Exchange Server Forums


Hack issue

All Forums >> [Microsoft Exchange 2003] >> Server Security >> Hack issue Page: [1]
Hack issue - 8.Apr.2008 12:45:45 PM   
guitarman

 

Posts: 141
Joined: 9.Jan.2006
Status: online
There was a user that we had working for us that left on bad terms. He is now somehow flooding us with emails and attachments. The following message is what it says:


This is an automatically generated Delivery Status Notification.
Your message has been successfully relayed to the following recipients, but the requested delivery status notifications may not be generated by the destination.
2k.karimkhalil@gmail.com

The user logged in to our terminal server. I see the emails coming in to the outbox of his email account and then they are sent. There is no rule configured whatsoever. When I go in to the email options to try and change the behaviour of send/receive I can uncheck the send immediately when connected, but when I click on the send/receive button nothing happens and I can't get in to it. Obviously this person has done something. Nothing is evident in Add/Remove Programs that they have installed a third party program. I can find nothing in Task Manager of a process running that would do this.

The message is generated from postmaster. I can't find out the source of this but I need to stop this flooding. Does anyone have any ideas?



< Message edited by guitarman -- 8.Apr.2008 1:00:59 PM >
Post #: 1
RE: Hack issue - 8.Apr.2008 1:55:06 PM   
uemurad

 

Posts: 5489
Joined: 7.Jan.2004
From: California, USA
Status: online
I don't completely understand what is happening, but I'd start by doing everything possible to block his access to your systems.  Why can he still log in to your Terminal Server?  Why does he still have an active Email account?  If he can authenticate into your AD domain, he could still launch an attack by using telnet and SMTP commands.

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to guitarman)
Post #: 2
RE: Hack issue - 8.Apr.2008 2:04:10 PM   
guitarman

 

Posts: 141
Joined: 9.Jan.2006
Status: online
He can't log in. I have changed the password but my company wanted to keep the account active as there are still clients sending email to that address. When I logged on to his account I could see emails going in to the outbox automatically. They were being relayed to his gmail account. The account would then get the following message back.

This is an automatically generated Delivery Status Notification.
Your message has been successfully relayed to the following recipients, but the requested delivery status notifications may not be generated by the destination.
2k.karimkhalil@gmail.com

When I opened up the text attachment with this email from the postmaster this is what I would see:

Reporting-MTA: dns;mail.frontlinefocus.com
Final-Recipient: rfc822;2k.karimkhalil@gmail.com
Action: relayed
Status: 2.5.0
X-Display-Name: '2k.karimkhalil@gmail.com'

There was also an attachment named "Untitiled" that contained emails and company information that was being sent back to his gmail account. Obviously stealing company information.

(in reply to uemurad)
Post #: 3
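
Added example, not part of the original thread: a small Python tally of delivery-status bodies like the one pasted in the post above, counting successful hand-offs to addresses outside the organisation. The sample reports, the `example.com` / `example.net` names and the `INTERNAL_DOMAINS` set are constructed assumptions.

```python
import email
import re
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}  # assumption: SMTP domains your organisation owns

# Constructed delivery-status bodies (not taken from the thread). The third has no
# blank line after Reporting-MTA, matching the layout of the text pasted in the post.
SAMPLE_REPORTS = [
    "Reporting-MTA: dns;mail.example.com\n\n"
    "Final-Recipient: rfc822;former.employee@webmail.example.net\n"
    "Action: relayed\nStatus: 2.5.0\n",
    "Reporting-MTA: dns;mail.example.com\n\n"
    "Final-Recipient: rfc822;colleague@example.com\n"
    "Action: delivered\nStatus: 2.0.0\n",
    "Reporting-MTA: dns;mail.example.com\n"
    "Final-Recipient: rfc822;Former.Employee@webmail.example.net\n"
    "Action: relayed\nStatus: 2.5.0\n",
]

def parse_delivery_status(text):
    """Return one dict per Final-Recipient found in a delivery-status body."""
    recipients, mta = [], None
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        msg = email.message_from_string(block.strip() + "\n")
        fields = {k.lower(): v.strip() for k, v in msg.items()}
        mta = fields.get("reporting-mta", mta)  # per-message field, carried forward
        if "final-recipient" in fields:
            # Value is "<address-type>;<address>", e.g. "rfc822;user@host"
            address = fields["final-recipient"].split(";", 1)[-1].strip().lower()
            recipients.append({"mta": mta, "address": address,
                               "action": fields.get("action", "").lower(),
                               "status": fields.get("status", "")})
    return recipients

def is_internal(domain, internal=INTERNAL_DOMAINS):
    return any(domain == d or domain.endswith("." + d) for d in internal)

def external_relays(reports):
    """Count successful hand-offs (relayed/delivered/expanded) to outside addresses."""
    hits = Counter()
    for text in reports:
        for r in parse_delivery_status(text):
            domain = r["address"].rpartition("@")[2]
            if r["action"] in {"relayed", "delivered", "expanded"} and not is_internal(domain):
                hits[r["address"]] += 1
    return hits
```

Feed it the text attachments saved from the postmaster notifications; a single outside address with a steadily growing count points at a forwarding setting rather than an interactive session.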
RE: Hack issue - 8.Apr.2008 2:17:16 PM   
uemurad

 

Posts: 5489
Joined: 7.Jan.2004
From: California, USA
Status: online
First - Forwarding:  That can only be configured in AD for the user object, or in Outlook using mailbox rules.  Once you remove any forwarding from those two places, no one without access to your systems can reinstate it.

Second - The account:  Is there a reason to keep the actual account?  You can move the SMTP address to any other AD object.  What is your company doing with the Email still coming in?

_____________________________

Regards,

Dean T. Uemura
Microsoft MVP - Exchange
exchangeguy.blogspot.com
uemurad@yahoo.com

(in reply to guitarman)
Post #: 4
RE: Hack issue - 8.Apr.2008 6:49:24 PM   
rprewitt

 

Posts: 18
Joined: 4.Apr.2008
Status: offline
Sounds to me like he may not be accessing his account.

He set up a forwarding address and those emails that you were reading with company information are probably just a notification of a regular email being forwarded.

In Active Directory Users and Computers:
1: First check the forwarding status on the account
Go to the account in question, go to properties, go to the Exchange General tab, click the Delivery Options button, in the forwarding address section, make sure that it's selected as none.  (My money says that his gmail account is listed there)


What I do when an employee leaves and I have to keep the email account active:

In Active Directory Users and Computers:
2: If you have to keep his email active for incoming emails do this:
Find out who needs the emails, change the former employee's email address to something obscure, basically nulling his account.  Go to the Email Addresses tab and edit his email address to a series of numbers/letters, doesn't matter what. Then go to the properties of the account that you want to receive his emails and go to the Email Addresses tab and add the former employee's email address.  Just remember to hide the former employee's email account from your company address book.  Exchange Advanced tab, check the hide from address book option.  When you no longer need the emails from that account, just remove that email address from his list.

(in reply to uemurad)
Post #: 5
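
Added example, not part of the original thread: the Delivery Options check from step 1 above, run across a whole directory export instead of one account at a time. It relies on the forwarding target being stored in the user's `altRecipient` attribute (the DN of another recipient, with `deliverAndRedirect` controlling whether a copy is kept) and on external targets being mail-enabled contacts carrying a `targetAddress`; the LDIF sample, names and `INTERNAL_DOMAINS` are constructed assumptions.

```python
import re

INTERNAL_DOMAINS = {"example.com"}  # assumption: SMTP domains your organisation owns

# Constructed LDIF (not from the thread), in the shape ldifde writes when exporting
# mail, altRecipient, deliverAndRedirect and targetAddress for users and contacts.
SAMPLE_LDIF = """\
dn: CN=Former Employee,OU=Staff,DC=example,DC=com
mail: former.employee@example.com
altRecipient: CN=FE Personal,OU=Contacts,DC=example,DC=com
deliverAndRedirect: TRUE

dn: CN=FE Personal,OU=Contacts,DC=example,DC=com
targetAddress: SMTP:former.employee@webmail.example.net

dn: CN=On Leave,OU=Staff,DC=example,DC=com
mail: on.leave@example.com
altRecipient: CN=Team Lead,OU=Staff,DC=example,DC=com

dn: CN=Team Lead,OU=Staff,DC=example,DC=com
mail: team.lead@example.com
"""

def parse_ldif(text):
    """Map lower-cased DN -> {attribute: first value}. Base64 (attr::) values are skipped."""
    text = re.sub(r"\r?\n ", "", text)  # unfold values continued on a line starting with a space
    entries = {}
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#") and not value.startswith(":"):
                attrs.setdefault(name.strip().lower(), value.strip())
        if "dn" in attrs:
            entries[attrs["dn"].lower()] = attrs
    return entries

def external_forwards(entries, internal=INTERNAL_DOMAINS):
    """List mailboxes whose forwarding target is outside `internal` or cannot be resolved."""
    findings = []
    for attrs in (a for a in entries.values() if "altrecipient" in a):
        target = entries.get(attrs["altrecipient"].lower(), {})
        # Contacts carry "SMTP:user@host" in targetAddress; mailboxes have plain mail
        address = (target.get("targetaddress") or target.get("mail") or "").split(":", 1)[-1].lower()
        domain = address.rpartition("@")[2]
        if not address or not any(domain == d or domain.endswith("." + d) for d in internal):
            findings.append({"mailbox": attrs.get("mail", attrs["dn"]),
                             "forwards_to": address or "UNRESOLVED: " + attrs["altrecipient"],
                             "keeps_copy": attrs.get("deliverandredirect", "").upper() == "TRUE"})
    return findings
```

Mailbox rules created in Outlook are stored in the mailbox rather than in these attributes, so a clean result here does not rule out rule-based forwarding.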
