SMTP junk mailing - any thoughts?

By Assamite ·
Situation,
A client I support has a Windows 2K domain (SP4 on all) with AD, running an Exch2K server SP3. Until last week everything was running smoothly, then for some reason BT blocked SMTP relaying (now resolved); however, outbound mail backed up, so no notice was taken of the outbound queue. Having restored connectivity, the queue remained huge, and after examining outbound messages it seems a SPAM MAILER has integrated itself into the SMTP service. Anyone else had this problem, and how did you resolve it? Can't uninstall Exch or Service pack as it says component missing. Everything else works fine; the mailer is local to the server, however no AV, trojan, or examination of folders turns up anything new.


by compgirlfhredi In reply to SMTP junk mailing - any t ...

Exactly WHAT component is missing?

by Assamite In reply to

Doesn't say, suspect SMTP component

by compgirlfhredi In reply to SMTP junk mailing - any t ...

Someone has figured out the password to one of your accounts and is using it to authenticate. The correct solution is to figure out which account is compromised and either disable it or set a strong password on it.

A compromised password can be used for more than just mail relay so you REALLY need to figure out which account is compromised.

You will need to turn back on allow authenticated relay first.

Exact steps for Exchange 2000/2003:
Start->Programs->Microsoft Exchange->System Manager
Find your internet facing server
Select its properties (either select it and type <alt><enter> or hit the property button)
Select the Diagnostics Logging Tab
Select MSExchangeTransport
(Exchange 2000) Select SMTP Protocol
(Exchange 2003) Select Authentication
Change logging to maximum
Hit Apply
Start->Programs->Administrative Tools->Event Viewer
Select Application Log
Select View menu item
Select Filter
Change source event to MSExchangeTransport
Look for Event ID 1708 for suspicious successful logons.
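
The log review described in the answer above can be scripted once the filtered Application log is exported from Event Viewer as CSV. This is an added example, not part of the original posts: the column layout, the wording of the event 1708 description, the host and account names, and the function names are all assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample: Application log exported from Event Viewer as CSV.
# Assumed columns: date,time,source,type,category,event,user,computer,description.
# The description wording is an assumption; adapt AUTH_RE to your server's text.
SAMPLE_LOG = r'''
3/14/2005,09:02:11,MSExchangeTransport,Information,SMTP Protocol,1708,N/A,MAIL01,"SMTP Authentication was performed successfully with client ""WS-ACCOUNTS"". The authentication method was NTLM and the username was CORP\jsmith."
3/14/2005,02:11:07,MSExchangeTransport,Information,SMTP Protocol,1708,N/A,MAIL01,"SMTP Authentication was performed successfully with client ""host-a.example.net"". The authentication method was LOGIN and the username was CORP\backup."
3/14/2005,02:11:49,MSExchangeTransport,Information,SMTP Protocol,1708,N/A,MAIL01,"SMTP Authentication was performed successfully with client ""host-b.example.net"". The authentication method was LOGIN and the username was CORP\backup."
3/14/2005,02:12:30,ExampleSource,Information,None,1,N/A,MAIL01,"Unrelated constructed event."
3/14/2005,02:13:02,MSExchangeTransport,Information,SMTP Protocol,1708,N/A,MAIL01,"SMTP Authentication was performed successfully with client ""host-a.example.net"". The authentication method was LOGIN and the username was CORP\backup."
'''

AUTH_RE = re.compile(r'with client "([^"]+)".*?username was (\S+?)\.?$', re.S)


def successful_logons(csv_text):
    """Yield (username, client, 'date time') for each MSExchangeTransport event 1708."""
    for row in csv.reader(io.StringIO(csv_text.strip())):
        if len(row) < 9 or row[2] != "MSExchangeTransport" or row[5] != "1708":
            continue  # not a successful SMTP authentication event
        m = AUTH_RE.search(row[8])
        if m:
            yield m.group(2).lower(), m.group(1).lower(), f"{row[0]} {row[1]}"


def suspicious_accounts(csv_text, known_clients):
    """Map account -> (logon count, sorted clients) for logons from unlisted clients."""
    known = {c.lower() for c in known_clients}
    count, clients = defaultdict(int), defaultdict(set)
    for user, client, _when in successful_logons(csv_text):
        if client not in known:
            count[user] += 1
            clients[user].add(client)
    return {u: (count[u], sorted(clients[u])) for u in count}


if __name__ == "__main__":
    # known_clients: hosts you expect to authenticate to SMTP (assumed allow-list)
    for user, (n, hosts) in suspicious_accounts(SAMPLE_LOG, ["WS-ACCOUNTS"]).items():
        print(f"{user}: {n} logons from unrecognised clients {hosts}")
```

Any account this reports is a candidate for the disable-or-reset step the answer recommends.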

by Assamite In reply to

Wasn't tracing authentication so that helped me; seems someone managed to replace the SMTP service somehow. Forced everyone to change passwords and forced the client's manager levels to ensure hard passwords are used. I've now manually removed Exchange, reinstalled, and recovered the Exchange databases so all's well. Spam stopped immediately after I replaced the Exchange install. Very odd.

by Assamite In reply to SMTP junk mailing - any t ...

This question was closed by the author
