Determine method of compromise
I don't know how best to ask this question, so I would like to present my problem and see if anyone has any ideas on how to help.

I am running Exchange 2003 SP2 (Build 7638.2) on Server 2003 R2 SP2.

In the last 15 days, I have had 2 user accounts sending out large amounts of SPAM from my Exchange server. In both cases, these were valid user accounts. And in both cases, we do not believe that this was done intentionally.

My suspicion is that their computer has been infected with some malware, and that this malware is utilizing their connection to our Exchange server to send out this junk.

As a reaction, in both cases, I have simply disabled the user's account, disabled outbound email, and purged the queues of this junk.

My questions then are as follows.

First, how can I determine how the messages were submitted (e.g. RPC over HTTP, directly from Outlook, or some other technique)? These messages do appear in the user's sent items folder.

Second, how can I prevent this from occurring in the future?

Third, how can I detect this in such a way as to minimize the number of these messages that successfully escape from my server?

Any help would be greatly appreciated!
March 2nd, 2009 9:06pm

Hi,

This might help: http://www.vamsoft.com/authattack.asp

Leif
March 3rd, 2009 1:49am
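Since the linked page points at SMTP AUTH abuse, the SMTP virtual server's protocol log is the place to look for the original poster's first and third questions (how the mail was submitted, and how to catch it early). The script below is an added example, not code from the thread or from Microsoft; it parses a W3C-format protocol log and flags three patterns: one account authenticating from several source addresses, one account issuing a burst of RCPT commands inside a short window, and repeated AUTH failures from one client (password guessing). The log lines and the column layout (in particular a column carrying the authenticated account name) are constructed for the example; a real Exchange 2003 protocol log may not record the account name in the same place, so read the column names from your own log's `#Fields:` line and adjust the lookups accordingly.

```python
"""Flag SMTP AUTH abuse in a W3C extended-format SMTP protocol log.

Added example for this thread. Column set and log lines are constructed;
adapt the column names to whatever your log's "#Fields:" line declares.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status",
    # the user's normal session from a LAN workstation (constructed)
    "2009-03-02 08:01:10 10.0.0.15 OUTLOOK-PC AUTH jsmith 235",
    "2009-03-02 08:01:11 10.0.0.15 OUTLOOK-PC MAIL FROM:<jsmith@example.com> 250",
    "2009-03-02 08:01:12 10.0.0.15 OUTLOOK-PC RCPT TO:<alice@example.net> 250",
    # the same credentials used from an external address (constructed)
    "2009-03-02 22:30:01 203.0.113.9 UNKNOWN-PC AUTH jsmith 235",
    "2009-03-02 22:30:02 203.0.113.9 UNKNOWN-PC MAIL FROM:<jsmith@example.com> 250",
]
# 60 recipients in one minute from the external client
_BURST = [
    f"2009-03-02 22:31:{i:02d} 203.0.113.9 UNKNOWN-PC RCPT TO:<v{i}@example.org> 250"
    for i in range(60)
]
_TAIL = [
    "2009-03-02 22:45:00 198.51.100.7 UNKNOWN-PC AUTH jsmith 235",
    "2009-03-02 23:10:00 192.0.2.44 UNKNOWN-PC AUTH jsmith 235",
] + [f"2009-03-02 23:30:{i:02d} 192.0.2.77 - AUTH bob 535" for i in range(6)]
SAMPLE_LOG = "\n".join(_BASE + _BURST + _TAIL) + "\n"


def parse_w3c(text):
    """Return one dict per log line, keyed by the names in the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def find_auth_abuse(events, max_ips=3, rcpt_limit=50,
                    window=timedelta(hours=1), fail_limit=5):
    """Return a list of findings; each is a tuple starting with the rule name."""
    findings = []
    auth_ips = defaultdict(set)    # account -> source IPs with a successful AUTH
    fails = defaultdict(int)       # source IP -> failed AUTH attempts
    current_user = {}              # source IP -> last account that authenticated
    rcpt_times = defaultdict(list) # account -> timestamps of accepted RCPTs
    for e in events:
        ip, cmd, status = e["c-ip"], e["cs-method"], e["sc-status"]
        if cmd == "AUTH":
            if status == "235":                   # 235 = authentication succeeded
                user = e["cs-uri-query"]          # assumed: account name in this column
                auth_ips[user].add(ip)
                current_user[ip] = user
            elif status == "535":                 # 535 = authentication failed
                fails[ip] += 1
        elif cmd == "RCPT" and status == "250" and ip in current_user:
            # attribute the recipient to the account last authenticated from this IP
            # (a simplification: one client per IP)
            user = current_user[ip]
            times = rcpt_times[user]
            times.append(e["ts"])
            while times and e["ts"] - times[0] > window:
                times.pop(0)                      # keep only RCPTs inside the window
            if len(times) == rcpt_limit:          # fire once when the limit is crossed
                findings.append(("rcpt-burst", user, ip, len(times)))
    for user, ips in auth_ips.items():
        if len(ips) >= max_ips:
            findings.append(("many-source-ips", user, sorted(ips)))
    for ip, n in fails.items():
        if n >= fail_limit:
            findings.append(("auth-failures", ip, n))
    return findings


if __name__ == "__main__":
    for finding in find_auth_abuse(parse_w3c(SAMPLE_LOG)):
        print(finding)
```

Run against the real log directory on the server, the "many-source-ips" rule is the one that most directly answers the first question: a mailbox whose owner only ever uses Outlook on the LAN should not be authenticating over SMTP from addresses outside it, and a burst of RCPT commands from such a session is what fills the queues. The thresholds are deliberately loose starting points; tune them against a week of normal traffic before acting on them.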

Indeed, it does seem to be the answer. Now the question is what can I do to prevent abuse of my server using SMTP Auth?

Also, I discovered that in both cases, my users replied to a phishing email generated from a windowslive.com and a live.com email address. Who should I notify at Microsoft regarding these addresses?

Richard
March 3rd, 2009 6:36pm
