Hello David,
First of all, make sure you are closed for relay. Once this is done, if
you are still seeing a spam attack, someone may be authenticating with your
server and sending mail. Here is how you try to find the compromised
account:
This section enables logging in the Windows Event Viewer such that any
authentication attempts against the SMTP service (successful or failures)
are logged in the application log.
1. Start Exchange Administrator.
2. Double-click "Servers".
3. Under "Servers", right-click <ServerName>, and then click
"Properties".
4. Click the "Diagnostic Logging" tab.
5. Click "MSExchangeTransport" on the left.
6. On the right, click "SMTP Protocol".
7. Under "Logging Level", click "Maximum".
8. Click "OK" to close "Server Properties".
If a remote user is authenticating against the Exchange Server as part of an
operation to relay SMTP e-mail, you will see an event that is similar to
the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:13:24 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client
<remote_computername>. The authentication method was <LOGIN> and the
username was <company\username>.
In this case, if the relaying appears to come from a hacked account
password, go to the Active Directory Users and Computers snap-in and delete
the account, disable the account, or change the password on the account.
If a remote user is authenticating against the Exchange Server as part of an
operation to relay SMTP e-mail using the guest account, you will see an
event that is similar to the following in the application log:
Event Type: Information
Event Source: MSExchangeTransport
Event Category: SMTP Protocol
Event ID: 1708
Date: 8/13/2003
Time: 10:27:52 AM
User: N/A
Computer: SERVER
Description: SMTP Authentication was performed successfully with client
<remote_computername>. The authentication method was <LOGIN> and the
username was <COMPANY\Guest>.
In this case, the remote user is exploiting the guest account. Use the
Active Directory Users and Computers snap-in to disable the guest account.
Note It is not sufficient to change the password on the guest account. You
must disable the guest account.
Once the offending account is taken care of and you restart the SMTP service,
you will see 1706 and 1707 auth failures in the Application Log.
** If you have no users that use POP, you can open the ESM. Go to the
properties of the Default SMTP VS and click the Access tab. Then click the
Relay button and uncheck "allow all computers which successfully
authenticate..." and restart the SMTP Service. Make sure you do not uncheck
this if you have POP users connecting to the Exchange Server.
--
Jeremy Gazjuk
Microsoft PSS
EMS - XCON Team
This posting is provided "AS IS" with no warranties, and confers no rights.
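As an added example (not part of this thread, and not a Microsoft tool): a small Python script that does by machine the check the steps above have you do by eye. It parses a plain-text dump of Application-log records in the layout quoted above, groups event 1708 by authenticated username and client, flags the Guest account or any account authenticating unusually often or from many clients, and counts the 1706/1707 events the reply says show up as auth failures. The sample records, client names, account names, the record separator and the alert thresholds are all constructed assumptions; the 1706/1707 description text is a placeholder, since the reply names only those event IDs.

```python
import re
from collections import defaultdict

# Constructed sample: a plain-text dump of Application-log records in the layout
# quoted in the reply, one record per block, separated by a line of dashes.
# The 1708 descriptions use the wording from the reply; the 1706/1707 text is a
# placeholder (the reply gives only the IDs). Hosts and accounts are made up.
SAMPLE_EVENTS = r"""Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client WKS-017. The authentication method was LOGIN and the username was COMPANY\jsmith.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 203.0.113.45. The authentication method was LOGIN and the username was COMPANY\Guest.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 203.0.113.45. The authentication method was LOGIN and the username was COMPANY\Guest.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 203.0.113.46. The authentication method was LOGIN and the username was COMPANY\Guest.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 198.51.100.10. The authentication method was LOGIN and the username was COMPANY\mmiller.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 198.51.100.11. The authentication method was LOGIN and the username was COMPANY\mmiller.
---
Event Source: MSExchangeTransport
Event ID: 1708
Description: SMTP Authentication was performed successfully with client 198.51.100.12. The authentication method was LOGIN and the username was COMPANY\mmiller.
---
Event Source: MSExchangeTransport
Event ID: 1706
Description: (placeholder) SMTP authentication failure.
---
Event Source: MSExchangeTransport
Event ID: 1707
Description: (placeholder) SMTP authentication failure.
"""

RECORD_SEP = re.compile(r"^-{3,}\s*$", re.MULTILINE)
FIELD_RE = re.compile(r"^(Event Source|Event ID|Description):\s*(.*)$", re.MULTILINE)
# Matches the 1708 description text quoted in the reply.
AUTH_OK_RE = re.compile(
    r"SMTP Authentication was performed successfully with client (?P<client>\S+)\. "
    r"The authentication method was (?P<method>\S+) and the username was (?P<user>\S+)\."
)


def parse_events(text):
    """Turn the text dump into a list of dicts; 1708 records get client/method/user."""
    events = []
    for chunk in RECORD_SEP.split(text):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        if "Event ID" not in fields:
            continue
        ev = {"id": int(fields["Event ID"]), "source": fields.get("Event Source", ""),
              "client": None, "method": None, "user": None}
        m = AUTH_OK_RE.search(fields.get("Description", ""))
        if ev["id"] == 1708 and m:
            ev.update(client=m["client"], method=m["method"], user=m["user"])
        events.append(ev)
    return events


def summarize_auth(events):
    """Group successful SMTP authentications (event 1708) by account."""
    summary = defaultdict(lambda: {"count": 0, "clients": set()})
    for ev in events:
        if ev["id"] == 1708 and ev["user"]:
            summary[ev["user"]]["count"] += 1
            summary[ev["user"]]["clients"].add(ev["client"])
    return dict(summary)


def flag_suspects(summary, max_count=2, max_clients=2):
    """Return (account, reason) pairs worth a closer look. The thresholds are
    assumptions; tune them to the site's normal POP/SMTP-auth volume."""
    suspects = []
    for user, entry in sorted(summary.items()):
        if user.split("\\")[-1].lower() == "guest":
            suspects.append((user, "Guest account used for SMTP auth: disable it"))
        elif entry["count"] > max_count:
            suspects.append((user, f"{entry['count']} SMTP logins"))
        elif len(entry["clients"]) > max_clients:
            suspects.append((user, f"logins from {len(entry['clients'])} clients"))
    return suspects


def count_failures(events):
    """Count the 1706/1707 events the reply describes as auth failures."""
    return sum(1 for ev in events if ev["id"] in (1706, 1707))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, reason in flag_suspects(summarize_auth(evs)):
        print(f"{user}: {reason}")
    print(f"auth failures (1706/1707): {count_failures(evs)}")
```

On a real server the dump would come from exporting the Application log to text after step 8 above; the only parts tied to this sample are the dash separator between records and the placeholder 1706/1707 text.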
Post by David
Dear All,
We have the following issue. Some people from Asia connect to our
Exchange Server, and the Queue and Badmail folders contain a lot of
mail.
After scanning all the ports on the server I see that someone had an
established connection on the port 25 on our server via the
inetinfo.exe.
We have a firewall, all Microsoft patches, an up-to-date antivirus, and
Exchange is not configured as a relay.
When you terminate the inetinfo.exe process, this 'spamming'
stops, but a few minutes later the spammer connects again to this
application on port 25.
HELP !!!!!!!!
I would really appreciate it if someone can help me to stop this 'spamming'.
Thx,
David