[ExchangeList] How do I diagnose an Spammers use of my system

  • From: "John L. Gitzen II" <john_gitzen_ii@xxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Sat, 22 Mar 2008 12:40:30 -0400

Exchange Guru's,
I could use some help in diagnosing an Attack of Service or possibly a
trojan horse running in my system.  Someone found a test email userid which
had been left active on our Exchange 2003 Server and is sent out SPAM from
our location the better part of Friday and possibly several days earlier.
Once I became aware of the problem I tracked down that outgoing messages
from test@xxxxxxxxxxxxx were going out every few seconds.  I have since
removed the Exchange Mail Store and disabled the test id and deleted over
7,000 messages pending submission.  I also rebooted our Exchange server and
our Domain Controller where the smtp services run. 
I reviewed the Event Log on the Exchange Server and I show the user id test
being logged on and off many times over the last few days.  I was able to
deduce from the Logon Type: 3 that the logon is coming from another computer
within my network and is not a Remote Desktop Connection of some sort.  Now
the problem is how to find the culprit.  
Unfortunately I can not deduce much more from the Event Log - It amazes me
that Microsoft would go to the trouble of installing an Event Log Viewer on
every machine and yet NEVER document the event log entries themselves!
I could use some help in how to deduce the cause, the originating computer,
and/or the weakness in our defenses so I can prevent this.
To start off - 
Domain Controller runs Windows Server 2003 and is still SP1
Exchange Server runs Windows Sever 2003 SP2, up to date.
Servers run BitDefender for File Servers
Exchange Server runs GFI Mail Security and Mail Essentials.
Nearly all computers in our network Run BitDefender Client Professional Plus
version 8
Suggestions on how to narrow my search would be greatly appreciated!!
Thanks In advance
Technology Applied  

Other related posts: