Single user account sending spam?

#1

Hello.

Exchange 2003, Windows 2003 Server.

I have a single user account that is being used to send spam, creating and filling queues in Exchange by the hundreds. When I disable the account the spam stops. I've changed the password on the account thinking it was compromised, but as soon as I activate the account the spam begins again.

I have confirmed that open relaying does not exist. I currently have message tracking turned off, as the log file exploded overnight, filling the drive and stopping Exchange in its tracks (which is how I found out about this).

Can someone help?

Thanks in advance.

#2
Re: Single user account sending spam?

I presume the account belongs to a live user?
Check their PC (or any PC they may have used) for malware.

Tom Jones
MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
PhD, MSc, FIAP, MIITT
IT Trainer / Consultant
Ossian Ltd
Scotland

** Remember to give credit where credit is due and leave reputation points where appropriate **


#3
Re: Single user account sending spam?

It is a live user, but one that only uses Outlook Web Access for email. I've checked the laptop that they use at work but there's nothing on it, and it isn't signed on to webmail anyway.

Thanks. Keep 'em coming! I've been crawling through forum posts all day but have yet to find anything pertaining to this specific situation.


#4
Re: Single user account sending spam?

Is anything allowed to relay? I know you said that it's not open, but do you have any exceptions for the local subnet or specific IP addresses?

Regards,
Jeremy

Network Consultant/Engineer
Baltimore - Washington area and beyond
www.gma-cpa.com


#5
Re: Single user account sending spam?

There are two relays allowed.

1. From a specific server IP, that sends email via our Exchange box.
2. From the IP of a firewall at a remote site. (So, if NAT'ing is involved, it could feasibly send from anything behind that address.)

That second one is ugly, and I just locked it down now. However, as the subnet is our management network and is strictly controlled, I'm not too sure that that is where the problem lies. Still, it shouldn't exist.

I'd like to uncheck "Allow all computers that authenticate to relay", but as most of our users only use Outlook Web Access, I can't.
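The two questions the thread circles around are "how much is this one mailbox sending" (post #1, where the message tracking log filled the disk before anyone looked at it) and "where are the submissions coming from" (posts #4 and #5, the relay exceptions by IP). Both can be answered from the tracking log itself. The script below is an added example written for this thread; it is not code from the forum or from Microsoft. It parses a tab-separated tracking log, counts each message once however many events it logged, and reports per sender the number of messages, recipients, distinct client IPs and the largest burst in any 10-minute window. The log text inside it is constructed: it imitates the tab-separated layout of an Exchange 2003 message tracking log but keeps only a subset of the real columns, and the date/time format, Event-ID values, addresses and IPs are all made up for the sample. The parser takes column names from the header line, so it is not tied to that subset.

```python
"""Per-sender volume summary for a tab-separated message tracking log.

Added example, not from the forum thread or from Microsoft. SAMPLE_LOG is
constructed: it imitates the tab-separated layout of an Exchange 2003
message tracking log with a reduced set of columns; the date/time format
and Event-ID values are assumptions, not taken from a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_FIELDS = ["Date", "Time", "client-ip", "Recipient-Address", "Event-ID",
           "MSGID", "Number-Recipients", "Sender-Address"]

# Constructed rows: jsmith is an ordinary user, kdoe is the abused mailbox.
# Some rows share a MSGID because one message produces several events.
_ROWS = [
    ("2008-03-12", "08:02:10 GMT", "10.0.0.21", "alice@partner.example",
     "1019", "<m1@ex.local>", "1", "jsmith@example.local"),
    ("2008-03-12", "08:02:11 GMT", "10.0.0.21", "alice@partner.example",
     "1020", "<m1@ex.local>", "1", "jsmith@example.local"),
    ("2008-03-12", "09:15:00 GMT", "10.0.0.21", "bob@partner.example",
     "1019", "<m2@ex.local>", "1", "jsmith@example.local"),
    ("2008-03-12", "23:10:00 GMT", "203.0.113.45", "list@victim.example",
     "1019", "<k1@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:10:01 GMT", "203.0.113.45", "list@victim.example",
     "1020", "<k1@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:10:30 GMT", "203.0.113.45", "list@victim.example",
     "1019", "<k2@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:11:00 GMT", "198.51.100.7", "list@victim.example",
     "1019", "<k3@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:11:20 GMT", "198.51.100.7", "list@victim.example",
     "1019", "<k4@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:12:00 GMT", "203.0.113.45", "list@victim.example",
     "1019", "<k5@ex.local>", "50", "kdoe@example.local"),
    ("2008-03-12", "23:12:45 GMT", "198.51.100.7", "list@victim.example",
     "1019", "<k6@ex.local>", "50", "kdoe@example.local"),
]
SAMPLE_LOG = "\n".join(
    ["# Message Tracking Log File (constructed sample)",
     "# " + "\t".join(_FIELDS)]
    + ["\t".join(r) for r in _ROWS]
    # A truncated row, as you get when the disk filled mid-write.
    + ["2008-03-12\t23:13:00 GMT\t198.51.100.7"])


def parse_tracking_log(text):
    """One dict per data row, keyed by the column names in the header.

    '#' lines are comments; the one containing tabs is the column header.
    Rows whose column count does not match the header are skipped.
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if "\t" in line:
                fields = line.lstrip("#").strip().split("\t")
            continue
        cells = line.split("\t")
        if fields is None or len(cells) != len(fields):
            continue
        records.append(dict(zip(fields, cells)))
    return records


def _timestamp(rec):
    # Assumed format for the constructed sample; adjust to the real log.
    return datetime.strptime(rec["Date"] + " " + rec["Time"],
                             "%Y-%m-%d %H:%M:%S GMT")


def peak_in_window(timestamps, window):
    """Largest number of timestamps falling inside any span of `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize_senders(records, window=timedelta(minutes=10)):
    """Per sender: distinct messages (one per MSGID), recipients, client IPs
    and the busiest burst within `window`."""
    per_sender = defaultdict(lambda: {"msgs": {}, "ips": set()})
    for rec in records:
        entry = per_sender[rec["Sender-Address"].lower()]
        entry["ips"].add(rec["client-ip"])
        if rec["MSGID"] not in entry["msgs"]:
            entry["msgs"][rec["MSGID"]] = (
                _timestamp(rec), int(rec.get("Number-Recipients") or 1))
    summary = {}
    for sender, entry in per_sender.items():
        times = [t for t, _ in entry["msgs"].values()]
        summary[sender] = {
            "messages": len(entry["msgs"]),
            "recipients": sum(n for _, n in entry["msgs"].values()),
            "client_ips": sorted(entry["ips"]),
            "peak_in_window": peak_in_window(times, window),
        }
    return summary


def find_bulk_senders(summary, max_messages, max_recipients, max_peak):
    """Senders over any threshold, busiest first. Thresholds are per site."""
    flagged = [s for s, v in summary.items()
               if v["messages"] > max_messages
               or v["recipients"] > max_recipients
               or v["peak_in_window"] > max_peak]
    return sorted(flagged, key=lambda s: summary[s]["messages"], reverse=True)


if __name__ == "__main__":
    stats = summarize_senders(parse_tracking_log(SAMPLE_LOG))
    for sender in find_bulk_senders(stats, 5, 200, 20):
        v = stats[sender]
        print(f"{sender}: {v['messages']} msgs, {v['recipients']} rcpts, "
              f"peak {v['peak_in_window']}, from {', '.join(v['client_ips'])}")
```

Run it against a copy of the day's log rather than the live file. The client IP list is the useful part for the relay discussion: if the abused mailbox's submissions all arrive from an address covered by one of the relay exceptions, or from an address that is not an OWA front end at all, that tells you which path the spammer is using and which setting to close. The thresholds are arguments on purpose; a sensible daily limit for one mailbox depends on the site.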



#6
Re: Single user account sending spam?

Originally posted by Kevindv10:
    I'd like to uncheck "Allow all computers that authenticate to relay", but as most of our users only use Outlook Web Access, I can't.

That setting has nothing to do with OWA.
It can be turned off without OWA being involved at all. It is for SMTP clients like Outlook Express etc. OWA doesn't use SMTP to send email.

As well as changing the password, you need to reset IIS. That will break the session that the spammer has established.

Simon.
--
Simon Butler
Exchange MVP

Blog: http://blog.sembee.co.uk/
More Exchange Content: http://exchange.sembee.info/
Exchange Resources List: http://exbpa.com/
In the UK? Hire me: http://www.sembee.co.uk/

Sembee is a registered trademark, used here with permission.


#7
Re: Single user account sending spam?

Great, thanks for the info. I've unchecked it, and I've removed Authenticated Users from the "Grant or Deny Relay Permissions to Specific Users" list. Under those settings Authenticated Users had the Submit permission (not Relay permissions). Hopefully it's okay to make that change, and maybe someone can confirm that.

I've restarted IIS and was about to enable the account when I noticed that more spam is showing up in the queues. It all appears to be sending from the disabled account.


#8
Re: Single user account sending spam?

If the account has been abused in the usual way, then a lot of the email will be cached and you have to wait for the cache to empty. When a spammer has managed to compromise an account they will abuse it as much as possible, sending many thousands of messages. Exchange can't display or cope with all of those and therefore will take time to process them.

Simon.


#9
Re: Single user account sending spam?

Thought I'd post this to maybe help someone in the future. I ended up changing the message expiry date on the queue in order to speed up the process of these messages expiring. Eventually the queue cleared and we didn't even get blacklisted.

And then one of the virtual disks corrupted... but that's another story.

Thanks everyone.