SV650.org - SV650 & Gladius 650 Forum



Old 14-04-10, 05:35 PM   #1
Dave20046
Who likes MS exchange (2003) ?

Again, pushing the boundaries with what I can use the .org for, but I'm having a bit of a mare with exchange 2003 and it's not my forte...

Basically all emails stopped working. I thought "oh dear"; the exchange server had been blacklisted and, surprise surprise, I found a good 100,000+ queued up 'postmaster' emails. Not a problem, I thought, it's just a non-delivery report attack; I'll remove the malware and all will be dandy. Anyhoo, I double and triple scanned the exchange box and its connected machine with all anti-malwares under the sun; unsurprisingly they both had a few viruses on and the client machine had a spammer on. Removed these, went back to my server and it's still generating these mails (however I've noted they're not 'postmaster' sort emails anymore, they're spoofed senders, i.e. PayPal to random recipients). I've unplugged the client machine and so long as the exchange box has an internet connection it still tries to spam its little heart out, so the server's the problem... however that's where I'm at a bit of a loss. It's not been set to an open relay as far as I can determine and no anti-malware software can detect anything amiss on it.

However, something I have noticed is that in the server security logs I had an 'anonymous login' logged from the workstation that had the spammer on (and a rootkit too actually, plus a few viruses). Some time after that, a user promoted themselves to having full control of the server; this user is an old member of staff's account and is no longer used (although it was not disabled previously), and this same user has been logging in every few hours since that event for a few seconds. I've now stripped their rights, disabled the account and locked down all other logins.

Just throwing it out there in case anyone's interested/inclined to help.

Many athankyous

Last edited by Dave20046; 14-04-10 at 05:37 PM.
Old 14-04-10, 06:13 PM   #2
Bluefish
Re: Who likes MS exchange (2003) ?

Just unplug it then plug it back in
Old 14-04-10, 06:15 PM   #3
Dave20046
Re: Who likes MS exchange (2003) ?

Tried it; no one suggest kicking it or putting Quavers in the disk drive either.
Old 14-04-10, 06:56 PM   #4
pookie
Re: Who likes MS exchange (2003) ?

Are you sure it's not a virus on another machine spoofing emails from your domain and you are receiving the non-delivery messages? I know that an infected machine will try and send out through another mail server over port 25 and thus end up blacklisting your IP address. You can block it at the firewall end and stop all outbound port 25 connections except from your mail server if this is the case. Then check the logs for infected machines which try to connect out over port 25.

Otherwise try and clean your server again.
Old 14-04-10, 07:16 PM   #5
Dave20046
Re: Who likes MS exchange (2003) ?

Quote:
Originally Posted by pookie
Are you sure it's not a virus on another machine spoofing emails from your domain and you are receiving the non-delivery messages? I know that an infected machine will try and send out through another mail server over port 25 and thus end up blacklisting your IP address. You can block it at the firewall end and stop all outbound port 25 connections except from your mail server if this is the case. Then check the logs for infected machines which try to connect out over port 25.

Otherwise try and clean your server again.
Every machine was (and currently is) disconnected from the network; only the server was connected to the network (therefore only the router and server on the network) and it was still despatching these emails.
The server has been scanned with: SUPERAntiSpyware, Malwarebytes, Microsoft Malicious Software Removal, AVG Small Business Server and Spybot Search and Destroy (all up to date).

I know it's likely I'm falling for a red herring, but these security logs are very fishy. Why was this unused account logging in every hour (at least), 24 hours a day, for a few seconds? Surely related? Well, anyway, that stopped being logged after I disabled the account. The current logs only show system events and *computername*% every so often.

The firewall's pretty limited in that it's just a domestic-style D-Link router with the SMTP port open. I'll have another explore and see if I can make sure it's only taking connections from the server; however, with all clients unplugged, they must be coming from the server anyway?

I've temporarily changed the SMTP connector settings in order to clear the queues; I'm going to correct those in a sec and have a play with telnet.

Last edited by Dave20046; 14-04-10 at 08:25 PM.
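
The pattern Dave describes in the security logs (a dormant account that logs on for a few seconds at a near-constant interval, plus an earlier anonymous logon from the infected workstation) can be picked out of the logon/logoff events mechanically. The following is an added example, not code from the thread or from Exchange: the event tuples, account name "oldstaff" and workstation names are constructed sample data, and the duration/jitter thresholds are assumptions to tune against real logs.

```python
from datetime import datetime
from statistics import pstdev

# Constructed sample of Windows security-log logon/logoff events (not real data):
# (timestamp, event, account, source workstation)
EVENTS = [
    ("2010-04-13 02:00:05", "logon",  "ANONYMOUS LOGON", "WS-SALES"),
    ("2010-04-13 02:01:10", "logon",  "oldstaff", "WS-SALES"),
    ("2010-04-13 02:01:18", "logoff", "oldstaff", "WS-SALES"),
    ("2010-04-13 03:01:12", "logon",  "oldstaff", "WS-SALES"),
    ("2010-04-13 03:01:21", "logoff", "oldstaff", "WS-SALES"),
    ("2010-04-13 04:01:09", "logon",  "oldstaff", "WS-SALES"),
    ("2010-04-13 04:01:16", "logoff", "oldstaff", "WS-SALES"),
    ("2010-04-13 05:01:11", "logon",  "oldstaff", "WS-SALES"),
    ("2010-04-13 05:01:20", "logoff", "oldstaff", "WS-SALES"),
    ("2010-04-13 08:30:00", "logon",  "dave", "WS-DAVE"),   # normal working day
    ("2010-04-13 17:45:00", "logoff", "dave", "WS-DAVE"),
]

def sessions(events):
    """Pair each logon with the next logoff of the same account.
    Returns {account: [(start_time, duration_seconds), ...]}."""
    open_logon, result = {}, {}
    for ts, kind, account, _ws in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "logon":
            open_logon[account] = t
        elif kind == "logoff" and account in open_logon:
            start = open_logon.pop(account)
            result.setdefault(account, []).append((start, (t - start).total_seconds()))
    return result

def beacon_like_accounts(events, max_seconds=60, min_sessions=3, jitter_seconds=120):
    """Accounts whose sessions are all short and recur at a near-constant interval.
    Returns {account: mean_interval_seconds}. Thresholds are assumed defaults."""
    flagged = {}
    for account, sess in sessions(events).items():
        if len(sess) < min_sessions or any(d > max_seconds for _, d in sess):
            continue
        starts = sorted(s for s, _ in sess)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        if pstdev(gaps) <= jitter_seconds:        # regular spacing, not human-like
            flagged[account] = round(sum(gaps) / len(gaps))
    return flagged

def anonymous_logons(events):
    """(timestamp, workstation) of every anonymous logon, the earlier red flag in post #1."""
    return [(ts, ws) for ts, kind, acct, ws in events
            if kind == "logon" and acct.upper() == "ANONYMOUS LOGON"]
```

Running it over the sample flags "oldstaff" with an hourly cadence and lists the single anonymous logon from the same workstation; a real run would feed parsed Security event log entries in the same tuple shape.
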
Old 14-04-10, 07:18 PM   #6
Dave20046
Re: Who likes MS exchange (2003) ?

I've also changed the router admin login credentials and wifi passkey (extremely secure); the building and network is otherwise locked/secure (apart from the internet).