[ExchangeList] Re: How do I diagnose an Spammers use of my system
- From: Simon Butler <simon@xxxxxxxxxxx>
- To: "exchangelist@xxxxxxxxxxxxx" <exchangelist@xxxxxxxxxxxxx>
- Date: Sat, 22 Mar 2008 19:28:42 +0000
I can pretty much guarantee that there is not an infected machine in your network. Bots do not relay their email through a server on the same network. You may want to read my blog posting on this subject: http://www.sembee.co.uk/archive/2008/03/13/73.aspx

Logon Type 3, while it usually means another machine on the network, is also used by IIS. Therefore I suspect that you have been the subject of an authenticated user attack, and the spammer has got hold of a user account in your domain. Therefore you need to change the password on that account, and on the administrator account, and then restart the SMTP services. Removing the Exchange store was probably a little over the top; it isn't something I would have done.

AV on the workstations and the server will not prove that something didn't get past, but as I don't think you have a BOT on your network this isn't a concern. You need to be looking at the source of the SMTP traffic to begin with, which is probably coming from outside.
Simon.
--
From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of John L. Gitzen II
Sent: 22 March 2008 16:41
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] How do I diagnose an Spammers use of my system

Exchange Gurus,
I could use some help in diagnosing an Attack of Service or possibly a trojan horse running in my system. Someone found a test email userid which had been left active on our Exchange 2003 Server and has been sending out SPAM from our location the better part of Friday and possibly several days earlier. Once I became aware of the problem I tracked down that outgoing messages from test@xxxxxxxxxxxxx were going out every few seconds. I have since removed the Exchange Mail Store, disabled the test id and deleted over 7,000 messages pending submission. I also rebooted our Exchange server and our Domain Controller where the smtp services run.

I reviewed the Event Log on the Exchange Server and I show the user id test being logged on and off many times over the last few days. I was able to deduce from the Logon Type: 3 that the logon is coming from another computer within my network and is not a Remote Desktop Connection of some sort. Now the problem is how to find the culprit.

Unfortunately I cannot deduce much more from the Event Log. It amazes me that Microsoft would go to the trouble of installing an Event Log Viewer on every machine and yet NEVER document the event log entries themselves!

I could use some help in how to deduce the cause, the originating computer, and/or the weakness in our defenses so I can prevent this.
To start off -
- Domain Controller runs Windows Server 2003 and is still SP1
- Exchange Server runs Windows Server 2003 SP2, up to date.
- Servers run BitDefender for File Servers
- Exchange Server runs GFI Mail Security and Mail Essentials.
- Nearly all computers in our network run BitDefender Client Professional Plus version 8

Suggestions on how to narrow my search would be greatly appreciated!!

Thanks in advance,
John
Technology Applied
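Simon's point is that a Logon Type 3 success by itself does not prove a LAN workstation is involved, because IIS (and therefore SMTP AUTH on the Exchange server) also produces network logons; what separates the two cases is the Source Network Address and which process performed the logon, and how fast the logons repeat. The script below is an added example, not code from either poster, that reads a few constructed Security-log records (Event ID 540, the Windows Server 2003 "Successful Network Logon" event) in an assumed flattened "Field: value" export format, summarises Type 3 logons per account by source address, logon process and workstation name, and flags accounts whose logons arrive repeatedly from outside the RFC 1918 ranges. The Logon Process values (Advapi for IIS/SMTP AUTH, Kerberos for a domain workstation) and the sample addresses are assumptions used only to illustrate the triage; check your own export against them before drawing conclusions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample (not real data from the thread): Windows Server 2003 Security-log
# logon records flattened to one record per line, "Field: value" pairs separated by " | ".
# Field names follow the Event ID 540 "Successful Network Logon" layout; the Logon Process
# values (Advapi for IIS/SMTP AUTH, Kerberos for a LAN workstation) are assumptions.
SAMPLE_EVENTS = """\
2008-03-21 09:12:01 | Event ID: 540 | User Name: test | Logon Type: 3 | Logon Process: Advapi | Workstation Name: EXCH01 | Source Network Address: 203.0.113.45
2008-03-21 09:12:04 | Event ID: 540 | User Name: test | Logon Type: 3 | Logon Process: Advapi | Workstation Name: EXCH01 | Source Network Address: 203.0.113.45
2008-03-21 09:12:09 | Event ID: 540 | User Name: test | Logon Type: 3 | Logon Process: Advapi | Workstation Name: EXCH01 | Source Network Address: 198.51.100.7
2008-03-21 09:12:15 | Event ID: 540 | User Name: test | Logon Type: 3 | Logon Process: Advapi | Workstation Name: EXCH01 | Source Network Address: 203.0.113.45
2008-03-21 09:13:02 | Event ID: 540 | User Name: jgitzen | Logon Type: 3 | Logon Process: Kerberos | Workstation Name: WS-ACCOUNTS | Source Network Address: 192.168.1.57
2008-03-21 09:13:40 | Event ID: 540 | User Name: jgitzen | Logon Type: 3 | Logon Process: Kerberos | Workstation Name: WS-ACCOUNTS | Source Network Address: 192.168.1.57
2008-03-21 09:14:11 | Event ID: 528 | User Name: backupsvc | Logon Type: 4 | Logon Process: Advapi | Workstation Name: EXCH01 | Source Network Address: -
"""

# Address ranges treated as "inside the LAN" (assumption: RFC 1918 private space).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def parse_records(text):
    """Turn the flattened export into a list of dicts, one per event."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(" | ")]
        rec = {"Timestamp": datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")}
        for part in parts[1:]:
            key, _, value = part.partition(": ")
            rec[key] = value
        records.append(rec)
    return records


def is_external(addr):
    """True when the source address lies outside the LAN ranges; '-' (no address) counts as internal."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def summarise_network_logons(records):
    """Per account: how many Type 3 successes, from where, via which logon process, and how fast."""
    summary = defaultdict(lambda: {"count": 0, "external": 0, "sources": set(),
                                   "processes": set(), "workstations": set(), "times": []})
    for rec in records:
        # Only successful network logons (540 / Type 3) are relevant to Simon's question.
        if rec.get("Event ID") != "540" or rec.get("Logon Type") != "3":
            continue
        s = summary[rec["User Name"]]
        s["count"] += 1
        addr = rec.get("Source Network Address", "-")
        s["sources"].add(addr)
        if is_external(addr):
            s["external"] += 1
        s["processes"].add(rec.get("Logon Process", "?"))
        s["workstations"].add(rec.get("Workstation Name", "?"))
        s["times"].append(rec["Timestamp"])
    for s in summary.values():
        # Shortest interval between two logons: a spam run authenticates every few seconds.
        times = sorted(s["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        s["min_gap_seconds"] = min(gaps) if gaps else None
    return dict(summary)


def flag_accounts(records, min_logons=3):
    """Accounts with repeated Type 3 logons arriving from outside the LAN: the pattern of
    an authenticated SMTP relay abuse, not of a workstation on the internal network."""
    return sorted(user for user, s in summarise_network_logons(records).items()
                  if s["count"] >= min_logons and s["external"] > 0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_EVENTS)
    for user, s in summarise_network_logons(recs).items():
        print(f"{user}: {s['count']} logons, {s['external']} from outside, sources={sorted(s['sources'])}, "
              f"process={sorted(s['processes'])}, workstation={sorted(s['workstations'])}, "
              f"fastest gap={s['min_gap_seconds']}s")
    print("accounts to reset first:", flag_accounts(recs))
```

On the constructed sample, the test account shows up with every logon coming from public addresses, Workstation Name equal to the Exchange server itself and a gap of only a few seconds between logons, which is the signature Simon describes; jgitzen's logons come from one LAN address via Kerberos and are left alone. In practice the same grouping applied to the real Security log, together with the SMTP protocol log's client IP column, points at the external source and confirms which account's password needs to be changed first.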