information Industrail Co.LTD

Administrative Contact:
Jin XueHua
Heilongjiang Public Information Industiral Co.Ltd
China

ISA Server is a pretty secure perimeter firewall and proxy server. I find it difficult to believe that a hacker was able to get past ISA without some heavy-duty, lengthy, determined effort that should have been noticed.

Do an AV scan. Check and double-check user accounts. Check the security logs.


by CG IT In reply to

I'd do an online AV check with some of the online AV services like Symantec, just to make sure that your AV isn't missing a trojan or other malicious program.


by evkuo In reply to Exchange 2003 Rogue outgo ...

You should look into the queue and see if you can open some of them up. I usually just browse to the %ExchangeRoot%\Mailroot\vsi 1\Queue


by evkuo In reply to

Sorry about that. Hit submit too soon...


by evkuo In reply to Exchange 2003 Rogue outgo ...

You should look into the queue and see if you can open some of them up. I usually just browse to the %ExchangeRoot%\Mailroot\vsi 1\Queue directory, and you should be able to see them if they're just queued up (check Exchange System Manager and look at the queues). They're just text files, so you should be able to open them up in Notepad or whatever.

Since these are all from postmaster, they could all be NDRs from someone trying to spam your server.
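The NDR-backscatter pattern evkuo describes can be triaged mechanically once the queue entries are reduced to sender/recipient pairs. The following Python script is an added example, not code from the thread or from any Exchange tool; the `sender -> recipient` line format and the sample entries are constructed to mirror the queue samples quoted above, and the local domain is passed in as a parameter.

```python
import re
from collections import Counter, defaultdict

# Constructed sample queue, one "sender -> recipient" pair per line, modelled
# on the entries quoted in the thread (the local-parts are made up).
SAMPLE_QUEUE = """
postmaster@disability-federation.ie -> qk3x9@0451.com
postmaster@disability-federation.ie -> ab7t2@0451.com
postmaster@disability-federation.ie -> zz01p@0451.com
postmaster@disability-federation.ie -> andy-w@006.com
bob@disability-federation.ie -> sales@example.net
someone@spammer.example -> victim@0733.com
"""

LINE = re.compile(r"^\s*(\S+)@(\S+)\s*->\s*(\S+)@(\S+)\s*$")

def classify(entry, local_domain):
    """Triage one queued message into a category string:
    backscatter   - NDR from our postmaster to an external address (a spammer
                    forged someone else's address as sender and we bounced it)
    outbound-user - a real local mailbox sending outside; review that account
    relay         - neither side is local; the server relayed for strangers
    internal      - local to local, normally harmless
    """
    m = LINE.match(entry)
    if not m:
        return "unparsed"
    s_user, s_dom, _r_user, r_dom = (x.lower() for x in m.groups())
    local = local_domain.lower()
    if s_dom == local and r_dom == local:
        return "internal"
    if s_dom == local and s_user in ("postmaster", "mailer-daemon"):
        return "backscatter"
    if s_dom == local:
        return "outbound-user"
    return "relay"

def triage(queue_text, local_domain):
    """Return (category counts, destination-domain counts per category)."""
    cats, dests = Counter(), defaultdict(Counter)
    for line in filter(str.strip, queue_text.splitlines()):
        cat = classify(line, local_domain)
        cats[cat] += 1
        m = LINE.match(line)
        if m:
            dests[cat][m.group(4).lower()] += 1
    return cats, dests

if __name__ == "__main__":
    counts, by_dest = triage(SAMPLE_QUEUE, "disability-federation.ie")
    for cat, n in counts.most_common():
        print(f"{cat:14} {n:3}  {dict(by_dest[cat])}")
```

A large backscatter count to a handful of unrelated domains points at bounced spam rather than a compromised mailbox, whereas any entries in the relay category mean the non-relay configuration CG IT assumes is not actually in effect.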
