• From: "KEN MORRIS" <KMORRIS@xxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Sep 2003 10:04:07 -0400


This morning I walked into check my NDR's and found many (about 100 or so
since 1am today) reports being sent to me, When I take a look at my logs, I
am finding many event ID 1208 & 1209 messages about the IS maintenance. All
of the messages "appear" to be originating from a different domain than ours.

I was taking a look at my logons and have multiple entries of a logon for
"systemmailbox" with an ACL beside it. All at times of the day when no one is
in the building. I am still receiving the NDR's and would like to know what
steps anyone can recommend to stop this.

The server is W2K sp4 latest patches as of Tuesday morning, with E2K SP3. 

Any suggestions on what else I should be looking for, or more information to
help solve this I will gladly supply. Why I am receiving these and has my
server been compromised? Any suggestions/help is greatly appreciated!



Other related posts: