Exchange Server Forums


mail server used to send spam. track down the culprit?

mail server used to send spam. track down the culprit? - 26.Mar.2008 8:58:18 AM   
cwainright

 

Posts: 9
Joined: 1.Apr.2005
From: Florida, USA
Status: offline
I've discovered that my front end mail server has been sending out SPAM and I'm having a tough time tracking down the culprit.

I'm seeing lines such as this in my front end server log:


2008-3-25 0:0:34 GMT 74.218.48.125 User - MY_SERVER MY_IP rosselly@hotmail.it 1020 MY_SERVERuylJc0xvlUQ9c000002dc@mail.MYDOMAIN.com 3 0 2122 50 2008-3-21 20:47:21 GMT 0 Version: 6.0.3790.1830 - - BPOL@bancairoma.it -

I can block the IP addresses that they are coming from; however, the source addresses keep changing and I'm more concerned as to how this is happening. I've confirmed that my server isn't running an open relay. While I haven't completely ruled out a virus on my mail server, I've been running up-to-date McAfee Enterprise Scan and Group Shield with 0 detections in the past 30 days.

The best idea I have so far is that something has obtained a user's password, possibly malware on a workstation, and is using that to authenticate and send out mail.

If this were the case, is there any way to see whose credentials are being used to send a message?  Is there anything else you can suggest?
Post #: 1
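
Added example (not part of the original post and not the poster's code): a Python sketch that groups log entries shaped like the line quoted above by client IP and keeps only relayed mail, meaning a client outside the internal network with both sender and recipient outside the local domain. The column positions, the sample lines, the `example.org` local domain and the `10.0.0.0/8` internal range are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in the whitespace-separated shape quoted in the post.
# Assumed columns: [3] client IP, [8] recipient, [10] message ID,
# [14] recipient count, second-to-last token = sender address.
SAMPLE_LOG = """\
2008-3-25 0:0:34 GMT 203.0.113.7 User - MX1 192.0.2.10 a@example.net 1020 MX1aaa1@mail.example.org 3 0 2122 50 2008-3-21 20:47:21 GMT 0 Version: 6.0.3790.1830 - - promo@bank.example -
2008-3-25 0:1:02 GMT 203.0.113.7 User - MX1 192.0.2.10 b@example.net 1020 MX1aaa2@mail.example.org 3 0 2200 50 2008-3-21 20:47:40 GMT 0 Version: 6.0.3790.1830 - - promo@bank.example -
2008-3-25 0:2:10 GMT 198.51.100.9 User - MX1 192.0.2.10 c@example.net 1020 MX1aaa3@mail.example.org 3 0 1900 40 2008-3-21 20:48:01 GMT 0 Version: 6.0.3790.1830 - - info@shop.example -
2008-3-25 7:30:00 GMT 198.51.100.9 User - MX1 192.0.2.10 bob@example.org 1020 MX1aaa5@mail.example.org 3 0 800 1 2008-3-25 7:29:58 GMT 0 Version: 6.0.3790.1830 - - friend@shop.example -
2008-3-25 8:15:00 GMT 10.0.0.25 WS25 - MX1 192.0.2.10 d@example.net 1020 MX1aaa4@mail.example.org 3 0 5120 1 2008-3-25 8:14:58 GMT 0 Version: 6.0.3790.1830 - - alice@example.org -
"""

def relayed_by_client(log_text, local_domains, internal_nets):
    """Group relayed mail (outside client, non-local sender and recipient) by client IP."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    seen = defaultdict(lambda: {"msgs": {}, "senders": set()})
    for line in log_text.splitlines():
        t = line.split()
        if len(t) < 25:
            continue  # not a full entry in the assumed layout
        try:
            ip = ipaddress.ip_address(t[3])
            rcpt_count = int(t[14])
        except ValueError:
            continue  # redacted or malformed field
        sender, rcpt = t[-2].lower(), t[8].lower()
        if any(ip in n for n in nets):
            continue  # internal workstation or server
        if sender.rpartition("@")[2] in local_domains:
            continue  # sender claims a local address
        if rcpt.rpartition("@")[2] in local_domains:
            continue  # ordinary inbound delivery
        entry = seen[str(ip)]
        entry["msgs"][t[10]] = rcpt_count  # keyed by message ID to avoid double counting
        entry["senders"].add(sender)
    return {ip: {"messages": len(e["msgs"]),
                 "recipients": sum(e["msgs"].values()),
                 "senders": sorted(e["senders"])} for ip, e in seen.items()}

if __name__ == "__main__":
    result = relayed_by_client(SAMPLE_LOG, {"example.org"}, ["10.0.0.0/8"])
    for ip, summary in result.items():
        print(ip, summary)
```

Under the assumed column layout the line carries no authenticated account name, so the summary only narrows down which clients and time windows to examine further.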
